IPCThreadState.cpp revision 58e5daaed8b446bdcf937a5eb368d6623d33f423
1/* 2 * Copyright (C) 2005 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#define LOG_TAG "IPCThreadState" 18 19#include <binder/IPCThreadState.h> 20 21#include <binder/Binder.h> 22#include <binder/BpBinder.h> 23#include <binder/TextOutput.h> 24 25#include <cutils/sched_policy.h> 26#include <utils/Log.h> 27#include <utils/SystemClock.h> 28#include <utils/threads.h> 29 30#include <private/binder/binder_module.h> 31#include <private/binder/Static.h> 32 33#include <errno.h> 34#include <inttypes.h> 35#include <pthread.h> 36#include <sched.h> 37#include <signal.h> 38#include <stdio.h> 39#include <sys/ioctl.h> 40#include <sys/resource.h> 41#include <unistd.h> 42 43#if LOG_NDEBUG 44 45#define IF_LOG_TRANSACTIONS() if (false) 46#define IF_LOG_COMMANDS() if (false) 47#define LOG_REMOTEREFS(...) 48#define IF_LOG_REMOTEREFS() if (false) 49 50#define LOG_THREADPOOL(...) 51#define LOG_ONEWAY(...) 52 53#else 54 55#define IF_LOG_TRANSACTIONS() IF_ALOG(LOG_VERBOSE, "transact") 56#define IF_LOG_COMMANDS() IF_ALOG(LOG_VERBOSE, "ipc") 57#define LOG_REMOTEREFS(...) ALOG(LOG_DEBUG, "remoterefs", __VA_ARGS__) 58#define IF_LOG_REMOTEREFS() IF_ALOG(LOG_DEBUG, "remoterefs") 59#define LOG_THREADPOOL(...) ALOG(LOG_DEBUG, "threadpool", __VA_ARGS__) 60#define LOG_ONEWAY(...) ALOG(LOG_DEBUG, "ipc", __VA_ARGS__) 61 62#endif 63 64// --------------------------------------------------------------------------- 65 66namespace android { 67 68// Static const and functions will be optimized out if not used, 69// when LOG_NDEBUG and references in IF_LOG_COMMANDS() are optimized out. 70static const char *kReturnStrings[] = { 71 "BR_ERROR", 72 "BR_OK", 73 "BR_TRANSACTION", 74 "BR_REPLY", 75 "BR_ACQUIRE_RESULT", 76 "BR_DEAD_REPLY", 77 "BR_TRANSACTION_COMPLETE", 78 "BR_INCREFS", 79 "BR_ACQUIRE", 80 "BR_RELEASE", 81 "BR_DECREFS", 82 "BR_ATTEMPT_ACQUIRE", 83 "BR_NOOP", 84 "BR_SPAWN_LOOPER", 85 "BR_FINISHED", 86 "BR_DEAD_BINDER", 87 "BR_CLEAR_DEATH_NOTIFICATION_DONE", 88 "BR_FAILED_REPLY" 89}; 90 91static const char *kCommandStrings[] = { 92 "BC_TRANSACTION", 93 "BC_REPLY", 94 "BC_ACQUIRE_RESULT", 95 "BC_FREE_BUFFER", 96 "BC_INCREFS", 97 "BC_ACQUIRE", 98 "BC_RELEASE", 99 "BC_DECREFS", 100 "BC_INCREFS_DONE", 101 "BC_ACQUIRE_DONE", 102 "BC_ATTEMPT_ACQUIRE", 103 "BC_REGISTER_LOOPER", 104 "BC_ENTER_LOOPER", 105 "BC_EXIT_LOOPER", 106 "BC_REQUEST_DEATH_NOTIFICATION", 107 "BC_CLEAR_DEATH_NOTIFICATION", 108 "BC_DEAD_BINDER_DONE" 109}; 110 111static const char* getReturnString(uint32_t cmd) 112{ 113 size_t idx = cmd & 0xff; 114 if (idx < sizeof(kReturnStrings) / sizeof(kReturnStrings[0])) 115 return kReturnStrings[idx]; 116 else 117 return "unknown"; 118} 119 120static const void* printBinderTransactionData(TextOutput& out, const void* data) 121{ 122 const binder_transaction_data* btd = 123 (const binder_transaction_data*)data; 124 if (btd->target.handle < 1024) { 125 /* want to print descriptors in decimal; guess based on value */ 126 out << "target.desc=" << btd->target.handle; 127 } else { 128 out << "target.ptr=" << btd->target.ptr; 129 } 130 out << " (cookie " << btd->cookie << ")" << endl 131 << "code=" << TypeCode(btd->code) << ", flags=" << (void*)(long)btd->flags << endl 132 << "data=" << btd->data.ptr.buffer << " (" << (void*)btd->data_size 133 << " bytes)" << endl 134 << "offsets=" << btd->data.ptr.offsets << " (" << (void*)btd->offsets_size 135 << " bytes)"; 136 return btd+1; 137} 138 139static const void* printReturnCommand(TextOutput& out, const void* _cmd) 140{ 141 static const size_t N = sizeof(kReturnStrings)/sizeof(kReturnStrings[0]); 142 const int32_t* cmd = (const int32_t*)_cmd; 143 uint32_t code = (uint32_t)*cmd++; 144 size_t cmdIndex = code & 0xff; 145 if (code == BR_ERROR) { 146 out << "BR_ERROR: " << (void*)(long)(*cmd++) << endl; 147 return cmd; 148 } else if (cmdIndex >= N) { 149 out << "Unknown reply: " << code << endl; 150 return cmd; 151 } 152 out << kReturnStrings[cmdIndex]; 153 154 switch (code) { 155 case BR_TRANSACTION: 156 case BR_REPLY: { 157 out << ": " << indent; 158 cmd = (const int32_t *)printBinderTransactionData(out, cmd); 159 out << dedent; 160 } break; 