1 /*
2 * Copyright (C) 2005 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "ProcessState"
18
19 #include <binder/ProcessState.h>
20
21 #include <binder/BpBinder.h>
22 #include <binder/IPCThreadState.h>
23 #include <binder/IServiceManager.h>
24 #include <cutils/atomic.h>
25 #include <utils/Log.h>
26 #include <utils/String8.h>
27 #include <utils/String8.h>
28 #include <utils/threads.h>
29
30 #include <private/binder/binder_module.h>
31 #include <private/binder/Static.h>
32
33 #include <errno.h>
34 #include <fcntl.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <unistd.h>
38 #include <sys/ioctl.h>
39 #include <sys/mman.h>
40 #include <sys/stat.h>
41 #include <sys/types.h>
42
43 #define BINDER_VM_SIZE ((1 * 1024 * 1024) - sysconf(_SC_PAGE_SIZE) * 2)
44 #define DEFAULT_MAX_BINDER_THREADS 15
45
46 // -------------------------------------------------------------------------
47
48 namespace android {
49
50 class PoolThread : public Thread
51 {
52 public:
PoolThread(bool isMain)53 explicit PoolThread(bool isMain)
54 : mIsMain(isMain)
55 {
56 }
57
58 protected:
threadLoop()59 virtual bool threadLoop()
60 {
61 IPCThreadState::self()->joinThreadPool(mIsMain);
62 return false;
63 }
64
65 const bool mIsMain;
66 };
67
self()68 sp<ProcessState> ProcessState::self()
69 {
70 Mutex::Autolock _l(gProcessMutex);
71 if (gProcess != NULL) {
72 return gProcess;
73 }
74 gProcess = new ProcessState("/dev/binder");
75 return gProcess;
76 }
77
initWithDriver(const char * driver)78 sp<ProcessState> ProcessState::initWithDriver(const char* driver)
79 {
80 Mutex::Autolock _l(gProcessMutex);
81 if (gProcess != NULL) {
82 // Allow for initWithDriver to be called repeatedly with the same
83 // driver.
84 if (!strcmp(gProcess->getDriverName().c_str(), driver)) {
85 return gProcess;
86 }
87 LOG_ALWAYS_FATAL("ProcessState was already initialized.");
88 }
89
90 if (access(driver, R_OK) == -1) {
91 ALOGE("Binder driver %s is unavailable. Using /dev/binder instead.", driver);
92 driver = "/dev/binder";
93 }
94
95 gProcess = new ProcessState(driver);
96 return gProcess;
97 }
98
selfOrNull()99 sp<ProcessState> ProcessState::selfOrNull()
100 {
101 Mutex::Autolock _l(gProcessMutex);
102 return gProcess;
103 }
104
setContextObject(const sp<IBinder> & object)105 void ProcessState::setContextObject(const sp<IBinder>& object)
106 {
107 setContextObject(object, String16("default"));
108 }
109
getContextObject(const sp<IBinder> &)110 sp<IBinder> ProcessState::getContextObject(const sp<IBinder>& /*caller*/)
111 {
112 return getStrongProxyForHandle(0);
113 }
114
setContextObject(const sp<IBinder> & object,const String16 & name)115 void ProcessState::setContextObject(const sp<IBinder>& object, const String16& name)
116 {
117 AutoMutex _l(mLock);
118 mContexts.add(name, object);
119 }
120
getContextObject(const String16 & name,const sp<IBinder> & caller)121 sp<IBinder> ProcessState::getContextObject(const String16& name, const sp<IBinder>& caller)
122 {
123 mLock.lock();
124 sp<IBinder> object(
125 mContexts.indexOfKey(name) >= 0 ? mContexts.valueFor(name) : NULL);
126 mLock.unlock();
127
128 //printf("Getting context object %s for %p\n", String8(name).string(), caller.get());
129
130 if (object != NULL) return object;
131
132 // Don't attempt to retrieve contexts if we manage them
133 if (mManagesContexts) {
134 ALOGE("getContextObject(%s) failed, but we manage the contexts!\n",
135 String8(name).string());
136 return NULL;
137 }
138
139 IPCThreadState* ipc = IPCThreadState::self();
140 {
141 Parcel data, reply;
