1 /*
2 * Copyright (C) 2005 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "hw-IPCThreadState"
18
19 #include <hwbinder/IPCThreadState.h>
20
21 #include <hwbinder/Binder.h>
22 #include <hwbinder/BpHwBinder.h>
23 #include <hwbinder/TextOutput.h>
24 #include <hwbinder/binder_kernel.h>
25
26 #include <utils/Log.h>
27 #include <utils/SystemClock.h>
28 #include <utils/threads.h>
29
30 #include <private/binder/binder_module.h>
31 #include <hwbinder/Static.h>
32
33 #include <errno.h>
34 #include <inttypes.h>
35 #include <pthread.h>
36 #include <sched.h>
37 #include <signal.h>
38 #include <stdio.h>
39 #include <sys/ioctl.h>
40 #include <sys/resource.h>
41 #include <unistd.h>
42
43 #if LOG_NDEBUG
44
45 #define IF_LOG_TRANSACTIONS() if (false)
46 #define IF_LOG_COMMANDS() if (false)
47 #define LOG_REMOTEREFS(...)
48 #define IF_LOG_REMOTEREFS() if (false)
49 #define LOG_THREADPOOL(...)
50 #define LOG_ONEWAY(...)
51
52 #else
53
54 #define IF_LOG_TRANSACTIONS() IF_ALOG(LOG_VERBOSE, "transact")
55 #define IF_LOG_COMMANDS() IF_ALOG(LOG_VERBOSE, "ipc")
56 #define LOG_REMOTEREFS(...) ALOG(LOG_DEBUG, "remoterefs", __VA_ARGS__)
57 #define IF_LOG_REMOTEREFS() IF_ALOG(LOG_DEBUG, "remoterefs")
58 #define LOG_THREADPOOL(...) ALOG(LOG_DEBUG, "threadpool", __VA_ARGS__)
59 #define LOG_ONEWAY(...) ALOG(LOG_DEBUG, "ipc", __VA_ARGS__)
60
61 #endif
62
63 // ---------------------------------------------------------------------------
64
65 namespace android {
66 namespace hardware {
67
68 // Static const and functions will be optimized out if not used,
69 // when LOG_NDEBUG and references in IF_LOG_COMMANDS() are optimized out.
70 static const char *kReturnStrings[] = {
71 "BR_ERROR",
72 "BR_OK",
73 "BR_TRANSACTION",
74 "BR_REPLY",
75 "BR_ACQUIRE_RESULT",
76 "BR_DEAD_REPLY",
77 "BR_TRANSACTION_COMPLETE",
78 "BR_INCREFS",
79 "BR_ACQUIRE",
80 "BR_RELEASE",
81 "BR_DECREFS",
82 "BR_ATTEMPT_ACQUIRE",
83 "BR_NOOP",
84 "BR_SPAWN_LOOPER",
85 "BR_FINISHED",
86 "BR_DEAD_BINDER",
87 "BR_CLEAR_DEATH_NOTIFICATION_DONE",
88 "BR_FAILED_REPLY"
89 };
90
91 static const char *kCommandStrings[] = {
92 "BC_TRANSACTION",
93 "BC_REPLY",
94 "BC_ACQUIRE_RESULT",
95 "BC_FREE_BUFFER",
96 "BC_INCREFS",
97 "BC_ACQUIRE",
98 "BC_RELEASE",
99 "BC_DECREFS",
100 "BC_INCREFS_DONE",
101 "BC_ACQUIRE_DONE",
102 "BC_ATTEMPT_ACQUIRE",
103 "BC_REGISTER_LOOPER",
104 "BC_ENTER_LOOPER",
105 "BC_EXIT_LOOPER",
106 "BC_REQUEST_DEATH_NOTIFICATION",
107 "BC_CLEAR_DEATH_NOTIFICATION",
108 "BC_DEAD_BINDER_DONE"
109 };
110
getReturnString(size_t idx)111 static const char* getReturnString(size_t idx)
112 {
113 if (idx < sizeof(kReturnStrings) / sizeof(kReturnStrings[0]))
114 return kReturnStrings[idx];
115 else
116 return "unknown";
117 }
118
printBinderTransactionData(TextOutput & out,const void * data)119 static const void* printBinderTransactionData(TextOutput& out, const void* data)
120 {
121 const binder_transaction_data* btd =
122 (const binder_transaction_data*)data;
123 if (btd->target.handle < 1024) {
124 /* want to print descriptors in decimal; guess based on value */
125 out << "target.desc=" << btd->target.handle;
126 } else {
127 out << "target.ptr=" << btd->target.ptr;
128 }
129 out << " (cookie " << btd->cookie << ")" << endl
130 << "code=" << TypeCode(btd->code) << ", flags=" << (void*)(long)btd->flags << endl
131 << "data=" << btd->data.ptr.buffer << " (" << (void*)btd->data_size
132 << " bytes)" << endl
133 << "offsets=" << btd->data.ptr.offsets << " (" << (void*)btd->offsets_size
134 << " bytes)";
135 return btd+1;
136 }
137
printReturnCommand(TextOutput & out,const void * _cmd)138 static const void* printReturnCommand(TextOutput& out, const void* _cmd)
139 {
140 static const size_t N = sizeof(kReturnStrings)/sizeof(kReturnStrings[0]);
141 const int32_t* cmd = (const int32_t*)_cmd;
142 uint32_t code = (uint32_t)*cmd++;
143 size_t cmdIndex = code & 0xff;
144 if (code == BR_ERROR) {
145 out << "BR_ERROR: " << (void*)(long)(*cmd++) << endl;
146 return cmd;
147 } else if (cmdIndex >= N) {
148 out << "Unknown reply: " << code << endl;
149 return cmd;
150 }
151 out << kReturnStrings[cmdIndex];
152
153 switch (code) {
154 case BR_TRANSACTION:
155 case BR_REPLY: {
156 out << ": " << indent;
157 cmd = (const int32_t *)printBinderTransactionData(out, cmd);
158 out << dedent;
159 } break;
160
161 case BR_ACQUIRE_RESULT: {