161 162 case BR_ACQUIRE_RESULT: { 163 const int32_t res = *cmd++; 164 out << ": " << res << (res ? " (SUCCESS)" : " (FAILURE)"); 165 } break; 166 167 case BR_INCREFS: 168 case BR_ACQUIRE: 169 case BR_RELEASE: 170 case BR_DECREFS: { 171 const int32_t b = *cmd++; 172 const int32_t c = *cmd++; 173 out << ": target=" << (void*)(long)b << " (cookie " << (void*)(long)c << ")"; 174 } break; 175 176 case BR_ATTEMPT_ACQUIRE: { 177 const int32_t p = *cmd++; 178 const int32_t b = *cmd++; 179 const int32_t c = *cmd++; 180 out << ": target=" << (void*)(long)b << " (cookie " << (void*)(long)c 181 << "), pri=" << p; 182 } break; 183 184 case BR_DEAD_BINDER: 185 case BR_CLEAR_DEATH_NOTIFICATION_DONE: { 186 const int32_t c = *cmd++; 187 out << ": death cookie " << (void*)(long)c; 188 } break; 189 190 default: 191 // no details to show for: BR_OK, BR_DEAD_REPLY, 192 // BR_TRANSACTION_COMPLETE, BR_FINISHED 193 break; 194 } 195 196 out << endl; 197 return cmd; 198} 199 200static const void* printCommand(TextOutput& out, const void* _cmd) 201{ 202 static const size_t N = sizeof(kCommandStrings)/sizeof(kCommandStrings[0]); 203 const int32_t* cmd = (const int32_t*)_cmd; 204 uint32_t code = (uint32_t)*cmd++; 205 size_t cmdIndex = code & 0xff; 206 207 if (cmdIndex >= N) { 208 out << "Unknown command: " << code << endl; 209 return cmd; 210 } 211 out << kCommandStrings[cmdIndex]; 212 213 switch (code) { 214 case BC_TRANSACTION: 215 case BC_REPLY: { 216 out << ": " << indent; 217 cmd = (const int32_t *)printBinderTransactionData(out, cmd); 218 out << dedent; 219 } break; 220 221 case BC_ACQUIRE_RESULT: { 222 const int32_t res = *cmd++; 223 out << ": " << res << (res ? " (SUCCESS)" : " (FAILURE)"); 224 } break; 225 226 case BC_FREE_BUFFER: { 227 const int32_t buf = *cmd++; 228 out << ": buffer=" << (void*)(long)buf; 229 } break; 230 231 case BC_INCREFS: 232 case BC_ACQUIRE: 233 case BC_RELEASE: 234 case BC_DECREFS: { 235 const int32_t d = *cmd++; 236 out << ": desc=" << d; 237 } break; 238 239 case BC_INCREFS_DONE: 240 case BC_ACQUIRE_DONE: { 241 const int32_t b = *cmd++; 242 const int32_t c = *cmd++; 243 out << ": target=" << (void*)(long)b << " (cookie " << (void*)(long)c << ")"; 244 } break; 245 246 case BC_ATTEMPT_ACQUIRE: { 247 const int32_t p = *cmd++; 248 const int32_t d = *cmd++; 249 out << ": desc=" << d << ", pri=" << p; 250 } break; 251 252 case BC_REQUEST_DEATH_NOTIFICATION: 253 case BC_CLEAR_DEATH_NOTIFICATION: { 254 const int32_t h = *cmd++; 255 const int32_t c = *cmd++; 256 out << ": handle=" << h << " (death cookie " << (void*)(long)c << ")"; 257 } break; 258 259 case BC_DEAD_BINDER_DONE: { 260 const int32_t c = *cmd++; 261 out << ": death cookie " << (void*)(long)c; 262 } break; 263 264 default: 265 // no details to show for: BC_REGISTER_LOOPER, BC_ENTER_LOOPER, 266 // BC_EXIT_LOOPER 267 break; 268 } 269 270 out << endl; 271 return cmd; 272} 273 274static pthread_mutex_t gTLSMutex = PTHREAD_MUTEX_INITIALIZER; 275static bool gHaveTLS = false; 276static pthread_key_t gTLS = 0; 277static bool gShutdown = false; 278static bool gDisableBackgroundScheduling = false; 279 280IPCThreadState* IPCThreadState::self() 281{ 282 if (gHaveTLS) { 283restart: 284 const pthread_key_t k = gTLS; 285 IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k); 286 if (st) return st; 287 return new IPCThreadState; 288 } 289 290 if (gShutdown) { 291 ALOGW("Calling IPCThreadState::self() during shutdown is dangerous, expect a crash.\n"); 292 return NULL; 293 } 294 295 pthread_mutex_lock(&gTLSMutex); 296 if (!gHaveTLS) { 297 int key_create_value = pthread_key_create(&gTLS, threadDestructor); 298 if (key_create_value != 0) { 299 pthread_mutex_unlock(&gTLSMutex); 300 ALOGW("IPCThreadState::self() unable to create TLS key, expect a crash: %s\n", 301 strerror(key_create_value)); 302 return NULL; 303 } 304 gHaveTLS = true; 305 } 306 pthread_mutex_unlock(&gTLSMutex); 307 goto restart; 308} 309 310IPCThreadState* IPCThreadState::selfOrNull() 311{ 312 if (gHaveTLS) { 313 const pthread_key_t k = gTLS; 314 IPCThreadState* st = (IPCThreadState*)pthread_getspecific(k); 315 return st; 316 } 317 return NULL; 318} 319 320void IPCThreadState::shutdown() 321{ 322 