| /* |
| * Copyright (C) 2005 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #define LOG_TAG "IPCThreadState" |
| |
| #include <binder/IPCThreadState.h> |
| |
| #include <binder/Binder.h> |
| #include <binder/BpBinder.h> |
| #include <binder/TextOutput.h> |
| |
| #include <utils/CallStack.h> |
| |
| #include <atomic> |
| #include <errno.h> |
| #include <inttypes.h> |
| #include <pthread.h> |
| #include <sched.h> |
| #include <signal.h> |
| #include <stdio.h> |
| #include <sys/ioctl.h> |
| #include <sys/resource.h> |
| #include <unistd.h> |
| |
| #include "Utils.h" |
| #include "binder_module.h" |
| |
| #if LOG_NDEBUG |
| |
| #define IF_LOG_TRANSACTIONS() if (false) |
| #define IF_LOG_COMMANDS() if (false) |
| #define LOG_REMOTEREFS(...) |
| #define IF_LOG_REMOTEREFS() if (false) |
| |
| #define LOG_THREADPOOL(...) |
| #define LOG_ONEWAY(...) |
| |
| #else |
| |
| #define IF_LOG_TRANSACTIONS() IF_ALOG(LOG_VERBOSE, "transact") |
| #define IF_LOG_COMMANDS() IF_ALOG(LOG_VERBOSE, "ipc") |
| #define LOG_REMOTEREFS(...) ALOG(LOG_DEBUG, "remoterefs", __VA_ARGS__) |
| #define IF_LOG_REMOTEREFS() IF_ALOG(LOG_DEBUG, "remoterefs") |
| #define LOG_THREADPOOL(...) ALOG(LOG_DEBUG, "threadpool", __VA_ARGS__) |
| #define LOG_ONEWAY(...) ALOG(LOG_DEBUG, "ipc", __VA_ARGS__) |
| |
| #endif |
| |
| // --------------------------------------------------------------------------- |
| |
| namespace android { |
| |
| using namespace std::chrono_literals; |
| |
| // Static const and functions will be optimized out if not used, |
| // when LOG_NDEBUG and references in IF_LOG_COMMANDS() are optimized out. |
| static const char* kReturnStrings[] = { |
| "BR_ERROR", |
| "BR_OK", |
| "BR_TRANSACTION/BR_TRANSACTION_SEC_CTX", |
| "BR_REPLY", |
| "BR_ACQUIRE_RESULT", |
| "BR_DEAD_REPLY", |
| "BR_TRANSACTION_COMPLETE", |
| "BR_INCREFS", |
| "BR_ACQUIRE", |
| "BR_RELEASE", |
| "BR_DECREFS", |
| "BR_ATTEMPT_ACQUIRE", |
| "BR_NOOP", |
| "BR_SPAWN_LOOPER", |
| "BR_FINISHED", |
| "BR_DEAD_BINDER", |
| "BR_CLEAR_DEATH_NOTIFICATION_DONE", |
| "BR_FAILED_REPLY", |
| "BR_FROZEN_REPLY", |
| "BR_ONEWAY_SPAM_SUSPECT", |
| "BR_TRANSACTION_PENDING_FROZEN", |
| "BR_FROZEN_BINDER", |
| "BR_CLEAR_FREEZE_NOTIFICATION_DONE", |
| }; |
| |
| static const char* kCommandStrings[] = { |
| "BC_TRANSACTION", |
| "BC_REPLY", |
| "BC_ACQUIRE_RESULT", |
| "BC_FREE_BUFFER", |
| "BC_INCREFS", |
| "BC_ACQUIRE", |
| "BC_RELEASE", |
| "BC_DECREFS", |
| "BC_INCREFS_DONE", |
| "BC_ACQUIRE_DONE", |
| "BC_ATTEMPT_ACQUIRE", |
| "BC_REGISTER_LOOPER", |
| "BC_ENTER_LOOPER", |
| "BC_EXIT_LOOPER", |
| "BC_REQUEST_DEATH_NOTIFICATION", |
| "BC_CLEAR_DEATH_NOTIFICATION", |
| "BC_DEAD_BINDER_DONE", |
| "BC_TRANSACTION_SG", |
| "BC_REPLY_SG", |
| "BC_REQUEST_FREEZE_NOTIFICATION", |
| "BC_CLEAR_FREEZE_NOTIFICATION", |
| "BC_FREEZE_NOTIFICATION_DONE", |
| }; |
| |
| static const int64_t kWorkSourcePropagatedBitIndex = 32; |
| |
| static const char* getReturnString(uint32_t cmd) |
| { |
| size_t idx = cmd & _IOC_NRMASK; |
| if (idx < sizeof(kReturnStrings) / sizeof(kReturnStrings[0])) |
| return kReturnStrings[idx]; |
| else |
| return "unknown"; |
| } |
| |
| static const void* printBinderTransactionData(std::ostream& out, const void* data) { |
| const binder_transaction_data* btd = |
| (const binder_transaction_data*)data; |
| if (btd->target.handle < 1024) { |
| /* want to print descriptors in decimal; guess based on value */ |
| out << "\ttarget.desc=" << btd->target.handle; |
| } else { |
| out << "\ttarget.ptr=" << btd->target.ptr; |
| } |
| out << "\t (cookie " << btd->cookie << ")\n" |
| << "\tcode=" << TypeCode(btd->code) << ", flags=" << (void*)(uint64_t)btd->flags << "\n" |
| << "\tdata=" << btd->data.ptr.buffer << " (" << (void*)btd->data_size << " bytes)\n" |
| << "\toffsets=" << btd->data.ptr.offsets << " (" << (void*)btd->offsets_size << " bytes)\n"; |
| return btd + 1; |
| } |
| |
| static const void* printBinderTransactionDataSecCtx(std::ostream& out, const void* data) { |
| const binder_transaction_data_secctx* btd = (const binder_transaction_data_secctx*)data; |
| |
| printBinderTransactionData(out, &btd->transaction_data); |
| |
| char* secctx = (char*)btd->secctx; |
| out << "\tsecctx=" << secctx << "\n"; |
| |
| return btd+1; |
| } |
| |
| static const void* printReturnCommand(std::ostream& out, const void* _cmd) { |
| static const size_t N = sizeof(kReturnStrings)/sizeof(kReturnStrings[0]); |
| const int32_t* cmd = (const int32_t*)_cmd; |
| uint32_t code = (uint32_t)*cmd++; |
| size_t cmdIndex = code & 0xff; |
| if (code == BR_ERROR) { |
| out << "\tBR_ERROR: " << (void*)(uint64_t)(*cmd++) << "\n"; |
| return cmd; |
| } else if (cmdIndex >= N) { |
| out << "\tUnknown reply: " << code << "\n"; |
| return cmd; |
| } |
| out << "\t" << kReturnStrings[cmdIndex]; |
| |
| switch (code) { |
| case BR_TRANSACTION_SEC_CTX: { |
| out << ": "; |
| cmd = (const int32_t*)printBinderTransactionDataSecCtx(out, cmd); |
| } break; |
| |
| case BR_TRANSACTION: |
| case BR_REPLY: { |
| out << ": "; |
| cmd = (const int32_t*)printBinderTransactionData(out, cmd); |
| } break; |
| |
| case BR_ACQUIRE_RESULT: { |
| const int32_t res = *cmd++; |
| out << ": " << res << (res ? " (SUCCESS)" : " (FAILURE)"); |
| } break; |
| |
| case BR_INCREFS: |
| case BR_ACQUIRE: |
| case BR_RELEASE: |
| case BR_DECREFS: { |
| const int32_t b = *cmd++; |
| const int32_t c = *cmd++; |
| out << ": target=" << (void*)(uint64_t)b << " (cookie " << (void*)(uint64_t)c << ")"; |
| } break; |
| |
| case BR_ATTEMPT_ACQUIRE: { |
| const int32_t p = *cmd++; |
| const int32_t b = *cmd++; |
| const int32_t c = *cmd++; |
| out << ": target=" << (void*)(uint64_t)b << " (cookie " << (void*)(uint64_t)c |
| << "), pri=" << p; |
| } break; |
| |
| case BR_DEAD_BINDER: |
| case BR_CLEAR_DEATH_NOTIFICATION_DONE: { |
| const int32_t c = *cmd++; |
| out << ": death cookie " << (void*)(uint64_t)c; |
| } break; |
| |
| case BR_FROZEN_BINDER: { |
| const int32_t c = *cmd++; |
| const int32_t h = *cmd++; |
| const int32_t isFrozen = *cmd++; |
| out << ": freeze cookie " << (void*)(uint64_t)c << " isFrozen: " << isFrozen; |
| } break; |
| |
| case BR_CLEAR_FREEZE_NOTIFICATION_DONE: { |
| const int32_t c = *cmd++; |
| out << ": freeze cookie " << (void*)(uint64_t)c; |
| } break; |
| |
| default: |
| // no details to show for: BR_OK, BR_DEAD_REPLY, |
| // BR_TRANSACTION_COMPLETE, BR_FINISHED |
| break; |
| } |
| |
| out << "\n"; |
| return cmd; |
| } |
| |
