1 /*
2 * Copyright (C) 2005 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "IPCThreadState"
18
19 #include <binder/IPCThreadState.h>
20
21 #include <binder/Binder.h>
22 #include <binder/BpBinder.h>
23 #include <binder/TextOutput.h>
24
25 #include <android-base/macros.h>
26 #include <cutils/sched_policy.h>
27 #include <utils/CallStack.h>
28 #include <utils/Log.h>
29 #include <utils/SystemClock.h>
30 #include <utils/threads.h>
31
32 #include <private/binder/binder_module.h>
33
34 #include <atomic>
35 #include <errno.h>
36 #include <inttypes.h>
37 #include <pthread.h>
38 #include <sched.h>
39 #include <signal.h>
40 #include <stdio.h>
41 #include <sys/ioctl.h>
42 #include <sys/resource.h>
43 #include <unistd.h>
44
45 #include "Static.h"
46
47 #if LOG_NDEBUG
48
49 #define IF_LOG_TRANSACTIONS() if (false)
50 #define IF_LOG_COMMANDS() if (false)
51 #define LOG_REMOTEREFS(...)
52 #define IF_LOG_REMOTEREFS() if (false)
53
54 #define LOG_THREADPOOL(...)
55 #define LOG_ONEWAY(...)
56
57 #else
58
59 #define IF_LOG_TRANSACTIONS() IF_ALOG(LOG_VERBOSE, "transact")
60 #define IF_LOG_COMMANDS() IF_ALOG(LOG_VERBOSE, "ipc")
61 #define LOG_REMOTEREFS(...) ALOG(LOG_DEBUG, "remoterefs", __VA_ARGS__)
62 #define IF_LOG_REMOTEREFS() IF_ALOG(LOG_DEBUG, "remoterefs")
63 #define LOG_THREADPOOL(...) ALOG(LOG_DEBUG, "threadpool", __VA_ARGS__)
64 #define LOG_ONEWAY(...) ALOG(LOG_DEBUG, "ipc", __VA_ARGS__)
65
66 #endif
67
68 // ---------------------------------------------------------------------------
69
70 namespace android {
71
72 // Static const and functions will be optimized out if not used,
73 // when LOG_NDEBUG and references in IF_LOG_COMMANDS() are optimized out.
74 static const char *kReturnStrings[] = {
75 "BR_ERROR",
76 "BR_OK",
77 "BR_TRANSACTION",
78 "BR_REPLY",
79 "BR_ACQUIRE_RESULT",
80 "BR_DEAD_REPLY",
81 "BR_TRANSACTION_COMPLETE",
82 "BR_INCREFS",
83 "BR_ACQUIRE",
84 "BR_RELEASE",
85 "BR_DECREFS",
86 "BR_ATTEMPT_ACQUIRE",
87 "BR_NOOP",
88 "BR_SPAWN_LOOPER",
89 "BR_FINISHED",
90 "BR_DEAD_BINDER",
91 "BR_CLEAR_DEATH_NOTIFICATION_DONE",
92 "BR_FAILED_REPLY",
93 "BR_TRANSACTION_SEC_CTX",
94 };
95
96 static const char *kCommandStrings[] = {
97 "BC_TRANSACTION",
98 "BC_REPLY",
99 "BC_ACQUIRE_RESULT",
100 "BC_FREE_BUFFER",
101 "BC_INCREFS",
102 "BC_ACQUIRE",
103 "BC_RELEASE",
104 "BC_DECREFS",
105 "BC_INCREFS_DONE",
106 "BC_ACQUIRE_DONE",
107 "BC_ATTEMPT_ACQUIRE",
108 "BC_REGISTER_LOOPER",
109 "BC_ENTER_LOOPER",
110 "BC_EXIT_LOOPER",
111 "BC_REQUEST_DEATH_NOTIFICATION",
112 "BC_CLEAR_DEATH_NOTIFICATION",
113 "BC_DEAD_BINDER_DONE"
114 };
115
116 static const int64_t kWorkSourcePropagatedBitIndex = 32;
117
getReturnString(uint32_t cmd)118 static const char* getReturnString(uint32_t cmd)
119 {
120 size_t idx = cmd & _IOC_NRMASK;
121 if (idx < sizeof(kReturnStrings) / sizeof(kReturnStrings[0]))
122 return kReturnStrings[idx];
123 else
124 return "unknown";
125 }
126
printBinderTransactionData(TextOutput & out,const void * data)127 static const void* printBinderTransactionData(TextOutput& out, const void* data)
128 {
129 const binder_transaction_data* btd =
130 (const binder_transaction_data*)data;
131 if (btd->target.handle < 1024) {
132 /* want to print descriptors in decimal; guess based on value */
133 out << "target.desc=" << btd->target.handle;
134 } else {
135 out << "target.ptr=" << btd->target.ptr;
136 }
137 out << " (cookie " << btd->cookie << ")" << endl
138 << "code=" << TypeCode(btd->code) << ", flags=" << (void*)(long)btd->flags << endl
139 << "data=" << btd->data.ptr.buffer << " (" << (void*)btd->data_size
140 << " bytes)" << endl
141 << "offsets=" << btd->data.ptr.offsets << " (" << (void*)btd->offsets_size
142 << " bytes)";
143 return btd+1;
144 }
145
printReturnCommand(TextOutput & out,const void * _cmd)146 static const void* printReturnCommand(TextOutput& out, const void* _cmd)
147 {
148 static const size_t N = sizeof(kReturnStrings)/sizeof(kReturnStrings[0]);
149 const int32_t* cmd = (const int32_t*)_cmd;
150 uint32_t code = (uint32_t)*cmd++;
151 size_t cmdIndex = code & 0xff;
152 if (code == BR_ERROR) {
153 out << "BR_ERROR: " << (void*)(long)(*cmd++) << endl;
154 return cmd;
155 } else if (cmdIndex >= N) {
156 out << "Unknown reply: " << code << endl;
157 return cmd;
158 }
159 out << kReturnStrings[cmdIndex];
160
161 switch (code) {
162 case BR_TRANSACTION:
163 case BR_REPLY: {
164 out << ": " << indent;
165 cmd = (const int32_t *)printBinderTransactionData(out, cmd);
166 out << dedent;
167 } break;
168
169 case BR_ACQUIRE_RESULT: {
170 const int32_t res = *cmd++;
171 out << ": " << res << (res ? " (SUCCESS)" : " (FAILURE)");