gShutdown = true; 323 324 if (gHaveTLS) { 325 // XXX Need to wait for all thread pool threads to exit! 326 IPCThreadState* st = (IPCThreadState*)pthread_getspecific(gTLS); 327 if (st) { 328 delete st; 329 pthread_setspecific(gTLS, NULL); 330 } 331 pthread_key_delete(gTLS); 332 gHaveTLS = false; 333 } 334} 335 336void IPCThreadState::disableBackgroundScheduling(bool disable) 337{ 338 gDisableBackgroundScheduling = disable; 339} 340 341bool IPCThreadState::backgroundSchedulingDisabled() 342{ 343 return gDisableBackgroundScheduling; 344} 345 346sp<ProcessState> IPCThreadState::process() 347{ 348 return mProcess; 349} 350 351status_t IPCThreadState::clearLastError() 352{ 353 const status_t err = mLastError; 354 mLastError = NO_ERROR; 355 return err; 356} 357 358pid_t IPCThreadState::getCallingPid() const 359{ 360 return mCallingPid; 361} 362 363uid_t IPCThreadState::getCallingUid() const 364{ 365 return mCallingUid; 366} 367 368int64_t IPCThreadState::clearCallingIdentity() 369{ 370 int64_t token = ((int64_t)mCallingUid<<32) | mCallingPid; 371 clearCaller(); 372 return token; 373} 374 375void IPCThreadState::setStrictModePolicy(int32_t policy) 376{ 377 mStrictModePolicy = policy; 378} 379 380int32_t IPCThreadState::getStrictModePolicy() const 381{ 382 return mStrictModePolicy; 383} 384 385void IPCThreadState::setLastTransactionBinderFlags(int32_t flags) 386{ 387 mLastTransactionBinderFlags = flags; 388} 389 390int32_t IPCThreadState::getLastTransactionBinderFlags() const 391{ 392 return mLastTransactionBinderFlags; 393} 394 395void IPCThreadState::restoreCallingIdentity(int64_t token) 396{ 397 mCallingUid = (int)(token>>32); 398 mCallingPid = (int)token; 399} 400 401void IPCThreadState::clearCaller() 402{ 403 mCallingPid = getpid(); 404 mCallingUid = getuid(); 405} 406 407void IPCThreadState::flushCommands() 408{ 409 if (mProcess->mDriverFD <= 0) 410 return; 411 talkWithDriver(false); 412} 413 414void IPCThreadState::blockUntilThreadAvailable() 415{ 416 pthread_mutex_lock(&mProcess->mThreadCountLock); 417 while (mProcess->mExecutingThreadsCount >= mProcess->mMaxThreads) { 418 ALOGW("Waiting for thread to be free. mExecutingThreadsCount=%lu mMaxThreads=%lu\n", 419 static_cast<unsigned long>(mProcess->mExecutingThreadsCount), 420 static_cast<unsigned long>(mProcess->mMaxThreads)); 421 pthread_cond_wait(&mProcess->mThreadCountDecrement, &mProcess->mThreadCountLock); 422 } 423 pthread_mutex_unlock(&mProcess->mThreadCountLock); 424} 425 426status_t IPCThreadState::getAndExecuteCommand() 427{ 428 status_t result; 429 int32_t cmd; 430 431 result = talkWithDriver(); 432 if (result >= NO_ERROR) { 433 size_t IN = mIn.dataAvail(); 434 if (IN < sizeof(int32_t)) return result; 435 cmd = mIn.readInt32(); 436 IF_LOG_COMMANDS() { 437 alog << "Processing top-level Command: " 438 << getReturnString(cmd) << endl; 439 } 440 441 pthread_mutex_lock(&mProcess->mThreadCountLock); 442 mProcess->mExecutingThreadsCount++; 443 if (mProcess->mExecutingThreadsCount >= mProcess->mMaxThreads && 444 mProcess->mStarvationStartTimeMs == 0) { 445 mProcess->mStarvationStartTimeMs = uptimeMillis(); 446 } 447 pthread_mutex_unlock(&mProcess->mThreadCountLock); 448 449 result = executeCommand(cmd); 450 451 pthread_mutex_lock(&mProcess->mThreadCountLock); 452 mProcess->mExecutingThreadsCount--; 453 if (mProcess->mExecutingThreadsCount < mProcess->mMaxThreads && 454 mProcess->mStarvationStartTimeMs != 0) { 455 int64_t starvationTimeMs = uptimeMillis() - mProcess->mStarvationStartTimeMs; 456 if (starvationTimeMs > 100) { 457 ALOGE("binder thread pool (%zu threads) starved for %" PRId64 " ms", 458 mProcess->mMaxThreads, starvationTimeMs); 459 } 460 mProcess->mStarvationStartTimeMs = 0; 461 } 462 pthread_cond_broadcast(&mProcess->mThreadCountDecrement); 463 pthread_mutex_unlock(&mProcess->mThreadCountLock); 464 } 465 466 return result; 467} 468 469// When we've cleared the incoming command queue, process any pending derefs 470void IPCThreadState::processPendingDerefs() 471{ 472 if (mIn.dataPosition() >= mIn.dataSize()) { 473 /* 474 * The decWeak()/decStrong() calls may cause a destructor to run, 475 * which in turn could have initiated an outgoing transaction, 476 * which in turn could cause us to add to the pending refs 477 * vectors; so instead of simply iterating, loop until they're empty. 