162 const int32_t res = *cmd++;
163 out << ": " << res << (res ? " (SUCCESS)" : " (FAILURE)");
164 } break;
165
166 case BR_INCREFS:
167 case BR_ACQUIRE:
168 case BR_RELEASE:
169 case BR_DECREFS: {
170 const int32_t b = *cmd++;
171 const int32_t c = *cmd++;
172 out << ": target=" << (void*)(long)b << " (cookie " << (void*)(long)c << ")";
173 } break;
174
175 case BR_ATTEMPT_ACQUIRE: {
176 const int32_t p = *cmd++;
177 const int32_t b = *cmd++;
178 const int32_t c = *cmd++;
179 out << ": target=" << (void*)(long)b << " (cookie " << (void*)(long)c
180 << "), pri=" << p;
181 } break;
182
183 case BR_DEAD_BINDER:
184 case BR_CLEAR_DEATH_NOTIFICATION_DONE: {
185 const int32_t c = *cmd++;
186 out << ": death cookie " << (void*)(long)c;
187 } break;
188
189 default:
190 // no details to show for: BR_OK, BR_DEAD_REPLY,
191 // BR_TRANSACTION_COMPLETE, BR_FINISHED
192 break;
193 }
194
195 out << endl;
196 return cmd;
197 }
198
printCommand(TextOutput & out,const void * _cmd)199 static const void* printCommand(TextOutput& out, const void* _cmd)
200 {
201 static const size_t N = sizeof(kCommandStrings)/sizeof(kCommandStrings[0]);
202 const int32_t* cmd = (const int32_t*)_cmd;
203 uint32_t code = (uint32_t)*cmd++;
204 size_t cmdIndex = code & 0xff;
205
206 if (cmdIndex >= N) {
207 out << "Unknown command: " << code << endl;
208 return cmd;
209 }
210 out << kCommandStrings[cmdIndex];
211
212 switch (code) {
213 case BC_TRANSACTION:
214 case BC_REPLY: {
215 out << ": " << indent;
216 cmd = (const int32_t *)printBinderTransactionData(out, cmd);
217 out << dedent;
218 } break;
219
220 case BC_ACQUIRE_RESULT: {
221 const int32_t res = *cmd++;
222 out << ": " << res << (res ? " (SUCCESS)" : " (FAILURE)");
223 } break;
224
225 case BC_FREE_BUFFER: {
226 const int32_t buf = *cmd++;
227 out << ": buffer=" << (void*)(long)buf;
228 } break;
229
230 case BC_INCREFS:
231 case BC_ACQUIRE:
232 case BC_RELEASE:
233 case BC_DECREFS: {
234 const int32_t d = *cmd++;
235 out << ": desc=" << d;
236 } break;
237
238 case BC_INCREFS_DONE:
239 case BC_ACQUIRE_DONE: {
240 const int32_t b = *cmd++;
241 const int32_t c = *cmd++;
242 out << ": target=" << (void*)(long)b << " (cookie " << (void*)(long)c << ")";
243 } break;
244
245 case BC_ATTEMPT_ACQUIRE: {
246 const int32_t p = *cmd++;
247 const int32_t d = *cmd++;
248 out << ": desc=" << d << ", pri=" << p;
249 } break;
250
251 case BC_REQUEST_DEATH_NOTIFICATION:
252 case BC_CLEAR_DEATH_NOTIFICATION: {
253 const int32_t h = *cmd++;
254 const int32_t c = *cmd++;
255 out << ": handle=" << h << " (death cookie " << (void*)(long)c << ")";
256 } break;
257
258 case BC_DEAD_BINDER_DONE: {
259 const int32_t c = *cmd++;
260 out << ": death cookie " << (void*)(long)c;
261 } break;
262
263 default:
264 // no details to show for: BC_REGISTER_LOOPER, BC_ENTER_LOOPER,
265 // BC_EXIT_LOOPER
266 break;
267 }
268
269 out << endl;
270 return cmd;
271 }
272
273 static pthread_mutex_t gTLSMutex = PTHREAD_MUTEX_INITIALIZER;
274 static bool gHaveTLS = false;
275 static pthread_key_t gTLS = 0;
276 static bool gShutdown = false;
277 static bool gDisableBackgroundScheduling = false;
278
self()279 IPCThreadState* IPCThreadState::self()
280 {
281 if (gHaveTLS) {
282 restart:
283 const pthread_key_t k = gTLS;
284 IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k);
285 if (st) return st;
286 return new IPCThreadState;
287 }
288
289 if (gShutdown) {
290 ALOGW("Calling IPCThreadState::self() during shutdown is dangerous, expect a crash.\n");
291 return NULL;
292 }
293
294 pthread_mutex_lock(&gTLSMutex);
295 if (!gHaveTLS) {
296 int key_create_value = pthread_key_create(&gTLS, threadDestructor);
297 if (key_create_value != 0) {
298 pthread_mutex_unlock(&gTLSMutex);
299 ALOGW("IPCThreadState::self() unable to create TLS key, expect a crash: %s\n",
300 strerror(key_create_value));
301 return NULL;
302 }
303 gHaveTLS = true;
304 }
305 pthread_mutex_unlock(&gTLSMutex);
306 goto restart;
307 }
308
selfOrNull()309 IPCThreadState* IPCThreadState::selfOrNull()
310 {
311 if (gHaveTLS) {
312 const pthread_key_t k = gTLS;
313 IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k);
314 return st;
315 }
316 return NULL;
317 }
318
shutdown()319 void IPCThreadState::shutdown()
320 {
321 gShutdown = true;
322
323 if (gHaveTLS) {
324 // XXX Need to wait for all thread pool threads to exit!