172 } break;
173
174 case BR_INCREFS:
175 case BR_ACQUIRE:
176 case BR_RELEASE:
177 case BR_DECREFS: {
178 const int32_t b = *cmd++;
179 const int32_t c = *cmd++;
180 out << ": target=" << (void*)(long)b << " (cookie " << (void*)(long)c << ")";
181 } break;
182
183 case BR_ATTEMPT_ACQUIRE: {
184 const int32_t p = *cmd++;
185 const int32_t b = *cmd++;
186 const int32_t c = *cmd++;
187 out << ": target=" << (void*)(long)b << " (cookie " << (void*)(long)c
188 << "), pri=" << p;
189 } break;
190
191 case BR_DEAD_BINDER:
192 case BR_CLEAR_DEATH_NOTIFICATION_DONE: {
193 const int32_t c = *cmd++;
194 out << ": death cookie " << (void*)(long)c;
195 } break;
196
197 default:
198 // no details to show for: BR_OK, BR_DEAD_REPLY,
199 // BR_TRANSACTION_COMPLETE, BR_FINISHED
200 break;
201 }
202
203 out << endl;
204 return cmd;
205 }
206
printCommand(TextOutput & out,const void * _cmd)207 static const void* printCommand(TextOutput& out, const void* _cmd)
208 {
209 static const size_t N = sizeof(kCommandStrings)/sizeof(kCommandStrings[0]);
210 const int32_t* cmd = (const int32_t*)_cmd;
211 uint32_t code = (uint32_t)*cmd++;
212 size_t cmdIndex = code & 0xff;
213
214 if (cmdIndex >= N) {
215 out << "Unknown command: " << code << endl;
216 return cmd;
217 }
218 out << kCommandStrings[cmdIndex];
219
220 switch (code) {
221 case BC_TRANSACTION:
222 case BC_REPLY: {
223 out << ": " << indent;
224 cmd = (const int32_t *)printBinderTransactionData(out, cmd);
225 out << dedent;
226 } break;
227
228 case BC_ACQUIRE_RESULT: {
229 const int32_t res = *cmd++;
230 out << ": " << res << (res ? " (SUCCESS)" : " (FAILURE)");
231 } break;
232
233 case BC_FREE_BUFFER: {
234 const int32_t buf = *cmd++;
235 out << ": buffer=" << (void*)(long)buf;
236 } break;
237
238 case BC_INCREFS:
239 case BC_ACQUIRE:
240 case BC_RELEASE:
241 case BC_DECREFS: {
242 const int32_t d = *cmd++;
243 out << ": desc=" << d;
244 } break;
245
246 case BC_INCREFS_DONE:
247 case BC_ACQUIRE_DONE: {
248 const int32_t b = *cmd++;
249 const int32_t c = *cmd++;
250 out << ": target=" << (void*)(long)b << " (cookie " << (void*)(long)c << ")";
251 } break;
252
253 case BC_ATTEMPT_ACQUIRE: {
254 const int32_t p = *cmd++;
255 const int32_t d = *cmd++;
256 out << ": desc=" << d << ", pri=" << p;
257 } break;
258
259 case BC_REQUEST_DEATH_NOTIFICATION:
260 case BC_CLEAR_DEATH_NOTIFICATION: {
261 const int32_t h = *cmd++;
262 const int32_t c = *cmd++;
263 out << ": handle=" << h << " (death cookie " << (void*)(long)c << ")";
264 } break;
265
266 case BC_DEAD_BINDER_DONE: {
267 const int32_t c = *cmd++;
268 out << ": death cookie " << (void*)(long)c;
269 } break;
270
271 default:
272 // no details to show for: BC_REGISTER_LOOPER, BC_ENTER_LOOPER,
273 // BC_EXIT_LOOPER
274 break;
275 }
276
277 out << endl;
278 return cmd;
279 }
280
281 static pthread_mutex_t gTLSMutex = PTHREAD_MUTEX_INITIALIZER;
282 static std::atomic<bool> gHaveTLS(false);
283 static pthread_key_t gTLS = 0;
284 static std::atomic<bool> gShutdown = false;
285 static std::atomic<bool> gDisableBackgroundScheduling = false;
286
self()287 IPCThreadState* IPCThreadState::self()
288 {
289 if (gHaveTLS.load(std::memory_order_acquire)) {
290 restart:
291 const pthread_key_t k = gTLS;
292 IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k);
293 if (st) return st;
294 return new IPCThreadState;
295 }
296
297 // Racey, heuristic test for simultaneous shutdown.
298 if (gShutdown.load(std::memory_order_relaxed)) {
299 ALOGW("Calling IPCThreadState::self() during shutdown is dangerous, expect a crash.\n");
300 return nullptr;
301 }
302
303 pthread_mutex_lock(&gTLSMutex);
304 if (!gHaveTLS.load(std::memory_order_relaxed)) {
305 int key_create_value = pthread_key_create(&gTLS, threadDestructor);
306 if (key_create_value != 0) {
307 pthread_mutex_unlock(&gTLSMutex);
308 ALOGW("IPCThreadState::self() unable to create TLS key, expect a crash: %s\n",
309 strerror(key_create_value));
310 return nullptr;
311 }
312 gHaveTLS.store(true, std::memory_order_release);
313 }
314 pthread_mutex_unlock(&gTLSMutex);
315 goto restart;
316 }
317
selfOrNull()318 IPCThreadState* IPCThreadState::selfOrNull()
319 {
320 if (gHaveTLS.load(std::memory_order_acquire)) {
321 const pthread_key_t k = gTLS;
322 IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k);
323 return st;
324 }
325 return nullptr;
326 }
327
shutdown()328 void IPCThreadState::shutdown()
329 {
330 gShutdown.store(true, std::memory_order_relaxed);
331
332 if (gHaveTLS.load(std::memory_order_acquire)) {
333 // XXX Need to wait for all thread pool threads to exit!