| static void printReturnCommandParcel(std::ostream& out, const Parcel& parcel) { |
| const void* cmds = parcel.data(); |
| out << "\t" << HexDump(cmds, parcel.dataSize()) << "\n"; |
| IF_LOG_COMMANDS() { |
| const void* end = parcel.data() + parcel.dataSize(); |
| while (cmds < end) cmds = printReturnCommand(out, cmds); |
| } |
| } |
| |
| static const void* printCommand(std::ostream& out, const void* _cmd) { |
| static const size_t N = sizeof(kCommandStrings)/sizeof(kCommandStrings[0]); |
| const int32_t* cmd = (const int32_t*)_cmd; |
| uint32_t code = (uint32_t)*cmd++; |
| size_t cmdIndex = code & 0xff; |
| |
| if (cmdIndex >= N) { |
| out << "Unknown command: " << code << "\n"; |
| return cmd; |
| } |
| out << kCommandStrings[cmdIndex]; |
| |
| switch (code) { |
| case BC_TRANSACTION: |
| case BC_REPLY: { |
| out << ": "; |
| cmd = (const int32_t*)printBinderTransactionData(out, cmd); |
| } break; |
| |
| case BC_ACQUIRE_RESULT: { |
| const int32_t res = *cmd++; |
| out << ": " << res << (res ? " (SUCCESS)" : " (FAILURE)"); |
| } break; |
| |
| case BC_FREE_BUFFER: { |
| const int32_t buf = *cmd++; |
| out << ": buffer=" << (void*)(uint64_t)buf; |
| } break; |
| |
| case BC_INCREFS: |
| case BC_ACQUIRE: |
| case BC_RELEASE: |
| case BC_DECREFS: { |
| const int32_t d = *cmd++; |
| out << ": desc=" << d; |
| } break; |
| |
| case BC_INCREFS_DONE: |
| case BC_ACQUIRE_DONE: { |
| const int32_t b = *cmd++; |
| const int32_t c = *cmd++; |
| out << ": target=" << (void*)(uint64_t)b << " (cookie " << (void*)(uint64_t)c << ")"; |
| } break; |
| |
| case BC_ATTEMPT_ACQUIRE: { |
| const int32_t p = *cmd++; |
| const int32_t d = *cmd++; |
| out << ": desc=" << d << ", pri=" << p; |
| } break; |
| |
| case BC_REQUEST_DEATH_NOTIFICATION: |
| case BC_CLEAR_DEATH_NOTIFICATION: { |
| const int32_t h = *cmd++; |
| const int32_t c = *cmd++; |
| out << ": handle=" << h << " (death cookie " << (void*)(uint64_t)c << ")"; |
| } break; |
| |
| case BC_REQUEST_FREEZE_NOTIFICATION: |
| case BC_CLEAR_FREEZE_NOTIFICATION: { |
| const int32_t h = *cmd++; |
| const int32_t c = *cmd++; |
| out << ": handle=" << h << " (freeze cookie " << (void*)(uint64_t)c << ")"; |
| } break; |
| |
| case BC_DEAD_BINDER_DONE: { |
| const int32_t c = *cmd++; |
| out << ": death cookie " << (void*)(uint64_t)c; |
| } break; |
| |
| case BC_FREEZE_NOTIFICATION_DONE: { |
| const int32_t c = *cmd++; |
| out << ": freeze cookie " << (void*)(uint64_t)c; |
| } break; |
| |
| default: |
| // no details to show for: BC_REGISTER_LOOPER, BC_ENTER_LOOPER, |
| // BC_EXIT_LOOPER |
| break; |
| } |
| |
| out << "\n"; |
| return cmd; |
| } |
| |
| LIBBINDER_IGNORE("-Wzero-as-null-pointer-constant") |
| static pthread_mutex_t gTLSMutex = PTHREAD_MUTEX_INITIALIZER; |
| LIBBINDER_IGNORE_END() |
| static std::atomic<bool> gHaveTLS(false); |
| static pthread_key_t gTLS = 0; |
| static std::atomic<bool> gShutdown = false; |
| static std::atomic<bool> gDisableBackgroundScheduling = false; |
| |
| IPCThreadState* IPCThreadState::self() |
| { |
| if (gHaveTLS.load(std::memory_order_acquire)) { |
| restart: |
| const pthread_key_t k = gTLS; |
| IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k); |
| if (st) return st; |
| return new IPCThreadState; |
| } |
| |
| // Racey, heuristic test for simultaneous shutdown. |
| if (gShutdown.load(std::memory_order_relaxed)) { |
| ALOGW("Calling IPCThreadState::self() during shutdown is dangerous, expect a crash.\n"); |
| return nullptr; |
| } |
| |
| pthread_mutex_lock(&gTLSMutex); |
| if (!gHaveTLS.load(std::memory_order_relaxed)) { |
| int key_create_value = pthread_key_create(&gTLS, threadDestructor); |
| if (key_create_value != 0) { |
| pthread_mutex_unlock(&gTLSMutex); |
| ALOGW("IPCThreadState::self() unable to create TLS key, expect a crash: %s\n", |
| strerror(key_create_value)); |
| return nullptr; |
| } |
| gHaveTLS.store(true, std::memory_order_release); |
| } |
| pthread_mutex_unlock(&gTLSMutex); |
| goto restart; |
| } |
| |
| IPCThreadState* IPCThreadState::selfOrNull() |
| { |
| if (gHaveTLS.load(std::memory_order_acquire)) { |
| const pthread_key_t k = gTLS; |
| IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k); |
| return st; |
| } |
| return nullptr; |
| } |
| |
| void IPCThreadState::shutdown() |
| { |
| gShutdown.store(true, std::memory_order_relaxed); |
| |
| if (gHaveTLS.load(std::memory_order_acquire)) { |
| // XXX Need to wait for all thread pool threads to exit! |
| IPCThreadState* st = (IPCThreadState*)pthread_getspecific(gTLS); |
| if (st) { |
| delete st; |
| pthread_setspecific(gTLS, nullptr); |
| } |
| pthread_key_delete(gTLS); |
| gHaveTLS.store(false, std::memory_order_release); |
| } |
| } |
| |
| void IPCThreadState::disableBackgroundScheduling(bool disable) |
| { |
| gDisableBackgroundScheduling.store(disable, std::memory_order_relaxed); |
| } |
| |
| bool IPCThreadState::backgroundSchedulingDisabled() |
| { |
| return gDisableBackgroundScheduling.load(std::memory_order_relaxed); |
| } |
| |
| status_t IPCThreadState::clearLastError() |
| { |
| const status_t err = mLastError; |
| mLastError = NO_ERROR; |
| return err; |
| } |
| |
| pid_t IPCThreadState::getCallingPid() const |
| { |
| checkContextIsBinderForUse(__func__); |
| return mCallingPid; |
| } |
| |
| const char* IPCThreadState::getCallingSid() const |
| { |
| checkContextIsBinderForUse(__func__); |
| return mCallingSid; |
| } |
| |
| uid_t IPCThreadState::getCallingUid() const |
| { |
| checkContextIsBinderForUse(__func__); |
| return mCallingUid; |
| } |
| |
| const IPCThreadState::SpGuard* IPCThreadState::pushGetCallingSpGuard(const SpGuard* guard) { |
| const SpGuard* orig = mServingStackPointerGuard; |
| mServingStackPointerGuard = guard; |
| return orig; |
| } |
| |
| void IPCThreadState::restoreGetCallingSpGuard(const SpGuard* guard) { |
| mServingStackPointerGuard = guard; |
| } |
| |
| void IPCThreadState::checkContextIsBinderForUse(const char* use) const { |
| if (mServingStackPointerGuard == nullptr) [[likely]] { |
| return; |
| } |
| |
| if (!mServingStackPointer || mServingStackPointerGuard->address < mServingStackPointer) { |
| LOG_ALWAYS_FATAL("In context %s, %s does not make sense (binder sp: %p, guard: %p).", |
| mServingStackPointerGuard->context, use, mServingStackPointer, |
| mServingStackPointerGuard->address); |
| } |
| |
| // in the case mServingStackPointer is deeper in the stack than the guard, |
| // we must be serving a binder transaction (maybe nested). This is a binder |