325 IPCThreadState* st = (IPCThreadState*)pthread_getspecific(gTLS);
326 if (st) {
327 delete st;
328 pthread_setspecific(gTLS, NULL);
329 }
330 pthread_key_delete(gTLS);
331 gHaveTLS = false;
332 }
333 }
334
disableBackgroundScheduling(bool disable)335 void IPCThreadState::disableBackgroundScheduling(bool disable)
336 {
337 gDisableBackgroundScheduling = disable;
338 }
339
process()340 sp<ProcessState> IPCThreadState::process()
341 {
342 return mProcess;
343 }
344
clearLastError()345 status_t IPCThreadState::clearLastError()
346 {
347 const status_t err = mLastError;
348 mLastError = NO_ERROR;
349 return err;
350 }
351
getCallingPid() const352 pid_t IPCThreadState::getCallingPid() const
353 {
354 return mCallingPid;
355 }
356
getCallingUid() const357 uid_t IPCThreadState::getCallingUid() const
358 {
359 return mCallingUid;
360 }
361
clearCallingIdentity()362 int64_t IPCThreadState::clearCallingIdentity()
363 {
364 int64_t token = ((int64_t)mCallingUid<<32) | mCallingPid;
365 clearCaller();
366 return token;
367 }
368
setStrictModePolicy(int32_t policy)369 void IPCThreadState::setStrictModePolicy(int32_t policy)
370 {
371 mStrictModePolicy = policy;
372 }
373
getStrictModePolicy() const374 int32_t IPCThreadState::getStrictModePolicy() const
375 {
376 return mStrictModePolicy;
377 }
378
setLastTransactionBinderFlags(int32_t flags)379 void IPCThreadState::setLastTransactionBinderFlags(int32_t flags)
380 {
381 mLastTransactionBinderFlags = flags;
382 }
383
getLastTransactionBinderFlags() const384 int32_t IPCThreadState::getLastTransactionBinderFlags() const
385 {
386 return mLastTransactionBinderFlags;
387 }
388
restoreCallingIdentity(int64_t token)389 void IPCThreadState::restoreCallingIdentity(int64_t token)
390 {
391 mCallingUid = (int)(token>>32);
392 mCallingPid = (int)token;
393 }
394
clearCaller()395 void IPCThreadState::clearCaller()
396 {
397 mCallingPid = getpid();
398 mCallingUid = getuid();
399 }
400
flushCommands()401 void IPCThreadState::flushCommands()
402 {
403 if (mProcess->mDriverFD <= 0)
404 return;
405 talkWithDriver(false);
406 // The flush could have caused post-write refcount decrements to have
407 // been executed, which in turn could result in BC_RELEASE/BC_DECREFS
408 // being queued in mOut. So flush again, if we need to.
409 if (mOut.dataSize() > 0) {
410 talkWithDriver(false);
411 }
412 if (mOut.dataSize() > 0) {
413 ALOGW("mOut.dataSize() > 0 after flushCommands()");
414 }
415 }
416
blockUntilThreadAvailable()417 void IPCThreadState::blockUntilThreadAvailable()
418 {
419 pthread_mutex_lock(&mProcess->mThreadCountLock);
420 while (mProcess->mExecutingThreadsCount >= mProcess->mMaxThreads) {
421 ALOGW("Waiting for thread to be free. mExecutingThreadsCount=%lu mMaxThreads=%lu\n",
422 static_cast<unsigned long>(mProcess->mExecutingThreadsCount),
423 static_cast<unsigned long>(mProcess->mMaxThreads));
424 pthread_cond_wait(&mProcess->mThreadCountDecrement, &mProcess->mThreadCountLock);
425 }
426 pthread_mutex_unlock(&mProcess->mThreadCountLock);
427 }
428
getAndExecuteCommand()429 status_t IPCThreadState::getAndExecuteCommand()
430 {
431 status_t result;
432 int32_t cmd;
433
434 result = talkWithDriver();
435 if (result >= NO_ERROR) {
436 size_t IN = mIn.dataAvail();
437 if (IN < sizeof(int32_t)) return result;
438 cmd = mIn.readInt32();
439 IF_LOG_COMMANDS() {
440 alog << "Processing top-level Command: "
441 << getReturnString(cmd) << endl;
442 }
443
444 pthread_mutex_lock(&mProcess->mThreadCountLock);
445 mProcess->mExecutingThreadsCount++;
446 if (mProcess->mExecutingThreadsCount >= mProcess->mMaxThreads &&
447 mProcess->mMaxThreads > 1 && mProcess->mStarvationStartTimeMs == 0) {
448 mProcess->mStarvationStartTimeMs = uptimeMillis();
449 }
450 pthread_mutex_unlock(&mProcess->mThreadCountLock);
451
452 result = executeCommand(cmd);
453
454 pthread_mutex_lock(&mProcess->mThreadCountLock);
455 mProcess->mExecutingThreadsCount--;
456 if (mProcess->mExecutingThreadsCount < mProcess->mMaxThreads &&
457 mProcess->mStarvationStartTimeMs != 0) {
458 int64_t starvationTimeMs = uptimeMillis() - mProcess->mStarvationStartTimeMs;
459 if (starvationTimeMs > 100) {
460 // If there is only a single-threaded client, nobody would be blocked
461 // on this, and it's not really starvation. (see b/37647467)
462 ALOGW("All binder threads in pool (%zu threads) busy for %" PRId64 " ms%s",
463 mProcess->mMaxThreads, starvationTimeMs,
464 mProcess->mMaxThreads > 1 ? "" : " (may be a false alarm)");
465 }
466 mProcess->mStarvationStartTimeMs = 0;
467 }
468 pthread_cond_broadcast(&mProcess->mThreadCountDecrement);
469 pthread_mutex_unlock(&mProcess->mThreadCountLock);
470 }
471
472 return result;
473 }
474
475 // When we've cleared the incoming command queue, process any pending derefs
processPendingDerefs()476 void IPCThreadState::processPendingDerefs()
477 {
478 if (mIn.dataPosition() >= mIn.dataSize()) {
479 /*
480 * The decWeak()/decStrong() calls may cause a destructor to run,
481 * which in turn could have initiated an outgoing transaction,
482 * which in turn could cause us to add to the pending refs
483 * vectors; so instead of simply iterating, loop until they're empty.
484 *
485 * We do this in an outer loop, because calling decStrong()
486 * may result in something being added to mPendingWeakDerefs,
487 * which could be delayed until the next incoming command
488 * from the driver if we don't process it now.
