bindService()过程解析

引言

在做IPC架构时，bindService()是一个绕不过的话题。基于此，本文打算深入研究bindService()的完整过程，并且尝试回答以下几个问题:

bindService()过程系统到底做了什么？
使用Activity Context和Application Context进行bindService()的效果是一样的吗？

回答以上问题的目的其实是为了回答以下这个终极问题:

进行IPC通信是否一定要采用bindService()，有没有可能采用其他的方案?

bindService()过程

Client端bindService()

以Context的bindService()为例，在Context中只是个抽象方法，真正的实现是在ContextImpl中，如下:

@Override
    public boolean bindService(Intent service, ServiceConnection conn,
            int flags) {
        warnIfCallingFromSystemProcess();
        return bindServiceCommon(service, conn, flags, Process.myUserHandle());
    }

而bindServiceCommon()方法如下:

private boolean bindServiceCommon(Intent service, ServiceConnection conn, int flags,
            UserHandle user) {
        IServiceConnection sd;
        if (conn == null) {
            throw new IllegalArgumentException("connection is null");
        }
        if (mPackageInfo != null) {
            sd = mPackageInfo.getServiceDispatcher(conn, getOuterContext(),
                    mMainThread.getHandler(), flags);
        } else {
            throw new RuntimeException("Not supported in system context");
        }
        validateServiceIntent(service);
        try {
            IBinder token = getActivityToken();
            if (token == null && (flags&BIND_AUTO_CREATE) == 0 && mPackageInfo != null
                    && mPackageInfo.getApplicationInfo().targetSdkVersion
                    < android.os.Build.VERSION_CODES.ICE_CREAM_SANDWICH) {
                flags |= BIND_WAIVE_PRIORITY;
            }
            service.prepareToLeaveProcess();
            int res = ActivityManagerNative.getDefault().bindService(
                mMainThread.getApplicationThread(), getActivityToken(), service,
                service.resolveTypeIfNeeded(getContentResolver()),
                sd, flags, getOpPackageName(), user.getIdentifier());
            if (res < 0) {
                throw new SecurityException(
                        "Not allowed to bind to service " + service);
            }
            return res != 0;
        } catch (RemoteException e) {
            throw new RuntimeException("Failure from system", e);
        }
    }

这个方法中有以下几点值得注意:

mPackageInfo其实是LoadedAPK对象，那么它的getServiceDispatcher()方法做了什么事呢?
如果getActivityToken(), flags不为BIND_AUTO_CREATE,并且targetSdkVersion小于14的话，flags会添加BIND_WAIVE_PRIORITY标志，这个标志的含义是弃权，即不影响提供Service的进程的优先级
调用AMP.bindService()时，会传递getActivityToken()的值，而这个值对于bindService()的结果有什么样的影响呢？

后面将逐步回答以上3个问题。

首先看一下LoadedApk的getServiceDispatcher()方法:

public final IServiceConnection getServiceDispatcher(ServiceConnection c,
        Context context, Handler handler, int flags) {
    synchronized (mServices) {
        LoadedApk.ServiceDispatcher sd = null;
        ArrayMap<ServiceConnection, LoadedApk.ServiceDispatcher> map = mServices.get(context);
        if (map != null) {
            sd = map.get(c);
        }
        if (sd == null) {
            sd = new ServiceDispatcher(c, context, handler, flags);
            if (map == null) {
                map = new ArrayMap<ServiceConnection, LoadedApk.ServiceDispatcher>();
                mServices.put(context, map);
            }
            map.put(c, sd);
        } else {
            sd.validate(context, handler);
        }
        return sd.getIServiceConnection();
    }
}

显然，这个方法就是首先尝试从缓存中取出ServiceDispatcher对象，如果没有取到就新建一个ServiceDispatcher对象，而ServiceConnection就是此时保存到ServiceDispatcher对象中的。

不过需要注意的是最后返回的并不是ServiceDispatcher对象，而是其中的IServiceConnection对象，其中IServiceConnection是一个IPC接口, 而IServiceConnection对象的初始化就是在ServiceDispatcher的构造方法中。这个IServiceConnection的binder会在IPC时传递到AMS中。

IServiceConnection的aidl定义如下:

import android.content.ComponentName;
/** @hide */
oneway interface IServiceConnection {
    void connected(in ComponentName name, IBinder service);
}

显然，它是个单向方法，并且ComponentName参数也是单向传递到server端的。

再回到bindServiceCommon()方法中，接下来就是调用AMP的bindService()方法，然后通过IPC调用到AMS的bindService()方法，而AMS中的bindService()方法分析见下一小节。

AMS中bindService()

该方法如下:

public int bindService(IApplicationThread caller, IBinder token, Intent service,
            String resolvedType, IServiceConnection connection, int flags, String callingPackage,
            int userId) throws TransactionTooLargeException {
        enforceNotIsolatedCaller("bindService");
        // Refuse possible leaked file descriptors
        if (service != null && service.hasFileDescriptors() == true) {
            throw new IllegalArgumentException("File descriptors passed in Intent");
        }
        if (callingPackage == null) {
            throw new IllegalArgumentException("callingPackage cannot be null");
        }
        synchronized(this) {
            return mServices.bindServiceLocked(caller, token, service,
                    resolvedType, connection, flags, callingPackage, userId);
        }
    }

注意其中的mServices是ActiveServices对象，其bindServiceLocked()方法如下:

int bindServiceLocked(IApplicationThread caller, IBinder token, Intent service,
            String resolvedType, IServiceConnection connection, int flags,
            String callingPackage, int userId) throws TransactionTooLargeException {
        ...
        final ProcessRecord callerApp = mAm.getRecordForAppLocked(caller);
        if (callerApp == null) {
            throw new SecurityException(
                    "Unable to find app for caller " + caller
                    + " (pid=" + Binder.getCallingPid()
                    + ") when binding service " + service);
        }
        ActivityRecord activity = null;
        if (token != null) {
            activity = ActivityRecord.isInStackLocked(token);
            if (activity == null) {
                Slog.w(TAG, "Binding with unknown activity: " + token);
                return 0;
            }
        }
        int clientLabel = 0;
        PendingIntent clientIntent = null;
        if (callerApp.info.uid == Process.SYSTEM_UID) {
            // Hacky kind of thing -- allow system stuff to tell us
            // what they are, so we can report this elsewhere for
            // others to know why certain services are running.
            try {
                clientIntent = service.getParcelableExtra(Intent.EXTRA_CLIENT_INTENT);
            } catch (RuntimeException e) {
            }
            if (clientIntent != null) {
                clientLabel = service.getIntExtra(Intent.EXTRA_CLIENT_LABEL, 0);
                if (clientLabel != 0) {
                    // There are no useful extras in the intent, trash them.
                    // System code calling with this stuff just needs to know
                    // this will happen.
                    service = service.cloneFilter();
                }
            }
        }
        if ((flags&Context.BIND_TREAT_LIKE_ACTIVITY) != 0) {
            mAm.enforceCallingPermission(android.Manifest.permission.MANAGE_ACTIVITY_STACKS,
                    "BIND_TREAT_LIKE_ACTIVITY");
        }
        final boolean callerFg = callerApp.setSchedGroup != Process.THREAD_GROUP_BG_NONINTERACTIVE;
        ServiceLookupResult res =
            retrieveServiceLocked(service, resolvedType, callingPackage,
                    Binder.getCallingPid(), Binder.getCallingUid(), userId, true, callerFg);
        if (res == null) {
            return 0;
        }
        if (res.record == null) {
            return -1;
        }
        ServiceRecord s = res.record;
        final long origId = Binder.clearCallingIdentity();
        try {
            if (unscheduleServiceRestartLocked(s, callerApp.info.uid, false)) {
              ...
            if ((flags&Context.BIND_AUTO_CREATE) != 0) {
                s.lastActivity = SystemClock.uptimeMillis();
                if (!s.hasAutoCreateConnections()) {
                    // This is the first binding, let the tracker know.
                    ProcessStats.ServiceState stracker = s.getTracker();
                    if (stracker != null) {
                        stracker.setBound(true, mAm.mProcessStats.getMemFactorLocked(),
                                s.lastActivity);
                    }
                }
            }
            mAm.startAssociationLocked(callerApp.uid, callerApp.processName,
                    s.appInfo.uid, s.name, s.processName);
            AppBindRecord b = s.retrieveAppBindingLocked(service, callerApp);
            ConnectionRecord c = new ConnectionRecord(b, activity,
                    connection, flags, clientLabel, clientIntent);
            IBinder binder = connection.asBinder();
            ArrayList<ConnectionRecord> clist = s.connections.get(binder);
            if (clist == null) {
                clist = new ArrayList<ConnectionRecord>();
                s.connections.put(binder, clist);
            }
            clist.add(c);
            b.connections.add(c);
            if (activity != null) {
                if (activity.connections == null) {
                    activity.connections = new HashSet<ConnectionRecord>();
                }
                activity.connections.add(c);
            }
            b.client.connections.add(c);
            if ((c.flags&Context.BIND_ABOVE_CLIENT) != 0) {
                b.client.hasAboveClient = true;
            }
            if (s.app != null) {
                updateServiceClientActivitiesLocked(s.app, c, true);
            }
            clist = mServiceConnections.get(binder);
            if (clist == null) {
                clist = new ArrayList<ConnectionRecord>();
                mServiceConnections.put(binder, clist);
            }
            clist.add(c);
            if ((flags&Context.BIND_AUTO_CREATE) != 0) {
                s.lastActivity = SystemClock.uptimeMillis();
                if (bringUpServiceLocked(s, service.getFlags(), callerFg, false) != null) {
                    return 0;
                }
            }
            if (s.app != null) {
                if ((flags&Context.BIND_TREAT_LIKE_ACTIVITY) != 0) {
                    s.app.treatLikeActivity = true;
                }
                // This could have made the service more important.
                mAm.updateLruProcessLocked(s.app, s.app.hasClientActivities
                        || s.app.treatLikeActivity, b.client);
                mAm.updateOomAdjLocked(s.app);
            }
            ...
            if (s.app != null && b.intent.received) {
                // Service is already running, so we can immediately
                // publish the connection.
                try {
                    c.conn.connected(s.name, b.intent.binder);
                } catch (Exception e) {
                    ...
                }
                // If this is the first app connected back to this binding,
                // and the service had previously asked to be told when
                // rebound, then do so.
                if (b.intent.apps.size() == 1 && b.intent.doRebind) {
                    requestServiceBindingLocked(s, b.intent, callerFg, true);
                }
            } else if (!b.intent.requested) {
                requestServiceBindingLocked(s, b.intent, callerFg, false);
            }
            getServiceMap(s.userId).ensureNotStartingBackground(s);
        } finally {
            Binder.restoreCallingIdentity(origId);
        }
        return 1;
    }

这个方法主要做了以下事情:

根据传递的IApplicationThread，通过AMS.getRecordForAppLocked()方法，从LRU缓存中获取ProcessRecord对象;这里可以保证一定能从缓存中取到，因为在App调用bindService()之前，所在的进程一定已经启动，只要启动了就会在AMS中留下进程记录。
前面提到的Activity的token在这里用上了，如果token不为null,就会从缓存中取出ActivityRecord, 类似地，如果是从Activity中调用bindService()，由于Activity已经启动，所以这里也一定可以取到ActivityRecord对象;
如果是系统uid,那么会从Intent中提取出clientIntent;
调用retrieveServiceLocked()方法来获取ServiceLookupResult这个查询结果，这个方法会先尝试从缓存中取出ServiceRecord对象，如果没有则新建ServiceRecord并且存入缓存中，最后返回的ServiceLookupResult是ServiceRecord的包装类;
调用unscheduleServiceRestartLocked(),即如果要绑定的Service在重启名单中，那么就将它从AMS的mHandler中移除重启的Callback;
之后调用ServiceRecord的retrieveAppBindingLocked()从缓存中获取或者新建AppBindRecord对象；
然后新建ConnectionRecord对象,这个对象包含的信息非常多，包括AppBindRecord对象，ActivityRecord对象，IServiceConnection代理，flags, clientLabel和clientIntent;
之后将ConnectionRecord对象放入缓存中，这个缓存的key是IServiceConnection的binder, value是ArrayList，这说明一个IServiceConnection可能对应多个ConnectionRecord,其实这也很好理解，因为一个client进程只有一个用于处理服务连接状态的IServiceConnection,但是一个client进程中却可能有多个连接;
之后，如果ServiceRecord中的ProcessRecord不为空，则调用updateServiceClientActivitiesLocked()方法，这个方法主要作用就是查找client进程中是否存在activity,如果存在则更新AMS中ProcessRecord的LRU记录;
如果flags中含有Context.BIND_AUTO_CREATE标志，那么调用bringUpServiceLocked()将启动Service，这个过程还可能伴随启动Service所在进程(如果进程没有启动的话); 在下一节将详细分析。