334 IPCThreadState* st = (IPCThreadState*)pthread_getspecific(gTLS);
335 if (st) {
336 delete st;
337 pthread_setspecific(gTLS, nullptr);
338 }
339 pthread_key_delete(gTLS);
340 gHaveTLS.store(false, std::memory_order_release);
341 }
342 }
343
disableBackgroundScheduling(bool disable)344 void IPCThreadState::disableBackgroundScheduling(bool disable)
345 {
346 gDisableBackgroundScheduling.store(disable, std::memory_order_relaxed);
347 }
348
backgroundSchedulingDisabled()349 bool IPCThreadState::backgroundSchedulingDisabled()
350 {
351 return gDisableBackgroundScheduling.load(std::memory_order_relaxed);
352 }
353
process()354 sp<ProcessState> IPCThreadState::process()
355 {
356 return mProcess;
357 }
358
clearLastError()359 status_t IPCThreadState::clearLastError()
360 {
361 const status_t err = mLastError;
362 mLastError = NO_ERROR;
363 return err;
364 }
365
getCallingPid() const366 pid_t IPCThreadState::getCallingPid() const
367 {
368 return mCallingPid;
369 }
370
getCallingSid() const371 const char* IPCThreadState::getCallingSid() const
372 {
373 return mCallingSid;
374 }
375
getCallingUid() const376 uid_t IPCThreadState::getCallingUid() const
377 {
378 return mCallingUid;
379 }
380
clearCallingIdentity()381 int64_t IPCThreadState::clearCallingIdentity()
382 {
383 // ignore mCallingSid for legacy reasons
384 int64_t token = ((int64_t)mCallingUid<<32) | mCallingPid;
385 clearCaller();
386 return token;
387 }
388
setStrictModePolicy(int32_t policy)389 void IPCThreadState::setStrictModePolicy(int32_t policy)
390 {
391 mStrictModePolicy = policy;
392 }
393
getStrictModePolicy() const394 int32_t IPCThreadState::getStrictModePolicy() const
395 {
396 return mStrictModePolicy;
397 }
398
setCallingWorkSourceUid(uid_t uid)399 int64_t IPCThreadState::setCallingWorkSourceUid(uid_t uid)
400 {
401 int64_t token = setCallingWorkSourceUidWithoutPropagation(uid);
402 mPropagateWorkSource = true;
403 return token;
404 }
405
setCallingWorkSourceUidWithoutPropagation(uid_t uid)406 int64_t IPCThreadState::setCallingWorkSourceUidWithoutPropagation(uid_t uid)
407 {
408 const int64_t propagatedBit = ((int64_t)mPropagateWorkSource) << kWorkSourcePropagatedBitIndex;
409 int64_t token = propagatedBit | mWorkSource;
410 mWorkSource = uid;
411 return token;
412 }
413
clearPropagateWorkSource()414 void IPCThreadState::clearPropagateWorkSource()
415 {
416 mPropagateWorkSource = false;
417 }
418
shouldPropagateWorkSource() const419 bool IPCThreadState::shouldPropagateWorkSource() const
420 {
421 return mPropagateWorkSource;
422 }
423
getCallingWorkSourceUid() const424 uid_t IPCThreadState::getCallingWorkSourceUid() const
425 {
426 return mWorkSource;
427 }
428
clearCallingWorkSource()429 int64_t IPCThreadState::clearCallingWorkSource()
430 {
431 return setCallingWorkSourceUid(kUnsetWorkSource);
432 }
433
restoreCallingWorkSource(int64_t token)434 void IPCThreadState::restoreCallingWorkSource(int64_t token)
435 {
436 uid_t uid = (int)token;
437 setCallingWorkSourceUidWithoutPropagation(uid);
438 mPropagateWorkSource = ((token >> kWorkSourcePropagatedBitIndex) & 1) == 1;
439 }
440
setLastTransactionBinderFlags(int32_t flags)441 void IPCThreadState::setLastTransactionBinderFlags(int32_t flags)
442 {
443 mLastTransactionBinderFlags = flags;
444 }
445
getLastTransactionBinderFlags() const446 int32_t IPCThreadState::getLastTransactionBinderFlags() const
447 {
448 return mLastTransactionBinderFlags;
449 }
450
restoreCallingIdentity(int64_t token)451 void IPCThreadState::restoreCallingIdentity(int64_t token)
452 {
453 mCallingUid = (int)(token>>32);
454 mCallingSid = nullptr; // not enough data to restore
455 mCallingPid = (int)token;
456 }
457
clearCaller()458 void IPCThreadState::clearCaller()
459 {
460 mCallingPid = getpid();
461 mCallingSid = nullptr; // expensive to lookup
462 mCallingUid = getuid();
463 }
464
flushCommands()465 void IPCThreadState::flushCommands()
466 {
467 if (mProcess->mDriverFD < 0)
468 return;
469 talkWithDriver(false);
470 // The flush could have caused post-write refcount decrements to have
471 // been executed, which in turn could result in BC_RELEASE/BC_DECREFS
472 // being queued in mOut. So flush again, if we need to.
473 if (mOut.dataSize() > 0) {
474 talkWithDriver(false);
475 }
476 if (mOut.dataSize() > 0) {
477 ALOGW("mOut.dataSize() > 0 after flushCommands()");
478 }
479 }
480
blockUntilThreadAvailable()481 void IPCThreadState::blockUntilThreadAvailable()
482 {
483 pthread_mutex_lock(&mProcess->mThreadCountLock);
484 while (mProcess->mExecutingThreadsCount >= mProcess->mMaxThreads) {
485 ALOGW("Waiting for thread to be free. mExecutingThreadsCount=%lu mMaxThreads=%lu\n",
486 static_cast<unsigned long>(mProcess->mExecutingThreadsCount),
487 static_cast<unsigned long>(mProcess->mMaxThreads));
488 pthread_cond_wait(&mProcess->mThreadCountDecrement, &mProcess->mThreadCountLock);
489 }
490 pthread_mutex_unlock(&mProcess->mThreadCountLock);
491 }
492
getAndExecuteCommand()493 status_t IPCThreadState::getAndExecuteCommand()
494 {
495 status_t result;
496 int32_t cmd;
497
498 result = talkWithDriver();
499 if (result >= NO_ERROR) {
500 size_t IN = mIn.dataAvail();
501 if (IN < sizeof(int32_t)) return result;
502 cmd = mIn.readInt32();
503 IF_LOG_COMMANDS() {
504 alog << "Processing top-level Command: "
505 << getReturnString(cmd) << endl;
506 }
507
508 pthread_mutex_lock(&mProcess->mThreadCountLock);
509 mProcess->mExecutingThreadsCount++;
510 if (mProcess->mExecutingThreadsCount >= mProcess->mMaxThreads &&
511 mProcess->mStarvationStartTimeMs == 0) {
512 mProcess->mStarvationStartTimeMs = uptimeMillis();
513 }
514 pthread_mutex_unlock(&mProcess->mThreadCountLock);
515
516 result = executeCommand(cmd);
517
518 pthread_mutex_lock(&mProcess->mThreadCountLock);
519 mProcess->mExecutingThreadsCount--;
520 if (mProcess->mExecutingThreadsCount < mProcess->mMaxThreads &&
521 mProcess->mStarvationStartTimeMs != 0) {
522 int64_t starvationTimeMs = uptimeMillis() - mProcess->mStarvationStartTimeMs;
523 if (starvationTimeMs > 100) {
524 ALOGE("binder thread pool (%zu threads) starved for %" PRId64 " ms",
525 mProcess->mMaxThreads, starvationTimeMs);
526 }
527 mProcess->mStarvationStartTimeMs = 0;
528 }
529 pthread_cond_broadcast(&mProcess->mThreadCountDecrement);
530 pthread_mutex_unlock(&mProcess->mThreadCountLock);
531 }
532
533 return result;
534 }
535
536 // When we've cleared the incoming command queue, process any pending derefs
processPendingDerefs()537 void IPCThreadState::processPendingDerefs()
538 {
539 if (mIn.dataPosition() >= mIn.dataSize()) {
540 /*
541 * The decWeak()/decStrong() calls may cause a destructor to run,
542 * which in turn could have initiated an outgoing transaction,
543 * which in turn could cause us to add to the pending refs
544 * vectors; so instead of simply iterating, loop until they're empty.
545 *
546 * We do this in an outer loop, because calling decStrong()
547 * may result in something being added to mPendingWeakDerefs,
548 * which could be delayed until the next incoming command
549 * from the driver if we don't process it now.
550 */
551 while (mPendingWeakDerefs.size() > 0 || mPendingStrongDerefs.size() > 0) {
552 while (mPendingWeakDerefs.size() > 0) {
553 RefBase::weakref_type* refs = mPendingWeakDerefs[0];
554 mPendingWeakDerefs.removeAt(0);
555 refs->decWeak(mProcess.get());
556 }
557
558 if (mPendingStrongDerefs.size() > 0) {
559 // We don't use while() here because we don't want to re-order
560 // strong and weak decs at all; if this decStrong() causes both a
561 // decWeak() and a decStrong() to be queued, we want to process
562 // the decWeak() first.
563 BBinder* obj = mPendingStrongDerefs[0];
564 mPendingStrongDerefs.removeAt(0);
565 obj->decStrong(mProcess.get());
566 }
567 }
568 }
569 }
570
processPostWriteDerefs()571 void IPCThreadState::processPostWriteDerefs()
572 {
573 for (size_t i = 0; i < mPostWriteWeakDerefs.size(); i++) {
574 RefBase::weakref_type* refs = mPostWriteWeakDerefs[i];
575 refs->decWeak(mProcess.get());
576 }
577 mPostWriteWeakDerefs.clear();
578
579 for (size_t i = 0; i < mPostWriteStrongDerefs.size(); i++) {
580 RefBase* obj = mPostWriteStrongDerefs[i];
581 obj->decStrong(mProcess.get());
582 }
583 mPostWriteStrongDerefs.clear();
584 }
585
joinThreadPool(bool isMain)586 void IPCThreadState::joinThreadPool(bool isMain)
587 {
588 LOG_THREADPOOL("**** THREAD %p (PID %d) IS JOINING THE THREAD POOL\n", (void*)pthread_self(), getpid());
589
590 mOut.writeInt32(isMain ? BC_ENTER_LOOPER : BC_REGISTER_LOOPER);
591
592 status_t result;
593 do {
594 processPendingDerefs();
595 // now get the next command to be processed, waiting if necessary
596 result = getAndExecuteCommand();
597
598 if (result < NO_ERROR && result != TIMED_OUT && result != -ECONNREFUSED && result != -EBADF) {
599 LOG_ALWAYS_FATAL("getAndExecuteCommand(fd=%d) returned unexpected error %d, aborting",
600 mProcess->mDriverFD, result);
601 }
602
603 // Let this thread exit the thread pool if it is no longer
604 // needed and it is not the main process thread.
605 if(result == TIMED_OUT && !isMain) {
606 break;
607 }
608 } while (result != -ECONNREFUSED && result != -EBADF);
609
610 LOG_THREADPOOL("**** THREAD %p (PID %d) IS LEAVING THE THREAD POOL err=%d\n",
611 (void*)pthread_self(), getpid(), result);
612
613 mOut.writeInt32(BC_EXIT_LOOPER);
614 talkWithDriver(false);
615 }
616
setupPolling(int * fd)617 int IPCThreadState::setupPolling(int* fd)
618 {
619 if (mProcess->mDriverFD < 0) {
620 return -EBADF;
621 }
622
623 mOut.writeInt32(BC_ENTER_LOOPER);
624 *fd = mProcess->mDriverFD;
625 return 0;
626 }
627
handlePolledCommands()628 status_t IPCThreadState::handlePolledCommands()
629 {
630 status_t result;
631
632 do {
633 result = getAndExecuteCommand();
634 } while (mIn.dataPosition() < mIn.dataSize());
635
636 processPendingDerefs();
637 flushCommands();
638 return result;
639 }
640
stopProcess(bool)641 void IPCThreadState::stopProcess(bool /*immediate*/)
642 {
643 //ALOGI("**** STOPPING PROCESS");
644 flushCommands();
645 int fd = mProcess->mDriverFD;
646 mProcess->mDriverFD = -1;
647 close(fd);
648 //kill(getpid(), SIGKILL);
649 }
650
transact(int32_t handle,uint32_t code,const Parcel & data,Parcel * reply,uint32_t flags)651 status_t IPCThreadState::transact(int32_t handle,
652 uint32_t code, const Parcel& data,
653 Parcel* reply, uint32_t flags)
654 {
655 status_t err;
656
657 flags |= TF_ACCEPT_FDS;
658
659 IF_LOG_TRANSACTIONS() {
660 TextOutput::Bundle _b(alog);
661 alog << "BC_TRANSACTION thr " << (void*)pthread_self() << " / hand "
662 << handle << " / code " << TypeCode(code) << ": "
663 << indent << data << dedent << endl;
664 }
665
666 LOG_ONEWAY(">>>> SEND from pid %d uid %d %s", getpid(), getuid(),
667 (flags & TF_ONE_WAY) == 0 ? "READ REPLY" : "ONE WAY");
668 err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, nullptr);
669
670 if (err != NO_ERROR) {
671 if (reply) reply->setError(err);
672 return (mLastError = err);
673 }
674
675 if ((flags & TF_ONE_WAY) == 0) {
676 if (UNLIKELY(mCallRestriction != ProcessState::CallRestriction::NONE)) {
677 if (mCallRestriction == ProcessState::CallRestriction::ERROR_IF_NOT_ONEWAY) {
678 ALOGE("Process making non-oneway call (code: %u) but is restricted.", code);
679 CallStack::logStack("non-oneway call", CallStack::getCurrent(10).get(),
680 ANDROID_LOG_ERROR);
681 } else /* FATAL_IF_NOT_ONEWAY */ {
682 LOG_ALWAYS_FATAL("Process may not make oneway calls (code: %u).", code);
683 }
684 }
685
686 #if 0
687 if (code == 4) { // relayout
688 ALOGI(">>>>>> CALLING transaction 4");
689 } else {
690 ALOGI(">>>>>> CALLING transaction %d", code);
691 }
692 #endif
693 if (reply) {
694 err = waitForResponse(reply);
695 } else {
696 Parcel fakeReply;
697 err = waitForResponse(&fakeReply);
698 }
699 #if 0
700 if (code == 4) { // relayout
701 ALOGI("<<<<<< RETURNING transaction 4");
702 } else {
703 ALOGI("<<<<<< RETURNING transaction %d", code);
704 }
705 #endif
706
707 IF_LOG_TRANSACTIONS() {
708 TextOutput::Bundle _b(alog);
709 alog << "BR_REPLY thr " << (void*)pthread_self() << " / hand "
710 << handle << ": ";
711 if (reply) alog << indent << *reply << dedent << endl;
712 else alog << "(none requested)" << endl;
713 }
714 } else {
715 err = waitForResponse(nullptr, nullptr);
716 }
717
718 return err;
719 }
720
incStrongHandle(int32_t handle,BpBinder * proxy)721 void IPCThreadState::incStrongHandle(int32_t handle, BpBinder *proxy)
722 {
723 LOG_REMOTEREFS("IPCThreadState::incStrongHandle(%d)\n", handle);
724 mOut.writeInt32(BC_ACQUIRE);
725 mOut.writeInt32(handle);
726 // Create a temp reference until the driver has handled this command.
727 proxy->incStrong(mProcess.get());
728 mPostWriteStrongDerefs.push(proxy);
729 }
730
decStrongHandle(int32_t handle)731 void IPCThreadState::decStrongHandle(int32_t handle)
732 {
733 LOG_REMOTEREFS("IPCThreadState::decStrongHandle(%d)\n", handle);
734 mOut.writeInt32(BC_RELEASE);
735 mOut.writeInt32(handle);
736 }
737
incWeakHandle(int32_t handle,BpBinder * proxy)738 void IPCThreadState::incWeakHandle(int32_t handle, BpBinder *proxy)
739 {
740 LOG_REMOTEREFS("IPCThreadState::incWeakHandle(%d)\n", handle);
741 mOut.writeInt32(BC_INCREFS);
742 mOut.writeInt32(handle);
743 // Create a temp reference until the driver has handled this command.
744 proxy->getWeakRefs()->incWeak(mProcess.get());
745 mPostWriteWeakDerefs.push(proxy->getWeakRefs());
746 }
747
decWeakHandle(int32_t handle)748 void IPCThreadState::decWeakHandle(int32_t handle)
749 {
750 LOG_REMOTEREFS("IPCThreadState::decWeakHandle(%d)\n", handle);
751 mOut.writeInt32(BC_DECREFS);
752 mOut.writeInt32(handle);
753 }
754
attemptIncStrongHandle(int32_t handle)755 status_t IPCThreadState::attemptIncStrongHandle(int32_t handle)
756 {
757 #if HAS_BC_ATTEMPT_ACQUIRE
758 LOG_REMOTEREFS("IPCThreadState::attemptIncStrongHandle(%d)\n", handle);
759 mOut.writeInt32(BC_ATTEMPT_ACQUIRE);
760 mOut.writeInt32(0); // xxx was thread priority
761 mOut.writeInt32(handle);
762 status_t result = UNKNOWN_ERROR;
763
764 waitForResponse(NULL, &result);
765
766 #if LOG_REFCOUNTS
767 ALOGV("IPCThreadState::attemptIncStrongHandle(%ld) = %s\n",
768 handle, result == NO_ERROR ? "SUCCESS" : "FAILURE");
769 #endif
770
771 return result;
772 #else
773 (void)handle;
774 ALOGE("%s(%d): Not supported\n", __func__, handle);
775 return INVALID_OPERATION;
776 #endif
777 }
778
expungeHandle(int32_t handle,IBinder * binder)779 void IPCThreadState::expungeHandle(int32_t handle, IBinder* binder)
780 {
781 #if LOG_REFCOUNTS
782 ALOGV("IPCThreadState::expungeHandle(%ld)\n", handle);
783 #endif
784 self()->mProcess->expungeHandle(handle, binder); // NOLINT
785 }
786
requestDeathNotification(int32_t handle,BpBinder * proxy)787 status_t IPCThreadState::requestDeathNotification(int32_t handle, BpBinder* proxy)
788 {
789 mOut.writeInt32(BC_REQUEST_DEATH_NOTIFICATION);
790 mOut.writeInt32((int32_t)handle);
791 mOut.writePointer((uintptr_t)proxy);
792 return NO_ERROR;
793 }
794
clearDeathNotification(int32_t handle,BpBinder * proxy)795 status_t IPCThreadState::clearDeathNotification(int32_t handle, BpBinder* proxy)
796 {
797 mOut.writeInt32(BC_CLEAR_DEATH_NOTIFICATION);
798 mOut.writeInt32((int32_t)handle);
799 mOut.writePointer((uintptr_t)proxy);
800 return NO_ERROR;
801 }
802
IPCThreadState()803 IPCThreadState::IPCThreadState()
804 : mProcess(ProcessState::self()),
805 mServingStackPointer(nullptr),
806 mWorkSource(kUnsetWorkSource),
807 mPropagateWorkSource(false),
808 mStrictModePolicy(0),
809 mLastTransactionBinderFlags(0),
810 mCallRestriction(mProcess->mCallRestriction)
811 {
812 pthread_setspecific(gTLS, this);
813 clearCaller();
814 mIn.setDataCapacity(256);
815 mOut.setDataCapacity(256);
816 }
817
~IPCThreadState()818 IPCThreadState::~IPCThreadState()
819 {
820 }
821
sendReply(const Parcel & reply,uint32_t flags)822 status_t IPCThreadState::sendReply(const Parcel& reply, uint32_t flags)
823 {
824 status_t err;
825 status_t statusBuffer;
826 err = writeTransactionData(BC_REPLY, flags, -1, 0, reply, &statusBuffer);
827 if (err < NO_ERROR) return err;
828
829 return waitForResponse(nullptr, nullptr);
830 }
831
waitForResponse(Parcel * reply,status_t * acquireResult)832 status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult)
833 {
834 uint32_t cmd;
835 int32_t err;
836
837 while (1) {
838 if ((err=talkWithDriver()) < NO_ERROR) break;
839 err = mIn.errorCheck();
840 if (err < NO_ERROR) break;
841 if (mIn.dataAvail() == 0) continue;
842
843 cmd = (uint32_t)mIn.readInt32();
844
845 IF_LOG_COMMANDS() {
846 alog << "Processing waitForResponse Command: "
847 << getReturnString(cmd) << endl;
848 }
849
850 switch (cmd) {
851 case BR_TRANSACTION_COMPLETE:
852 if (!reply && !acquireResult) goto finish;
853 break;
854
855 case BR_DEAD_REPLY:
856 err = DEAD_OBJECT;
857 goto finish;
858
859 case BR_FAILED_REPLY:
860 err = FAILED_TRANSACTION;
861 goto finish;
862
863 case BR_ACQUIRE_RESULT:
864 {
865 ALOG_ASSERT(acquireResult != NULL, "Unexpected brACQUIRE_RESULT");
866 const int32_t result = mIn.readInt32();
867 if (!acquireResult) continue;
868 *acquireResult = result ? NO_ERROR : INVALID_OPERATION;
869 }
870 goto finish;
871
872 case BR_REPLY:
873 {
874 binder_transaction_data tr;
875 err = mIn.read(&tr, sizeof(tr));
876 ALOG_ASSERT(err == NO_ERROR, "Not enough command data for brREPLY");
877 if (err != NO_ERROR) goto finish;
878
879 if (reply) {
880 if ((tr.flags & TF_STATUS_CODE) == 0) {
881 reply->ipcSetDataReference(
882 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
883 tr.data_size,
884 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),
885 tr.offsets_size/sizeof(binder_size_t),
886 freeBuffer, this);
887 } else {
888 err = *reinterpret_cast<const status_t*>(tr.data.ptr.buffer);
889 freeBuffer(nullptr,
890 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
891 tr.data_size,
892 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),
893 tr.offsets_size/sizeof(binder_size_t), this);
894 }
895 } else {
896 freeBuffer(nullptr,
897 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
898 tr.data_size,
899 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),
900 tr.offsets_size/sizeof(binder_size_t), this);
901 continue;
902 }
903 }
904 goto finish;
905
906 default:
907 err = executeCommand(cmd);
908 if (err != NO_ERROR) goto finish;
909 break;
910 }
911 }
912
913 finish:
914 if (err != NO_ERROR) {
915 if (acquireResult) *acquireResult = err;
916 if (reply) reply->setError(err);
917 mLastError = err;
918 }
919
920 return err;
921 }
922
talkWithDriver(bool doReceive)923 status_t IPCThreadState::talkWithDriver(bool doReceive)
924 {
925 if (mProcess->mDriverFD < 0) {
926 return -EBADF;
927 }
928
929 binder_write_read bwr;
930
931 // Is the read buffer empty?
932 const bool needRead = mIn.dataPosition() >= mIn.dataSize();
933
934 // We don't want to write anything if we are still reading
935 // from data left in the input buffer and the caller
936 // has requested to read the next data.
937 const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0;
938
939 bwr.write_size = outAvail;
940 bwr.write_buffer = (uintptr_t)mOut.data();
941
942 // This is what we'll read.
943 if (doReceive && needRead) {
944 bwr.read_size = mIn.dataCapacity();
945 bwr.read_buffer = (uintptr_t)mIn.data();
946 } else {
947 bwr.read_size = 0;
948 bwr.read_buffer = 0;
949 }
950
951 IF_LOG_COMMANDS() {
952 TextOutput::Bundle _b(alog);
953 if (outAvail != 0) {
954 alog << "Sending commands to driver: " << indent;
955 const void* cmds = (const void*)bwr.write_buffer;
956 const void* end = ((const uint8_t*)cmds)+bwr.write_size;
957 alog << HexDump(cmds, bwr.write_size) << endl;
958 while (cmds < end) cmds = printCommand(alog, cmds);
959 alog << dedent;
960 }
961 alog << "Size of receive buffer: " << bwr.read_size
962 << ", needRead: " << needRead << ", doReceive: " << doReceive << endl;
963 }
964
965 // Return immediately if there is nothing to do.
966 if ((bwr.write_size == 0) && (bwr.read_size == 0)) return NO_ERROR;
967
968 bwr.write_consumed = 0;
969 bwr.read_consumed = 0;
970 status_t err;
971 do {
972 IF_LOG_COMMANDS() {
973 alog << "About to read/write, write size = " << mOut.dataSize() << endl;
974 }
975 #if defined(__ANDROID__)
976 if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)
977 err = NO_ERROR;
978 else
979 err = -errno;
980 #else
981 err = INVALID_OPERATION;
982 #endif
983 if (mProcess->mDriverFD < 0) {
984 err = -EBADF;
985 }
986 IF_LOG_COMMANDS() {
987 alog << "Finished read/write, write size = " << mOut.dataSize() << endl;
988 }
989 } while (err == -EINTR);
990
991 IF_LOG_COMMANDS() {
992 alog << "Our err: " << (void*)(intptr_t)err << ", write consumed: "
993 << bwr.write_consumed << " (of " << mOut.dataSize()
994 << "), read consumed: " << bwr.read_consumed << endl;
995 }
996
997 if (err >= NO_ERROR) {
998 if (bwr.write_consumed > 0) {
999 if (bwr.write_consumed < mOut.dataSize())
1000 LOG_ALWAYS_FATAL("Driver did not consume write buffer. "
1001 "err: %s consumed: %zu of %zu",
1002 statusToString(err).c_str(),
1003 (size_t)bwr.write_consumed,
1004 mOut.dataSize());
1005 else {
1006 mOut.setDataSize(0);
1007 processPostWriteDerefs();
1008 }
1009 }
1010 if (bwr.read_consumed > 0) {
1011 mIn.setDataSize(bwr.read_consumed);
1012 mIn.setDataPosition(0);
1013 }
1014 IF_LOG_COMMANDS() {
1015 TextOutput::Bundle _b(alog);
1016 alog << "Remaining data size: " << mOut.dataSize() << endl;
1017 alog << "Received commands from driver: " << indent;
1018 const void* cmds = mIn.data();
1019 const void* end = mIn.data() + mIn.dataSize();
1020 alog << HexDump(cmds, mIn.dataSize()) << endl;
1021 while (cmds < end) cmds = printReturnCommand(alog, cmds);
1022 alog << dedent;
1023 }
1024 return NO_ERROR;
1025 }
1026
1027 return err;
1028 }
1029
writeTransactionData(int32_t cmd,uint32_t binderFlags,int32_t handle,uint32_t code,const Parcel & data,status_t * statusBuffer)1030 status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
1031 int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer)
1032 {
1033 binder_transaction_data tr;
1034
1035 tr.target.ptr = 0; /* Don't pass uninitialized stack data to a remote process */
1036 tr.target.handle = handle;
1037 tr.code = code;
1038 tr.flags = binderFlags;
1039 tr.cookie = 0;
1040 tr.sender_pid = 0;
1041 tr.sender_euid = 0;
1042
1043 const status_t err = data.errorCheck();
1044 if (err == NO_ERROR) {
1045 tr.data_size = data.ipcDataSize();
1046 tr.data.ptr.buffer = data.ipcData();
1047 tr.offsets_size = data.ipcObjectsCount()*sizeof(binder_size_t);
1048 tr.data.ptr.offsets = data.ipcObjects();
1049 } else if (statusBuffer) {
1050 tr.flags |= TF_STATUS_CODE;
1051 *statusBuffer = err;
1052 tr.data_size = sizeof(status_t);
1053 tr.data.ptr.buffer = reinterpret_cast<uintptr_t>(statusBuffer);
1054 tr.offsets_size = 0;
1055 tr.data.ptr.offsets = 0;
1056 } else {
1057 return (mLastError = err);
1058 }
1059
1060 mOut.writeInt32(cmd);
1061 mOut.write(&tr, sizeof(tr));
1062
1063 return NO_ERROR;
1064 }
1065
1066 sp<BBinder> the_context_object;
1067
setTheContextObject(sp<BBinder> obj)1068 void IPCThreadState::setTheContextObject(sp<BBinder> obj)
1069 {
1070 the_context_object = obj;
1071 }
1072
executeCommand(int32_t cmd)1073 status_t IPCThreadState::executeCommand(int32_t cmd)
1074 {
1075 BBinder* obj;
1076 RefBase::weakref_type* refs;
1077 status_t result = NO_ERROR;
1078
1079 switch ((uint32_t)cmd) {
1080 case BR_ERROR:
1081 result = mIn.readInt32();
1082 break;
1083
1084 case BR_OK:
1085 break;
1086
1087 case BR_ACQUIRE:
1088 refs = (RefBase::weakref_type*)mIn.readPointer();
1089 obj = (BBinder*)mIn.readPointer();
1090 ALOG_ASSERT(refs->refBase() == obj,
1091 "BR_ACQUIRE: object %p does not match cookie %p (expected %p)",
1092 refs, obj, refs->refBase());
1093 obj->incStrong(mProcess.get());
1094 IF_LOG_REMOTEREFS() {
1095 LOG_REMOTEREFS("BR_ACQUIRE from driver on %p", obj);
1096 obj->printRefs();
1097 }
1098 mOut.writeInt32(BC_ACQUIRE_DONE);
1099 mOut.writePointer((uintptr_t)refs);
1100 mOut.writePointer((uintptr_t)obj);
1101 break;
1102
1103 case BR_RELEASE:
1104 refs = (RefBase::weakref_type*)mIn.readPointer();
1105 obj = (BBinder*)mIn.readPointer();
1106 ALOG_ASSERT(refs->refBase() == obj,
1107 "BR_RELEASE: object %p does not match cookie %p (expected %p)",
1108 refs, obj, refs->refBase());
1109 IF_LOG_REMOTEREFS() {
1110 LOG_REMOTEREFS("BR_RELEASE from driver on %p", obj);
1111 obj->printRefs();
1112 }
1113 mPendingStrongDerefs.push(obj);
1114 break;
1115
1116 case BR_INCREFS:
1117 refs = (RefBase::weakref_type*)mIn.readPointer();
1118 obj = (BBinder*)mIn.readPointer();
1119 refs->incWeak(mProcess.get());
1120 mOut.writeInt32(BC_INCREFS_DONE);
1121 mOut.writePointer((uintptr_t)refs);
1122 mOut.writePointer((uintptr_t)obj);
1123 break;
1124
1125 case BR_DECREFS:
1126 refs = (RefBase::weakref_type*)mIn.readPointer();
1127 obj = (BBinder*)mIn.readPointer();
1128 // NOTE: This assertion is not valid, because the object may no
1129 // longer exist (thus the (BBinder*)cast above resulting in a different
1130 // memory address).
1131 //ALOG_ASSERT(refs->refBase() == obj,
1132 // "BR_DECREFS: object %p does not match cookie %p (expected %p)",
1133 // refs, obj, refs->refBase());
1134 mPendingWeakDerefs.push(refs);
1135 break;
1136
1137 case BR_ATTEMPT_ACQUIRE:
1138 refs = (RefBase::weakref_type*)mIn.readPointer();
1139 obj = (BBinder*)mIn.readPointer();
1140
1141 {
1142 const bool success = refs->attemptIncStrong(mProcess.get());
1143 ALOG_ASSERT(success && refs->refBase() == obj,
1144 "BR_ATTEMPT_ACQUIRE: object %p does not match cookie %p (expected %p)",
1145 refs, obj, refs->refBase());
1146
1147 mOut.writeInt32(BC_ACQUIRE_RESULT);
1148 mOut.writeInt32((int32_t)success);
1149 }
1150 break;
1151
1152 case BR_TRANSACTION_SEC_CTX:
1153 case BR_TRANSACTION:
1154 {
1155 binder_transaction_data_secctx tr_secctx;
1156 binder_transaction_data& tr = tr_secctx.transaction_data;
1157
1158 if (cmd == (int) BR_TRANSACTION_SEC_CTX) {
1159 result = mIn.read(&tr_secctx, sizeof(tr_secctx));
1160 } else {
1161 result = mIn.read(&tr, sizeof(tr));
1162 tr_secctx.secctx = 0;
1163 }
1164
1165 ALOG_ASSERT(result == NO_ERROR,
1166 "Not enough command data for brTRANSACTION");
1167 if (result != NO_ERROR) break;
1168
1169 Parcel buffer;
1170 buffer.ipcSetDataReference(
1171 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
1172 tr.data_size,
1173 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),
1174 tr.offsets_size/sizeof(binder_size_t), freeBuffer, this);
1175
1176 const void* origServingStackPointer = mServingStackPointer;
1177 mServingStackPointer = &origServingStackPointer; // anything on the stack
1178
1179 const pid_t origPid = mCallingPid;
1180 const char* origSid = mCallingSid;
1181 const uid_t origUid = mCallingUid;
1182 const int32_t origStrictModePolicy = mStrictModePolicy;
1183 const int32_t origTransactionBinderFlags = mLastTransactionBinderFlags;
1184 const int32_t origWorkSource = mWorkSource;
1185 const bool origPropagateWorkSet = mPropagateWorkSource;
1186 // Calling work source will be set by Parcel#enforceInterface. Parcel#enforceInterface
1187 // is only guaranteed to be called for AIDL-generated stubs so we reset the work source
1188 // here to never propagate it.
1189 clearCallingWorkSource();
1190 clearPropagateWorkSource();
1191
1192 mCallingPid = tr.sender_pid;
1193 mCallingSid = reinterpret_cast<const char*>(tr_secctx.secctx);
1194 mCallingUid = tr.sender_euid;
1195 mLastTransactionBinderFlags = tr.flags;
1196
1197 // ALOGI(">>>> TRANSACT from pid %d sid %s uid %d\n", mCallingPid,
1198 // (mCallingSid ? mCallingSid : "<N/A>"), mCallingUid);
1199
1200 Parcel reply;
1201 status_t error;
1202 IF_LOG_TRANSACTIONS() {
1203 TextOutput::Bundle _b(alog);
1204 alog << "BR_TRANSACTION thr " << (void*)pthread_self()
1205 << " / obj " << tr.target.ptr << " / code "
1206 << TypeCode(tr.code) << ": " << indent << buffer
1207 << dedent << endl
1208 << "Data addr = "
1209 << reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer)
1210 << ", offsets addr="
1211 << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl;
1212 }
1213 if (tr.target.ptr) {
1214 // We only have a weak reference on the target object, so we must first try to
1215 // safely acquire a strong reference before doing anything else with it.
1216 if (reinterpret_cast<RefBase::weakref_type*>(
1217 tr.target.ptr)->attemptIncStrong(this)) {
1218 error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer,
1219 &reply, tr.flags);
1220 reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this);
1221 } else {
1222 error = UNKNOWN_TRANSACTION;
1223 }
1224
1225 } else {
1226 error = the_context_object->transact(tr.code, buffer, &reply, tr.flags);
1227 }
1228
1229 //ALOGI("<<<< TRANSACT from pid %d restore pid %d sid %s uid %d\n",
1230 // mCallingPid, origPid, (origSid ? origSid : "<N/A>"), origUid);
1231
1232 if ((tr.flags & TF_ONE_WAY) == 0) {
1233 LOG_ONEWAY("Sending reply to %d!", mCallingPid);
1234 if (error < NO_ERROR) reply.setError(error);
1235 sendReply(reply, 0);
1236 } else {
1237 if (error != OK || reply.dataSize() != 0) {
1238 alog << "oneway function results will be dropped but finished with status "
1239 << statusToString(error)
1240 << " and parcel size " << reply.dataSize() << endl;
1241 }
1242 LOG_ONEWAY("NOT sending reply to %d!", mCallingPid);
1243 }
1244
1245 mServingStackPointer = origServingStackPointer;
1246 mCallingPid = origPid;
1247 mCallingSid = origSid;
1248 mCallingUid = origUid;
1249 mStrictModePolicy = origStrictModePolicy;
1250 mLastTransactionBinderFlags = origTransactionBinderFlags;
1251 mWorkSource = origWorkSource;
1252 mPropagateWorkSource = origPropagateWorkSet;
1253
1254 IF_LOG_TRANSACTIONS() {
1255 TextOutput::Bundle _b(alog);
1256 alog << "BC_REPLY thr " << (void*)pthread_self() << " / obj "
1257 << tr.target.ptr << ": " << indent << reply << dedent << endl;
1258 }
1259
1260 }
1261 break;
1262
1263 case BR_DEAD_BINDER:
1264 {
1265 BpBinder *proxy = (BpBinder*)mIn.readPointer();
1266 proxy->sendObituary();
1267 mOut.writeInt32(BC_DEAD_BINDER_DONE);
1268 mOut.writePointer((uintptr_t)proxy);
1269 } break;
1270
1271 case BR_CLEAR_DEATH_NOTIFICATION_DONE:
1272 {
1273 BpBinder *proxy = (BpBinder*)mIn.readPointer();
1274 proxy->getWeakRefs()->decWeak(proxy);
1275 } break;
1276
1277 case BR_FINISHED:
1278 result = TIMED_OUT;
1279 break;
1280
1281 case BR_NOOP:
1282 break;
1283
1284 case BR_SPAWN_LOOPER:
1285 mProcess->spawnPooledThread(false);
1286 break;
1287
1288 default:
1289 ALOGE("*** BAD COMMAND %d received from Binder driver\n", cmd);
1290 result = UNKNOWN_ERROR;
1291 break;
1292 }
1293
1294 if (result != NO_ERROR) {
1295 mLastError = result;
1296 }
1297
1298 return result;
1299 }
1300
getServingStackPointer() const1301 const void* IPCThreadState::getServingStackPointer() const {
1302 return mServingStackPointer;
1303 }
1304
threadDestructor(void * st)1305 void IPCThreadState::threadDestructor(void *st)
1306 {
1307 IPCThreadState* const self = static_cast<IPCThreadState*>(st);
1308 if (self) {
1309 self->flushCommands();
1310 #if defined(__ANDROID__)
1311 if (self->mProcess->mDriverFD >= 0) {
1312 ioctl(self->mProcess->mDriverFD, BINDER_THREAD_EXIT, 0);
1313 }
1314 #endif
1315 delete self;
1316 }
1317 }
1318
1319
freeBuffer(Parcel * parcel,const uint8_t * data,size_t,const binder_size_t *,size_t,void *)1320 void IPCThreadState::freeBuffer(Parcel* parcel, const uint8_t* data,
1321 size_t /*dataSize*/,
1322 const binder_size_t* /*objects*/,
1323 size_t /*objectsSize*/, void* /*cookie*/)
1324 {
1325 //ALOGI("Freeing parcel %p", &parcel);
1326 IF_LOG_COMMANDS() {
1327 alog << "Writing BC_FREE_BUFFER for " << data << endl;
1328 }
1329 ALOG_ASSERT(data != NULL, "Called with NULL data");
1330 if (parcel != nullptr) parcel->closeFileDescriptors();
1331 IPCThreadState* state = self();
1332 state->mOut.writeInt32(BC_FREE_BUFFER);
1333 state->mOut.writePointer((uintptr_t)data);
1334 }
1335
1336 } // namespace android
1337