489 */
490 while (mPendingWeakDerefs.size() > 0 || mPendingStrongDerefs.size() > 0) {
491 while (mPendingWeakDerefs.size() > 0) {
492 RefBase::weakref_type* refs = mPendingWeakDerefs[0];
493 mPendingWeakDerefs.removeAt(0);
494 refs->decWeak(mProcess.get());
495 }
496
497 if (mPendingStrongDerefs.size() > 0) {
498 // We don't use while() here because we don't want to re-order
499 // strong and weak decs at all; if this decStrong() causes both a
500 // decWeak() and a decStrong() to be queued, we want to process
501 // the decWeak() first.
502 BHwBinder* obj = mPendingStrongDerefs[0];
503 mPendingStrongDerefs.removeAt(0);
504 obj->decStrong(mProcess.get());
505 }
506 }
507 }
508 }
509
processPostWriteDerefs()510 void IPCThreadState::processPostWriteDerefs()
511 {
512 /*
513 * libhwbinder has a flushCommands() in the BpHwBinder destructor,
514 * which makes this function (potentially) reentrant.
515 * New entries shouldn't be added though, so just iterating until empty
516 * should be safe.
517 */
518 while (mPostWriteWeakDerefs.size() > 0) {
519 RefBase::weakref_type* refs = mPostWriteWeakDerefs[0];
520 mPostWriteWeakDerefs.removeAt(0);
521 refs->decWeak(mProcess.get());
522 }
523
524 while (mPostWriteStrongDerefs.size() > 0) {
525 RefBase* obj = mPostWriteStrongDerefs[0];
526 mPostWriteStrongDerefs.removeAt(0);
527 obj->decStrong(mProcess.get());
528 }
529 }
530
joinThreadPool(bool isMain)531 void IPCThreadState::joinThreadPool(bool isMain)
532 {
533 LOG_THREADPOOL("**** THREAD %p (PID %d) IS JOINING THE THREAD POOL\n", (void*)pthread_self(), getpid());
534
535 mOut.writeInt32(isMain ? BC_ENTER_LOOPER : BC_REGISTER_LOOPER);
536
537 status_t result;
538 mIsLooper = true;
539 do {
540 processPendingDerefs();
541 // now get the next command to be processed, waiting if necessary
542 result = getAndExecuteCommand();
543
544 if (result < NO_ERROR && result != TIMED_OUT && result != -ECONNREFUSED && result != -EBADF) {
545 ALOGE("getAndExecuteCommand(fd=%d) returned unexpected error %d, aborting",
546 mProcess->mDriverFD, result);
547 abort();
548 }
549
550 // Let this thread exit the thread pool if it is no longer
551 // needed and it is not the main process thread.
552 if(result == TIMED_OUT && !isMain) {
553 break;
554 }
555 } while (result != -ECONNREFUSED && result != -EBADF);
556
557 LOG_THREADPOOL("**** THREAD %p (PID %d) IS LEAVING THE THREAD POOL err=%d\n",
558 (void*)pthread_self(), getpid(), result);
559
560 mOut.writeInt32(BC_EXIT_LOOPER);
561 mIsLooper = false;
562 talkWithDriver(false);
563 }
564
setupPolling(int * fd)565 int IPCThreadState::setupPolling(int* fd)
566 {
567 if (mProcess->mDriverFD <= 0) {
568 return -EBADF;
569 }
570
571 // Tells the kernel to not spawn any additional binder threads,
572 // as that won't work with polling. Also, the caller is responsible
573 // for subsequently calling handlePolledCommands()
574 mProcess->setThreadPoolConfiguration(1, true /* callerWillJoin */);
575 mIsPollingThread = true;
576
577 mOut.writeInt32(BC_ENTER_LOOPER);
578 *fd = mProcess->mDriverFD;
579 return 0;
580 }
581
handlePolledCommands()582 status_t IPCThreadState::handlePolledCommands()
583 {
584 status_t result;
585
586 do {
587 result = getAndExecuteCommand();
588 } while (mIn.dataPosition() < mIn.dataSize());
589
590 processPendingDerefs();
591 flushCommands();
592 return result;
593 }
594
stopProcess(bool)595 void IPCThreadState::stopProcess(bool /*immediate*/)
596 {
597 //ALOGI("**** STOPPING PROCESS");
598 flushCommands();
599 int fd = mProcess->mDriverFD;
600 mProcess->mDriverFD = -1;
601 close(fd);
602 //kill(getpid(), SIGKILL);
603 }
604
transact(int32_t handle,uint32_t code,const Parcel & data,Parcel * reply,uint32_t flags)605 status_t IPCThreadState::transact(int32_t handle,
606 uint32_t code, const Parcel& data,
607 Parcel* reply, uint32_t flags)
608 {
609 status_t err;
610
611 flags |= TF_ACCEPT_FDS;
612
613 IF_LOG_TRANSACTIONS() {
614 alog << "BC_TRANSACTION thr " << (void*)pthread_self() << " / hand "
615 << handle << " / code " << TypeCode(code) << ": "
616 << indent << data << dedent << endl;
617 }
618
619 LOG_ONEWAY(">>>> SEND from pid %d uid %d %s", getpid(), getuid(),
620 (flags & TF_ONE_WAY) == 0 ? "READ REPLY" : "ONE WAY");
621 err = writeTransactionData(BC_TRANSACTION_SG, flags, handle, code, data, NULL);
622
623 if (err != NO_ERROR) {
624 if (reply) reply->setError(err);
625 return (mLastError = err);
626 }
627
628 if ((flags & TF_ONE_WAY) == 0) {
629 #if 0
630 if (code == 4) { // relayout
631 ALOGI(">>>>>> CALLING transaction 4");
632 } else {
633 ALOGI(">>>>>> CALLING transaction %d", code);
634 }
635 #endif
636 if (reply) {
637 err = waitForResponse(reply);
638 } else {
639 Parcel fakeReply;
640 err = waitForResponse(&fakeReply);
641 }
642 #if 0
643 if (code == 4) { // relayout
644 ALOGI("<<<<<< RETURNING transaction 4");
645 } else {
646 ALOGI("<<<<<< RETURNING transaction %d", code);
647 }
648 #endif
649
650 IF_LOG_TRANSACTIONS() {
651 alog << "BR_REPLY thr " << (void*)pthread_self() << " / hand "
652 << handle << ": ";
653 if (reply) alog << indent << *reply << dedent << endl;
654 else alog << "(none requested)" << endl;
655 }
656 } else {
657 err = waitForResponse(NULL, NULL);
658 }
659
660 return err;
661 }
662
incStrongHandle(int32_t handle,BpHwBinder * proxy)663 void IPCThreadState::incStrongHandle(int32_t handle, BpHwBinder *proxy)
664 {
665 LOG_REMOTEREFS("IPCThreadState::incStrongHandle(%d)\n", handle);
666 mOut.writeInt32(BC_ACQUIRE);
667 mOut.writeInt32(handle);
668 // Create a temp reference until the driver has handled this command.