Service侧进程启动以及Service启动

ActiveServices中bringUpServiceLocked()方法如下:

private final String bringUpServiceLocked(ServiceRecord r, int intentFlags, boolean execInFg,
         boolean whileRestarting) throws TransactionTooLargeException {
     //Slog.i(TAG, "Bring up service:");
     //r.dump("  ");
     if (r.app != null && r.app.thread != null) {
         sendServiceArgsLocked(r, execInFg, false);
         return null;
     }
     if (!whileRestarting && r.restartDelay > 0) {
         // If waiting for a restart, then do nothing.
         return null;
     }
     if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "Bringing up " + r + " " + r.intent);
     // We are now bringing the service up, so no longer in the
     // restarting state.
     if (mRestartingServices.remove(r)) {
         r.resetRestartCounter();
         clearRestartingIfNeededLocked(r);
     }
     // Make sure this service is no longer considered delayed, we are starting it now.
     if (r.delayed) {
         if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE, "REM FR DELAY LIST (bring up): " + r);
         getServiceMap(r.userId).mDelayedStartList.remove(r);
         r.delayed = false;
     }
     // Make sure that the user who owns this service is started.  If not,
     // we don't want to allow it to run.
     if (mAm.mStartedUsers.get(r.userId) == null) {
         String msg = "Unable to launch app "
                 + r.appInfo.packageName + "/"
                 + r.appInfo.uid + " for service "
                 + r.intent.getIntent() + ": user " + r.userId + " is stopped";
         Slog.w(TAG, msg);
         bringDownServiceLocked(r);
         return msg;
     }
     // Service is now being launched, its package can't be stopped.
     try {
         AppGlobals.getPackageManager().setPackageStoppedState(
                 r.packageName, false, r.userId);
     } catch (RemoteException e) {
     } catch (IllegalArgumentException e) {
         Slog.w(TAG, "Failed trying to unstop package "
                 + r.packageName + ": " + e);
     }
     final boolean isolated = (r.serviceInfo.flags&ServiceInfo.FLAG_ISOLATED_PROCESS) != 0;
     final String procName = r.processName;
     ProcessRecord app;
     if (!isolated) {
         app = mAm.getProcessRecordLocked(procName, r.appInfo.uid, false);
         if (DEBUG_MU) Slog.v(TAG_MU, "bringUpServiceLocked: appInfo.uid=" + r.appInfo.uid
                     + " app=" + app);
         if (app != null && app.thread != null) {
             try {
                 app.addPackage(r.appInfo.packageName, r.appInfo.versionCode, mAm.mProcessStats);
                 realStartServiceLocked(r, app, execInFg);
                 return null;
             } catch (TransactionTooLargeException e) {
                 throw e;
             } catch (RemoteException e) {
                 Slog.w(TAG, "Exception when starting service " + r.shortName, e);
             }
             // If a dead object exception was thrown -- fall through to
             // restart the application.
         }
     } else {
         // If this service runs in an isolated process, then each time
         // we call startProcessLocked() we will get a new isolated
         // process, starting another process if we are currently waiting
         // for a previous process to come up.  To deal with this, we store
         // in the service any current isolated process it is running in or
         // waiting to have come up.
         app = r.isolatedProc;
     }
     // Not running -- get it started, and enqueue this service record
     // to be executed when the app comes up.
     if (app == null) {
         if ((app=mAm.startProcessLocked(procName, r.appInfo, true, intentFlags,
                 "service", r.name, false, isolated, false)) == null) {
             String msg = "Unable to launch app "
                     + r.appInfo.packageName + "/"
                     + r.appInfo.uid + " for service "
                     + r.intent.getIntent() + ": process is bad";
             Slog.w(TAG, msg);
             bringDownServiceLocked(r);
             return msg;
         }
         if (isolated) {
             r.isolatedProc = app;
         }
     }
     if (!mPendingServices.contains(r)) {
         mPendingServices.add(r);
     }
     if (r.delayedStop) {
         // Oh and hey we've already been asked to stop!
         r.delayedStop = false;
         if (r.startRequested) {
             if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE,
                     "Applying delayed stop (in bring up): " + r);
             stopServiceLocked(r);
         }
     }
     return null;
 }

首先尝试从AMS.getProcessRecordLocked()方法中获取ProcessRecord,如果获取到了，说明进程已经启动，就可以调用realStartServiceLocked()方法启动Service了:

private final void realStartServiceLocked(ServiceRecord r,
            ProcessRecord app, boolean execInFg) throws RemoteException {
        if (app.thread == null) {
            throw new RemoteException();
        }
        if (DEBUG_MU)
            Slog.v(TAG_MU, "realStartServiceLocked, ServiceRecord.uid = " + r.appInfo.uid
                    + ", ProcessRecord.uid = " + app.uid);
        r.app = app;
        r.restartTime = r.lastActivity = SystemClock.uptimeMillis();
        final boolean newService = app.services.add(r);
        bumpServiceExecutingLocked(r, execInFg, "create");
        mAm.updateLruProcessLocked(app, false, null);
        mAm.updateOomAdjLocked();
        boolean created = false;
        try {
            if (LOG_SERVICE_START_STOP) {
                String nameTerm;
                int lastPeriod = r.shortName.lastIndexOf('.');
                nameTerm = lastPeriod >= 0 ? r.shortName.substring(lastPeriod) : r.shortName;
                EventLogTags.writeAmCreateService(
                        r.userId, System.identityHashCode(r), nameTerm, r.app.uid, r.app.pid);
            }
            synchronized (r.stats.getBatteryStats()) {
                r.stats.startLaunchedLocked();
            }
            mAm.ensurePackageDexOpt(r.serviceInfo.packageName);
            app.forceProcessStateUpTo(ActivityManager.PROCESS_STATE_SERVICE);
            app.thread.scheduleCreateService(r, r.serviceInfo,
                    mAm.compatibilityInfoForPackageLocked(r.serviceInfo.applicationInfo),
                    app.repProcState);
            r.postNotification();
            created = true;
        } catch (DeadObjectException e) {
            Slog.w(TAG, "Application dead when creating service " + r);
            mAm.appDiedLocked(app);
            throw e;
        } finally {
            if (!created) {
                // Keep the executeNesting count accurate.
                final boolean inDestroying = mDestroyingServices.contains(r);
                serviceDoneExecutingLocked(r, inDestroying, inDestroying);
                // Cleanup.
                if (newService) {
                    app.services.remove(r);
                    r.app = null;
                }
                // Retry.
                if (!inDestroying) {
                    scheduleServiceRestartLocked(r, false);
                }
            }
        }
        requestServiceBindingsLocked(r, execInFg);
        updateServiceClientActivitiesLocked(app, null, true);
        // If the service is in the started state, and there are no
        // pending arguments, then fake up one so its onStartCommand() will
        // be called.
        if (r.startRequested && r.callStart && r.pendingStarts.size() == 0) {
            r.pendingStarts.add(new ServiceRecord.StartItem(r, false, r.makeNextStartId(),
                    null, null));
        }
        sendServiceArgsLocked(r, execInFg, true);
        if (r.delayed) {
            if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE, "REM FR DELAY LIST (new proc): " + r);
            getServiceMap(r.userId).mDelayedStartList.remove(r);
            r.delayed = false;
        }
        if (r.delayedStop) {
            // Oh and hey we've already been asked to stop!
            r.delayedStop = false;
            if (r.startRequested) {
                if (DEBUG_DELAYED_STARTS) Slog.v(TAG_SERVICE,
                        "Applying delayed stop (from start): " + r);
                stopServiceLocked(r);
            }
        }
    }

这个方法也很长，主要做了以下事情:

调用AMS.updateLruProcessLocked()方法更新ProcessRecord的LRU缓存;
调用AMS.updateOomAdjLocked()方法更新Service所在进程的oom_adj值;
通过ProcessRecord中的IApplicationThread的代理，通过IPC调用scheduleCreateService()方法，进行Service的创建，ApplicationThread中的调用过程以前我们分析过很多，这里就不再赘述了;
如果发现不需要重新创建(比如已经创建了),那么就进行一些状态维护即可

之后调用requestServiceBindingsLocked()方法，这个方法非常重要，就是在这里，把Service的onBind()与要提供的服务关联起来了。该方法如下:

1
2
3
4
5
6
7
8
9
10 private final void requestServiceBindingsLocked(ServiceRecord r, boolean execInFg)
        throws TransactionTooLargeException {
    for (int i=r.bindings.size()-1; i>=0; i--) {
        IntentBindRecord ibr = r.bindings.valueAt(i);
        if (!requestServiceBindingLocked(r, ibr, execInFg, false)) {
            break;
        }
    }
}

显然，这里是遍历ServiceRecord中的IntentBindRecord,即所有的绑定记录，然后调用requestServiceBindingLocked()方法，只要有一个执行成功即中断。而requestServiceBindingLocked()方法如下:

private final boolean requestServiceBindingLocked(ServiceRecord r, IntentBindRecord i,
          boolean execInFg, boolean rebind) throws TransactionTooLargeException {
      if (r.app == null || r.app.thread == null) {
          // If service is not currently running, can't yet bind.
          return false;
      }
      if ((!i.requested || rebind) && i.apps.size() > 0) {
          try {
              bumpServiceExecutingLocked(r, execInFg, "bind");
              r.app.forceProcessStateUpTo(ActivityManager.PROCESS_STATE_SERVICE);
              r.app.thread.scheduleBindService(r, i.intent.getIntent(), rebind,
                      r.app.repProcState);
              if (!rebind) {
                  i.requested = true;
              }
              i.hasBound = true;
              i.doRebind = false;
          } catch (TransactionTooLargeException e) {
              // Keep the executeNesting count accurate.
              if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "Crashed while binding " + r, e);
              final boolean inDestroying = mDestroyingServices.contains(r);
              serviceDoneExecutingLocked(r, inDestroying, inDestroying);
              throw e;
          } catch (RemoteException e) {
              if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "Crashed while binding " + r);
              // Keep the executeNesting count accurate.
              final boolean inDestroying = mDestroyingServices.contains(r);
              serviceDoneExecutingLocked(r, inDestroying, inDestroying);
              return false;
          }
      }
      return true;
  }

这个方法的重点是调用ApplicationThread的代理，通过IPC调用scheduleBindService(), 注意这里会将ServiceRecord(继承自Binder)传递过去(后面要给它赋值),而ApplicationThread中的scheduleBindService()方法如下:

public final void scheduleBindService(IBinder token, Intent intent,
             boolean rebind, int processState) {
         updateProcessState(processState, false);
         BindServiceData s = new BindServiceData();
         s.token = token;
         s.intent = intent;
         s.rebind = rebind;
         if (DEBUG_SERVICE)
             Slog.v(TAG, "scheduleBindService token=" + token + " intent=" + intent + " uid="
                     + Binder.getCallingUid() + " pid=" + Binder.getCallingPid());
         sendMessage(H.BIND_SERVICE, s);
     }