142 // no interface token on this magic transaction
143 data.writeString16(name);
144 data.writeStrongBinder(caller);
145 status_t result = ipc->transact(0 /*magic*/, 0, data, &reply, 0);
146 if (result == NO_ERROR) {
147 object = reply.readStrongBinder();
148 }
149 }
150
151 ipc->flushCommands();
152
153 if (object != NULL) setContextObject(object, name);
154 return object;
155 }
156
startThreadPool()157 void ProcessState::startThreadPool()
158 {
159 AutoMutex _l(mLock);
160 if (!mThreadPoolStarted) {
161 mThreadPoolStarted = true;
162 spawnPooledThread(true);
163 }
164 }
165
isContextManager(void) const166 bool ProcessState::isContextManager(void) const
167 {
168 return mManagesContexts;
169 }
170
becomeContextManager(context_check_func checkFunc,void * userData)171 bool ProcessState::becomeContextManager(context_check_func checkFunc, void* userData)
172 {
173 if (!mManagesContexts) {
174 AutoMutex _l(mLock);
175 mBinderContextCheckFunc = checkFunc;
176 mBinderContextUserData = userData;
177
178 int dummy = 0;
179 status_t result = ioctl(mDriverFD, BINDER_SET_CONTEXT_MGR, &dummy);
180 if (result == 0) {
181 mManagesContexts = true;
182 } else if (result == -1) {
183 mBinderContextCheckFunc = NULL;
184 mBinderContextUserData = NULL;
185 ALOGE("Binder ioctl to become context manager failed: %s\n", strerror(errno));
186 }
187 }
188 return mManagesContexts;
189 }
190
191 // Get references to userspace objects held by the kernel binder driver
192 // Writes up to count elements into buf, and returns the total number
193 // of references the kernel has, which may be larger than count.
194 // buf may be NULL if count is 0. The pointers returned by this method
195 // should only be used for debugging and not dereferenced, they may
196 // already be invalid.
getKernelReferences(size_t buf_count,uintptr_t * buf)197 ssize_t ProcessState::getKernelReferences(size_t buf_count, uintptr_t* buf)
198 {
199 // TODO: remove these when they are defined by bionic's binder.h
200 struct binder_node_debug_info {
201 binder_uintptr_t ptr;
202 binder_uintptr_t cookie;
203 __u32 has_strong_ref;
204 __u32 has_weak_ref;
205 };
206 #define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info)
207
208 binder_node_debug_info info = {};
209
210 uintptr_t* end = buf ? buf + buf_count : NULL;
211 size_t count = 0;
212
213 do {
214 status_t result = ioctl(mDriverFD, BINDER_GET_NODE_DEBUG_INFO, &info);
215 if (result < 0) {
216 return -1;
217 }
218 if (info.ptr != 0) {
219 if (buf && buf < end)
220 *buf++ = info.ptr;
221 count++;
222 if (buf && buf < end)
223 *buf++ = info.cookie;
224 count++;
225 }
226 } while (info.ptr != 0);
227
228 return count;
229 }
230
lookupHandleLocked(int32_t handle)231 ProcessState::handle_entry* ProcessState::lookupHandleLocked(int32_t handle)
232 {
233 const size_t N=mHandleToObject.size();
234 if (N <= (size_t)handle) {
235 handle_entry e;
236 e.binder = NULL;
237 e.refs = NULL;
238 status_t err = mHandleToObject.insertAt(e, N, handle+1-N);
239 if (err < NO_ERROR) return NULL;
240 }
241 return &mHandleToObject.editItemAt(handle);
242 }
243
getStrongProxyForHandle(int32_t handle)244 sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle)
245 {
246 sp<IBinder> result;
247
248 AutoMutex _l(mLock);
249
250 handle_entry* e = lookupHandleLocked(handle);
251
252 if (e != NULL) {
253 // We need to create a new BpBinder if there isn't currently one, OR we
254 // are unable to acquire a weak reference on this current one. See comment
255 // in getWeakProxyForHandle() for more info about this.