478 * 479 * We do this in an outer loop, because calling decStrong() 480 * may result in something being added to mPendingWeakDerefs, 481 * which could be delayed until the next incoming command 482 * from the driver if we don't process it now. 483 */ 484 while (mPendingWeakDerefs.size() > 0 || mPendingStrongDerefs.size() > 0) { 485 while (mPendingWeakDerefs.size() > 0) { 486 RefBase::weakref_type* refs = mPendingWeakDerefs[0]; 487 mPendingWeakDerefs.removeAt(0); 488 refs->decWeak(mProcess.get()); 489 } 490 491 if (mPendingStrongDerefs.size() > 0) { 492 // We don't use while() here because we don't want to re-order 493 // strong and weak decs at all; if this decStrong() causes both a 494 // decWeak() and a decStrong() to be queued, we want to process 495 // the decWeak() first. 496 BBinder* obj = mPendingStrongDerefs[0]; 497 mPendingStrongDerefs.removeAt(0); 498 obj->decStrong(mProcess.get()); 499 } 500 } 501 } 502} 503 504void IPCThreadState::joinThreadPool(bool isMain) 505{ 506 LOG_THREADPOOL("**** THREAD %p (PID %d) IS JOINING THE THREAD POOL\n", (void*)pthread_self(), getpid()); 507 508 mOut.writeInt32(isMain ? BC_ENTER_LOOPER : BC_REGISTER_LOOPER); 509 510 status_t result; 511 do { 512 processPendingDerefs(); 513 // now get the next command to be processed, waiting if necessary 514 result = getAndExecuteCommand(); 515 516 if (result < NO_ERROR && result != TIMED_OUT && result != -ECONNREFUSED && result != -EBADF) { 517 ALOGE("getAndExecuteCommand(fd=%d) returned unexpected error %d, aborting", 518 mProcess->mDriverFD, result); 519 abort(); 520 } 521 522 // Let this thread exit the thread pool if it is no longer 523 // needed and it is not the main process thread. 524 if(result == TIMED_OUT && !isMain) { 525 break; 526 } 527 } while (result != -ECONNREFUSED && result != -EBADF); 528 529 LOG_THREADPOOL("**** THREAD %p (PID %d) IS LEAVING THE THREAD POOL err=%d\n", 530 (void*)pthread_self(), getpid(), result); 531 532 mOut.writeInt32(BC_EXIT_LOOPER); 533 talkWithDriver(false); 534} 535 536int IPCThreadState::setupPolling(int* fd) 537{ 538 if (mProcess->mDriverFD <= 0) { 539 return -EBADF; 540 } 541 542 mOut.writeInt32(BC_ENTER_LOOPER); 543 *fd = mProcess->mDriverFD; 544 return 0; 545} 546 547status_t IPCThreadState::handlePolledCommands() 548{ 549 status_t result; 550 551 do { 552 result = getAndExecuteCommand(); 553 } while (mIn.dataPosition() < mIn.dataSize()); 554 555 processPendingDerefs(); 556 flushCommands(); 557 return result; 558} 559 560void IPCThreadState::stopProcess(bool /*immediate*/) 561{ 562 //ALOGI("**** STOPPING PROCESS"); 563 flushCommands(); 564 int fd = mProcess->mDriverFD; 565 mProcess->mDriverFD = -1; 566 close(fd); 567 //kill(getpid(), SIGKILL); 568} 569 570status_t IPCThreadState::transact(int32_t handle, 571 uint32_t code, const Parcel& data, 572 Parcel* reply, uint32_t flags) 573{ 574 status_t err; 575 576 flags |= TF_ACCEPT_FDS; 577 578 IF_LOG_TRANSACTIONS() { 579 TextOutput::Bundle _b(alog); 580 alog << "BC_TRANSACTION thr " << (void*)pthread_self() << " / hand " 581 << handle << " / code " << TypeCode(code) << ": " 582 << indent << data << dedent << endl; 583 } 584 585 LOG_ONEWAY(">>>> SEND from pid %d uid %d %s", getpid(), getuid(), 586 (flags & TF_ONE_WAY) == 0 ? "READ REPLY" : "ONE WAY"); 587 err = writeTransactionData(BC_TRANSACTION, flags, handle, code, data, NULL); 588 589 if (err != NO_ERROR) { 590 if (reply) reply->setError(err); 591 return (mLastError = err); 592 } 593 594 if ((flags & TF_ONE_WAY) == 0) { 595 #if 0 596 if (code == 4) { // relayout 597 ALOGI(">>>>>> CALLING transaction 4"); 598 } else { 599 ALOGI(">>>>>> CALLING transaction %d", code); 600 } 601 #endif 602 if (reply) { 603 err = waitForResponse(reply); 604 } else { 605 Parcel fakeReply; 606 err = waitForResponse(&fakeReply); 607 } 608 #if 0 609 if (code == 4) { // relayout 610 ALOGI("<<<<<< RETURNING transaction 4"); 611 } else { 612 ALOGI("<<<<<< RETURNING transaction %d", code); 613 } 614 #endif 615 616 IF_LOG_TRANSACTIONS() { 617 TextOutput::Bundle _b(alog); 618 alog << "BR_REPLY thr " << (void*)pthread_self() << " / hand " 619 << handle << ": "; 620 if (reply) alog << indent << *reply << dedent << endl; 621 else alog << "(none requested)" << endl; 622 } 623 } else { 624 err = waitForResponse(NULL, NULL); 625 } 626 627 return err; 628} 629 630void IPCThreadState::incStrongHandle(int32_t handle) 631{ 632 LOG_REMOTEREFS("IPCThreadState::incStrongHandle(%d)\n", handle); 633 mOut.writeInt32(BC_ACQUIRE); 634 mOut.writeInt32(handle); 635} 636 637void IPCThreadState::decStrongHandle(int32_t handle) 638{ 639 LOG_REMOTEREFS("IPCThreadState::decStrongHandle(%d)\n", handle); 640 mOut.writeInt32(BC_RELEASE); 641 mOut.writeInt32(handle); 642} 643 644void IPCThreadState::incWeakHandle(int32_t handle) 645{ 646 LOG_REMOTEREFS("IPCThreadState::incWeakHandle(%d)\n", handle); 647 mOut.writeInt32(BC_INCREFS); 648 mOut.writeInt32(handle); 649} 650 651void IPCThreadState::decWeakHandle(int32_t handle) 652{ 653 LOG_REMOTEREFS("IPCThreadState::decWeakHandle(%d)\n", handle); 654 mOut.writeInt32(BC_DECREFS); 655 mOut.writeInt32(handle); 656} 657 658status_t IPCThreadState::attemptIncStrongHandle(int32_t handle) 659{ 660#if HAS_BC_ATTEMPT_ACQUIRE 661 LOG_REMOTEREFS("IPCThreadState::attemptIncStrongHandle(%d)\n", handle); 662 mOut.writeInt32(BC_ATTEMPT_ACQUIRE); 663 mOut.writeInt32(0); // xxx was thread priority 664 mOut.writeInt32(handle); 665 status_t result = UNKNOWN_ERROR; 666 667 waitForResponse(NULL, &result); 668 669#if LOG_REFCOUNTS 670 ALOGV("IPCThreadState::attemptIncStrongHandle(%ld) = %s\n", 671 handle, result == NO_ERROR ? "SUCCESS" : "FAILURE"); 672#endif 673 674 return result; 675#else 676 (void)handle; 677 ALOGE("%s(%d): Not supported\n", __func__, handle); 678 return INVALID_OPERATION; 679#endif 680} 681 682void IPCThreadState::expungeHandle(int32_t handle, IBinder* binder) 683{ 684#if LOG_REFCOUNTS 685 ALOGV("IPCThreadState::expungeHandle(%ld)\n", handle); 686#endif 687 self()->mProcess->expungeHandle(handle, binder); // NOLINT 688} 689 690status_t IPCThreadState::requestDeathNotification(int32_t handle, BpBinder* proxy) 691{ 692 mOut.writeInt32(BC_REQUEST_DEATH_NOTIFICATION); 693 mOut.writeInt32((int32_t)handle); 694 mOut.writePointer((uintptr_t)proxy); 695 return NO_ERROR; 696} 697 698status_t IPCThreadState::clearDeathNotification(int32_t handle, BpBinder* proxy) 699{ 700 mOut.writeInt32(BC_CLEAR_DEATH_NOTIFICATION); 701 mOut.writeInt32((int32_t)handle); 702 mOut.writePointer((uintptr_t)proxy); 703 return NO_ERROR; 704} 705 706IPCThreadState::IPCThreadState() 707 : mProcess(ProcessState::self()), 708 mStrictModePolicy(0), 709 mLastTransactionBinderFlags(0) 710{ 711 pthread_setspecific(gTLS, this); 712 clearCaller(); 713 mIn.setDataCapacity(256); 714 mOut.setDataCapacity(256); 715} 716 717IPCThreadState::~IPCThreadState() 718{ 719} 720 721status_t IPCThreadState::sendReply(const Parcel& reply, uint32_t flags) 722{ 723 status_t err; 724 status_t statusBuffer; 725 err = writeTransactionData(BC_REPLY, flags, -1, 0, reply, &statusBuffer); 726 if (err < NO_ERROR) return err; 727 728 return waitForResponse(NULL, NULL); 729} 730 731status_t IPCThreadState::waitForResponse(Parcel *reply, status_t *acquireResult) 732{ 733 uint32_t cmd; 734 int32_t err; 735 736 while (1) { 737 if ((err=talkWithDriver()) < NO_ERROR) break; 738 err = mIn.errorCheck(); 739 if (err < NO_ERROR) break; 740 if (mIn.dataAvail() == 0) continue; 741 742 cmd = (uint32_t)mIn.readInt32(); 743 744 IF_LOG_COMMANDS() { 745 alog << "Processing waitForResponse Command: " 746 << getReturnString(cmd) << endl; 747 } 748 749 switch (cmd) { 750 case BR_TRANSACTION_COMPLETE: 751 if (!reply && !acquireResult) goto finish; 752 break; 753 754 case BR_DEAD_REPLY: 755 err = DEAD_OBJECT; 756 goto finish; 757 758 case BR_FAILED_REPLY: 759 err = FAILED_TRANSACTION; 760 goto finish; 761 762 case BR_ACQUIRE_RESULT: 763 { 764 ALOG_ASSERT(acquireResult != NULL, "Unexpected brACQUIRE_RESULT"); 765 const int32_t result = mIn.readInt32(); 766 if (!acquireResult) continue; 767 *acquireResult = result ? NO_ERROR : INVALID_OPERATION; 768 } 769 goto finish; 770 771 case BR_REPLY: 772 { 773 binder_transaction_data tr; 774 err = mIn.read(&tr, sizeof(tr)); 775 ALOG_ASSERT(err == NO_ERROR, "Not enough command data for brREPLY"); 776 if (err != NO_ERROR) goto finish; 777 778 if (reply) { 779 if ((tr.flags & TF_STATUS_CODE) == 0) { 780 reply->ipcSetDataReference( 781 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer), 782 tr.data_size, 783 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets), 784 tr.offsets_size/sizeof(binder_size_t), 785 freeBuffer, this); 786 } else { 787 err = *reinterpret_cast<const status_t*>(tr.data.ptr.buffer); 788 freeBuffer(NULL, 789 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer), 790 tr.data_size, 791 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets), 792 tr.offsets_size/sizeof(binder_size_t), this); 793 } 794 } else { 795 freeBuffer(NULL, 796 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer), 797 tr.data_size, 798 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets), 799 tr.offsets_size/sizeof(binder_size_t), this); 800 continue; 801 } 802 } 803 goto finish; 804 805 default: 806 err = executeCommand(cmd); 807 if (err != NO_ERROR) goto finish; 808 break; 809 } 810 } 811 812finish: 813 if (err != NO_ERROR) { 814 if (acquireResult) *acquireResult = err; 815 if (reply) reply->setError(err); 816 mLastError = err; 817 } 818 819 return err; 820} 821 822status_t IPCThreadState::talkWithDriver(bool doReceive) 823{ 824 if (mProcess->mDriverFD <= 0) { 825 return -EBADF; 826 } 827 828 binder_write_read bwr; 829 830 // Is the read buffer empty? 831 const bool needRead = mIn.dataPosition() >= mIn.dataSize(); 832 833 // We don't want to write anything if we are still reading 834 // from data left in the input buffer and the caller 835 // has requested to read the next data. 836 const size_t outAvail = (!doReceive || needRead) ? mOut.dataSize() : 0; 837 838 bwr.write_size = outAvail; 839 bwr.write_buffer = (uintptr_t)mOut.data(); 840 841 // This is what we'll read. 842 if (doReceive && needRead) { 843 bwr.read_size = mIn.dataCapacity(); 844 bwr.read_buffer = (uintptr_t)mIn.data(); 845 } else { 846 bwr.read_size = 0; 847 bwr.read_buffer = 0; 848 } 849 850 IF_LOG_COMMANDS() { 851 TextOutput::Bundle _b(alog); 852 if (outAvail != 0) { 853 alog << "Sending commands to driver: " << indent; 854 const void* cmds = (const void*)bwr.write_buffer; 855 const void* end = ((const uint8_t*)cmds)+bwr.write_size; 856 alog << HexDump(cmds, bwr.write_size) << endl; 857 while (cmds < end) cmds = printCommand(alog, cmds); 858 alog << dedent; 859 } 860 alog << "Size of receive buffer: " << bwr.read_size 861 << ", needRead: " << needRead << ", doReceive: " << doReceive << endl; 862 } 863 864 // Return immediately if there is nothing to do. 865 if ((bwr.write_size == 0) && (bwr.read_size == 0)) return NO_ERROR; 866 867 bwr.write_consumed = 0; 868 bwr.read_consumed = 0; 869 status_t err; 870 do { 871 IF_LOG_COMMANDS() { 872 alog << "About to read/write, write size = " << mOut.dataSize() << endl; 873 } 874#if defined(__ANDROID__) 875 if (ioctl(mProcess->mDriverFD, BINDER_WRITE_READ, &bwr) >= 0) 876 err = NO_ERROR; 877 else 878 err = -errno; 879#else 880 err = INVALID_OPERATION; 881#endif 882 if (mProcess->mDriverFD <= 0) { 883 err = -EBADF; 884 } 885 IF_LOG_COMMANDS() { 886 alog << "Finished read/write, write size = " << mOut.dataSize() << endl; 887 } 888 } while (err == -EINTR); 889 890 IF_LOG_COMMANDS() { 891 alog << "Our err: " << (void*)(intptr_t)err << ", write consumed: " 892 << bwr.write_consumed << " (of " << mOut.dataSize() 893 << "), read consumed: " << bwr.read_consumed << endl; 894 } 895 896 if (err >= NO_ERROR) { 897 if (bwr.write_consumed > 0) { 898 if (bwr.write_consumed < mOut.dataSize()) 899 mOut.remove(0, bwr.write_consumed); 900 else 901 mOut.setDataSize(0); 902 } 903 if (bwr.read_consumed > 0) { 904 mIn.setDataSize(bwr.read_consumed); 905 mIn.setDataPosition(0); 906 } 907 IF_LOG_COMMANDS() { 908 TextOutput::Bundle _b(alog); 909 alog << "Remaining data size: " << mOut.dataSize() << endl; 910 alog << "Received commands from driver: " << indent; 911 const void* cmds = mIn.data(); 912 const void* end = mIn.data() + mIn.dataSize(); 913 alog << HexDump(cmds, mIn.dataSize()) << endl; 914 while (cmds < end) cmds = printReturnCommand(alog, cmds); 915 alog << dedent; 916 } 917 return NO_ERROR; 918 } 919 920 return err; 921} 922 923status_t IPCThreadState::writeTransactionData(int32_t cmd, uint32_t binderFlags, 924 int32_t handle, uint32_t code, const Parcel& data, status_t* statusBuffer) 925{ 926 binder_transaction_data tr; 927 928 tr.target.ptr = 0; /* Don't pass uninitialized stack data to a remote process */ 929 tr.target.handle = handle; 930 tr.code = code; 931 tr.flags = binderFlags; 932 tr.cookie = 0; 933 tr.sender_pid = 0; 934 tr.sender_euid = 0; 935 936 const status_t err = data.errorCheck(); 937 if (err == NO_ERROR) { 938 tr.data_size = data.ipcDataSize(); 939 tr.data.ptr.buffer = data.ipcData(); 940 tr.offsets_size = data.ipcObjectsCount()*sizeof(binder_size_t); 941 tr.data.ptr.offsets = data.ipcObjects(); 942 } else if (statusBuffer) { 943 tr.flags |= TF_STATUS_CODE; 944 *statusBuffer = err; 945 tr.data_size = sizeof(status_t); 946 tr.data.ptr.buffer = reinterpret_cast<uintptr_t>(statusBuffer); 947 tr.offsets_size = 0; 948 tr.data.ptr.offsets = 0; 949 } else { 950 return (mLastError = err); 951 } 952 953 mOut.writeInt32(cmd); 954 mOut.write(&tr, sizeof(tr)); 955 956 return NO_ERROR; 957} 958 959sp<BBinder> the_context_object; 960 961void setTheContextObject(sp<BBinder> obj) 962{ 963 the_context_object = obj; 964} 965 966status_t IPCThreadState::executeCommand(int32_t cmd) 967{ 968 BBinder* obj; 969 RefBase::weakref_type* refs; 970 status_t result = NO_ERROR; 971 972 switch ((uint32_t)cmd) { 973 case BR_ERROR: 974 result = mIn.readInt32(); 975 break; 976 977 case BR_OK: 978 break; 979 980 case BR_ACQUIRE: 981 refs = (RefBase::weakref_type*)mIn.readPointer(); 982 obj = (BBinder*)mIn.readPointer(); 983 ALOG_ASSERT(refs->refBase() == obj, 984 "BR_ACQUIRE: object %p does not match cookie %p (expected %p)", 985 refs, obj, refs->refBase()); 986 obj->incStrong(mProcess.get()); 987 IF_LOG_REMOTEREFS() { 988 LOG_REMOTEREFS("BR_ACQUIRE from driver on %p", obj); 989 obj->printRefs(); 990 } 991 mOut.writeInt32(BC_ACQUIRE_DONE); 992 mOut.writePointer((uintptr_t)refs); 993 mOut.writePointer((uintptr_t)obj); 994 break; 995 996 case BR_RELEASE: 997 refs = (RefBase::weakref_type*)mIn.readPointer(); 998 obj = (BBinder*)mIn.readPointer(); 999 ALOG_ASSERT(refs->refBase() == obj, 1000 "BR_RELEASE: object %p does not match cookie %p (expected %p)", 1001 refs, obj, refs->refBase()); 1002 IF_LOG_REMOTEREFS() { 1003 LOG_REMOTEREFS("BR_RELEASE from driver on %p", obj); 1004 obj->printRefs(); 1005 } 1006 mPendingStrongDerefs.push(obj); 1007 break; 1008 1009 case BR_INCREFS: 1010 refs = (RefBase::weakref_type*)mIn.readPointer(); 1011 obj = (BBinder*)mIn.readPointer(); 1012 refs->incWeak(mProcess.get()); 1013 mOut.writeInt32(BC_INCREFS_DONE); 1014 mOut.writePointer((uintptr_t)refs); 1015 mOut.writePointer((uintptr_t)obj); 1016 break; 1017 1018 case BR_DECREFS: 1019 refs = (RefBase::weakref_type*)mIn.readPointer(); 1020 obj = (BBinder*)mIn.readPointer(); 1021 // NOTE: This assertion is not valid, because the object may no 1022 // longer exist (thus the (BBinder*)cast above resulting in a different 1023 // memory address). 1024 //ALOG_ASSERT(refs->refBase() == obj, 1025 // "BR_DECREFS: object %p does not match cookie %p (expected %p)", 1026 // refs, obj, refs->refBase()); 1027 mPendingWeakDerefs.push(refs); 1028 break; 1029 1030 case BR_ATTEMPT_ACQUIRE: 1031 refs = (RefBase::weakref_type*)mIn.readPointer(); 1032 obj = (BBinder*)mIn.readPointer(); 1033 1034 { 1035 const bool success = refs->attemptIncStrong(mProcess.get()); 1036 ALOG_ASSERT(success && refs->refBase() == obj, 1037 "BR_ATTEMPT_ACQUIRE: object %p does not match cookie %p (expected %p)", 1038 refs, obj, refs->refBase()); 1039 1040 mOut.writeInt32(BC_ACQUIRE_RESULT); 1041 mOut.writeInt32((int32_t)success); 1042 } 1043 break; 1044 1045 case BR_TRANSACTION: 1046 { 1047 binder_transaction_data tr; 1048 result = mIn.read(&tr, sizeof(tr)); 1049 ALOG_ASSERT(result == NO_ERROR, 1050 "Not enough command data for brTRANSACTION"); 1051 if (result != NO_ERROR) break; 1052 1053 Parcel buffer; 1054 buffer.ipcSetDataReference( 1055 reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer), 1056 tr.data_size, 1057 reinterpret_cast<const binder_size_t*>(tr.data.ptr.offsets), 1058 tr.offsets_size/sizeof(binder_size_t), freeBuffer, this); 1059 1060 const pid_t origPid = mCallingPid; 1061 const uid_t origUid = mCallingUid; 1062 const int32_t origStrictModePolicy = mStrictModePolicy; 1063 const int32_t origTransactionBinderFlags = mLastTransactionBinderFlags; 1064 1065 mCallingPid = tr.sender_pid; 1066 mCallingUid = tr.sender_euid; 1067 mLastTransactionBinderFlags = tr.flags; 1068 1069 //ALOGI(">>>> TRANSACT from pid %d uid %d\n", mCallingPid, mCallingUid); 1070 1071 Parcel reply; 1072 status_t error; 1073 IF_LOG_TRANSACTIONS() { 1074 TextOutput::Bundle _b(alog); 1075 alog << "BR_TRANSACTION thr " << (void*)pthread_self() 1076 << " / obj " << tr.target.ptr << " / code " 1077 << TypeCode(tr.code) << ": " << indent << buffer 1078 << dedent << endl 1079 << "Data addr = " 1080 << reinterpret_cast<const uint8_t*>(tr.data.ptr.buffer) 1081 << ", offsets addr=" 1082 << reinterpret_cast<const size_t*>(tr.data.ptr.offsets) << endl; 1083 } 1084 if (tr.target.ptr) { 1085 // We only have a weak reference on the target object, so we must first try to 1086 // safely acquire a strong reference before doing anything else with it. 1087 if (reinterpret_cast<RefBase::weakref_type*>( 1088 tr.target.ptr)->attemptIncStrong(this)) { 1089 error = reinterpret_cast<BBinder*>(tr.cookie)->transact(tr.code, buffer, 1090 &reply, tr.flags); 1091 reinterpret_cast<BBinder*>(tr.cookie)->decStrong(this); 1092 } else { 1093 error = UNKNOWN_TRANSACTION; 1094 } 1095 1096 } else { 1097 error = the_context_object->transact(tr.code, buffer, &reply, tr.flags); 1098 } 1099 1100 //ALOGI("<<<< TRANSACT from pid %d restore pid %d uid %d\n", 1101 // mCallingPid, origPid, origUid); 1102 1103 if ((tr.flags & TF_ONE_WAY) == 0) { 1104 LOG_ONEWAY("Sending reply to %d!", mCallingPid); 1105 if (error < NO_ERROR) reply.setError(error); 1106 sendReply(reply, 0); 1107 } else { 1108 LOG_ONEWAY("NOT sending reply to %d!", mCallingPid); 1109 } 1110 1111 mCallingPid = origPid; 1112 mCallingUid = origUid; 1113 mStrictModePolicy = origStrictModePolicy; 1114 mLastTransactionBinderFlags = origTransactionBinderFlags; 1115 1116 IF_LOG_TRANSACTIONS() { 1117 TextOutput::Bundle _b(alog); 1118 alog << "BC_REPLY thr " << (void*)pthread_self() << " / obj " 1119 << tr.target.ptr << ": " << indent << reply << dedent << endl; 1120 } 1121 1122 } 1123 break; 1124 1125 case BR_DEAD_BINDER: 1126 { 1127 BpBinder *proxy = (BpBinder*)mIn.readPointer(); 1128 proxy->sendObituary(); 1129 mOut.writeInt32(BC_DEAD_BINDER_DONE); 1130 mOut.writePointer((uintptr_t)proxy); 1131 } break; 1132 1133 case BR_CLEAR_DEATH_NOTIFICATION_DONE: 1134 { 1135 BpBinder *proxy = (BpBinder*)mIn.readPointer(); 1136 proxy->getWeakRefs()->decWeak(proxy); 1137 } break; 1138 1139 case BR_FINISHED: 1140 result = TIMED_OUT; 1141 break; 1142 1143 case BR_NOOP: 1144 break; 1145 1146 case BR_SPAWN_LOOPER: 1147 mProcess->spawnPooledThread(false); 1148 break; 1149 1150 default: 1151 ALOGE("*** BAD COMMAND %d received from Binder driver\n", cmd); 1152 result = UNKNOWN_ERROR; 1153 break; 1154 } 1155 1156 if (result != NO_ERROR) { 1157 mLastError = result; 1158 } 1159 1160 return result; 1161} 1162 1163void IPCThreadState::threadDestructor(void *st) 1164{ 1165 IPCThreadState* const self = static_cast<IPCThreadState*>(st); 1166 if (self) { 1167 self->flushCommands(); 1168#if defined(__ANDROID__) 1169 if (self->mProcess->mDriverFD > 0) { 1170 ioctl(self->mProcess->mDriverFD, BINDER_THREAD_EXIT, 0); 1171 } 1172#endif 1173 delete self; 1174 } 1175} 1176 1177 1178void IPCThreadState::freeBuffer(Parcel* parcel, const uint8_t* data, 1179 size_t /*dataSize*/, 1180 const binder_size_t* /*objects*/, 1181 size_t /*objectsSize*/, void* /*cookie*/) 1182{ 1183 //ALOGI("Freeing parcel %p", &parcel); 1184 IF_LOG_COMMANDS() { 1185 alog << "Writing BC_FREE_BUFFER for " << data << endl; 1186 } 1187 ALOG_ASSERT(data != NULL, "Called with NULL data"); 1188 if (parcel != NULL) parcel->closeFileDescriptors(); 1189 IPCThreadState* state = self(); 1190 state->mOut.writeInt32(BC_FREE_BUFFER); 1191 state->mOut.writePointer((uintptr_t)data); 1192} 1193 1194}; // namespace android 1195