这个方法很简单，就是新建了一个包装类BindServiceData对象，然后通过H传递消息到主线程，之后调用handleBindService()方法:

private void handleBindService(BindServiceData data) {
    Service s = mServices.get(data.token);
    if (DEBUG_SERVICE)
        Slog.v(TAG, "handleBindService s=" + s + " rebind=" + data.rebind);
    if (s != null) {
        try {
            data.intent.setExtrasClassLoader(s.getClassLoader());
            data.intent.prepareToEnterProcess();
            try {
                if (!data.rebind) {
                    IBinder binder = s.onBind(data.intent);
                    ActivityManagerNative.getDefault().publishService(
                            data.token, data.intent, binder);
                } else {
                    s.onRebind(data.intent);
                    ActivityManagerNative.getDefault().serviceDoneExecuting(
                            data.token, SERVICE_DONE_EXECUTING_ANON, 0, 0);
                }
                ensureJitEnabled();
            } catch (RemoteException ex) {
            }
        } catch (Exception e) {
            if (!mInstrumentation.onException(s, e)) {
                throw new RuntimeException(
                        "Unable to bind to service " + s
                        + " with " + data.intent + ": " + e.toString(), e);
            }
        }
    }
}

这里的data.token就是IPC调用传递过来的ServiceRecord对象，由于在前面已经通过IPC调用启动了Service对象，所以这里可以通过data.token从缓存中取出Service对象，然后分两种情况:

如果不是重连，那么就调用Service的onBind()方法获取IBinder,而获取的这个binder会在pushlishService()时传递到AMS中，之后又会通过AMS到client进程中，这也就是client中获取到Service中onBind()所返回的binder的原因。之后就进行IPC调用，最终会调用到AMS.publishService()方法，这个方法在后面会进行详细分析，这里先放一下;
否则回调Service的onRebind()方法,这个方法经常被我们忽视，实际上也很重要。之后通过IPC调用到AMS的serviceDoneExecuting()方法。

至此，Service侧的调用就基本结束了，主要是AMS对其的两次IPC调用，分别是IApplicationThread的scheduleCreateService()和scheduleBindService(), 前者是为了新建Service, 而后者是获取Service的onBind()所返回的IBinder对象。

继续ActiveServices.bringUpServiceLocked()方法分析

再回到ActiveServices的bringUpServiceLocked()方法中，对于还未启动或者进程已经回收的进程的情况，需要先调用AMS.startProcessLocked()方法来启动进程，并且等到进程启动完成之后再进行绑定。

那它是如何实现这点的呢？

其实很简单，就是将ServiceRecord先放到mPendingServices中，代码片段如下:

...
 // Not running -- get it started, and enqueue this service record
        // to be executed when the app comes up.
        if (app == null) {
            if ((app=mAm.startProcessLocked(procName, r.appInfo, true, intentFlags,
                    "service", r.name, false, isolated, false)) == null) {
                String msg = "Unable to launch app "
                        + r.appInfo.packageName + "/"
                        + r.appInfo.uid + " for service "
                        + r.intent.getIntent() + ": process is bad";
                Slog.w(TAG, msg);
                bringDownServiceLocked(r);
                return msg;
            }
            if (isolated) {
                r.isolatedProc = app;
            }
        }
        if (!mPendingServices.contains(r)) {
            mPendingServices.add(r);
        }
...

这个mPendingServices顾名思义，就是暂时挂起的服务，那它等到什么时候会用到呢？或者说要挂起到什么时候才能被使用呢？

答案就在AMS的attachApplicationLocked()方法中。

在启动Service所在进程后，会通过IPC调用到AMS的attachApplication()—>attachApplicationLocked()方法，

而在AMS的attachApplicationLocked()方法中，有如下代码片段:

...  
// Find any services that should be running in this process...
        if (!badApp) {
            try {
                didSomething |= mServices.attachApplicationLocked(app, processName);
            } catch (Exception e) {
                Slog.wtf(TAG, "Exception thrown starting services in " + app, e);
                badApp = true;
            }
        }
...

注释已经写得很清楚了，就是执行到这里时，查找那些本来应该运行在这个进程的Service(由于进程没启动而暂时挂起的那些), 然后调用到ActiveServices的attachApplicationLocked()方法:

boolean attachApplicationLocked(ProcessRecord proc, String processName)
            throws RemoteException {
        boolean didSomething = false;
        // Collect any services that are waiting for this process to come up.
        if (mPendingServices.size() > 0) {
            ServiceRecord sr = null;
            try {
                for (int i=0; i<mPendingServices.size(); i++) {
                    sr = mPendingServices.get(i);
                    if (proc != sr.isolatedProc && (proc.uid != sr.appInfo.uid
                            || !processName.equals(sr.processName))) {
                        continue;
                    }
                    mPendingServices.remove(i);
                    i--;
                    proc.addPackage(sr.appInfo.packageName, sr.appInfo.versionCode,
                            mAm.mProcessStats);
                    realStartServiceLocked(sr, proc, sr.createdFromFg);
                    didSomething = true;
                    if (!isServiceNeeded(sr, false, false)) {
                        // We were waiting for this service to start, but it is actually no
                        // longer needed.  This could happen because bringDownServiceIfNeeded
                        // won't bring down a service that is pending...  so now the pending
                        // is done, so let's drop it.
                        bringDownServiceLocked(sr);
                    }
                }
            } catch (RemoteException e) {
                Slog.w(TAG, "Exception in new application when starting service "
                        + sr.shortName, e);
                throw e;
            }
        }
        // Also, if there are any services that are waiting to restart and
        // would run in this process, now is a good time to start them.  It would
        // be weird to bring up the process but arbitrarily not let the services
        // run at this point just because their restart time hasn't come up.
        if (mRestartingServices.size() > 0) {
            ServiceRecord sr;
            for (int i=0; i<mRestartingServices.size(); i++) {
                sr = mRestartingServices.get(i);
                if (proc != sr.isolatedProc && (proc.uid != sr.appInfo.uid
                        || !processName.equals(sr.processName))) {
                    continue;
                }
                mAm.mHandler.removeCallbacks(sr.restarter);
                mAm.mHandler.post(sr.restarter);
            }
        }
        return didSomething;
    }

显然，在这个方法里面，会调用realStarServiceLocked()方法完成Service的创建和绑定工作，由于前面已经分析过，这里就不再赘述了。

AMS中更新oom_adj值

由于在上一步可能进行启动Service所在进程的操作，所以在这里再次对s.app是否为null进行判断，然后同样也更新了ProcessRecord的LRU记录；并且，有一个很重要的操作是调用了AMS的updateOomAdjLocked()方法更新client进程的oom_adj值，该方法如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22 final boolean updateOomAdjLocked(ProcessRecord app) {
        final ActivityRecord TOP_ACT = resumedAppLocked();
        final ProcessRecord TOP_APP = TOP_ACT != null ? TOP_ACT.app : null;
        final boolean wasCached = app.cached;
    
        mAdjSeq++;
    
        // This is the desired cached adjusment we want to tell it to use.
        // If our app is currently cached, we know it, and that is it.  Otherwise,
        // we don't know it yet, and it needs to now be cached we will then
        // need to do a complete oom adj.
        final int cachedAdj = app.curRawAdj >= ProcessList.CACHED_APP_MIN_ADJ
                ? app.curRawAdj : ProcessList.UNKNOWN_ADJ;
        boolean success = updateOomAdjLocked(app, cachedAdj, TOP_APP, false,
                SystemClock.uptimeMillis());
        if (wasCached != app.cached || app.curRawAdj == ProcessList.UNKNOWN_ADJ) {
            // Changed to/from cached state, so apps after it in the LRU
            // list may also be changed.
            updateOomAdjLocked();
        }
        return success;
    }

注释中已经写得很清楚了，就是如果app进程(即发起bindService()的那个进程)是缓存的，那么取app进程当前的oom_adj值和ProcessList.CACHED_APP_MIN_ADJ中的较大值，然后调用updateOomAdjLocked()方法更新app进程的oom_adj值即可。该方法如下:

private final boolean updateOomAdjLocked(ProcessRecord app, int cachedAdj,
           ProcessRecord TOP_APP, boolean doingAll, long now) {
       if (app.thread == null) {
           return false;
       }
       computeOomAdjLocked(app, cachedAdj, TOP_APP, doingAll, now);
       return applyOomAdjLocked(app, doingAll, now, SystemClock.elapsedRealtime());
   }

可见这里主要就是调用了computeOomAdjLocked()方法对于app进程的oom_adj值进行了一次计算，然后调用applyOomAdjLocked()方法将计算结果运用上去。

其中computeOomAdjLocked()方法非常重要，现在市面上所谓的进程保活措施的依据有很多就是来自于这里。这个方法的分析请见下一小节。

另外，由于AMS的updateOomAdjLocked()方法非常复杂，以至于我觉得有必要专门用一小节来分析，详情请看下下小节。

AMS.computeOomAdjLocked()

该方法如下:

private final int computeOomAdjLocked(ProcessRecord app, int cachedAdj, ProcessRecord TOP_APP,
        boolean doingAll, long now) {
    if (mAdjSeq == app.adjSeq) {
        // This adjustment has already been computed.
        return app.curRawAdj;
    }
    if (app.thread == null) {
        app.adjSeq = mAdjSeq;
        app.curSchedGroup = Process.THREAD_GROUP_BG_NONINTERACTIVE;
        app.curProcState = ActivityManager.PROCESS_STATE_CACHED_EMPTY;
        return (app.curAdj=app.curRawAdj=ProcessList.CACHED_APP_MAX_ADJ);
    }
    app.adjTypeCode = ActivityManager.RunningAppProcessInfo.REASON_UNKNOWN;
    app.adjSource = null;
    app.adjTarget = null;
    app.empty = false;
    app.cached = false;
    final int activitiesSize = app.activities.size();
    if (app.maxAdj <= ProcessList.FOREGROUND_APP_ADJ) {  //这表示app.maxAdj的优先级比ProcessList.FOREGROUND_APP_ADJ还高，那当然就要调整一下了
        // The max adjustment doesn't allow this app to be anything
        // below foreground, so it is not worth doing work for it.
        app.adjType = "fixed";
        app.adjSeq = mAdjSeq;
        app.curRawAdj = app.maxAdj;
        app.foregroundActivities = false;
        app.curSchedGroup = Process.THREAD_GROUP_DEFAULT;
        app.curProcState = ActivityManager.PROCESS_STATE_PERSISTENT;
        // System processes can do UI, and when they do we want to have
        // them trim their memory after the user leaves the UI.  To
        // facilitate this, here we need to determine whether or not it
        // is currently showing UI.
        app.systemNoUi = true;
        if (app == TOP_APP) {
            app.systemNoUi = false;
        } else if (activitiesSize > 0) {
            for (int j = 0; j < activitiesSize; j++) {
                final ActivityRecord r = app.activities.get(j);
                if (r.visible) {
                    app.systemNoUi = false;
                }
            }
        }
        if (!app.systemNoUi) {
            app.curProcState = ActivityManager.PROCESS_STATE_PERSISTENT_UI;
        }
        return (app.curAdj=app.maxAdj);
    }
    app.systemNoUi = false;
    final int PROCESS_STATE_TOP = mTopProcessState;
    // Determine the importance of the process, starting with most
    // important to least, and assign an appropriate OOM adjustment.
    int adj;
    int schedGroup;
    int procState;
    boolean foregroundActivities = false;
    BroadcastQueue queue;
    if (app == TOP_APP) {
        // The last app on the list is the foreground app.
        adj = ProcessList.FOREGROUND_APP_ADJ;
        schedGroup = Process.THREAD_GROUP_DEFAULT;
        app.adjType = "top-activity";
        foregroundActivities = true;
        procState = PROCESS_STATE_TOP;
    } else if (app.instrumentationClass != null) {
        // Don't want to kill running instrumentation.
        adj = ProcessList.FOREGROUND_APP_ADJ;
        schedGroup = Process.THREAD_GROUP_DEFAULT;
        app.adjType = "instrumentation";
        procState = ActivityManager.PROCESS_STATE_FOREGROUND_SERVICE;
    } else if ((queue = isReceivingBroadcast(app)) != null) {
        // An app that is currently receiving a broadcast also
        // counts as being in the foreground for OOM killer purposes.
        // It's placed in a sched group based on the nature of the
        // broadcast as reflected by which queue it's active in.
        adj = ProcessList.FOREGROUND_APP_ADJ;
        schedGroup = (queue == mFgBroadcastQueue)
                ? Process.THREAD_GROUP_DEFAULT : Process.THREAD_GROUP_BG_NONINTERACTIVE;
        app.adjType = "broadcast";
        procState = ActivityManager.PROCESS_STATE_RECEIVER;
    } else if (app.executingServices.size() > 0) {
        // An app that is currently executing a service callback also
        // counts as being in the foreground.
        adj = ProcessList.FOREGROUND_APP_ADJ;
        schedGroup = app.execServicesFg ?
                Process.THREAD_GROUP_DEFAULT : Process.THREAD_GROUP_BG_NONINTERACTIVE;
        app.adjType = "exec-service";
        procState = ActivityManager.PROCESS_STATE_SERVICE;
        //Slog.i(TAG, "EXEC " + (app.execServicesFg ? "FG" : "BG") + ": " + app);
    } else {
        // As far as we know the process is empty.  We may change our mind later.
        schedGroup = Process.THREAD_GROUP_BG_NONINTERACTIVE;
        // At this point we don't actually know the adjustment.  Use the cached adj
        // value that the caller wants us to.
        adj = cachedAdj;
        procState = ActivityManager.PROCESS_STATE_CACHED_EMPTY;
        app.cached = true;
        app.empty = true;
        app.adjType = "cch-empty";
    }
    // Examine all activities if not already foreground.
    if (!foregroundActivities && activitiesSize > 0) {
        for (int j = 0; j < activitiesSize; j++) {
            final ActivityRecord r = app.activities.get(j);
            if (r.app != app) {
                Slog.w(TAG, "Wtf, activity " + r + " in proc activity list not using proc "
                        + app + "?!? Using " + r.app + " instead.");
                continue;
            }
            if (r.visible) {
                // App has a visible activity; only upgrade adjustment.
                if (adj > ProcessList.VISIBLE_APP_ADJ) {
                    adj = ProcessList.VISIBLE_APP_ADJ;
                    app.adjType = "visible";
                }
                if (procState > PROCESS_STATE_TOP) {
                    procState = PROCESS_STATE_TOP;
                }
                schedGroup = Process.THREAD_GROUP_DEFAULT;
                app.cached = false;
                app.empty = false;
                foregroundActivities = true;
                break;
            } else if (r.state == ActivityState.PAUSING || r.state == ActivityState.PAUSED) {
                if (adj > ProcessList.PERCEPTIBLE_APP_ADJ) {
                    adj = ProcessList.PERCEPTIBLE_APP_ADJ;
                    app.adjType = "pausing";
                }
                if (procState > PROCESS_STATE_TOP) {
                    procState = PROCESS_STATE_TOP;
                }
                schedGroup = Process.THREAD_GROUP_DEFAULT;
                app.cached = false;
                app.empty = false;
                foregroundActivities = true;
            } else if (r.state == ActivityState.STOPPING) {
                if (adj > ProcessList.PERCEPTIBLE_APP_ADJ) {
                    adj = ProcessList.PERCEPTIBLE_APP_ADJ;
                    app.adjType = "stopping";
                }
                // For the process state, we will at this point consider the
                // process to be cached.  It will be cached either as an activity
                // or empty depending on whether the activity is finishing.  We do
                // this so that we can treat the process as cached for purposes of
                // memory trimming (determing current memory level, trim command to
                // send to process) since there can be an arbitrary number of stopping
                // processes and they should soon all go into the cached state.
                if (!r.finishing) {
                    if (procState > ActivityManager.PROCESS_STATE_LAST_ACTIVITY) {
                        procState = ActivityManager.PROCESS_STATE_LAST_ACTIVITY;
                    }
                }
                app.cached = false;
                app.empty = false;
                foregroundActivities = true;
            } else {
                if (procState > ActivityManager.PROCESS_STATE_CACHED_ACTIVITY) {
                    procState = ActivityManager.PROCESS_STATE_CACHED_ACTIVITY;
                    app.adjType = "cch-act";
                }
            }
        }
    }
    if (adj > ProcessList.PERCEPTIBLE_APP_ADJ) {
        if (app.foregroundServices) {
            // The user is aware of this app, so make it visible.
            adj = ProcessList.PERCEPTIBLE_APP_ADJ;
            procState = ActivityManager.PROCESS_STATE_FOREGROUND_SERVICE;
            app.cached = false;
            app.adjType = "fg-service";
            schedGroup = Process.THREAD_GROUP_DEFAULT;
        } else if (app.forcingToForeground != null) {
            // The user is aware of this app, so make it visible.
            adj = ProcessList.PERCEPTIBLE_APP_ADJ;
            procState = ActivityManager.PROCESS_STATE_IMPORTANT_FOREGROUND;
            app.cached = false;
            app.adjType = "force-fg";
            app.adjSource = app.forcingToForeground;
            schedGroup = Process.THREAD_GROUP_DEFAULT;
        }
    }
    if (app == mHeavyWeightProcess) {
        if (adj > ProcessList.HEAVY_WEIGHT_APP_ADJ) {
            // We don't want to kill the current heavy-weight process.
            adj = ProcessList.HEAVY_WEIGHT_APP_ADJ;
            schedGroup = Process.THREAD_GROUP_BG_NONINTERACTIVE;
            app.cached = false;
            app.adjType = "heavy";
        }
        if (procState > ActivityManager.PROCESS_STATE_HEAVY_WEIGHT) {
            procState = ActivityManager.PROCESS_STATE_HEAVY_WEIGHT;
        }
    }
    if (app == mHomeProcess) {
        if (adj > ProcessList.HOME_APP_ADJ) {
            // This process is hosting what we currently consider to be the
            // home app, so we don't want to let it go into the background.
            adj = ProcessList.HOME_APP_ADJ;
            schedGroup = Process.THREAD_GROUP_BG_NONINTERACTIVE;
            app.cached = false;
            app.adjType = "home";
        }
        if (procState > ActivityManager.PROCESS_STATE_HOME) {
            procState = ActivityManager.PROCESS_STATE_HOME;
        }
    }
    if (app == mPreviousProcess && app.activities.size() > 0) {
        if (adj > ProcessList.PREVIOUS_APP_ADJ) {
            // This was the previous process that showed UI to the user.
            // We want to try to keep it around more aggressively, to give
            // a good experience around switching between two apps.
            adj = ProcessList.PREVIOUS_APP_ADJ;
            schedGroup = Process.THREAD_GROUP_BG_NONINTERACTIVE;
            app.cached = false;
            app.adjType = "previous";
        }
        if (procState > ActivityManager.PROCESS_STATE_LAST_ACTIVITY) {
            procState = ActivityManager.PROCESS_STATE_LAST_ACTIVITY;
        }
    }
    if (false) Slog.i(TAG, "OOM " + app + ": initial adj=" + adj
            + " reason=" + app.adjType);
    // By default, we use the computed adjustment.  It may be changed if
    // there are applications dependent on our services or providers, but
    // this gives us a baseline and makes sure we don't get into an
    // infinite recursion.
    app.adjSeq = mAdjSeq;
    app.curRawAdj = adj;
    app.hasStartedServices = false;
    if (mBackupTarget != null && app == mBackupTarget.app) {
        // If possible we want to avoid killing apps while they're being backed up
        if (adj > ProcessList.BACKUP_APP_ADJ) {
            if (DEBUG_BACKUP) Slog.v(TAG_BACKUP, "oom BACKUP_APP_ADJ for " + app);
            adj = ProcessList.BACKUP_APP_ADJ;
            if (procState > ActivityManager.PROCESS_STATE_IMPORTANT_BACKGROUND) {
                procState = ActivityManager.PROCESS_STATE_IMPORTANT_BACKGROUND;
            }
            app.adjType = "backup";
            app.cached = false;
        }
        if (procState > ActivityManager.PROCESS_STATE_BACKUP) {
            procState = ActivityManager.PROCESS_STATE_BACKUP;
        }
    }
    boolean mayBeTop = false;
    for (int is = app.services.size()-1;
            is >= 0 && (adj > ProcessList.FOREGROUND_APP_ADJ
                    || schedGroup == Process.THREAD_GROUP_BG_NONINTERACTIVE
                    || procState > ActivityManager.PROCESS_STATE_TOP);
            is--) {
        ServiceRecord s = app.services.valueAt(is);
        if (s.startRequested) {
            app.hasStartedServices = true;
            if (procState > ActivityManager.PROCESS_STATE_SERVICE) {
                procState = ActivityManager.PROCESS_STATE_SERVICE;
            }
            if (app.hasShownUi && app != mHomeProcess) {
                // If this process has shown some UI, let it immediately
                // go to the LRU list because it may be pretty heavy with
                // UI stuff.  We'll tag it with a label just to help
                // debug and understand what is going on.
                if (adj > ProcessList.SERVICE_ADJ) {
                    app.adjType = "cch-started-ui-services";
                }
            } else {
                if (now < (s.lastActivity + ActiveServices.MAX_SERVICE_INACTIVITY)) {
                    // This service has seen some activity within
                    // recent memory, so we will keep its process ahead
                    // of the background processes.
                    if (adj > ProcessList.SERVICE_ADJ) {
                        adj = ProcessList.SERVICE_ADJ;
                        app.adjType = "started-services";
                        app.cached = false;
                    }
                }
                // If we have let the service slide into the background
                // state, still have some text describing what it is doing
                // even though the service no longer has an impact.
                if (adj > ProcessList.SERVICE_ADJ) {
                    app.adjType = "cch-started-services";
                }
            }
        }
        for (int conni = s.connections.size()-1;
                conni >= 0 && (adj > ProcessList.FOREGROUND_APP_ADJ
                        || schedGroup == Process.THREAD_GROUP_BG_NONINTERACTIVE
                        || procState > ActivityManager.PROCESS_STATE_TOP);
                conni--) {
            ArrayList<ConnectionRecord> clist = s.connections.valueAt(conni);
            for (int i = 0;
                    i < clist.size() && (adj > ProcessList.FOREGROUND_APP_ADJ
                            || schedGroup == Process.THREAD_GROUP_BG_NONINTERACTIVE
                            || procState > ActivityManager.PROCESS_STATE_TOP);
                    i++) {
                // XXX should compute this based on the max of
                // all connected clients.
                ConnectionRecord cr = clist.get(i);
                if (cr.binding.client == app) {
                    // Binding to ourself is not interesting.
                    continue;
                }
                if ((cr.flags&Context.BIND_WAIVE_PRIORITY) == 0) {
                    ProcessRecord client = cr.binding.client;
                    int clientAdj = computeOomAdjLocked(client, cachedAdj,
                            TOP_APP, doingAll, now);
                    int clientProcState = client.curProcState;
                    if (clientProcState >= ActivityManager.PROCESS_STATE_CACHED_ACTIVITY) {
                        // If the other app is cached for any reason, for purposes here
                        // we are going to consider it empty.  The specific cached state
                        // doesn't propagate except under certain conditions.
                        clientProcState = ActivityManager.PROCESS_STATE_CACHED_EMPTY;
                    }
                    String adjType = null;
                    if ((cr.flags&Context.BIND_ALLOW_OOM_MANAGEMENT) != 0) {
                        // Not doing bind OOM management, so treat
                        // this guy more like a started service.
                        if (app.hasShownUi && app != mHomeProcess) {
                            // If this process has shown some UI, let it immediately
                            // go to the LRU list because it may be pretty heavy with
                            // UI stuff.  We'll tag it with a label just to help
                            // debug and understand what is going on.
                            if (adj > clientAdj) {
                                adjType = "cch-bound-ui-services";
                            }
                            app.cached = false;
                            clientAdj = adj;
                            clientProcState = procState;
                        } else {