| // context, so we don't abort |
| } |
| |
| constexpr uint32_t encodeExplicitIdentity(bool hasExplicitIdentity, pid_t callingPid) { |
| uint32_t as_unsigned = static_cast<uint32_t>(callingPid); |
| if (hasExplicitIdentity) { |
| return as_unsigned | (1 << 30); |
| } else { |
| return as_unsigned & ~(1 << 30); |
| } |
| } |
| |
| constexpr int64_t packCallingIdentity(bool hasExplicitIdentity, uid_t callingUid, |
| pid_t callingPid) { |
| // Calling PID is a 32-bit signed integer, but doesn't consume the entire 32 bit space. |
| // To future-proof this and because we have extra capacity, we decided to also support -1, |
| // since this constant is used to represent invalid UID in other places of the system. |
| // Thus, we pack hasExplicitIdentity into the 2nd bit from the left. This allows us to |
| // preserve the (left-most) bit for the sign while also encoding the value of |
| // hasExplicitIdentity. |
| // 32b | 1b | 1b | 30b |
| // token = [ calling uid | calling pid(sign) | has explicit identity | calling pid(rest) ] |
| uint64_t token = (static_cast<uint64_t>(callingUid) << 32) | |
| encodeExplicitIdentity(hasExplicitIdentity, callingPid); |
| return static_cast<int64_t>(token); |
| } |
| |
| constexpr bool unpackHasExplicitIdentity(int64_t token) { |
| return static_cast<int32_t>(token) & (1 << 30); |
| } |
| |
| constexpr uid_t unpackCallingUid(int64_t token) { |
| return static_cast<uid_t>(token >> 32); |
| } |
| |
| constexpr pid_t unpackCallingPid(int64_t token) { |
| int32_t encodedPid = static_cast<int32_t>(token); |
| if (encodedPid & (1 << 31)) { |
| return encodedPid | (1 << 30); |
| } else { |
| return encodedPid & ~(1 << 30); |
| } |
| } |
| |
| static_assert(unpackHasExplicitIdentity(packCallingIdentity(true, 1000, 9999)) == true, |
| "pack true hasExplicit"); |
| |
| static_assert(unpackCallingUid(packCallingIdentity(true, 1000, 9999)) == 1000, "pack true uid"); |
| |
| static_assert(unpackCallingPid(packCallingIdentity(true, 1000, 9999)) == 9999, "pack true pid"); |
| |
| static_assert(unpackHasExplicitIdentity(packCallingIdentity(false, 1000, 9999)) == false, |
| "pack false hasExplicit"); |
| |
| static_assert(unpackCallingUid(packCallingIdentity(false, 1000, 9999)) == 1000, "pack false uid"); |
| |
| static_assert(unpackCallingPid(packCallingIdentity(false, 1000, 9999)) == 9999, "pack false pid"); |
| |
| static_assert(unpackHasExplicitIdentity(packCallingIdentity(true, 1000, -1)) == true, |
| "pack true (negative) hasExplicit"); |
| |
| static_assert(unpackCallingUid(packCallingIdentity(true, 1000, -1)) == 1000, |
| "pack true (negative) uid"); |
| |
| static_assert(unpackCallingPid(packCallingIdentity(true, 1000, -1)) == -1, |
| "pack true (negative) pid"); |
| |
| static_assert(unpackHasExplicitIdentity(packCallingIdentity(false, 1000, -1)) == false, |
| "pack false (negative) hasExplicit"); |
| |
| static_assert(unpackCallingUid(packCallingIdentity(false, 1000, -1)) == 1000, |
| "pack false (negative) uid"); |
| |
| static_assert(unpackCallingPid(packCallingIdentity(false, 1000, -1)) == -1, |
| "pack false (negative) pid"); |
| |
| int64_t IPCThreadState::clearCallingIdentity() |
| { |
| // ignore mCallingSid for legacy reasons |
| int64_t token = packCallingIdentity(mHasExplicitIdentity, mCallingUid, mCallingPid); |
| clearCaller(); |
| mHasExplicitIdentity = true; |
| return token; |
| } |
| |
| bool IPCThreadState::hasExplicitIdentity() { |
| return mHasExplicitIdentity; |
| } |
| |
| void IPCThreadState::setStrictModePolicy(int32_t policy) |
| { |
| mStrictModePolicy = policy; |
| } |
| |
| int32_t IPCThreadState::getStrictModePolicy() const |
| { |
| return mStrictModePolicy; |
| } |
| |
| int64_t IPCThreadState::setCallingWorkSourceUid(uid_t uid) |
| { |
| int64_t token = setCallingWorkSourceUidWithoutPropagation(uid); |
| mPropagateWorkSource = true; |
| return token; |
| } |
| |
| int64_t IPCThreadState::setCallingWorkSourceUidWithoutPropagation(uid_t uid) |
| { |
| const int64_t propagatedBit = ((int64_t)mPropagateWorkSource) << kWorkSourcePropagatedBitIndex; |
| int64_t token = propagatedBit | mWorkSource; |
| mWorkSource = uid; |
| return token; |
| } |
| |
| void IPCThreadState::clearPropagateWorkSource() |
| { |
| mPropagateWorkSource = false; |
| } |
| |
| bool IPCThreadState::shouldPropagateWorkSource() const |
| { |
| return mPropagateWorkSource; |
| } |
| |
| uid_t IPCThreadState::getCallingWorkSourceUid() const |
| { |
| return mWorkSource; |
| } |
| |
| int64_t IPCThreadState::clearCallingWorkSource() |
| { |
| return setCallingWorkSourceUid(kUnsetWorkSource); |
| } |
| |
| void IPCThreadState::restoreCallingWorkSource(int64_t token) |
| { |
| uid_t uid = (int)token; |
| setCallingWorkSourceUidWithoutPropagation(uid); |
| mPropagateWorkSource = ((token >> kWorkSourcePropagatedBitIndex) & 1) == 1; |
| } |
| |
| void IPCThreadState::setLastTransactionBinderFlags(int32_t flags) |
| { |
| mLastTransactionBinderFlags = flags; |
| } |
| |
| int32_t IPCThreadState::getLastTransactionBinderFlags() const |
| { |
| return mLastTransactionBinderFlags; |
| } |
| |
| void IPCThreadState::setCallRestriction(ProcessState::CallRestriction restriction) { |
| mCallRestriction = restriction; |
| } |
| |
| ProcessState::CallRestriction IPCThreadState::getCallRestriction() const { |
| return mCallRestriction; |
| } |
| |
| void IPCThreadState::restoreCallingIdentity(int64_t token) |
| { |
| mCallingUid = unpackCallingUid(token); |
| mCallingSid = nullptr; // not enough data to restore |
| mCallingPid = unpackCallingPid(token); |
| mHasExplicitIdentity = unpackHasExplicitIdentity(token); |
| } |
| |
| void IPCThreadState::clearCaller() |
| { |
| mCallingPid = getpid(); |
| mCallingSid = nullptr; // expensive to lookup |
| mCallingUid = getuid(); |
| } |
| |
| void IPCThreadState::flushCommands() |
| { |
| if (mProcess->mDriverFD < 0) |
| return; |
| talkWithDriver(false); |
| // The flush could have caused post-write refcount decrements to have |
| // been executed, which in turn could result in BC_RELEASE/BC_DECREFS |
| // being queued in mOut. So flush again, if we need to. |
| if (mOut.dataSize() > 0) { |
| talkWithDriver(false); |
| } |
| if (mOut.dataSize() > 0) { |
| ALOGW("mOut.dataSize() > 0 after flushCommands()"); |
| } |
| } |
| |
| bool IPCThreadState::flushIfNeeded() |
| { |
| if (mIsLooper || mServingStackPointer != nullptr || mIsFlushing) { |
| return false; |
| } |
| mIsFlushing = true; |