256 IBinder* b = e->binder;
257 if (b == NULL || !e->refs->attemptIncWeak(this)) {
258 if (handle == 0) {
259 // Special case for context manager...
260 // The context manager is the only object for which we create
261 // a BpBinder proxy without already holding a reference.
262 // Perform a dummy transaction to ensure the context manager
263 // is registered before we create the first local reference
264 // to it (which will occur when creating the BpBinder).
265 // If a local reference is created for the BpBinder when the
266 // context manager is not present, the driver will fail to
267 // provide a reference to the context manager, but the
268 // driver API does not return status.
269 //
270 // Note that this is not race-free if the context manager
271 // dies while this code runs.
272 //
273 // TODO: add a driver API to wait for context manager, or
274 // stop special casing handle 0 for context manager and add
275 // a driver API to get a handle to the context manager with
276 // proper reference counting.
277
278 Parcel data;
279 status_t status = IPCThreadState::self()->transact(
280 0, IBinder::PING_TRANSACTION, data, NULL, 0);
281 if (status == DEAD_OBJECT)
282 return NULL;
283 }
284
285 b = BpBinder::create(handle);
286 e->binder = b;
287 if (b) e->refs = b->getWeakRefs();
288 result = b;
289 } else {
290 // This little bit of nastyness is to allow us to add a primary
291 // reference to the remote proxy when this team doesn't have one
292 // but another team is sending the handle to us.
293 result.force_set(b);
294 e->refs->decWeak(this);
295 }
296 }
297
298 return result;
299 }
300
getWeakProxyForHandle(int32_t handle)301 wp<IBinder> ProcessState::getWeakProxyForHandle(int32_t handle)
302 {
303 wp<IBinder> result;
304
305 AutoMutex _l(mLock);
306
307 handle_entry* e = lookupHandleLocked(handle);
308
309 if (e != NULL) {
310 // We need to create a new BpBinder if there isn't currently one, OR we
311 // are unable to acquire a weak reference on this current one. The
312 // attemptIncWeak() is safe because we know the BpBinder destructor will always
313 // call expungeHandle(), which acquires the same lock we are holding now.
314 // We need to do this because there is a race condition between someone
315 // releasing a reference on this BpBinder, and a new reference on its handle
316 // arriving from the driver.
317 IBinder* b = e->binder;
318 if (b == NULL || !e->refs->attemptIncWeak(this)) {
319 b = BpBinder::create(handle);
320 result = b;
321 e->binder = b;
322 if (b) e->refs = b->getWeakRefs();
323 } else {
324 result = b;
325 e->refs->decWeak(this);
326 }
327 }
328
329 return result;
330 }
331
expungeHandle(int32_t handle,IBinder * binder)332 void ProcessState::expungeHandle(int32_t handle, IBinder* binder)
333 {
334 AutoMutex _l(mLock);
335
336 handle_entry* e = lookupHandleLocked(handle);
337
338 // This handle may have already been replaced with a new BpBinder
339 // (if someone failed the AttemptIncWeak() above); we don't want
340 // to overwrite it.