                            if (now >= (s.lastActivity
                                    + ActiveServices.MAX_SERVICE_INACTIVITY)) {
                                // This service has not seen activity within
                                // recent memory, so allow it to drop to the
                                // LRU list if there is no other reason to keep
                                // it around.  We'll also tag it with a label just
                                // to help debug and undertand what is going on.
                                if (adj > clientAdj) {
                                    adjType = "cch-bound-services";
                                }
                                clientAdj = adj;
                            }
                        }
                    }
                    if (adj > clientAdj) {
                        // If this process has recently shown UI, and
                        // the process that is binding to it is less
                        // important than being visible, then we don't
                        // care about the binding as much as we care
                        // about letting this process get into the LRU
                        // list to be killed and restarted if needed for
                        // memory.
                        if (app.hasShownUi && app != mHomeProcess
                                && clientAdj > ProcessList.PERCEPTIBLE_APP_ADJ) {
                            adjType = "cch-bound-ui-services";
                        } else {
                            if ((cr.flags&(Context.BIND_ABOVE_CLIENT
                                    |Context.BIND_IMPORTANT)) != 0) {
                                adj = clientAdj >= ProcessList.PERSISTENT_SERVICE_ADJ
                                        ? clientAdj : ProcessList.PERSISTENT_SERVICE_ADJ;
                            } else if ((cr.flags&Context.BIND_NOT_VISIBLE) != 0
                                    && clientAdj < ProcessList.PERCEPTIBLE_APP_ADJ
                                    && adj > ProcessList.PERCEPTIBLE_APP_ADJ) {
                                adj = ProcessList.PERCEPTIBLE_APP_ADJ;
                            } else if (clientAdj > ProcessList.VISIBLE_APP_ADJ) {
                                adj = clientAdj;
                            } else {
                                if (adj > ProcessList.VISIBLE_APP_ADJ) {
                                    adj = ProcessList.VISIBLE_APP_ADJ;
                                }
                            }
                            if (!client.cached) {
                                app.cached = false;
                            }
                            adjType = "service";
                        }
                    }
                    if ((cr.flags&Context.BIND_NOT_FOREGROUND) == 0) {
                        if (client.curSchedGroup == Process.THREAD_GROUP_DEFAULT) {
                            schedGroup = Process.THREAD_GROUP_DEFAULT;
                        }
                        if (clientProcState <= ActivityManager.PROCESS_STATE_TOP) {
                            if (clientProcState == ActivityManager.PROCESS_STATE_TOP) {
                                // Special handling of clients who are in the top state.
                                // We *may* want to consider this process to be in the
                                // top state as well, but only if there is not another
                                // reason for it to be running.  Being on the top is a
                                // special state, meaning you are specifically running
                                // for the current top app.  If the process is already
                                // running in the background for some other reason, it
                                // is more important to continue considering it to be
                                // in the background state.
                                mayBeTop = true;
                                clientProcState = ActivityManager.PROCESS_STATE_CACHED_EMPTY;
                            } else {
                                // Special handling for above-top states (persistent
                                // processes).  These should not bring the current process
                                // into the top state, since they are not on top.  Instead
                                // give them the best state after that.
                                if ((cr.flags&Context.BIND_FOREGROUND_SERVICE) != 0) {
                                    clientProcState =
                                            ActivityManager.PROCESS_STATE_BOUND_FOREGROUND_SERVICE;
                                } else if (mWakefulness
                                                == PowerManagerInternal.WAKEFULNESS_AWAKE &&
                                        (cr.flags&Context.BIND_FOREGROUND_SERVICE_WHILE_AWAKE)
                                                != 0) {
                                    clientProcState =
                                            ActivityManager.PROCESS_STATE_BOUND_FOREGROUND_SERVICE;
                                } else {
                                    clientProcState =
                                            ActivityManager.PROCESS_STATE_IMPORTANT_FOREGROUND;
                                }
                            }
                        }
                    } else {
                        if (clientProcState <
                                ActivityManager.PROCESS_STATE_IMPORTANT_BACKGROUND) {
                            clientProcState =
                                    ActivityManager.PROCESS_STATE_IMPORTANT_BACKGROUND;
                        }
                    }
                    if (procState > clientProcState) {
                        procState = clientProcState;
                    }
                    if (procState < ActivityManager.PROCESS_STATE_IMPORTANT_BACKGROUND
                            && (cr.flags&Context.BIND_SHOWING_UI) != 0) {
                        app.pendingUiClean = true;
                    }
                    if (adjType != null) {
                        app.adjType = adjType;
                        app.adjTypeCode = ActivityManager.RunningAppProcessInfo
                                .REASON_SERVICE_IN_USE;
                        app.adjSource = cr.binding.client;
                        app.adjSourceProcState = clientProcState;
                        app.adjTarget = s.name;
                    }
                }
                if ((cr.flags&Context.BIND_TREAT_LIKE_ACTIVITY) != 0) {
                    app.treatLikeActivity = true;
                }
                final ActivityRecord a = cr.activity;
                if ((cr.flags&Context.BIND_ADJUST_WITH_ACTIVITY) != 0) {
                    if (a != null && adj > ProcessList.FOREGROUND_APP_ADJ &&
                            (a.visible || a.state == ActivityState.RESUMED
                             || a.state == ActivityState.PAUSING)) {
                        adj = ProcessList.FOREGROUND_APP_ADJ;
                        if ((cr.flags&Context.BIND_NOT_FOREGROUND) == 0) {
                            schedGroup = Process.THREAD_GROUP_DEFAULT;
                        }
                        app.cached = false;
                        app.adjType = "service";
                        app.adjTypeCode = ActivityManager.RunningAppProcessInfo
                                .REASON_SERVICE_IN_USE;
                        app.adjSource = a;
                        app.adjSourceProcState = procState;
                        app.adjTarget = s.name;
                    }
                }
            }
        }
    }
    for (int provi = app.pubProviders.size()-1;
            provi >= 0 && (adj > ProcessList.FOREGROUND_APP_ADJ
                    || schedGroup == Process.THREAD_GROUP_BG_NONINTERACTIVE
                    || procState > ActivityManager.PROCESS_STATE_TOP);
            provi--) {
        ContentProviderRecord cpr = app.pubProviders.valueAt(provi);
        for (int i = cpr.connections.size()-1;
                i >= 0 && (adj > ProcessList.FOREGROUND_APP_ADJ
                        || schedGroup == Process.THREAD_GROUP_BG_NONINTERACTIVE
                        || procState > ActivityManager.PROCESS_STATE_TOP);
                i--) {
            ContentProviderConnection conn = cpr.connections.get(i);
            ProcessRecord client = conn.client;
            if (client == app) {
                // Being our own client is not interesting.
                continue;
            }
            int clientAdj = computeOomAdjLocked(client, cachedAdj, TOP_APP, doingAll, now);
            int clientProcState = client.curProcState;
            if (clientProcState >= ActivityManager.PROCESS_STATE_CACHED_ACTIVITY) {
                // If the other app is cached for any reason, for purposes here
                // we are going to consider it empty.
                clientProcState = ActivityManager.PROCESS_STATE_CACHED_EMPTY;
            }
            if (adj > clientAdj) {
                if (app.hasShownUi && app != mHomeProcess
                        && clientAdj > ProcessList.PERCEPTIBLE_APP_ADJ) {
                    app.adjType = "cch-ui-provider";
                } else {
                    adj = clientAdj > ProcessList.FOREGROUND_APP_ADJ
                            ? clientAdj : ProcessList.FOREGROUND_APP_ADJ;
                    app.adjType = "provider";
                }
                app.cached &= client.cached;
                app.adjTypeCode = ActivityManager.RunningAppProcessInfo
                        .REASON_PROVIDER_IN_USE;
                app.adjSource = client;
                app.adjSourceProcState = clientProcState;
                app.adjTarget = cpr.name;
            }
            if (clientProcState <= ActivityManager.PROCESS_STATE_TOP) {
                if (clientProcState == ActivityManager.PROCESS_STATE_TOP) {
                    // Special handling of clients who are in the top state.
                    // We *may* want to consider this process to be in the
                    // top state as well, but only if there is not another
                    // reason for it to be running.  Being on the top is a
                    // special state, meaning you are specifically running
                    // for the current top app.  If the process is already
                    // running in the background for some other reason, it
                    // is more important to continue considering it to be
                    // in the background state.
                    mayBeTop = true;
                    clientProcState = ActivityManager.PROCESS_STATE_CACHED_EMPTY;
                } else {
                    // Special handling for above-top states (persistent
                    // processes).  These should not bring the current process
                    // into the top state, since they are not on top.  Instead
                    // give them the best state after that.
                    clientProcState =
                            ActivityManager.PROCESS_STATE_BOUND_FOREGROUND_SERVICE;
                }
            }
            if (procState > clientProcState) {
                procState = clientProcState;
            }
            if (client.curSchedGroup == Process.THREAD_GROUP_DEFAULT) {
                schedGroup = Process.THREAD_GROUP_DEFAULT;
            }
        }
        // If the provider has external (non-framework) process
        // dependencies, ensure that its adjustment is at least
        // FOREGROUND_APP_ADJ.
        if (cpr.hasExternalProcessHandles()) {
            if (adj > ProcessList.FOREGROUND_APP_ADJ) {
                adj = ProcessList.FOREGROUND_APP_ADJ;
                schedGroup = Process.THREAD_GROUP_DEFAULT;
                app.cached = false;
                app.adjType = "provider";
                app.adjTarget = cpr.name;
            }
            if (procState > ActivityManager.PROCESS_STATE_IMPORTANT_FOREGROUND) {
                procState = ActivityManager.PROCESS_STATE_IMPORTANT_FOREGROUND;
            }
        }
    }
    if (mayBeTop && procState > ActivityManager.PROCESS_STATE_TOP) {
        // A client of one of our services or providers is in the top state.  We
        // *may* want to be in the top state, but not if we are already running in
        // the background for some other reason.  For the decision here, we are going
        // to pick out a few specific states that we want to remain in when a client
        // is top (states that tend to be longer-term) and otherwise allow it to go
        // to the top state.
        switch (procState) {
            case ActivityManager.PROCESS_STATE_IMPORTANT_FOREGROUND:
            case ActivityManager.PROCESS_STATE_IMPORTANT_BACKGROUND:
            case ActivityManager.PROCESS_STATE_SERVICE:
                // These all are longer-term states, so pull them up to the top
                // of the background states, but not all the way to the top state.
                procState = ActivityManager.PROCESS_STATE_BOUND_FOREGROUND_SERVICE;
                break;
            default:
                // Otherwise, top is a better choice, so take it.
                procState = ActivityManager.PROCESS_STATE_TOP;
                break;
        }
    }
    if (procState >= ActivityManager.PROCESS_STATE_CACHED_EMPTY) {
        if (app.hasClientActivities) {
            // This is a cached process, but with client activities.  Mark it so.
            procState = ActivityManager.PROCESS_STATE_CACHED_ACTIVITY_CLIENT;
            app.adjType = "cch-client-act";
        } else if (app.treatLikeActivity) {
            // This is a cached process, but somebody wants us to treat it like it has
            // an activity, okay!
            procState = ActivityManager.PROCESS_STATE_CACHED_ACTIVITY;
            app.adjType = "cch-as-act";
        }
    }
    if (adj == ProcessList.SERVICE_ADJ) {
        if (doingAll) {
            app.serviceb = mNewNumAServiceProcs > (mNumServiceProcs/3);
            mNewNumServiceProcs++;
            //Slog.i(TAG, "ADJ " + app + " serviceb=" + app.serviceb);
            if (!app.serviceb) {
                // This service isn't far enough down on the LRU list to
                // normally be a B service, but if we are low on RAM and it
                // is large we want to force it down since we would prefer to
                // keep launcher over it.
                if (mLastMemoryLevel > ProcessStats.ADJ_MEM_FACTOR_NORMAL
                        && app.lastPss >= mProcessList.getCachedRestoreThresholdKb()) {
                    app.serviceHighRam = true;
                    app.serviceb = true;
                    //Slog.i(TAG, "ADJ " + app + " high ram!");
                } else {
                    mNewNumAServiceProcs++;
                    //Slog.i(TAG, "ADJ " + app + " not high ram!");
                }
            } else {
                app.serviceHighRam = false;
            }
        }
        if (app.serviceb) {
            adj = ProcessList.SERVICE_B_ADJ;
        }
    }
    app.curRawAdj = adj;
    //Slog.i(TAG, "OOM ADJ " + app + ": pid=" + app.pid +
    //      " adj=" + adj + " curAdj=" + app.curAdj + " maxAdj=" + app.maxAdj);
    if (adj > app.maxAdj) {
        adj = app.maxAdj;
        if (app.maxAdj <= ProcessList.PERCEPTIBLE_APP_ADJ) {
            schedGroup = Process.THREAD_GROUP_DEFAULT;
        }
    }
    // Do final modification to adj.  Everything we do between here and applying
    // the final setAdj must be done in this function, because we will also use
    // it when computing the final cached adj later.  Note that we don't need to
    // worry about this for max adj above, since max adj will always be used to
    // keep it out of the cached vaues.
    app.curAdj = app.modifyRawOomAdj(adj);
    app.curSchedGroup = schedGroup;
    app.curProcState = procState;
    app.foregroundActivities = foregroundActivities;
    return app.curRawAdj;
}