| // In case this thread is not a looper and is not currently serving a binder transaction, |
| // there's no guarantee that this thread will call back into the kernel driver any time |
| // soon. Therefore, flush pending commands such as BC_FREE_BUFFER, to prevent them from getting |
| // stuck in this thread's out buffer. |
| flushCommands(); |
| mIsFlushing = false; |
| return true; |
| } |
| |
| void IPCThreadState::blockUntilThreadAvailable() |
| { |
| std::unique_lock lock_guard_(mProcess->mOnThreadAvailableLock); |
| mProcess->mOnThreadAvailableWaiting++; |
| mProcess->mOnThreadAvailableCondVar.wait(lock_guard_, [&] { |
| size_t max = mProcess->mMaxThreads; |
| size_t cur = mProcess->mExecutingThreadsCount; |
| if (cur < max) { |
| return true; |
| } |
| ALOGW("Waiting for thread to be free. mExecutingThreadsCount=%zu mMaxThreads=%zu\n", cur, |
| max); |
| return false; |
| }); |
| mProcess->mOnThreadAvailableWaiting--; |
| } |
| |
| status_t IPCThreadState::getAndExecuteCommand() |
| { |
| status_t result; |
| int32_t cmd; |
| |
| result = talkWithDriver(); |
| if (result >= NO_ERROR) { |
| size_t IN = mIn.dataAvail(); |
| if (IN < sizeof(int32_t)) return result; |
| cmd = mIn.readInt32(); |
| IF_LOG_COMMANDS() { |
| std::ostringstream logStream; |
| logStream << "Processing top-level Command: " << getReturnString(cmd) << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| |
| size_t newThreadsCount = mProcess->mExecutingThreadsCount.fetch_add(1) + 1; |
| if (newThreadsCount >= mProcess->mMaxThreads) { |
| auto expected = ProcessState::never(); |
| mProcess->mStarvationStartTime |
| .compare_exchange_strong(expected, std::chrono::steady_clock::now()); |
| } |
| |
| result = executeCommand(cmd); |
| |
| size_t maxThreads = mProcess->mMaxThreads; |
| newThreadsCount = mProcess->mExecutingThreadsCount.fetch_sub(1) - 1; |
| if (newThreadsCount < maxThreads) { |
| auto starvationStartTime = |
| mProcess->mStarvationStartTime.exchange(ProcessState::never()); |
| if (starvationStartTime != ProcessState::never()) { |
| auto starvationTime = std::chrono::steady_clock::now() - starvationStartTime; |
| if (starvationTime > 100ms) { |
| ALOGE("binder thread pool (%zu threads) starved for %" PRId64 " ms", maxThreads, |
| to_ms(starvationTime)); |
| } |
| } |
| } |
| |
| // Cond broadcast can be expensive, so don't send it every time a binder |
| // call is processed. b/168806193 |
| if (mProcess->mOnThreadAvailableWaiting > 0) { |
| std::lock_guard lock_guard_(mProcess->mOnThreadAvailableLock); |
| mProcess->mOnThreadAvailableCondVar.notify_all(); |
| } |
| } |
| |
| return result; |
| } |
| |
| // When we've cleared the incoming command queue, process any pending derefs |
| void IPCThreadState::processPendingDerefs() |
| { |
| if (mIn.dataPosition() >= mIn.dataSize()) { |
| /* |
| * The decWeak()/decStrong() calls may cause a destructor to run, |
| * which in turn could have initiated an outgoing transaction, |
| * which in turn could cause us to add to the pending refs |
| * vectors; so instead of simply iterating, loop until they're empty. |
| * |
| * We do this in an outer loop, because calling decStrong() |
| * may result in something being added to mPendingWeakDerefs, |
| * which could be delayed until the next incoming command |
| * from the driver if we don't process it now. |
| */ |
| while (mPendingWeakDerefs.size() > 0 || mPendingStrongDerefs.size() > 0) { |
| while (mPendingWeakDerefs.size() > 0) { |
| RefBase::weakref_type* refs = mPendingWeakDerefs[0]; |
| mPendingWeakDerefs.removeAt(0); |
| refs->decWeak(mProcess.get()); |
| } |
| |
| if (mPendingStrongDerefs.size() > 0) { |
| // We don't use while() here because we don't want to re-order |
| // strong and weak decs at all; if this decStrong() causes both a |
| // decWeak() and a decStrong() to be queued, we want to process |
| // the decWeak() first. |
| BBinder* obj = mPendingStrongDerefs[0]; |
| mPendingStrongDerefs.removeAt(0); |
| obj->decStrong(mProcess.get()); |
| } |
| } |
| } |
| } |
| |
| void IPCThreadState::processPostWriteDerefs() |
| { |
| for (size_t i = 0; i < mPostWriteWeakDerefs.size(); i++) { |
| RefBase::weakref_type* refs = mPostWriteWeakDerefs[i]; |
| refs->decWeak(mProcess.get()); |
| } |
| mPostWriteWeakDerefs.clear(); |
| |
| for (size_t i = 0; i < mPostWriteStrongDerefs.size(); i++) { |
| RefBase* obj = mPostWriteStrongDerefs[i]; |
| obj->decStrong(mProcess.get()); |
| } |
| mPostWriteStrongDerefs.clear(); |
| } |
| |
| void IPCThreadState::joinThreadPool(bool isMain) |
| { |
| LOG_THREADPOOL("**** THREAD %p (PID %d) IS JOINING THE THREAD POOL\n", (void*)pthread_self(), |
| getpid()); |
| mProcess->mCurrentThreads++; |
| mOut.writeInt32(isMain ? BC_ENTER_LOOPER : BC_REGISTER_LOOPER); |
| |
| mIsLooper = true; |
| status_t result; |
| do { |
| processPendingDerefs(); |
| // now get the next command to be processed, waiting if necessary |
| result = getAndExecuteCommand(); |
| |
| if (result < NO_ERROR && result != TIMED_OUT && result != -ECONNREFUSED && result != -EBADF) { |
| LOG_ALWAYS_FATAL("getAndExecuteCommand(fd=%d) returned unexpected error %d, aborting", |
| mProcess->mDriverFD, result); |
| } |
| |
| // Let this thread exit the thread pool if it is no longer |
| // needed and it is not the main process thread. |
| if(result == TIMED_OUT && !isMain) { |
| break; |
| } |
| } while (result != -ECONNREFUSED && result != -EBADF); |
| |
| LOG_THREADPOOL("**** THREAD %p (PID %d) IS LEAVING THE THREAD POOL err=%d\n", |
| (void*)pthread_self(), getpid(), result); |
| |
| mOut.writeInt32(BC_EXIT_LOOPER); |
| mIsLooper = false; |
| talkWithDriver(false); |
| size_t oldCount = mProcess->mCurrentThreads.fetch_sub(1); |
| LOG_ALWAYS_FATAL_IF(oldCount == 0, |
| "Threadpool thread count underflowed. Thread cannot exist and exit in " |
| "empty threadpool\n" |
| "Misconfiguration. Increase threadpool max threads configuration\n"); |
| } |
| |
| status_t IPCThreadState::setupPolling(int* fd) |
| { |
| if (mProcess->mDriverFD < 0) { |
| return -EBADF; |
| } |
| |
| mOut.writeInt32(BC_ENTER_LOOPER); |
| flushCommands(); |
| *fd = mProcess->mDriverFD; |
| mProcess->mCurrentThreads++; |
| return 0; |
| } |
| |
| status_t IPCThreadState::handlePolledCommands() |
| { |
| status_t result; |
| |
| do { |
| result = getAndExecuteCommand(); |
| } while (mIn.dataPosition() < mIn.dataSize()); |
| |
| processPendingDerefs(); |
| flushCommands(); |
| return result; |
| } |
| |
| void IPCThreadState::stopProcess(bool /*immediate*/) |
| { |
| //ALOGI("**** STOPPING PROCESS"); |
| flushCommands(); |
| int fd = mProcess->mDriverFD; |
| mProcess->mDriverFD = -1; |
| close(fd); |
| //kill(getpid(), SIGKILL); |
| } |
| |
| status_t IPCThreadState::transact(int32_t handle, |
| uint32_t code, const Parcel& data, |
| Parcel* reply, uint32_t flags) |
| { |
| LOG_ALWAYS_FATAL_IF(data.isForRpc(), "Parcel constructed for RPC, but being used with binder."); |
| |
| status_t err; |
| |
| flags |= TF_ACCEPT_FDS; |
| |
| IF_LOG_TRANSACTIONS() { |
| std::ostringstream logStream; |
| logStream << "BC_TRANSACTION thr " << (void*)pthread_self() << " / hand " << handle |
| << " / code " << TypeCode(code) << ": \t" << data << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| |
| LOG_ONEWAY(">>>> SEND from pid %d uid %d %s", getpid(), getuid(), |
| (flags & TF_ONE_WAY) == 0 ? "READ REPLY" : "ONE WAY"); |
| err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, nullptr); |
| |
| if (err != NO_ERROR) { |
| if (reply) reply->setError(err); |
| return (mLastError = err); |
| } |
| |
| if ((flags & TF_ONE_WAY) == 0) { |
| if (mCallRestriction != ProcessState::CallRestriction::NONE) [[unlikely]] { |
| if (mCallRestriction == ProcessState::CallRestriction::ERROR_IF_NOT_ONEWAY) { |
| ALOGE("Process making non-oneway call (code: %u) but is restricted.", code); |
| CallStack::logStack("non-oneway call", CallStack::getCurrent(10).get(), |
| ANDROID_LOG_ERROR); |
| } else /* FATAL_IF_NOT_ONEWAY */ { |
| LOG_ALWAYS_FATAL("Process may not make non-oneway calls (code: %u).", code); |
| } |
| } |
| |
| #if 0 |
| if (code == 4) { // relayout |
| ALOGI(">>>>>> CALLING transaction 4"); |
| } else { |
| ALOGI(">>>>>> CALLING transaction %d", code); |
| } |
| #endif |
| if (reply) { |
| err = waitForResponse(reply); |
| } else { |
| Parcel fakeReply; |
| err = waitForResponse(&fakeReply); |
| } |
| #if 0 |
| if (code == 4) { // relayout |
| ALOGI("<<<<<< RETURNING transaction 4"); |
| } else { |
| ALOGI("<<<<<< RETURNING transaction %d", code); |
| } |
| #endif |
| |
| IF_LOG_TRANSACTIONS() { |
| std::ostringstream logStream; |
| logStream << "BR_REPLY thr " << (void*)pthread_self() << " / hand " << handle << ": "; |
| if (reply) |
| logStream << "\t" << *reply << "\n"; |
| else |
| logStream << "(none requested)" |
| << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| } else { |
| err = waitForResponse(nullptr, nullptr); |
| } |
| |
| return err; |
| } |
| |
| void IPCThreadState::incStrongHandle(int32_t handle, BpBinder *proxy) |
| { |
| LOG_REMOTEREFS("IPCThreadState::incStrongHandle(%d)\n", handle); |
| mOut.writeInt32(BC_ACQUIRE); |
| mOut.writeInt32(handle); |
| if (!flushIfNeeded()) { |
| // Create a temp reference until the driver has handled this command. |
| proxy->incStrong(mProcess.get()); |
| mPostWriteStrongDerefs.push(proxy); |
| } |
| } |
| |
| void IPCThreadState::decStrongHandle(int32_t handle) |
| { |
| LOG_REMOTEREFS("IPCThreadState::decStrongHandle(%d)\n", handle); |
| mOut.writeInt32(BC_RELEASE); |
| mOut.writeInt32(handle); |
| flushIfNeeded(); |
| } |
| |
| void IPCThreadState::incWeakHandle(int32_t handle, BpBinder *proxy) |
| { |
| LOG_REMOTEREFS("IPCThreadState::incWeakHandle(%d)\n", handle); |
| mOut.writeInt32(BC_INCREFS); |
| mOut.writeInt32(handle); |
| if (!flushIfNeeded()) { |
| // Create a temp reference until the driver has handled this command. |
| proxy->getWeakRefs()->incWeak(mProcess.get()); |
| mPostWriteWeakDerefs.push(proxy->getWeakRefs()); |
| } |
| } |
| |
| void IPCThreadState::decWeakHandle(int32_t handle) |
| { |
| LOG_REMOTEREFS("IPCThreadState::decWeakHandle(%d)\n", handle); |
| mOut.writeInt32(BC_DECREFS); |
| mOut.writeInt32(handle); |
| flushIfNeeded(); |
| } |
| |
| status_t IPCThreadState::attemptIncStrongHandle(int32_t handle) { |
| (void)handle; |
| ALOGE("%s(%d): Not supported\n", __func__, handle); |
| return INVALID_OPERATION; |
| } |
| |
| void IPCThreadState::expungeHandle(int32_t handle, IBinder* binder) |
| { |
| #if LOG_REFCOUNTS |
| ALOGV("IPCThreadState::expungeHandle(%ld)\n", handle); |
| #endif |
| self()->mProcess->expungeHandle(handle, binder); // NOLINT |
| } |
| |
| status_t IPCThreadState::requestDeathNotification(int32_t handle, BpBinder* proxy) |
| { |
| mOut.writeInt32(BC_REQUEST_DEATH_NOTIFICATION); |
| mOut.writeInt32((int32_t)handle); |
| mOut.writePointer((uintptr_t)proxy); |
| return NO_ERROR; |
| } |
| |
| status_t IPCThreadState::clearDeathNotification(int32_t handle, BpBinder* proxy) |
| { |
| mOut.writeInt32(BC_CLEAR_DEATH_NOTIFICATION); |
| mOut.writeInt32((int32_t)handle); |
| mOut.writePointer((uintptr_t)proxy); |
| return NO_ERROR; |
| } |
| |
| status_t IPCThreadState::addFrozenStateChangeCallback(int32_t handle, BpBinder* proxy) { |
| static bool isSupported = |
| ProcessState::isDriverFeatureEnabled(ProcessState::DriverFeature::FREEZE_NOTIFICATION); |
| if (!isSupported) { |
| return INVALID_OPERATION; |
| } |
| proxy->getWeakRefs()->incWeak(proxy); |
| mOut.writeInt32(BC_REQUEST_FREEZE_NOTIFICATION); |
| mOut.writeInt32((int32_t)handle); |
| mOut.writePointer((uintptr_t)proxy); |
| flushCommands(); |
| return NO_ERROR; |
| } |
| |
| status_t IPCThreadState::removeFrozenStateChangeCallback(int32_t handle, BpBinder* proxy) { |
| static bool isSupported = |
| ProcessState::isDriverFeatureEnabled(ProcessState::DriverFeature::FREEZE_NOTIFICATION); |
| if (!isSupported) { |
| return INVALID_OPERATION; |
| } |
| mOut.writeInt32(BC_CLEAR_FREEZE_NOTIFICATION); |
| mOut.writeInt32((int32_t)handle); |
| mOut.writePointer((uintptr_t)proxy); |
| flushCommands(); |
| return NO_ERROR; |
| } |
| |
| IPCThreadState::IPCThreadState() |
| : mProcess(ProcessState::self()), |
| mServingStackPointer(nullptr), |
| mServingStackPointerGuard(nullptr), |
| mWorkSource(kUnsetWorkSource), |
| mPropagateWorkSource(false), |
| mIsLooper(false), |
| mIsFlushing(false), |
| mStrictModePolicy(0), |
| mLastTransactionBinderFlags(0), |
| mCallRestriction(mProcess->mCallRestriction) { |
| pthread_setspecific(gTLS, this); |
| clearCaller(); |
| mHasExplicitIdentity = false; |
| mIn.setDataCapacity(256); |
| mOut.setDataCapacity(256); |
| } |
| |
| IPCThreadState::~IPCThreadState() |
| { |
| } |
| |
| status_t IPCThreadState::sendReply(const Parcel& reply, uint32_t flags) |
| { |
| status_t err; |
| status_t statusBuffer; |
| err = writeTransactionData(BC_REPLY, flags, -1, 0, reply, &statusBuffer); |
| if (err < NO_ERROR) return err; |
| |
| return waitForResponse(nullptr, nullptr); |
| } |
| |
| status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult) |
| { |
| uint32_t cmd; |
| int32_t err; |
| |
| while (1) { |
| if ((err=talkWithDriver()) < NO_ERROR) break; |
| err = mIn.errorCheck(); |
| if (err < NO_ERROR) break; |
| if (mIn.dataAvail() == 0) continue; |
| |
| cmd = (uint32_t)mIn.readInt32(); |
| |
| IF_LOG_COMMANDS() { |
| std::ostringstream logStream; |
| logStream << "Processing waitForResponse Command: " << getReturnString(cmd) << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| |
| switch (cmd) { |
| case BR_ONEWAY_SPAM_SUSPECT: |
| ALOGE("Process seems to be sending too many oneway calls."); |
| CallStack::logStack("oneway spamming", CallStack::getCurrent().get(), |
| ANDROID_LOG_ERROR); |
| [[fallthrough]]; |
| case BR_TRANSACTION_COMPLETE: |
| if (!reply && !acquireResult) goto finish; |
| break; |
| |
| case BR_TRANSACTION_PENDING_FROZEN: |
| ALOGW("Sending oneway calls to frozen process."); |
| goto finish; |
| |
| case BR_DEAD_REPLY: |
| err = DEAD_OBJECT; |
| goto finish; |
| |
| case BR_FAILED_REPLY: |
| err = FAILED_TRANSACTION; |
| goto finish; |
| |
| case BR_FROZEN_REPLY: |
| ALOGW("Transaction failed because process frozen."); |
| err = FAILED_TRANSACTION; |
| goto finish; |
| |
| case BR_ACQUIRE_RESULT: |
| { |
| ALOG_ASSERT(acquireResult != NULL, "Unexpected brACQUIRE_RESULT"); |
| const int32_t result = mIn.readInt32(); |
| if (!acquireResult) continue; |
| *acquireResult = result ? NO_ERROR : INVALID_OPERATION; |
| } |
| goto finish; |
| |
| case BR_REPLY: |
| { |
| binder_transaction_data tr; |
| err = mIn.read(&tr, sizeof(tr)); |
| ALOG_ASSERT(err == NO_ERROR, "Not enough command data for brREPLY"); |
| if (err != NO_ERROR) goto finish; |
| |
| if (reply) { |
| if ((tr.flags & TF_STATUS_CODE) == 0) { |
| reply->ipcSetDataReference( |
| reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer), |
| tr.data_size, |
| reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets), |
| tr.offsets_size/sizeof(binder_size_t), |
| freeBuffer); |
| } else { |
| err = *reinterpret_cast<const status_t*>(tr.data.ptr.buffer); |
| freeBuffer(reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer), |
| tr.data_size, |
| reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets), |
| tr.offsets_size / sizeof(binder_size_t)); |
| } |
| } else { |
| freeBuffer(reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer), tr.data_size, |
| reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets), |
| tr.offsets_size / sizeof(binder_size_t)); |
| continue; |
| } |
| } |
| goto finish; |
| |
| default: |
| err = executeCommand(cmd); |
| if (err != NO_ERROR) goto finish; |
| break; |
| } |
| } |
| |
| finish: |
| if (err != NO_ERROR) { |
| if (acquireResult) *acquireResult = err; |
| if (reply) reply->setError(err); |
| mLastError = err; |
| logExtendedError(); |
| } |
| |
| return err; |
| } |
| |
| status_t IPCThreadState::talkWithDriver(bool doReceive) |
| { |
| if (mProcess->mDriverFD < 0) { |
| return -EBADF; |
| } |
| |
| binder_write_read bwr; |
| |
| // Is the read buffer empty? |
| const bool needRead = mIn.dataPosition() >= mIn.dataSize(); |
| |
| // We don't want to write anything if we are still reading |
| // from data left in the input buffer and the caller |
| // has requested to read the next data. |
| const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0; |
| |
| bwr.write_size = outAvail; |
| bwr.write_buffer = (uintptr_t)mOut.data(); |
| |
| // This is what we'll read. |
| if (doReceive && needRead) { |
| bwr.read_size = mIn.dataCapacity(); |
| bwr.read_buffer = (uintptr_t)mIn.data(); |
| } else { |
| bwr.read_size = 0; |
| bwr.read_buffer = 0; |
| } |
| |
| IF_LOG_COMMANDS() { |
| std::ostringstream logStream; |
| if (outAvail != 0) { |
| logStream << "Sending commands to driver: "; |
| const void* cmds = (const void*)bwr.write_buffer; |
| const void* end = ((const uint8_t*)cmds) + bwr.write_size; |
| logStream << "\t" << HexDump(cmds, bwr.write_size) << "\n"; |
| while (cmds < end) cmds = printCommand(logStream, cmds); |
| } |
| logStream << "Size of receive buffer: " << bwr.read_size << ", needRead: " << needRead |
| << ", doReceive: " << doReceive << "\n"; |
| |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| |
| // Return immediately if there is nothing to do. |
| if ((bwr.write_size == 0) && (bwr.read_size == 0)) return NO_ERROR; |
| |
| bwr.write_consumed = 0; |
| bwr.read_consumed = 0; |
| status_t err; |
| do { |
| IF_LOG_COMMANDS() { |
| std::ostringstream logStream; |
| logStream << "About to read/write, write size = " << mOut.dataSize() << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| #if defined(__ANDROID__) |
| if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0) |
| err = NO_ERROR; |
| else |
| err = -errno; |
| #else |
| err = INVALID_OPERATION; |
| #endif |
| if (mProcess->mDriverFD < 0) { |
| err = -EBADF; |
| } |
| IF_LOG_COMMANDS() { |
| std::ostringstream logStream; |
| logStream << "Finished read/write, write size = " << mOut.dataSize() << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| } while (err == -EINTR); |
| |
| IF_LOG_COMMANDS() { |
| std::ostringstream logStream; |
| logStream << "Our err: " << (void*)(intptr_t)err |
| << ", write consumed: " << bwr.write_consumed << " (of " << mOut.dataSize() |
| << "), read consumed: " << bwr.read_consumed << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| |
| if (err >= NO_ERROR) { |
| if (bwr.write_consumed > 0) { |
| if (bwr.write_consumed < mOut.dataSize()) { |
| std::ostringstream logStream; |
| printReturnCommandParcel(logStream, mIn); |
| LOG_ALWAYS_FATAL("Driver did not consume write buffer. " |
| "err: %s consumed: %zu of %zu.\n" |
| "Return command: %s", |
| statusToString(err).c_str(), (size_t)bwr.write_consumed, |
| mOut.dataSize(), logStream.str().c_str()); |
| } else { |
| mOut.setDataSize(0); |
| processPostWriteDerefs(); |
| } |
| } |
| if (bwr.read_consumed > 0) { |
| mIn.setDataSize(bwr.read_consumed); |
| mIn.setDataPosition(0); |
| } |
| IF_LOG_COMMANDS() { |
| std::ostringstream logStream; |
| printReturnCommandParcel(logStream, mIn); |
| ALOGI("%s", logStream.str().c_str()); |
| } |
| return NO_ERROR; |
| } |
| |
| ALOGE_IF(mProcess->mDriverFD >= 0, |
| "Driver returned error (%s). This is a bug in either libbinder or the driver. This " |
| "thread's connection to %s will no longer work.", |
| statusToString(err).c_str(), mProcess->mDriverName.c_str()); |
| return err; |
| } |
| |
| status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags, |
| int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer) |
| { |
| binder_transaction_data tr; |
| |
| tr.target.ptr = 0; /* Don't pass uninitialized stack data to a remote process */ |
| tr.target.handle = handle; |
| tr.code = code; |
| tr.flags = binderFlags; |
| tr.cookie = 0; |
| tr.sender_pid = 0; |
| tr.sender_euid = 0; |
| |
| const status_t err = data.errorCheck(); |
| if (err == NO_ERROR) { |
| tr.data_size = data.ipcDataSize(); |
| tr.data.ptr.buffer = data.ipcData(); |
| tr.offsets_size = data.ipcObjectsCount()*sizeof(binder_size_t); |
| tr.data.ptr.offsets = data.ipcObjects(); |
| } else if (statusBuffer) { |
| tr.flags |= TF_STATUS_CODE; |
| *statusBuffer = err; |
| tr.data_size = sizeof(status_t); |
| tr.data.ptr.buffer = reinterpret_cast<uintptr_t>(statusBuffer); |
| tr.offsets_size = 0; |
| tr.data.ptr.offsets = 0; |
| } else { |
| return (mLastError = err); |
| } |
| |
| mOut.writeInt32(cmd); |
| mOut.write(&tr, sizeof(tr)); |
| |
| return NO_ERROR; |
| } |
| |
| sp<BBinder> the_context_object; |
| |
| void IPCThreadState::setTheContextObject(const sp<BBinder>& obj) |
| { |
| the_context_object = obj; |
| } |
| |
| status_t IPCThreadState::executeCommand(int32_t cmd) |
| { |
| BBinder* obj; |
| RefBase::weakref_type* refs; |
| status_t result = NO_ERROR; |
| |
| switch ((uint32_t)cmd) { |
| case BR_ERROR: |
| result = mIn.readInt32(); |
| break; |
| |
| case BR_OK: |
| break; |
| |
| case BR_ACQUIRE: |
| refs = (RefBase::weakref_type*)mIn.readPointer(); |
| obj = (BBinder*)mIn.readPointer(); |
| ALOG_ASSERT(refs->refBase() == obj, |
| "BR_ACQUIRE: object %p does not match cookie %p (expected %p)", |
| refs, obj, refs->refBase()); |
| obj->incStrong(mProcess.get()); |
| IF_LOG_REMOTEREFS() { |
| LOG_REMOTEREFS("BR_ACQUIRE from driver on %p", obj); |
| obj->printRefs(); |
| } |
| mOut.writeInt32(BC_ACQUIRE_DONE); |
| mOut.writePointer((uintptr_t)refs); |
| mOut.writePointer((uintptr_t)obj); |
| break; |
| |
| case BR_RELEASE: |
| refs = (RefBase::weakref_type*)mIn.readPointer(); |
| obj = (BBinder*)mIn.readPointer(); |
| ALOG_ASSERT(refs->refBase() == obj, |
| "BR_RELEASE: object %p does not match cookie %p (expected %p)", |
| refs, obj, refs->refBase()); |
| IF_LOG_REMOTEREFS() { |
| LOG_REMOTEREFS("BR_RELEASE from driver on %p", obj); |
| obj->printRefs(); |
| } |
| mPendingStrongDerefs.push(obj); |
| break; |
| |
| case BR_INCREFS: |
| refs = (RefBase::weakref_type*)mIn.readPointer(); |
| obj = (BBinder*)mIn.readPointer(); |
| refs->incWeak(mProcess.get()); |
| mOut.writeInt32(BC_INCREFS_DONE); |
| mOut.writePointer((uintptr_t)refs); |
| mOut.writePointer((uintptr_t)obj); |
| break; |
| |
| case BR_DECREFS: |
| refs = (RefBase::weakref_type*)mIn.readPointer(); |
| // NOLINTNEXTLINE(clang-analyzer-deadcode.DeadStores) |
| obj = (BBinder*)mIn.readPointer(); // consume |
| // NOTE: This assertion is not valid, because the object may no |
| // longer exist (thus the (BBinder*)cast above resulting in a different |
| // memory address). |
| //ALOG_ASSERT(refs->refBase() == obj, |
| // "BR_DECREFS: object %p does not match cookie %p (expected %p)", |
| // refs, obj, refs->refBase()); |
| mPendingWeakDerefs.push(refs); |
| break; |
| |
| case BR_ATTEMPT_ACQUIRE: |
| refs = (RefBase::weakref_type*)mIn.readPointer(); |
| obj = (BBinder*)mIn.readPointer(); |
| |
| { |
| const bool success = refs->attemptIncStrong(mProcess.get()); |
| ALOG_ASSERT(success && refs->refBase() == obj, |
| "BR_ATTEMPT_ACQUIRE: object %p does not match cookie %p (expected %p)", |
| refs, obj, refs->refBase()); |
| |
| mOut.writeInt32(BC_ACQUIRE_RESULT); |
| mOut.writeInt32((int32_t)success); |
| } |
| break; |
| |
| case BR_TRANSACTION_SEC_CTX: |
| case BR_TRANSACTION: |
| { |
| binder_transaction_data_secctx tr_secctx; |
| binder_transaction_data& tr = tr_secctx.transaction_data; |
| |
| if (cmd == (int) BR_TRANSACTION_SEC_CTX) { |
| result = mIn.read(&tr_secctx, sizeof(tr_secctx)); |
| } else { |
| result = mIn.read(&tr, sizeof(tr)); |
| tr_secctx.secctx = 0; |
| } |
| |
| ALOG_ASSERT(result == NO_ERROR, |
| "Not enough command data for brTRANSACTION"); |
| if (result != NO_ERROR) break; |
| |
| Parcel buffer; |
| buffer.ipcSetDataReference( |
| reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer), |
| tr.data_size, |
| reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets), |
| tr.offsets_size/sizeof(binder_size_t), freeBuffer); |
| |
| const void* origServingStackPointer = mServingStackPointer; |
| mServingStackPointer = __builtin_frame_address(0); |
| |
| const pid_t origPid = mCallingPid; |
| const char* origSid = mCallingSid; |
| const uid_t origUid = mCallingUid; |
| const bool origHasExplicitIdentity = mHasExplicitIdentity; |
| const int32_t origStrictModePolicy = mStrictModePolicy; |
| const int32_t origTransactionBinderFlags = mLastTransactionBinderFlags; |
| const int32_t origWorkSource = mWorkSource; |
| const bool origPropagateWorkSet = mPropagateWorkSource; |
| // Calling work source will be set by Parcel#enforceInterface. Parcel#enforceInterface |
| // is only guaranteed to be called for AIDL-generated stubs so we reset the work source |
| // here to never propagate it. |
| clearCallingWorkSource(); |
| clearPropagateWorkSource(); |
| |
| mCallingPid = tr.sender_pid; |
| mCallingSid = reinterpret_cast<const char*>(tr_secctx.secctx); |
| mCallingUid = tr.sender_euid; |
| mHasExplicitIdentity = false; |
| mLastTransactionBinderFlags = tr.flags; |
| |
| // ALOGI(">>>> TRANSACT from pid %d sid %s uid %d\n", mCallingPid, |
| // (mCallingSid ? mCallingSid : "<N/A>"), mCallingUid); |
| |
| Parcel reply; |
| status_t error; |
| IF_LOG_TRANSACTIONS() { |
| std::ostringstream logStream; |
| logStream << "BR_TRANSACTION thr " << (void*)pthread_self() << " / obj " |
| << tr.target.ptr << " / code " << TypeCode(tr.code) << ": \t" << buffer |
| << "\n" |
| << "Data addr = " << reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer) |
| << ", offsets addr=" |
| << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| if (tr.target.ptr) { |
| // We only have a weak reference on the target object, so we must first try to |
| // safely acquire a strong reference before doing anything else with it. |
| if (reinterpret_cast<RefBase::weakref_type*>( |
| tr.target.ptr)->attemptIncStrong(this)) { |
| error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer, |
| &reply, tr.flags); |
| reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this); |
| } else { |
| error = UNKNOWN_TRANSACTION; |
| } |
| |
| } else { |
| error = the_context_object->transact(tr.code, buffer, &reply, tr.flags); |
| } |
| |
| //ALOGI("<<<< TRANSACT from pid %d restore pid %d sid %s uid %d\n", |
| // mCallingPid, origPid, (origSid ? origSid : "<N/A>"), origUid); |
| |
| if ((tr.flags & TF_ONE_WAY) == 0) { |
| LOG_ONEWAY("Sending reply to %d!", mCallingPid); |
| if (error < NO_ERROR) reply.setError(error); |
| |
| // b/238777741: clear buffer before we send the reply. |
| // Otherwise, there is a race where the client may |
| // receive the reply and send another transaction |
| // here and the space used by this transaction won't |
| // be freed for the client. |
| buffer.setDataSize(0); |
| |
| constexpr uint32_t kForwardReplyFlags = TF_CLEAR_BUF; |
| sendReply(reply, (tr.flags & kForwardReplyFlags)); |
| } else { |
| if (error != OK) { |
| std::ostringstream logStream; |
| logStream << "oneway function results for code " << tr.code << " on binder at " |
| << reinterpret_cast<void*>(tr.target.ptr) |
| << " will be dropped but finished with status " |
| << statusToString(error); |
| |
| // ideally we could log this even when error == OK, but it |
| // causes too much logspam because some manually-written |
| // interfaces have clients that call methods which always |
| // write results, sometimes as oneway methods. |
| if (reply.dataSize() != 0) { |
| logStream << " and reply parcel size " << reply.dataSize(); |
| } |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| LOG_ONEWAY("NOT sending reply to %d!", mCallingPid); |
| } |
| |
| mServingStackPointer = origServingStackPointer; |
| mCallingPid = origPid; |
| mCallingSid = origSid; |
| mCallingUid = origUid; |
| mHasExplicitIdentity = origHasExplicitIdentity; |
| mStrictModePolicy = origStrictModePolicy; |
| mLastTransactionBinderFlags = origTransactionBinderFlags; |
| mWorkSource = origWorkSource; |
| mPropagateWorkSource = origPropagateWorkSet; |
| |
| IF_LOG_TRANSACTIONS() { |
| std::ostringstream logStream; |
| logStream << "BC_REPLY thr " << (void*)pthread_self() << " / obj " << tr.target.ptr |
| << ": \t" << reply << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| |
| } |
| break; |
| |
| case BR_DEAD_BINDER: |
| { |
| BpBinder *proxy = (BpBinder*)mIn.readPointer(); |
| proxy->sendObituary(); |
| mOut.writeInt32(BC_DEAD_BINDER_DONE); |
| mOut.writePointer((uintptr_t)proxy); |
| } break; |
| |
| case BR_CLEAR_DEATH_NOTIFICATION_DONE: |
| { |
| BpBinder *proxy = (BpBinder*)mIn.readPointer(); |
| proxy->getWeakRefs()->decWeak(proxy); |
| } break; |
| |
| case BR_FROZEN_BINDER: { |
| const struct binder_frozen_state_info* data = |
| reinterpret_cast<const struct binder_frozen_state_info*>( |
| mIn.readInplace(sizeof(struct binder_frozen_state_info))); |
| if (data == nullptr) { |
| result = UNKNOWN_ERROR; |
| break; |
| } |
| BpBinder* proxy = (BpBinder*)data->cookie; |
| bool isFrozen = mIn.readInt32() > 0; |
| proxy->getPrivateAccessor().onFrozenStateChanged(data->is_frozen); |
| mOut.writeInt32(BC_FREEZE_NOTIFICATION_DONE); |
| mOut.writePointer(data->cookie); |
| } break; |
| |
| case BR_CLEAR_FREEZE_NOTIFICATION_DONE: { |
| BpBinder* proxy = (BpBinder*)mIn.readPointer(); |
| proxy->getWeakRefs()->decWeak(proxy); |
| } break; |
| |
| case BR_FINISHED: |
| result = TIMED_OUT; |
| break; |
| |
| case BR_NOOP: |
| break; |
| |
| case BR_SPAWN_LOOPER: |
| mProcess->spawnPooledThread(false); |
| break; |
| |
| default: |
| ALOGE("*** BAD COMMAND %d received from Binder driver\n", cmd); |
| result = UNKNOWN_ERROR; |
| break; |
| } |
| |
| if (result != NO_ERROR) { |
| mLastError = result; |
| } |
| |
| return result; |
| } |
| |
| const void* IPCThreadState::getServingStackPointer() const { |
| return mServingStackPointer; |
| } |
| |
| void IPCThreadState::threadDestructor(void *st) |
| { |
| IPCThreadState* const self = static_cast<IPCThreadState*>(st); |
| if (self) { |
| self->flushCommands(); |
| #if defined(__ANDROID__) |
| if (self->mProcess->mDriverFD >= 0) { |
| ioctl(self->mProcess->mDriverFD, BINDER_THREAD_EXIT, 0); |
| } |
| #endif |
| delete self; |
| } |
| } |
| |
| status_t IPCThreadState::getProcessFreezeInfo(pid_t pid, uint32_t *sync_received, |
| uint32_t *async_received) |
| { |
| int ret = 0; |
| binder_frozen_status_info info = {}; |
| info.pid = pid; |
| |
| #if defined(__ANDROID__) |
| if (ioctl(self()->mProcess->mDriverFD, BINDER_GET_FROZEN_INFO, &info) < 0) |
| ret = -errno; |
| #endif |
| *sync_received = info.sync_recv; |
| *async_received = info.async_recv; |
| |
| return ret; |
| } |
| |
| status_t IPCThreadState::freeze(pid_t pid, bool enable, uint32_t timeout_ms) { |
| struct binder_freeze_info info; |
| int ret = 0; |
| |
| info.pid = pid; |
| info.enable = enable; |
| info.timeout_ms = timeout_ms; |
| |
| |
| #if defined(__ANDROID__) |
| if (ioctl(self()->mProcess->mDriverFD, BINDER_FREEZE, &info) < 0) |
| ret = -errno; |
| #endif |
| |
| // |
| // ret==-EAGAIN indicates that transactions have not drained. |
| // Call again to poll for completion. |
| // |
| return ret; |
| } |
| |
| void IPCThreadState::logExtendedError() { |
| struct binder_extended_error ee = {.command = BR_OK}; |
| |
| if (!ProcessState::isDriverFeatureEnabled(ProcessState::DriverFeature::EXTENDED_ERROR)) |
| return; |
| |
| #if defined(__ANDROID__) |
| if (ioctl(self()->mProcess->mDriverFD, BINDER_GET_EXTENDED_ERROR, &ee) < 0) { |
| ALOGE("Failed to get extended error: %s", strerror(errno)); |
| return; |
| } |
| #endif |
| |
| ALOGE_IF(ee.command != BR_OK, "Binder transaction failure. id: %d, BR_*: %d, error: %d (%s)", |
| ee.id, ee.command, ee.param, strerror(-ee.param)); |
| } |
| |
| void IPCThreadState::freeBuffer(const uint8_t* data, size_t /*dataSize*/, |
| const binder_size_t* /*objects*/, size_t /*objectsSize*/) { |
| //ALOGI("Freeing parcel %p", &parcel); |
| IF_LOG_COMMANDS() { |
| std::ostringstream logStream; |
| logStream << "Writing BC_FREE_BUFFER for " << data << "\n"; |
| std::string message = logStream.str(); |
| ALOGI("%s", message.c_str()); |
| } |
| ALOG_ASSERT(data != NULL, "Called with NULL data"); |
| IPCThreadState* state = self(); |
| state->mOut.writeInt32(BC_FREE_BUFFER); |
| state->mOut.writePointer((uintptr_t)data); |
| state->flushIfNeeded(); |
| } |
| |
| } // namespace android |