341 if (e && e->binder == binder) e->binder = NULL;
342 }
343
makeBinderThreadName()344 String8 ProcessState::makeBinderThreadName() {
345 int32_t s = android_atomic_add(1, &mThreadPoolSeq);
346 pid_t pid = getpid();
347 String8 name;
348 name.appendFormat("Binder:%d_%X", pid, s);
349 return name;
350 }
351
spawnPooledThread(bool isMain)352 void ProcessState::spawnPooledThread(bool isMain)
353 {
354 if (mThreadPoolStarted) {
355 String8 name = makeBinderThreadName();
356 ALOGV("Spawning new pooled thread, name=%s\n", name.string());
357 sp<Thread> t = new PoolThread(isMain);
358 t->run(name.string());
359 }
360 }
361
setThreadPoolMaxThreadCount(size_t maxThreads)362 status_t ProcessState::setThreadPoolMaxThreadCount(size_t maxThreads) {
363 status_t result = NO_ERROR;
364 if (ioctl(mDriverFD, BINDER_SET_MAX_THREADS, &maxThreads) != -1) {
365 mMaxThreads = maxThreads;
366 } else {
367 result = -errno;
368 ALOGE("Binder ioctl to set max threads failed: %s", strerror(-result));
369 }
370 return result;
371 }
372
giveThreadPoolName()373 void ProcessState::giveThreadPoolName() {
374 androidSetThreadName( makeBinderThreadName().string() );
375 }
376
getDriverName()377 String8 ProcessState::getDriverName() {
378 return mDriverName;
379 }
380
open_driver(const char * driver)381 static int open_driver(const char *driver)
382 {
383 int fd = open(driver, O_RDWR | O_CLOEXEC);
384 if (fd >= 0) {
385 int vers = 0;
386 status_t result = ioctl(fd, BINDER_VERSION, &vers);
387 if (result == -1) {
388 ALOGE("Binder ioctl to obtain version failed: %s", strerror(errno));
389 close(fd);
390 fd = -1;
391 }
392 if (result != 0 || vers != BINDER_CURRENT_PROTOCOL_VERSION) {
393 ALOGE("Binder driver protocol(%d) does not match user space protocol(%d)! ioctl() return value: %d",
394 vers, BINDER_CURRENT_PROTOCOL_VERSION, result);
395 close(fd);
396 fd = -1;
397 }
398 size_t maxThreads = DEFAULT_MAX_BINDER_THREADS;
399 result = ioctl(fd, BINDER_SET_MAX_THREADS, &maxThreads);
400 if (result == -1) {
401 ALOGE("Binder ioctl to set max threads failed: %s", strerror(errno));
402 }
403 } else {
404 ALOGW("Opening '%s' failed: %s\n", driver, strerror(errno));
405 }
406 return fd;
407 }
408
ProcessState(const char * driver)409 ProcessState::ProcessState(const char *driver)
410 : mDriverName(String8(driver))
411 , mDriverFD(open_driver(driver))
412 , mVMStart(MAP_FAILED)
413 , mThreadCountLock(PTHREAD_MUTEX_INITIALIZER)
414 , mThreadCountDecrement(PTHREAD_COND_INITIALIZER)
415 , mExecutingThreadsCount(0)
416 , mMaxThreads(DEFAULT_MAX_BINDER_THREADS)
417 , mStarvationStartTimeMs(0)
418 , mManagesContexts(false)
419 , mBinderContextCheckFunc(NULL)
420 , mBinderContextUserData(NULL)
421 , mThreadPoolStarted(false)
422 , mThreadPoolSeq(1)
423 {
424 if (mDriverFD >= 0) {
425 // mmap the binder, providing a chunk of virtual address space to receive transactions.
426 mVMStart = mmap(0, BINDER_VM_SIZE, PROT_READ, MAP_PRIVATE | MAP_NORESERVE, mDriverFD, 0);
427 if (mVMStart == MAP_FAILED) {
428 // *sigh*
429 ALOGE("Using %s failed: unable to mmap transaction memory.\n", mDriverName.c_str());
430 close(mDriverFD);
431 mDriverFD = -1;
432 mDriverName.clear();
433 }
434 }
435
436 LOG_ALWAYS_FATAL_IF(mDriverFD < 0, "Binder driver could not be opened. Terminating.");
437 }
438
~ProcessState()439 ProcessState::~ProcessState()
440 {
441 if (mDriverFD >= 0) {
442 if (mVMStart != MAP_FAILED) {
443 munmap(mVMStart, BINDER_VM_SIZE);
444 }
445 close(mDriverFD);
446 }
447 mDriverFD = -1;
448 }
449
450 }; // namespace android
451