吐槽一下，这个方法有600多行，只能分成以下几个部分来分析了:

1)如果当前service所在进程的oom_adj值已经被计算过了，那就无需再次计算，直接使用当前的值即可;

2)如果app.thread==null,表明这个进程在缓存中，那么返回ProcessList.CACHED_APP_MAX_ADJ值即可,而这个值的优先级并不高，因为这个数值为15;

3)如果app.maxAdj值小于等于ProcessList.FOREGROUND_APP_ADJ(数值为0),表明最大的调整都不允许Service进程达到ProcessList.FOREGROUND_APP_ADJ,那么就不值得为这个客户端进程工作，所以此时要进行调整，以使app.maxAdj的值能够达到ProcessList.FOREGROUND_APP_ADJ值;

4)根据service进程的情况来为其设置oom_adj值，分别考虑前台app进程，运行instrumentation的进程，正在接收广播的进程，正在执行service callback的进程以及空进程这5种情况。

5)如果不是前台进程，并且service所在进程的Activity数量大于0，就需要依次检查所有activity以更新ProcessRecord和foregroundActivities的状态;

6)如果adj值比ProcessList.PERCEPTIBLE_APP_ADJ(值为2)还大，则要对结果进行调整，如果是ProcessRecord是前台service进程，或者forcingToForeground不为null,则会将adj值调整到ProcessList.PERCEPTIBLE_APP_ADJ值;

7)如果service所在进程对应的ProcessRecord正在执行重量级任务，如果adj>ProcessList.HEAVY_WEIGHT_APP_ADJ值，那么会调整到ProcessList.HEAVY_WEIGHT_APP_ADJ值，这显然是一种均衡策略，不让某个太繁重的任务影响到其他进程的流畅运行;

8)如果服务进程就是mHomeProcess,那么也会依据adj值进行调整;

9)如果服务进程是前一个进程，并且它有activity的话，那么会调整到ProcessList.PREVIOUS_APP_ADJ值;

10)下面根据ProcessRecord中所有ServiceRecord的状态来更新adj和ProcessRecord的值，分以下情况:

如果Service是显式启动的,并且进程还拥有activity,则将其adj值设置为ProcessList.SERVICE_ADJ;
之后遍历每个ServiceRecord中包含的ConnectionRecord,根据ConnectionRecord的值进行adj和ProcessRecord的状态更新，此时会涉及到client端的oom_adj值;

11)最后根据ProcessRecord中所有ContentProviderRecord的状态，逐个分析每个ContentProviderRecord的状态，根据其状态进行adj值和ProcessRecord状态的调整;

12)最后将计算的adj值存放到ProcessRecord中的curRawAdj值中。并且调用ProcessRecord的modifyRawOomAdj()方法来对计算得到的原始adj值进行可能的调整，最后将结果赋值结ProcessRecord的curAdj值中。

###AMS.updateOomAdjLocked()

updateOomAdjLocked()方法如下:

final void updateOomAdjLocked() {
       final ActivityRecord TOP_ACT = resumedAppLocked();
       final ProcessRecord TOP_APP = TOP_ACT != null ? TOP_ACT.app : null;
       final long now = SystemClock.uptimeMillis();
       final long nowElapsed = SystemClock.elapsedRealtime();
       final long oldTime = now - ProcessList.MAX_EMPTY_TIME;
       final int N = mLruProcesses.size();
       if (false) {
           RuntimeException e = new RuntimeException();
           e.fillInStackTrace();
           Slog.i(TAG, "updateOomAdj: top=" + TOP_ACT, e);
       }
       // Reset state in all uid records.
       for (int i=mActiveUids.size()-1; i>=0; i--) {
           final UidRecord uidRec = mActiveUids.valueAt(i);
           if (false && DEBUG_UID_OBSERVERS) Slog.i(TAG_UID_OBSERVERS,
                   "Starting update of " + uidRec);
           uidRec.reset();
       }
       mAdjSeq++;
       mNewNumServiceProcs = 0;
       mNewNumAServiceProcs = 0;
       final int emptyProcessLimit;
       final int cachedProcessLimit;
       if (mProcessLimit <= 0) {
           emptyProcessLimit = cachedProcessLimit = 0;
       } else if (mProcessLimit == 1) {
           emptyProcessLimit = 1;
           cachedProcessLimit = 0;
       } else {
           emptyProcessLimit = ProcessList.computeEmptyProcessLimit(mProcessLimit);
           cachedProcessLimit = mProcessLimit - emptyProcessLimit;
       }
       // Let's determine how many processes we have running vs.
       // how many slots we have for background processes; we may want
       // to put multiple processes in a slot of there are enough of
       // them.
       int numSlots = (ProcessList.CACHED_APP_MAX_ADJ
               - ProcessList.CACHED_APP_MIN_ADJ + 1) / 2;
       int numEmptyProcs = N - mNumNonCachedProcs - mNumCachedHiddenProcs;
       if (numEmptyProcs > cachedProcessLimit) {
           // If there are more empty processes than our limit on cached
           // processes, then use the cached process limit for the factor.
           // This ensures that the really old empty processes get pushed
           // down to the bottom, so if we are running low on memory we will
           // have a better chance at keeping around more cached processes
           // instead of a gazillion empty processes.
           numEmptyProcs = cachedProcessLimit;
       }
       int emptyFactor = numEmptyProcs/numSlots;
       if (emptyFactor < 1) emptyFactor = 1;
       int cachedFactor = (mNumCachedHiddenProcs > 0 ? mNumCachedHiddenProcs : 1)/numSlots;
       if (cachedFactor < 1) cachedFactor = 1;
       int stepCached = 0;
       int stepEmpty = 0;
       int numCached = 0;
       int numEmpty = 0;
       int numTrimming = 0;
       mNumNonCachedProcs = 0;
       mNumCachedHiddenProcs = 0;
       // First update the OOM adjustment for each of the
       // application processes based on their current state.
       int curCachedAdj = ProcessList.CACHED_APP_MIN_ADJ;
       int nextCachedAdj = curCachedAdj+1;
       int curEmptyAdj = ProcessList.CACHED_APP_MIN_ADJ;
       int nextEmptyAdj = curEmptyAdj+2;
       for (int i=N-1; i>=0; i--) {
           ProcessRecord app = mLruProcesses.get(i);
           if (!app.killedByAm && app.thread != null) {
               app.procStateChanged = false;
               computeOomAdjLocked(app, ProcessList.UNKNOWN_ADJ, TOP_APP, true, now);
               // If we haven't yet assigned the final cached adj
               // to the process, do that now.
               if (app.curAdj >= ProcessList.UNKNOWN_ADJ) { //KP 注意:oom_adj值是越大则优先级越小，所以这里的app.curAdj>=ProcessList.UNKNOWN_ADJ表示比ProcessList.UNKNOWN_ADJ的优先级还低，即表示还没更新它的oom_adj值
                   switch (app.curProcState) {
                       case ActivityManager.PROCESS_STATE_CACHED_ACTIVITY:
                       case ActivityManager.PROCESS_STATE_CACHED_ACTIVITY_CLIENT:
                           // This process is a cached process holding activities...
                           // assign it the next cached value for that type, and then
                           // step that cached level.
                           app.curRawAdj = curCachedAdj;
                           app.curAdj = app.modifyRawOomAdj(curCachedAdj);
                           if (DEBUG_LRU && false) Slog.d(TAG_LRU, "Assigning activity LRU #" + i
                                   + " adj: " + app.curAdj + " (curCachedAdj=" + curCachedAdj
                                   + ")");
                           if (curCachedAdj != nextCachedAdj) {
                               stepCached++;
                               if (stepCached >= cachedFactor) {
                                   stepCached = 0;
                                   curCachedAdj = nextCachedAdj;
                                   nextCachedAdj += 2;
                                   if (nextCachedAdj > ProcessList.CACHED_APP_MAX_ADJ) {
                                       nextCachedAdj = ProcessList.CACHED_APP_MAX_ADJ;
                                   }
                               }
                           }
                           break;
                       default:
                           // For everything else, assign next empty cached process
                           // level and bump that up.  Note that this means that
                           // long-running services that have dropped down to the
                           // cached level will be treated as empty (since their process
                           // state is still as a service), which is what we want.
                           app.curRawAdj = curEmptyAdj;
                           app.curAdj = app.modifyRawOomAdj(curEmptyAdj);
                           if (DEBUG_LRU && false) Slog.d(TAG_LRU, "Assigning empty LRU #" + i
                                   + " adj: " + app.curAdj + " (curEmptyAdj=" + curEmptyAdj
                                   + ")");
                           if (curEmptyAdj != nextEmptyAdj) {
                               stepEmpty++;
                               if (stepEmpty >= emptyFactor) {
                                   stepEmpty = 0;
                                   curEmptyAdj = nextEmptyAdj;
                                   nextEmptyAdj += 2;
                                   if (nextEmptyAdj > ProcessList.CACHED_APP_MAX_ADJ) {
                                       nextEmptyAdj = ProcessList.CACHED_APP_MAX_ADJ;
                                   }
                               }
                           }
                           break;
                   }
               }
               applyOomAdjLocked(app, true, now, nowElapsed);
               // Count the number of process types.
               switch (app.curProcState) {
                   case ActivityManager.PROCESS_STATE_CACHED_ACTIVITY:
                   case ActivityManager.PROCESS_STATE_CACHED_ACTIVITY_CLIENT:
                       mNumCachedHiddenProcs++;
                       numCached++;
                       if (numCached > cachedProcessLimit) {
                           app.kill("cached #" + numCached, true);
                       }
                       break;
                   case ActivityManager.PROCESS_STATE_CACHED_EMPTY:
                       if (numEmpty > ProcessList.TRIM_EMPTY_APPS
                               && app.lastActivityTime < oldTime) {
                           app.kill("empty for "
                                   + ((oldTime + ProcessList.MAX_EMPTY_TIME - app.lastActivityTime)
                                   / 1000) + "s", true);
                       } else {
                           numEmpty++;
                           if (numEmpty > emptyProcessLimit) {
                               app.kill("empty #" + numEmpty, true);
                           }
                       }
                       break;
                   default:
                       mNumNonCachedProcs++;
                       break;
               }
               if (app.isolated && app.services.size() <= 0) {
                   // If this is an isolated process, and there are no
                   // services running in it, then the process is no longer
                   // needed.  We agressively kill these because we can by
                   // definition not re-use the same process again, and it is
                   // good to avoid having whatever code was running in them
                   // left sitting around after no longer needed.
                   app.kill("isolated not needed", true);
               } else {
                   // Keeping this process, update its uid.
                   final UidRecord uidRec = app.uidRecord;
                   if (uidRec != null && uidRec.curProcState > app.curProcState) {
                       uidRec.curProcState = app.curProcState;
                   }
               }
               if (app.curProcState >= ActivityManager.PROCESS_STATE_HOME
                       && !app.killedByAm) {
                   numTrimming++;
               }
           }
       }
       mNumServiceProcs = mNewNumServiceProcs;
       // Now determine the memory trimming level of background processes.
       // Unfortunately we need to start at the back of the list to do this
       // properly.  We only do this if the number of background apps we
       // are managing to keep around is less than half the maximum we desire;
       // if we are keeping a good number around, we'll let them use whatever
       // memory they want.
       final int numCachedAndEmpty = numCached + numEmpty;
       int memFactor;
       if (numCached <= ProcessList.TRIM_CACHED_APPS
               && numEmpty <= ProcessList.TRIM_EMPTY_APPS) {
           if (numCachedAndEmpty <= ProcessList.TRIM_CRITICAL_THRESHOLD) {
               memFactor = ProcessStats.ADJ_MEM_FACTOR_CRITICAL;
           } else if (numCachedAndEmpty <= ProcessList.TRIM_LOW_THRESHOLD) {
               memFactor = ProcessStats.ADJ_MEM_FACTOR_LOW;
           } else {
               memFactor = ProcessStats.ADJ_MEM_FACTOR_MODERATE;
           }
       } else {
           memFactor = ProcessStats.ADJ_MEM_FACTOR_NORMAL;
       }
       // We always allow the memory level to go up (better).  We only allow it to go
       // down if we are in a state where that is allowed, *and* the total number of processes
       // has gone down since last time.
       if (DEBUG_OOM_ADJ) Slog.d(TAG_OOM_ADJ, "oom: memFactor=" + memFactor
               + " last=" + mLastMemoryLevel + " allowLow=" + mAllowLowerMemLevel
               + " numProcs=" + mLruProcesses.size() + " last=" + mLastNumProcesses);
       if (memFactor > mLastMemoryLevel) {
           if (!mAllowLowerMemLevel || mLruProcesses.size() >= mLastNumProcesses) {
               memFactor = mLastMemoryLevel;
               if (DEBUG_OOM_ADJ) Slog.d(TAG_OOM_ADJ, "Keeping last mem factor!");
           }
       }
       mLastMemoryLevel = memFactor;
       mLastNumProcesses = mLruProcesses.size();
       boolean allChanged = mProcessStats.setMemFactorLocked(memFactor, !isSleeping(), now);
       final int trackerMemFactor = mProcessStats.getMemFactorLocked();
       if (memFactor != ProcessStats.ADJ_MEM_FACTOR_NORMAL) {
           if (mLowRamStartTime == 0) {
               mLowRamStartTime = now;
           }
           int step = 0;
           int fgTrimLevel;
           switch (memFactor) {
               case ProcessStats.ADJ_MEM_FACTOR_CRITICAL:
                   fgTrimLevel = ComponentCallbacks2.TRIM_MEMORY_RUNNING_CRITICAL;
                   break;
               case ProcessStats.ADJ_MEM_FACTOR_LOW:
                   fgTrimLevel = ComponentCallbacks2.TRIM_MEMORY_RUNNING_LOW;
                   break;
               default:
                   fgTrimLevel = ComponentCallbacks2.TRIM_MEMORY_RUNNING_MODERATE;
                   break;
           }
           int factor = numTrimming/3;
           int minFactor = 2;
           if (mHomeProcess != null) minFactor++;
           if (mPreviousProcess != null) minFactor++;
           if (factor < minFactor) factor = minFactor;
           int curLevel = ComponentCallbacks2.TRIM_MEMORY_COMPLETE;
           for (int i=N-1; i>=0; i--) {
               ProcessRecord app = mLruProcesses.get(i);
               if (allChanged || app.procStateChanged) {
                   setProcessTrackerStateLocked(app, trackerMemFactor, now);
                   app.procStateChanged = false;
               }
               if (app.curProcState >= ActivityManager.PROCESS_STATE_HOME
                       && !app.killedByAm) {
                   if (app.trimMemoryLevel < curLevel && app.thread != null) {
                       try {
                           if (DEBUG_SWITCH || DEBUG_OOM_ADJ) Slog.v(TAG_OOM_ADJ,
                                   "Trimming memory of " + app.processName + " to " + curLevel);
                           app.thread.scheduleTrimMemory(curLevel);
                       } catch (RemoteException e) {
                       }
                       if (false) {
                           // For now we won't do this; our memory trimming seems
                           // to be good enough at this point that destroying
                           // activities causes more harm than good.
                           if (curLevel >= ComponentCallbacks2.TRIM_MEMORY_COMPLETE
                                   && app != mHomeProcess && app != mPreviousProcess) {
                               // Need to do this on its own message because the stack may not
                               // be in a consistent state at this point.
                               // For these apps we will also finish their activities
                               // to help them free memory.
                               mStackSupervisor.scheduleDestroyAllActivities(app, "trim");
                           }
                       }
                   }
                   app.trimMemoryLevel = curLevel;
                   step++;
                   if (step >= factor) {
                       step = 0;
                       switch (curLevel) {
                           case ComponentCallbacks2.TRIM_MEMORY_COMPLETE:
                               curLevel = ComponentCallbacks2.TRIM_MEMORY_MODERATE;
                               break;
                           case ComponentCallbacks2.TRIM_MEMORY_MODERATE:
                               curLevel = ComponentCallbacks2.TRIM_MEMORY_BACKGROUND;
                               break;
                       }
                   }
               } else if (app.curProcState == ActivityManager.PROCESS_STATE_HEAVY_WEIGHT) {
                   if (app.trimMemoryLevel < ComponentCallbacks2.TRIM_MEMORY_BACKGROUND
                           && app.thread != null) {
                       try {
                           if (DEBUG_SWITCH || DEBUG_OOM_ADJ) Slog.v(TAG_OOM_ADJ,
                                   "Trimming memory of heavy-weight " + app.processName
                                   + " to " + ComponentCallbacks2.TRIM_MEMORY_BACKGROUND);
                           app.thread.scheduleTrimMemory(
                                   ComponentCallbacks2.TRIM_MEMORY_BACKGROUND);
                       } catch (RemoteException e) {
                       }
                   }
                   app.trimMemoryLevel = ComponentCallbacks2.TRIM_MEMORY_BACKGROUND;
               } else {
                   if ((app.curProcState >= ActivityManager.PROCESS_STATE_IMPORTANT_BACKGROUND
                           || app.systemNoUi) && app.pendingUiClean) {
                       // If this application is now in the background and it
                       // had done UI, then give it the special trim level to
                       // have it free UI resources.
                       final int level = ComponentCallbacks2.TRIM_MEMORY_UI_HIDDEN;
                       if (app.trimMemoryLevel < level && app.thread != null) {
                           try {
                               if (DEBUG_SWITCH || DEBUG_OOM_ADJ) Slog.v(TAG_OOM_ADJ,
                                       "Trimming memory of bg-ui " + app.processName
                                       + " to " + level);
                               app.thread.scheduleTrimMemory(level);
                           } catch (RemoteException e) {
                           }
                       }
                       app.pendingUiClean = false;
                   }
                   if (app.trimMemoryLevel < fgTrimLevel && app.thread != null) {
                       try {
                           if (DEBUG_SWITCH || DEBUG_OOM_ADJ) Slog.v(TAG_OOM_ADJ,
                                   "Trimming memory of fg " + app.processName
                                   + " to " + fgTrimLevel);
                           app.thread.scheduleTrimMemory(fgTrimLevel);
                       } catch (RemoteException e) {
                       }
                   }
                   app.trimMemoryLevel = fgTrimLevel;
               }
           }
       } else {
           if (mLowRamStartTime != 0) {
               mLowRamTimeSinceLastIdle += now - mLowRamStartTime;
               mLowRamStartTime = 0;
           }
           for (int i=N-1; i>=0; i--) {
               ProcessRecord app = mLruProcesses.get(i);
               if (allChanged || app.procStateChanged) {
                   setProcessTrackerStateLocked(app, trackerMemFactor, now);
                   app.procStateChanged = false;
               }
               if ((app.curProcState >= ActivityManager.PROCESS_STATE_IMPORTANT_BACKGROUND
                       || app.systemNoUi) && app.pendingUiClean) {
                   if (app.trimMemoryLevel < ComponentCallbacks2.TRIM_MEMORY_UI_HIDDEN
                           && app.thread != null) {
                       try {
                           if (DEBUG_SWITCH || DEBUG_OOM_ADJ) Slog.v(TAG_OOM_ADJ,
                                   "Trimming memory of ui hidden " + app.processName
                                   + " to " + ComponentCallbacks2.TRIM_MEMORY_UI_HIDDEN);
                           app.thread.scheduleTrimMemory(
                                   ComponentCallbacks2.TRIM_MEMORY_UI_HIDDEN);
                       } catch (RemoteException e) {
                       }
                   }
                   app.pendingUiClean = false;
               }
               app.trimMemoryLevel = 0;
           }
       }
       if (mAlwaysFinishActivities) {
           // Need to do this on its own message because the stack may not
           // be in a consistent state at this point.
           mStackSupervisor.scheduleDestroyAllActivities(null, "always-finish");
       }
       if (allChanged) {
           requestPssAllProcsLocked(now, false, mProcessStats.isMemFactorLowered());
       }
       // Update from any uid changes.
       for (int i=mActiveUids.size()-1; i>=0; i--) {
           final UidRecord uidRec = mActiveUids.valueAt(i);
           if (uidRec.setProcState != uidRec.curProcState) {
               if (DEBUG_UID_OBSERVERS) Slog.i(TAG_UID_OBSERVERS,
                       "Changes in " + uidRec + ": proc state from " + uidRec.setProcState
                       + " to " + uidRec.curProcState);
               uidRec.setProcState = uidRec.curProcState;
               enqueueUidChangeLocked(uidRec, false);
           }
       }
       if (mProcessStats.shouldWriteNowLocked(now)) {
           mHandler.post(new Runnable() {
               @Override public void run() {
                   synchronized (ActivityManagerService.this) {
                       mProcessStats.writeStateAsyncLocked();
                   }
               }
           });
       }
       if (DEBUG_OOM_ADJ) {
           final long duration = SystemClock.uptimeMillis() - now;
           if (false) {
               Slog.d(TAG_OOM_ADJ, "Did OOM ADJ in " + duration + "ms",
                       new RuntimeException("here").fillInStackTrace());
           } else {
               Slog.d(TAG_OOM_ADJ, "Did OOM ADJ in " + duration + "ms");
           }
       }
   }

吐槽一下这个400多行的方法，还好这个方法的注释写得比较全面，主要就是做了以下事情:

首先基于app当前状态更新每个app进程的oom_adj值，在这里面也可以看到，对于孤立的进程(即无service在其中运行的进程)，AMS会有很大的概率将其杀死(原话是agressively kill these)，所以如果想保活的话，要尽可能避免这种情况的出现
然后决定后台进程的memory trimming level
最后会根据uid的改变来更新oom_adj值

client端的连接回调

再回到ActiveServices中的bindServiceLocked()方法中，在更新完Service所在进程的oom_adj值之后，会通过IServiceConnection进行IPC调用，对应的代码片段为:

... 
if (s.app != null && b.intent.received) {
                // Service is already running, so we can immediately
                // publish the connection.
                try {
                    c.conn.connected(s.name, b.intent.binder);
                } catch (Exception e) {
                    Slog.w(TAG, "Failure sending service " + s.shortName
                            + " to connection " + c.conn.asBinder()
                            + " (in " + c.binding.client.processName + ")", e);
                }
                // If this is the first app connected back to this binding,
                // and the service had previously asked to be told when
                // rebound, then do so.
                if (b.intent.apps.size() == 1 && b.intent.doRebind) {
                    requestServiceBindingLocked(s, b.intent, callerFg, true);
                }
            } else if (!b.intent.requested) {
                requestServiceBindingLocked(s, b.intent, callerFg, false);
            }
            ....