669 proxy->incStrong(mProcess.get());
670 mPostWriteStrongDerefs.push(proxy);
671 }
672
decStrongHandle(int32_t handle)673 void IPCThreadState::decStrongHandle(int32_t handle)
674 {
675 LOG_REMOTEREFS("IPCThreadState::decStrongHandle(%d)\n", handle);
676 mOut.writeInt32(BC_RELEASE);
677 mOut.writeInt32(handle);
678 }
679
incWeakHandle(int32_t handle,BpHwBinder * proxy)680 void IPCThreadState::incWeakHandle(int32_t handle, BpHwBinder *proxy)
681 {
682 LOG_REMOTEREFS("IPCThreadState::incWeakHandle(%d)\n", handle);
683 mOut.writeInt32(BC_INCREFS);
684 mOut.writeInt32(handle);
685 // Create a temp reference until the driver has handled this command.
686 proxy->getWeakRefs()->incWeak(mProcess.get());
687 mPostWriteWeakDerefs.push(proxy->getWeakRefs());
688 }
689
decWeakHandle(int32_t handle)690 void IPCThreadState::decWeakHandle(int32_t handle)
691 {
692 LOG_REMOTEREFS("IPCThreadState::decWeakHandle(%d)\n", handle);
693 mOut.writeInt32(BC_DECREFS);
694 mOut.writeInt32(handle);
695 }
696
attemptIncStrongHandle(int32_t handle)697 status_t IPCThreadState::attemptIncStrongHandle(int32_t handle)
698 {
699 #if HAS_BC_ATTEMPT_ACQUIRE
700 LOG_REMOTEREFS("IPCThreadState::attemptIncStrongHandle(%d)\n", handle);
701 mOut.writeInt32(BC_ATTEMPT_ACQUIRE);
702 mOut.writeInt32(0); // xxx was thread priority
703 mOut.writeInt32(handle);
704 status_t result = UNKNOWN_ERROR;
705
706 waitForResponse(NULL, &result);
707
708 #if LOG_REFCOUNTS
709 printf("IPCThreadState::attemptIncStrongHandle(%ld) = %s\n",
710 handle, result == NO_ERROR ? "SUCCESS" : "FAILURE");
711 #endif
712
713 return result;
714 #else
715 (void)handle;
716 ALOGE("%s(%d): Not supported\n", __func__, handle);
717 return INVALID_OPERATION;
718 #endif
719 }
720
expungeHandle(int32_t handle,IBinder * binder)721 void IPCThreadState::expungeHandle(int32_t handle, IBinder* binder)
722 {
723 #if LOG_REFCOUNTS
724 printf("IPCThreadState::expungeHandle(%ld)\n", handle);
725 #endif
726 self()->mProcess->expungeHandle(handle, binder); // NOLINT
727 }
728
requestDeathNotification(int32_t handle,BpHwBinder * proxy)729 status_t IPCThreadState::requestDeathNotification(int32_t handle, BpHwBinder* proxy)
730 {
731 mOut.writeInt32(BC_REQUEST_DEATH_NOTIFICATION);
732 mOut.writeInt32((int32_t)handle);
733 mOut.writePointer((uintptr_t)proxy);
734 return NO_ERROR;
735 }
736
clearDeathNotification(int32_t handle,BpHwBinder * proxy)737 status_t IPCThreadState::clearDeathNotification(int32_t handle, BpHwBinder* proxy)
738 {
739 mOut.writeInt32(BC_CLEAR_DEATH_NOTIFICATION);
740 mOut.writeInt32((int32_t)handle);
741 mOut.writePointer((uintptr_t)proxy);
742 return NO_ERROR;
743 }
744
IPCThreadState()745 IPCThreadState::IPCThreadState()
746 : mProcess(ProcessState::self()),
747 mMyThreadId(gettid()),
748 mStrictModePolicy(0),
749 mLastTransactionBinderFlags(0),
750 mIsLooper(false),
751 mIsPollingThread(false) {
752 pthread_setspecific(gTLS, this);
753 clearCaller();
754 mIn.setDataCapacity(256);
755 mOut.setDataCapacity(256);
756
757 // TODO(b/67742352): remove this variable from the class
758 (void)mMyThreadId;
759 }
760
~IPCThreadState()761 IPCThreadState::~IPCThreadState()
762 {
763 }
764
sendReply(const Parcel & reply,uint32_t flags)765 status_t IPCThreadState::sendReply(const Parcel& reply, uint32_t flags)
766 {
767 status_t err;
768 status_t statusBuffer;
769 err = writeTransactionData(BC_REPLY_SG, flags, -1, 0, reply, &statusBuffer);
770 if (err < NO_ERROR) return err;
771
772 return waitForResponse(NULL, NULL);
773 }
774
waitForResponse(Parcel * reply,status_t * acquireResult)775 status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult)
776 {
777 uint32_t cmd;
778 int32_t err;
779
780 while (1) {
781 if ((err=talkWithDriver()) < NO_ERROR) break;
782 err = mIn.errorCheck();
783 if (err < NO_ERROR) break;
784 if (mIn.dataAvail() == 0) continue;
785
786 cmd = (uint32_t)mIn.readInt32();
787
788 IF_LOG_COMMANDS() {
789 alog << "Processing waitForResponse Command: "
790 << getReturnString(cmd) << endl;
791 }
792
793 switch (cmd) {
794 case BR_TRANSACTION_COMPLETE:
795 if (!reply && !acquireResult) goto finish;
796 break;
797
798 case BR_DEAD_REPLY:
799 err = DEAD_OBJECT;
800 goto finish;
801
802 case BR_FAILED_REPLY:
803 err = FAILED_TRANSACTION;
804 goto finish;
805
806 case BR_ACQUIRE_RESULT:
807 {
808 ALOG_ASSERT(acquireResult != NULL, "Unexpected brACQUIRE_RESULT");
809 const int32_t result = mIn.readInt32();
810 if (!acquireResult) continue;
811 *acquireResult = result ? NO_ERROR : INVALID_OPERATION;
812 }
813 goto finish;
814
815 case BR_REPLY:
816 {
817 binder_transaction_data tr;
818 err = mIn.read(&tr, sizeof(tr));
819 ALOG_ASSERT(err == NO_ERROR, "Not enough command data for brREPLY");
820 if (err != NO_ERROR) goto finish;
821
822 if (reply) {
823 if ((tr.flags & TF_STATUS_CODE) == 0) {
824 reply->ipcSetDataReference(
825 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
826 tr.data_size,
827 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),
828 tr.offsets_size/sizeof(binder_size_t),
829 freeBuffer, this);
830 } else {
831 err = *reinterpret_cast<const status_t*>(tr.data.ptr.buffer);
832 freeBuffer(NULL,
833 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
834 tr.data_size,
835 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),
836 tr.offsets_size/sizeof(binder_size_t), this);
837 }
838 } else {
839 freeBuffer(NULL,
840 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
841 tr.data_size,
842 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),
843 tr.offsets_size/sizeof(binder_size_t), this);
844 continue;
845 }
846 }
847 goto finish;
848
849 default:
850 err = executeCommand(cmd);
851 if (err != NO_ERROR) goto finish;
852 break;
853 }
854 }
855
856 finish:
857 if (err != NO_ERROR) {
858 if (acquireResult) *acquireResult = err;
859 if (reply) reply->setError(err);
860 mLastError = err;
861 }
862
863 return err;
864 }
865
talkWithDriver(bool doReceive)866 status_t IPCThreadState::talkWithDriver(bool doReceive)
867 {
868 if (mProcess->mDriverFD <= 0) {
869 return -EBADF;
870 }
871
872 binder_write_read bwr;
873
874 // Is the read buffer empty?
875 const bool needRead = mIn.dataPosition() >= mIn.dataSize();
876
877 // We don't want to write anything if we are still reading
878 // from data left in the input buffer and the caller
879 // has requested to read the next data.
880 const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0;
881
882 bwr.write_size = outAvail;
883 bwr.write_buffer = (uintptr_t)mOut.data();
884
885 // This is what we'll read.
886 if (doReceive && needRead) {
887 bwr.read_size = mIn.dataCapacity();
888 bwr.read_buffer = (uintptr_t)mIn.data();
889 } else {
890 bwr.read_size = 0;
891 bwr.read_buffer = 0;
892 }
893
894 IF_LOG_COMMANDS() {
895 if (outAvail != 0) {
896 alog << "Sending commands to driver: " << indent;
897 const void* cmds = (const void*)bwr.write_buffer;
898 const void* end = ((const uint8_t*)cmds)+bwr.write_size;
899 alog << HexDump(cmds, bwr.write_size) << endl;
900 while (cmds < end) cmds = printCommand(alog, cmds);
901 alog << dedent;
902 }
903 alog << "Size of receive buffer: " << bwr.read_size
904 << ", needRead: " << needRead << ", doReceive: " << doReceive << endl;
905 }
906
907 // Return immediately if there is nothing to do.
908 if ((bwr.write_size == 0) && (bwr.read_size == 0)) return NO_ERROR;
909
910 bwr.write_consumed = 0;
911 bwr.read_consumed = 0;
912 status_t err;
913 do {
914 IF_LOG_COMMANDS() {
915 alog << "About to read/write, write size = " << mOut.dataSize() << endl;
916 }
917 #if defined(__ANDROID__)
918 if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0)
919 err = NO_ERROR;
920 else
921 err = -errno;
922 #else
923 err = INVALID_OPERATION;
924 #endif
925 if (mProcess->mDriverFD <= 0) {
926 err = -EBADF;
927 }
928 IF_LOG_COMMANDS() {
929 alog << "Finished read/write, write size = " << mOut.dataSize() << endl;
930 }
931 } while (err == -EINTR);
932
933 IF_LOG_COMMANDS() {
934 alog << "Our err: " << (void*)(intptr_t)err << ", write consumed: "
935 << bwr.write_consumed << " (of " << mOut.dataSize()
936 << "), read consumed: " << bwr.read_consumed << endl;
937 }
938
939 if (err >= NO_ERROR) {
940 if (bwr.write_consumed > 0) {
941 if (bwr.write_consumed < mOut.dataSize())
942 mOut.remove(0, bwr.write_consumed);
943 else {
944 mOut.setDataSize(0);
945 processPostWriteDerefs();
946 }
947 }
948 if (bwr.read_consumed > 0) {
949 mIn.setDataSize(bwr.read_consumed);
950 mIn.setDataPosition(0);
951 }
952 IF_LOG_COMMANDS() {
953 alog << "Remaining data size: " << mOut.dataSize() << endl;
954 alog << "Received commands from driver: " << indent;
955 const void* cmds = mIn.data();
956 const void* end = mIn.data() + mIn.dataSize();
957 alog << HexDump(cmds, mIn.dataSize()) << endl;
958 while (cmds < end) cmds = printReturnCommand(alog, cmds);
959 alog << dedent;
960 }
961 return NO_ERROR;
962 }
963
964 return err;
965 }
966
writeTransactionData(int32_t cmd,uint32_t binderFlags,int32_t handle,uint32_t code,const Parcel & data,status_t * statusBuffer)967 status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags,
968 int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer)
969 {
970 binder_transaction_data_sg tr_sg;
971 /* Don't pass uninitialized stack data to a remote process */
972 tr_sg.transaction_data.target.ptr = 0;
973 tr_sg.transaction_data.target.handle = handle;
974 tr_sg.transaction_data.code = code;
975 tr_sg.transaction_data.flags = binderFlags;
976 tr_sg.transaction_data.cookie = 0;
977 tr_sg.transaction_data.sender_pid = 0;
978 tr_sg.transaction_data.sender_euid = 0;
979
980 const status_t err = data.errorCheck();
981 if (err == NO_ERROR) {
982 tr_sg.transaction_data.data_size = data.ipcDataSize();
983 tr_sg.transaction_data.data.ptr.buffer = data.ipcData();
984 tr_sg.transaction_data.offsets_size = data.ipcObjectsCount()*sizeof(binder_size_t);
985 tr_sg.transaction_data.data.ptr.offsets = data.ipcObjects();
986 tr_sg.buffers_size = data.ipcBufferSize();
987 } else if (statusBuffer) {
988 tr_sg.transaction_data.flags |= TF_STATUS_CODE;
989 *statusBuffer = err;
990 tr_sg.transaction_data.data_size = sizeof(status_t);
991 tr_sg.transaction_data.data.ptr.buffer = reinterpret_cast<uintptr_t>(statusBuffer);
992 tr_sg.transaction_data.offsets_size = 0;
993 tr_sg.transaction_data.data.ptr.offsets = 0;
994 tr_sg.buffers_size = 0;
995 } else {
996 return (mLastError = err);
997 }
998
999 mOut.writeInt32(cmd);
1000 mOut.write(&tr_sg, sizeof(tr_sg));
1001
1002 return NO_ERROR;
1003 }
1004
setTheContextObject(sp<BHwBinder> obj)1005 void IPCThreadState::setTheContextObject(sp<BHwBinder> obj)
1006 {
1007 mContextObject = obj;
1008 }
1009
isLooperThread()1010 bool IPCThreadState::isLooperThread()
1011 {
1012 return mIsLooper;
1013 }
1014
isOnlyBinderThread()1015 bool IPCThreadState::isOnlyBinderThread() {
1016 return (mIsLooper && mProcess->mMaxThreads <= 1) || mIsPollingThread;
1017 }
1018
executeCommand(int32_t cmd)1019 status_t IPCThreadState::executeCommand(int32_t cmd)
1020 {
1021 BHwBinder* obj;
1022 RefBase::weakref_type* refs;
1023 status_t result = NO_ERROR;
1024 switch ((uint32_t)cmd) {
1025 case BR_ERROR:
1026 result = mIn.readInt32();
1027 break;
1028
1029 case BR_OK:
1030 break;
1031
1032 case BR_ACQUIRE:
1033 refs = (RefBase::weakref_type*)mIn.readPointer();
1034 obj = (BHwBinder*)mIn.readPointer();
1035 ALOG_ASSERT(refs->refBase() == obj,
1036 "BR_ACQUIRE: object %p does not match cookie %p (expected %p)",
1037 refs, obj, refs->refBase());
1038 obj->incStrong(mProcess.get());
1039 IF_LOG_REMOTEREFS() {
1040 LOG_REMOTEREFS("BR_ACQUIRE from driver on %p", obj);
1041 obj->printRefs();
1042 }
1043 mOut.writeInt32(BC_ACQUIRE_DONE);
1044 mOut.writePointer((uintptr_t)refs);
1045 mOut.writePointer((uintptr_t)obj);
1046 break;
1047
1048 case BR_RELEASE:
1049 refs = (RefBase::weakref_type*)mIn.readPointer();
1050 obj = (BHwBinder*)mIn.readPointer();
1051 ALOG_ASSERT(refs->refBase() == obj,
1052 "BR_RELEASE: object %p does not match cookie %p (expected %p)",
1053 refs, obj, refs->refBase());
1054 IF_LOG_REMOTEREFS() {
1055 LOG_REMOTEREFS("BR_RELEASE from driver on %p", obj);
1056 obj->printRefs();
1057 }
1058 mPendingStrongDerefs.push(obj);
1059 break;
1060
1061 case BR_INCREFS:
1062 refs = (RefBase::weakref_type*)mIn.readPointer();
1063 obj = (BHwBinder*)mIn.readPointer();
1064 refs->incWeak(mProcess.get());
1065 mOut.writeInt32(BC_INCREFS_DONE);
1066 mOut.writePointer((uintptr_t)refs);
1067 mOut.writePointer((uintptr_t)obj);
1068 break;
1069
1070 case BR_DECREFS:
1071 refs = (RefBase::weakref_type*)mIn.readPointer();
1072 obj = (BHwBinder*)mIn.readPointer();
1073 // NOTE: This assertion is not valid, because the object may no
1074 // longer exist (thus the (BHwBinder*)cast above resulting in a different
1075 // memory address).
1076 //ALOG_ASSERT(refs->refBase() == obj,
1077 // "BR_DECREFS: object %p does not match cookie %p (expected %p)",
1078 // refs, obj, refs->refBase());
1079 mPendingWeakDerefs.push(refs);
1080 break;
1081
1082 case BR_ATTEMPT_ACQUIRE:
1083 refs = (RefBase::weakref_type*)mIn.readPointer();
1084 obj = (BHwBinder*)mIn.readPointer();
1085
1086 {
1087 const bool success = refs->attemptIncStrong(mProcess.get());
1088 ALOG_ASSERT(success && refs->refBase() == obj,
1089 "BR_ATTEMPT_ACQUIRE: object %p does not match cookie %p (expected %p)",
1090 refs, obj, refs->refBase());
1091
1092 mOut.writeInt32(BC_ACQUIRE_RESULT);
1093 mOut.writeInt32((int32_t)success);
1094 }
1095 break;
1096
1097 case BR_TRANSACTION:
1098 {
1099 binder_transaction_data tr;
1100 result = mIn.read(&tr, sizeof(tr));
1101 ALOG_ASSERT(result == NO_ERROR,
1102 "Not enough command data for brTRANSACTION");
1103 if (result != NO_ERROR) break;
1104
1105 Parcel buffer;
1106 buffer.ipcSetDataReference(
1107 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer),
1108 tr.data_size,
1109 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets),
1110 tr.offsets_size/sizeof(binder_size_t), freeBuffer, this);
1111
1112 const pid_t origPid = mCallingPid;
1113 const uid_t origUid = mCallingUid;
1114 const int32_t origStrictModePolicy = mStrictModePolicy;
1115 const int32_t origTransactionBinderFlags = mLastTransactionBinderFlags;
1116
1117 mCallingPid = tr.sender_pid;
1118 mCallingUid = tr.sender_euid;
1119 mLastTransactionBinderFlags = tr.flags;
1120
1121 //ALOGI(">>>> TRANSACT from pid %d uid %d\n", mCallingPid, mCallingUid);
1122
1123 Parcel reply;
1124 status_t error;
1125 bool reply_sent = false;
1126 IF_LOG_TRANSACTIONS() {
1127 alog << "BR_TRANSACTION thr " << (void*)pthread_self()
1128 << " / obj " << tr.target.ptr << " / code "
1129 << TypeCode(tr.code) << ": " << indent << buffer
1130 << dedent << endl
1131 << "Data addr = "
1132 << reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer)
1133 << ", offsets addr="
1134 << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl;
1135 }
1136
1137 auto reply_callback = [&] (auto &replyParcel) {
1138 if (reply_sent) {
1139 // Reply was sent earlier, ignore it.
1140 ALOGE("Dropping binder reply, it was sent already.");
1141 return;
1142 }
1143 reply_sent = true;
1144 if ((tr.flags & TF_ONE_WAY) == 0) {
1145 replyParcel.setError(NO_ERROR);
1146 sendReply(replyParcel, 0);
1147 } else {
1148 ALOGE("Not sending reply in one-way transaction");
1149 }
1150 };
1151
1152 if (tr.target.ptr) {
1153 // We only have a weak reference on the target object, so we must first try to
1154 // safely acquire a strong reference before doing anything else with it.
1155 if (reinterpret_cast<RefBase::weakref_type*>(
1156 tr.target.ptr)->attemptIncStrong(this)) {
1157 error = reinterpret_cast<BHwBinder*>(tr.cookie)->transact(tr.code, buffer,
1158 &reply, tr.flags, reply_callback);
1159 reinterpret_cast<BHwBinder*>(tr.cookie)->decStrong(this);
1160 } else {
1161 error = UNKNOWN_TRANSACTION;
1162 }
1163
1164 } else {
1165 error = mContextObject->transact(tr.code, buffer, &reply, tr.flags, reply_callback);
1166 }
1167
1168 if ((tr.flags & TF_ONE_WAY) == 0) {
1169 if (!reply_sent) {
1170 // Should have been a reply but there wasn't, so there
1171 // must have been an error instead.
1172 reply.setError(error);
1173 sendReply(reply, 0);
1174 } else {
1175 if (error != NO_ERROR) {
1176 ALOGE("transact() returned error after sending reply.");
1177 } else {
1178 // Ok, reply sent and transact didn't return an error.
1179 }
1180 }
1181 } else {
1182 // One-way transaction, don't care about return value or reply.
1183 }
1184
1185 //ALOGI("<<<< TRANSACT from pid %d restore pid %d uid %d\n",
1186 // mCallingPid, origPid, origUid);
1187
1188
1189 mCallingPid = origPid;
1190 mCallingUid = origUid;
1191 mStrictModePolicy = origStrictModePolicy;
1192 mLastTransactionBinderFlags = origTransactionBinderFlags;
1193
1194 IF_LOG_TRANSACTIONS() {
1195 alog << "BC_REPLY thr " << (void*)pthread_self() << " / obj "
1196 << tr.target.ptr << ": " << indent << reply << dedent << endl;
1197 }
1198
1199 }
1200 break;
1201
1202 case BR_DEAD_BINDER:
1203 {
1204 BpHwBinder *proxy = (BpHwBinder*)mIn.readPointer();
1205 proxy->sendObituary();
1206 mOut.writeInt32(BC_DEAD_BINDER_DONE);
1207 mOut.writePointer((uintptr_t)proxy);
1208 } break;
1209
1210 case BR_CLEAR_DEATH_NOTIFICATION_DONE:
1211 {
1212 BpHwBinder *proxy = (BpHwBinder*)mIn.readPointer();
1213 proxy->getWeakRefs()->decWeak(proxy);
1214 } break;
1215
1216 case BR_FINISHED:
1217 result = TIMED_OUT;
1218 break;
1219
1220 case BR_NOOP:
1221 break;
1222
1223 case BR_SPAWN_LOOPER:
1224 mProcess->spawnPooledThread(false);
1225 break;
1226
1227 default:
1228 printf("*** BAD COMMAND %d received from Binder driver\n", cmd);
1229 result = UNKNOWN_ERROR;
1230 break;
1231 }
1232
1233 if (result != NO_ERROR) {
1234 mLastError = result;
1235 }
1236
1237 return result;
1238 }
1239
threadDestructor(void * st)1240 void IPCThreadState::threadDestructor(void *st)
1241 {
1242 IPCThreadState* const self = static_cast<IPCThreadState*>(st);
1243 if (self) {
1244 self->flushCommands();
1245 #if defined(__ANDROID__)
1246 if (self->mProcess->mDriverFD > 0) {
1247 ioctl(self->mProcess->mDriverFD, BINDER_THREAD_EXIT, 0);
1248 }
1249 #endif
1250 delete self;
1251 }
1252 }
1253
1254
freeBuffer(Parcel * parcel,const uint8_t * data,size_t,const binder_size_t *,size_t,void *)1255 void IPCThreadState::freeBuffer(Parcel* parcel, const uint8_t* data,
1256 size_t /*dataSize*/,
1257 const binder_size_t* /*objects*/,
1258 size_t /*objectsSize*/, void* /*cookie*/)
1259 {
1260 //ALOGI("Freeing parcel %p", &parcel);
1261 IF_LOG_COMMANDS() {
1262 alog << "Writing BC_FREE_BUFFER for " << data << endl;
1263 }
1264 ALOG_ASSERT(data != NULL, "Called with NULL data");
1265 if (parcel != NULL) parcel->closeFileDescriptors();
1266 IPCThreadState* state = self();
1267 state->mOut.writeInt32(BC_FREE_BUFFER);
1268 state->mOut.writePointer((uintptr_t)data);
1269 }
1270
1271 }; // namespace hardware
1272 }; // namespace android
1273