显然是调用IServiceConnection的connected()方法，再回到ContextImpl中，IServiceConnection的真正实现在ServiceDispatcher中的InnerConnection中:

private static class InnerConnection extends IServiceConnection.Stub {
     final WeakReference<LoadedApk.ServiceDispatcher> mDispatcher;
     InnerConnection(LoadedApk.ServiceDispatcher sd) {
         mDispatcher = new WeakReference<LoadedApk.ServiceDispatcher>(sd);
     }
     public void connected(ComponentName name, IBinder service) throws RemoteException {
         LoadedApk.ServiceDispatcher sd = mDispatcher.get();
         if (sd != null) {
             sd.connected(name, service);
         }
     }
 }

显然，通过IPC调用之后会调用ServiceDispatcher的connected()方法，该方法如下:

public void connected(ComponentName name, IBinder service) {
           if (mActivityThread != null) {
               mActivityThread.post(new RunConnection(name, service, 0));
           } else {
               doConnected(name, service);
           }
       }

到这里就很好理解了，由于回调是在binder线程中，这里通过ActivityThread中的Handler将事件发布到主线程中，其中RunConnection如下:

private final class RunConnection implements Runnable {
           RunConnection(ComponentName name, IBinder service, int command) {
               mName = name;
               mService = service;
               mCommand = command;
           }
           public void run() {
               if (mCommand == 0) {
                   doConnected(mName, mService);
               } else if (mCommand == 1) {
                   doDeath(mName, mService);
               }
           }
           final ComponentName mName;
           final IBinder mService;
           final int mCommand;
       }

而doConnected()方法如下:

public void doConnected(ComponentName name, IBinder service) {
          ServiceDispatcher.ConnectionInfo old;
          ServiceDispatcher.ConnectionInfo info;
          synchronized (this) {
              if (mForgotten) {
                  // We unbound before receiving the connection; ignore
                  // any connection received.
                  return;
              }
              old = mActiveConnections.get(name);
              if (old != null && old.binder == service) {
                  // Huh, already have this one.  Oh well!
                  return;
              }
              if (service != null) {
                  // A new service is being connected... set it all up.
                  mDied = false;
                  info = new ConnectionInfo();
                  info.binder = service;
                  info.deathMonitor = new DeathMonitor(name, service);
                  try {
                      service.linkToDeath(info.deathMonitor, 0);
                      mActiveConnections.put(name, info);
                  } catch (RemoteException e) {
                      // This service was dead before we got it...  just
                      // don't do anything with it.
                      mActiveConnections.remove(name);
                      return;
                  }
              } else {
                  // The named service is being disconnected... clean up.
                  mActiveConnections.remove(name);
              }
              if (old != null) {
                  old.binder.unlinkToDeath(old.deathMonitor, 0);
              }
          }
          // If there was an old service, it is not disconnected.
          if (old != null) {
              mConnection.onServiceDisconnected(name);
          }
          // If there is a new service, it is now connected.
          if (service != null) {
              mConnection.onServiceConnected(name, service);
          }
      }

可以发现，这个方法看似很长，实际上主要就是做了三件事:

处理之前的ServiceConnection
为IBinder添加DeathMonitor,一旦发现binderDied()回调，就进行连接记录的修改，以及调用ServiceConnection的onDisconnected()方法
调用我们创建的ServiceConnection的onServiceConnected()方法。

继续AMS中的bindServiceLocked()方法

再回到AMS的bindServiceLocked()方法，最后面的一个代码片段如下:

if (s.app != null && b.intent.received) {
     // Service is already running, so we can immediately
     // publish the connection.
     try {
         c.conn.connected(s.name, b.intent.binder);
     } catch (Exception e) {
         Slog.w(TAG, "Failure sending service " + s.shortName
                 + " to connection " + c.conn.asBinder()
                 + " (in " + c.binding.client.processName + ")", e);
     }
     // If this is the first app connected back to this binding,
     // and the service had previously asked to be told when
     // rebound, then do so.
     if (b.intent.apps.size() == 1 && b.intent.doRebind) {
         requestServiceBindingLocked(s, b.intent, callerFg, true);
     }
 } else if (!b.intent.requested) {
     requestServiceBindingLocked(s, b.intent, callerFg, false);
 }

这段代码非常有意思，即有两种情形，一种是某个进程重连到远程Service时，会调用requestServiceBindingLocked()方法:

private final boolean requestServiceBindingLocked(ServiceRecord r, IntentBindRecord i,
           boolean execInFg, boolean rebind) throws TransactionTooLargeException {
       if (r.app == null || r.app.thread == null) {
           // If service is not currently running, can't yet bind.
           return false;
       }
       if ((!i.requested || rebind) && i.apps.size() > 0) {
           try {
               bumpServiceExecutingLocked(r, execInFg, "bind");
               r.app.forceProcessStateUpTo(ActivityManager.PROCESS_STATE_SERVICE);
               r.app.thread.scheduleBindService(r, i.intent.getIntent(), rebind,
                       r.app.repProcState);
               if (!rebind) {
                   i.requested = true;
               }
               i.hasBound = true;
               i.doRebind = false;
           } catch (TransactionTooLargeException e) {
               // Keep the executeNesting count accurate.
               if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "Crashed while binding " + r, e);
               final boolean inDestroying = mDestroyingServices.contains(r);
               serviceDoneExecutingLocked(r, inDestroying, inDestroying);
               throw e;
           } catch (RemoteException e) {
               if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "Crashed while binding " + r);
               // Keep the executeNesting count accurate.
               final boolean inDestroying = mDestroyingServices.contains(r);
               serviceDoneExecutingLocked(r, inDestroying, inDestroying);
               return false;
           }
       }
       return true;
   }

忽略其它细节，注意r.app.thread.scheduleBindService()这个调用，这其实是会IPC调用到Service所在进程的ApplicationThread的scheduleBindService()方法,之后通过Handler在主线程调用handleBindService()方法：

private void handleBindService(BindServiceData data) {
        Service s = mServices.get(data.token);
        if (DEBUG_SERVICE)
            Slog.v(TAG, "handleBindService s=" + s + " rebind=" + data.rebind);
        if (s != null) {
            try {
                data.intent.setExtrasClassLoader(s.getClassLoader());
                data.intent.prepareToEnterProcess();
                try {
                    if (!data.rebind) {
                        IBinder binder = s.onBind(data.intent);
                        ActivityManagerNative.getDefault().publishService(
                                data.token, data.intent, binder);
                    } else {
                        s.onRebind(data.intent);
                        ActivityManagerNative.getDefault().serviceDoneExecuting(
                                data.token, SERVICE_DONE_EXECUTING_ANON, 0, 0);
                    }
                    ensureJitEnabled();
                } catch (RemoteException ex) {
                }
            } catch (Exception e) {
                if (!mInstrumentation.onException(s, e)) {
                    throw new RuntimeException(
                            "Unable to bind to service " + s
                            + " with " + data.intent + ": " + e.toString(), e);
                }
            }
        }
    }

在这里可以看到分两种情况，如果不是重新连接，调用AMP的publishService()方法;否则调用AMP的serviceDoneExecuting()方法，这个方法其实是一个IPC调用，告诉AMS重新连接上了，然后AMS就会更新它的ServiceRecord和相应进程的oom_adj值。下一小节我们将分析AMS的publishService()方法。

AMS.publishService()

publishService()方法如下:

public void publishService(IBinder token, Intent intent, IBinder service) {
        // Refuse possible leaked file descriptors
        if (intent != null && intent.hasFileDescriptors() == true) {
            throw new IllegalArgumentException("File descriptors passed in Intent");
        }
        synchronized(this) {
            if (!(token instanceof ServiceRecord)) {
                throw new IllegalArgumentException("Invalid service token");
            }
            mServices.publishServiceLocked((ServiceRecord)token, intent, service);
        }
    }

类似的，调用到ActiveServices的publishServiceLocked()方法:

void publishServiceLocked(ServiceRecord r, Intent intent, IBinder service) {
       final long origId = Binder.clearCallingIdentity();
       try {
           ...
           if (r != null) {
               Intent.FilterComparison filter
                       = new Intent.FilterComparison(intent);
               IntentBindRecord b = r.bindings.get(filter);
               if (b != null && !b.received) {
                   b.binder = service;
                   b.requested = true;
                   b.received = true;
                   for (int conni=r.connections.size()-1; conni>=0; conni--) {
                       ArrayList<ConnectionRecord> clist = r.connections.valueAt(conni);
                       for (int i=0; i<clist.size(); i++) {
                           ConnectionRecord c = clist.get(i);
                           if (!filter.equals(c.binding.intent.intent)) {
                               ...
                               continue;
                           }
                           ...
                           try {
                               c.conn.connected(r.name, service);
                           } catch (Exception e) {
                               ...
                           }
                       }
                   }
               }
               serviceDoneExecutingLocked(r, mDestroyingServices.contains(r), false);
           }
       } finally {
           Binder.restoreCallingIdentity(origId);
       }
   }

这个方法主要做了两件事:

给IntentBindRecord赋值，其中的binder就是Service中onBind()所返回的binder;

这里会先判断b.received是否为false,如果为false说明发起绑定流程的进程还没收到绑定回调，从而此时会再次通过IPC调用到InnerConnection的connected()方法。

最后再来看一下serviceDoneExecutingLocked()方法，这个方法也很重要:

private void serviceDoneExecutingLocked(ServiceRecord r, boolean inDestroying,
          boolean finishing) {
      if (DEBUG_SERVICE) Slog.v(TAG_SERVICE, "<<< DONE EXECUTING " + r
              + ": nesting=" + r.executeNesting
              + ", inDestroying=" + inDestroying + ", app=" + r.app);
      else if (DEBUG_SERVICE_EXECUTING) Slog.v(TAG_SERVICE_EXECUTING,
              "<<< DONE EXECUTING " + r.shortName);
      r.executeNesting--;
      if (r.executeNesting <= 0) {
          if (r.app != null) {
              if (DEBUG_SERVICE) Slog.v(TAG_SERVICE,
                      "Nesting at 0 of " + r.shortName);
              r.app.execServicesFg = false;
              r.app.executingServices.remove(r);
              if (r.app.executingServices.size() == 0) {
                  if (DEBUG_SERVICE || DEBUG_SERVICE_EXECUTING) Slog.v(TAG_SERVICE_EXECUTING,
                          "No more executingServices of " + r.shortName);
                  mAm.mHandler.removeMessages(ActivityManagerService.SERVICE_TIMEOUT_MSG, r.app);
              } else if (r.executeFg) {
                  // Need to re-evaluate whether the app still needs to be in the foreground.
                  for (int i=r.app.executingServices.size()-1; i>=0; i--) {
                      if (r.app.executingServices.valueAt(i).executeFg) {
                          r.app.execServicesFg = true;
                          break;
                      }
                  }
              }
              if (inDestroying) {
                  if (DEBUG_SERVICE) Slog.v(TAG_SERVICE,
                          "doneExecuting remove destroying " + r);
                  mDestroyingServices.remove(r);
                  r.bindings.clear();
              }
              mAm.updateOomAdjLocked(r.app);
          }
          r.executeFg = false;
          if (r.tracker != null) {
              r.tracker.setExecuting(false, mAm.mProcessStats.getMemFactorLocked(),
                      SystemClock.uptimeMillis());
              if (finishing) {
                  r.tracker.clearCurrentOwner(r, false);
                  r.tracker = null;
              }
          }
          if (finishing) {
              if (r.app != null && !r.app.persistent) {
                  r.app.services.remove(r);
              }
              r.app = null;
          }
      }
  }

整个方法中，对我们来说最重要的就是mAm.updateOomAdjLocked(r.app);这个方法了,因为它涉及到更新Service所在进程的oom_adj值，而oom_adj值直接关系到内存回收。由于AMS.updateOomAdjLocked()方法我们在前面已经分析过了，这里就不再赘述了。

总结

通过前面的分析，可以知道bindService()其实主要做了以下事情:

在client侧，ServiceConnection对象会保存在ServiceDispatcher对象中，并且利用IServiceConnection进行IPC
AMS会根据bindService中的Intent信息，会对Service侧进行两次IPC调用，分别是IApplicationThread的scheduleCreateService()和scheduleBindService(), 前者是为了新建Service, 而后者是获取Service的onBind()所返回的IBinder对象
之后AMS会根据client端和Service本身的的情况来调整Service所在进程的oom_adj值
最后通过IServiceConnection的proxy进行IPC,最终调用到client端的ServiceConnection的onServiceConnected()方法

用图片展示整个流程的关键节点如下: