StrictMode.java revision cb9ceb1029036363a81952d8ed5dfcbc83e6ff72
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16package android.os; 17 18import android.app.ActivityManagerNative; 19import android.app.ApplicationErrorReport; 20import android.util.Log; 21import android.util.Printer; 22 23import com.android.internal.os.RuntimeInit; 24 25import dalvik.system.BlockGuard; 26 27import java.io.PrintWriter; 28import java.io.StringWriter; 29import java.util.ArrayList; 30import java.util.HashMap; 31 32/** 33 * <p>StrictMode lets you impose stricter rules under which your 34 * application runs.</p> 35 */ 36public final class StrictMode { 37 private static final String TAG = "StrictMode"; 38 private static final boolean LOG_V = false; 39 40 // Only log a duplicate stack trace to the logs every second. 41 private static final long MIN_LOG_INTERVAL_MS = 1000; 42 43 // Only show an annoying dialog at most every 30 seconds 44 private static final long MIN_DIALOG_INTERVAL_MS = 30000; 45 46 private StrictMode() {} 47 48 public static final int DISALLOW_DISK_WRITE = 0x01; 49 public static final int DISALLOW_DISK_READ = 0x02; 50 public static final int DISALLOW_NETWORK = 0x04; 51 52 /** @hide */ 53 public static final int DISALLOW_MASK = 54 DISALLOW_DISK_WRITE | DISALLOW_DISK_READ | DISALLOW_NETWORK; 55 56 /** 57 * Flag to log to the system log. 58 */ 59 public static final int PENALTY_LOG = 0x10; // normal android.util.Log 60 61 /** 62 * Show an annoying dialog to the user. Will be rate-limited to be only 63 * a little annoying. 64 */ 65 public static final int PENALTY_DIALOG = 0x20; 66 67 /** 68 * Crash hard if policy is violated. 69 */ 70 public static final int PENALTY_DEATH = 0x40; 71 72 /** 73 * Log a stacktrace to the DropBox on policy violation. 74 */ 75 public static final int PENALTY_DROPBOX = 0x80; 76 77 /** 78 * Non-public penalty mode which overrides all the other penalty 79 * bits and signals that we're in a Binder call and we should 80 * ignore the other penalty bits and instead serialize back all 81 * our offending stack traces to the caller to ultimately handle 82 * in the originating process. 83 * 84 * This must be kept in sync with the constant in libs/binder/Parcel.cpp 85 * 86 * @hide 87 */ 88 public static final int PENALTY_GATHER = 0x100; 89 90 /** @hide */ 91 public static final int PENALTY_MASK = 92 PENALTY_LOG | PENALTY_DIALOG | 93 PENALTY_DROPBOX | PENALTY_DEATH; 94 95 /** 96 * Log of strict mode violation stack traces that have occurred 97 * during a Binder call, to be serialized back later to the caller 98 * via Parcel.writeNoException() (amusingly) where the caller can 99 * choose how to react. 100 */ 101 private static final ThreadLocal<ArrayList<ViolationInfo>> gatheredViolations = 102 new ThreadLocal<ArrayList<ViolationInfo>>() { 103 @Override protected ArrayList<ViolationInfo> initialValue() { 104 // Starts null to avoid unnecessary allocations when 105 // checking whether there are any violations or not in 106 // hasGatheredViolations() below. 107 return null; 108 } 109 }; 110 111 /** 112 * Sets the policy for what actions the current thread is denied, 113 * as well as the penalty for violating the policy. 114 * 115 * @param policyMask a bitmask of DISALLOW_* and PENALTY_* values. 116 */ 117 public static void setThreadBlockingPolicy(final int policyMask) { 118 // In addition to the Java-level thread-local in Dalvik's 119 // BlockGuard, we also need to keep a native thread-local in 120 // Binder in order to propagate the value across Binder calls, 121 // even across native-only processes. The two are kept in 122 // sync via the callback to onStrictModePolicyChange, below. 123 setBlockGuardPolicy(policyMask); 124 125 // And set the Android native version... 126 Binder.setThreadStrictModePolicy(policyMask); 127 } 128 129 // Sets the policy in Dalvik/libcore (BlockGuard) 130 private static void setBlockGuardPolicy(final int policyMask) { 131 if (policyMask == 0) { 132 BlockGuard.setThreadPolicy(BlockGuard.LAX_POLICY); 133 return; 134 } 135 BlockGuard.Policy policy = BlockGuard.getThreadPolicy(); 136 if (!(policy instanceof AndroidBlockGuardPolicy)) { 137 BlockGuard.setThreadPolicy(new AndroidBlockGuardPolicy(policyMask)); 138 } else { 139 AndroidBlockGuardPolicy androidPolicy = (AndroidBlockGuardPolicy) policy; 140 androidPolicy.setPolicyMask(policyMask); 141 } 142 } 143 144 private static class StrictModeNetworkViolation extends BlockGuard.BlockGuardPolicyException { 145 public StrictModeNetworkViolation(int policyMask) { 146 super(policyMask, DISALLOW_NETWORK); 147 } 148 } 149 150 private static class StrictModeDiskReadViolation extends BlockGuard.BlockGuardPolicyException { 151 public StrictModeDiskReadViolation(int policyMask) { 152 super(policyMask, DISALLOW_DISK_READ); 153 } 154 } 155 156 private static class StrictModeDiskWriteViolation extends BlockGuard.BlockGuardPolicyException { 157 public StrictModeDiskWriteViolation(int policyMask) { 158 super(policyMask, DISALLOW_DISK_WRITE); 159 } 160 } 161 162 /** 163 * Returns the bitmask of the current thread's blocking policy. 164 * 165 * @return the bitmask of all the DISALLOW_* and PENALTY_* bits currently enabled 166 */ 167 public static int getThreadBlockingPolicy() { 168 return BlockGuard.getThreadPolicy().getPolicyMask(); 169 } 170 171 /** 172 * Parses the BlockGuard policy mask out from the Exception's 173 * getMessage() String value. Kinda gross, but least 174 * invasive. :/ 175 * 176 * Input is of form "policy=137 violation=64" 177 * 178 * Returns 0 on failure, which is a valid policy, but not a 179 * valid policy during a violation (else there must've been 180 * some policy in effect to violate). 181 */ 182 private static int parsePolicyFromMessage(String message) { 183 if (message == null || !message.startsWith("policy=")) { 184 return 0; 185 } 186 int spaceIndex = message.indexOf(' '); 187 if (spaceIndex == -1) { 188 return 0; 189 } 190 String policyString = message.substring(7, spaceIndex); 191 try { 192 return Integer.valueOf(policyString).intValue(); 193 } catch (NumberFormatException e) { 194 return 0; 195 } 196 } 197 198 /** 199 * Like parsePolicyFromMessage(), but returns the violation. 200 */ 201 private static int parseViolationFromMessage(String message) { 202 if (message == null) { 203 return 0; 204 } 205 int violationIndex = message.indexOf("violation="); 206 if (violationIndex == -1) { 207 return 0; 208 } 209 String violationString = message.substring(violationIndex + 10); 210 try { 211 return Integer.valueOf(violationString).intValue(); 212 } catch (NumberFormatException e) { 213 return 0; 214 } 215 } 216 217 private static class AndroidBlockGuardPolicy implements BlockGuard.Policy { 218 private int mPolicyMask; 219 220 // Map from violation stacktrace hashcode -> uptimeMillis of 221 // last violation. No locking needed, as this is only 222 // accessed by the same thread. 223 private final HashMap<Integer, Long> mLastViolationTime = new HashMap<Integer, Long>(); 224 225 public AndroidBlockGuardPolicy(final int policyMask) { 226 mPolicyMask = policyMask; 227 } 228 229 @Override 230 public String toString() { 231 return "AndroidBlockGuardPolicy; mPolicyMask=" + mPolicyMask; 232 } 233 234 // Part of BlockGuard.Policy interface: 235 public int getPolicyMask() { 236 return mPolicyMask; 237 } 238 239 // Part of BlockGuard.Policy interface: 240 public void onWriteToDisk() { 241 if ((mPolicyMask & DISALLOW_DISK_WRITE) == 0) { 242 return; 243 } 244 BlockGuard.BlockGuardPolicyException e = new StrictModeDiskWriteViolation(mPolicyMask); 245 e.fillInStackTrace(); 246 startHandlingViolationException(e); 247 } 248 249 // Part of BlockGuard.Policy interface: 250 public void onReadFromDisk() { 251 if ((mPolicyMask & DISALLOW_DISK_READ) == 0) { 252 return; 253 } 254 BlockGuard.BlockGuardPolicyException e = new StrictModeDiskReadViolation(mPolicyMask); 255 e.fillInStackTrace(); 256 startHandlingViolationException(e); 257 } 258 259 // Part of BlockGuard.Policy interface: 260 public void onNetwork() { 261 if ((mPolicyMask & DISALLOW_NETWORK) == 0) { 262 return; 263 } 264 BlockGuard.BlockGuardPolicyException e = new StrictModeNetworkViolation(mPolicyMask); 265 e.fillInStackTrace(); 266 startHandlingViolationException(e); 267 } 268 269 public void setPolicyMask(int policyMask) { 270 mPolicyMask = policyMask; 271 } 272 273 // Start handling a violation that just started and hasn't 274 // actually run yet (e.g. no disk write or network operation 275 // has yet occurred). This sees if we're in an event loop 276 // thread and, if so, uses it to roughly measure how long the 277 // violation took. 278 void startHandlingViolationException(BlockGuard.BlockGuardPolicyException e) { 279 final ViolationInfo info = new ViolationInfo(e, e.getPolicy()); 280 info.violationUptimeMillis = SystemClock.uptimeMillis(); 281 handleViolationWithTimingAttempt(info); 282 } 283 284 private static final ThreadLocal<ArrayList<ViolationInfo>> violationsBeingTimed = 285 new ThreadLocal<ArrayList<ViolationInfo>>() { 286 @Override protected ArrayList<ViolationInfo> initialValue() { 287 return new ArrayList<ViolationInfo>(); 288 } 289 }; 290 291 // Attempts to fill in the provided ViolationInfo's 292 // durationMillis field if this thread has a Looper we can use 293 // to measure with. We measure from the time of violation 294 // until the time the looper is idle again (right before 295 // the next epoll_wait) 296 void handleViolationWithTimingAttempt(final ViolationInfo info) { 297 Looper looper = Looper.myLooper(); 298 299 // Without a Looper, we're unable to time how long the 300 // violation takes place. This case should be rare, as 301 // most users will care about timing violations that 302 // happen on their main UI thread. Note that this case is 303 // also hit when a violation takes place in a Binder 304 // thread, in "gather" mode. In this case, the duration 305 // of the violation is computed by the ultimate caller and 306 // its Looper, if any. 307 // TODO: if in gather mode, ignore Looper.myLooper() and always 308 // go into this immediate mode? 309 if (looper == null) { 310 info.durationMillis = -1; // unknown (redundant, already set) 311 handleViolation(info); 312 return; 313 } 314 315 MessageQueue queue = Looper.myQueue(); 316 final ArrayList<ViolationInfo> records = violationsBeingTimed.get(); 317 if (records.size() >= 10) { 318 // Not worth measuring. Too many offenses in one loop. 319 return; 320 } 321 records.add(info); 322 if (records.size() > 1) { 323 // There's already been a violation this loop, so we've already 324 // registered an idle handler to process the list of violations 325 // at the end of this Looper's loop. 326 return; 327 } 328 329 queue.addIdleHandler(new MessageQueue.IdleHandler() { 330 public boolean queueIdle() { 331 long loopFinishTime = SystemClock.uptimeMillis(); 332 for (int n = 0; n < records.size(); ++n) { 333 ViolationInfo v = records.get(n); 334 v.violationNumThisLoop = n + 1; 335 v.durationMillis = 336 (int) (loopFinishTime - v.violationUptimeMillis); 337 handleViolation(v); 338 } 339 records.clear(); 340 return false; // remove this idle handler from the array 341 } 342 }); 343 } 344 345 // Note: It's possible (even quite likely) that the 346 // thread-local policy mask has changed from the time the 347 // violation fired and now (after the violating code ran) due 348 // to people who push/pop temporary policy in regions of code, 349 // hence the policy being passed around. 350 void handleViolation(final ViolationInfo info) { 351 if (info == null || info.crashInfo == null || info.crashInfo.stackTrace == null) { 352 Log.wtf(TAG, "unexpected null stacktrace"); 353 return; 354 } 355 356 if (LOG_V) Log.d(TAG, "handleViolation; policy=" + info.policy); 357 358 if ((info.policy & PENALTY_GATHER) != 0) { 359 ArrayList<ViolationInfo> violations = gatheredViolations.get(); 360 if (violations == null) { 361 violations = new ArrayList<ViolationInfo>(1); 362 gatheredViolations.set(violations); 363 } else if (violations.size() >= 5) { 364 // Too many. In a loop or something? Don't gather them all. 365 return; 366 } 367 for (ViolationInfo previous : violations) { 368 if (info.crashInfo.stackTrace.equals(previous.crashInfo.stackTrace)) { 369 // Duplicate. Don't log. 370 return; 371 } 372 } 373 violations.add(info); 374 return; 375 } 376 377 // Not perfect, but fast and good enough for dup suppression. 378 Integer crashFingerprint = info.crashInfo.stackTrace.hashCode(); 379 long lastViolationTime = 0; 380 if (mLastViolationTime.containsKey(crashFingerprint)) { 381 lastViolationTime = mLastViolationTime.get(crashFingerprint); 382 } 383 long now = SystemClock.uptimeMillis(); 384 mLastViolationTime.put(crashFingerprint, now); 385 long timeSinceLastViolationMillis = lastViolationTime == 0 ? 386 Long.MAX_VALUE : (now - lastViolationTime); 387 388 if ((info.policy & PENALTY_LOG) != 0 && 389 timeSinceLastViolationMillis > MIN_LOG_INTERVAL_MS) { 390 if (info.durationMillis != -1) { 391 Log.d(TAG, "StrictMode policy violation; ~duration=" + 392 info.durationMillis + " ms: " + info.crashInfo.stackTrace); 393 } else { 394 Log.d(TAG, "StrictMode policy violation: " + info.crashInfo.stackTrace); 395 } 396 } 397 398 // The violationMask, passed to ActivityManager, is a 399 // subset of the original StrictMode policy bitmask, with 400 // only the bit violated and penalty bits to be executed 401 // by the ActivityManagerService remaining set. 402 int violationMaskSubset = 0; 403 404 if ((info.policy & PENALTY_DIALOG) != 0 && 405 timeSinceLastViolationMillis > MIN_DIALOG_INTERVAL_MS) { 406 violationMaskSubset |= PENALTY_DIALOG; 407 } 408 409 if ((info.policy & PENALTY_DROPBOX) != 0 && lastViolationTime == 0) { 410 violationMaskSubset |= PENALTY_DROPBOX; 411 } 412 413 if (violationMaskSubset != 0) { 414 int violationBit = parseViolationFromMessage(info.crashInfo.exceptionMessage); 415 violationMaskSubset |= violationBit; 416 final int savedPolicy = getThreadBlockingPolicy(); 417 try { 418 // First, remove any policy before we call into the Activity Manager, 419 // otherwise we'll infinite recurse as we try to log policy violations 420 // to disk, thus violating policy, thus requiring logging, etc... 421 // We restore the current policy below, in the finally block. 422 setThreadBlockingPolicy(0); 423 424 ActivityManagerNative.getDefault().handleApplicationStrictModeViolation( 425 RuntimeInit.getApplicationObject(), 426 violationMaskSubset, 427 info); 428 } catch (RemoteException e) { 429 Log.e(TAG, "RemoteException trying to handle StrictMode violation", e); 430 } finally { 431 // Restore the policy. 432 setThreadBlockingPolicy(savedPolicy); 433 } 434 } 435 436 if ((info.policy & PENALTY_DEATH) != 0) { 437 System.err.println("StrictMode policy violation with POLICY_DEATH; shutting down."); 438 Process.killProcess(Process.myPid()); 439 System.exit(10); 440 } 441 } 442 } 443 444 /** 445 * Called from Parcel.writeNoException() 446 */ 447 /* package */ static boolean hasGatheredViolations() { 448 return gatheredViolations.get() != null; 449 } 450 451 /** 452 * Called from Parcel.writeException(), so we drop this memory and 453 * don't incorrectly attribute it to the wrong caller on the next 454 * Binder call on this thread. 455 */ 456 /* package */ static void clearGatheredViolations() { 457 gatheredViolations.set(null); 458 } 459 460 /** 461 * Called from Parcel.writeNoException() 462 */ 463 /* package */ static void writeGatheredViolationsToParcel(Parcel p) { 464 ArrayList<ViolationInfo> violations = gatheredViolations.get(); 465 if (violations == null) { 466 p.writeInt(0); 467 } else { 468 p.writeInt(violations.size()); 469 for (int i = 0; i < violations.size(); ++i) { 470 violations.get(i).writeToParcel(p, 0 /* unused flags? */); 471 } 472 if (LOG_V) Log.d(TAG, "wrote violations to response parcel; num=" + violations.size()); 473 violations.clear(); // somewhat redundant, as we're about to null the threadlocal 474 } 475 gatheredViolations.set(null); 476 } 477 478 private static class LogStackTrace extends Exception {} 479 480 /** 481 * Called from Parcel.readException() when the exception is EX_STRICT_MODE_VIOLATIONS, 482 * we here read back all the encoded violations. 483 */ 484 /* package */ static void readAndHandleBinderCallViolations(Parcel p) { 485 // Our own stack trace to append 486 StringWriter sw = new StringWriter(); 487 new LogStackTrace().printStackTrace(new PrintWriter(sw)); 488 String ourStack = sw.toString(); 489 490 int policyMask = getThreadBlockingPolicy(); 491 boolean currentlyGathering = (policyMask & PENALTY_GATHER) != 0; 492 493 int numViolations = p.readInt(); 494 for (int i = 0; i < numViolations; ++i) { 495 if (LOG_V) Log.d(TAG, "strict mode violation stacks read from binder call. i=" + i); 496 ViolationInfo info = new ViolationInfo(p, !currentlyGathering); 497 info.crashInfo.stackTrace += "# via Binder call with stack:\n" + ourStack; 498 BlockGuard.Policy policy = BlockGuard.getThreadPolicy(); 499 if (policy instanceof AndroidBlockGuardPolicy) { 500 ((AndroidBlockGuardPolicy) policy).handleViolationWithTimingAttempt(info); 501 } 502 } 503 } 504 505 /** 506 * Called from android_util_Binder.cpp's 507 * android_os_Parcel_enforceInterface when an incoming Binder call 508 * requires changing the StrictMode policy mask. The role of this 509 * function is to ask Binder for its current (native) thread-local 510 * policy value and synchronize it to libcore's (Java) 511 * thread-local policy value. 512 */ 513 private static void onBinderStrictModePolicyChange(int newPolicy) { 514 setBlockGuardPolicy(newPolicy); 515 } 516 517 /** 518 * Parcelable that gets sent in Binder call headers back to callers 519 * to report violations that happened during a cross-process call. 520 * 521 * @hide 522 */ 523 public static class ViolationInfo { 524 /** 525 * Stack and other stuff info. 526 */ 527 public final ApplicationErrorReport.CrashInfo crashInfo; 528 529 /** 530 * The strict mode policy mask at the time of violation. 531 */ 532 public final int policy; 533 534 /** 535 * The wall time duration of the violation, when known. -1 when 536 * not known. 537 */ 538 public int durationMillis = -1; 539 540 /** 541 * Which violation number this was (1-based) since the last Looper loop, 542 * from the perspective of the root caller (if it crossed any processes 543 * via Binder calls). The value is 0 if the root caller wasn't on a Looper 544 * thread. 545 */ 546 public int violationNumThisLoop; 547 548 /** 549 * The time (in terms of SystemClock.uptimeMillis()) that the 550 * violation occurred. 551 */ 552 public long violationUptimeMillis; 553 554 /** 555 * Create an uninitialized instance of ViolationInfo 556 */ 557 public ViolationInfo() { 558 crashInfo = null; 559 policy = 0; 560 } 561 562 /** 563 * Create an instance of ViolationInfo initialized from an exception. 564 */ 565 public ViolationInfo(Throwable tr, int policy) { 566 crashInfo = new ApplicationErrorReport.CrashInfo(tr); 567 violationUptimeMillis = SystemClock.uptimeMillis(); 568 this.policy = policy; 569 } 570 571 /** 572 * Create an instance of ViolationInfo initialized from a Parcel. 573 */ 574 public ViolationInfo(Parcel in) { 575 this(in, false); 576 } 577 578 /** 579 * Create an instance of ViolationInfo initialized from a Parcel. 580 * 581 * @param unsetGatheringBit if true, the caller is the root caller 582 * and the gathering penalty should be removed. 583 */ 584 public ViolationInfo(Parcel in, boolean unsetGatheringBit) { 585 crashInfo = new ApplicationErrorReport.CrashInfo(in); 586 int rawPolicy = in.readInt(); 587 if (unsetGatheringBit) { 588 policy = rawPolicy & ~PENALTY_GATHER; 589 } else { 590 policy = rawPolicy; 591 } 592 durationMillis = in.readInt(); 593 violationNumThisLoop = in.readInt(); 594 violationUptimeMillis = in.readLong(); 595 } 596 597 /** 598 * Save a ViolationInfo instance to a parcel. 599 */ 600 public void writeToParcel(Parcel dest, int flags) { 601 crashInfo.writeToParcel(dest, flags); 602 dest.writeInt(policy); 603 dest.writeInt(durationMillis); 604 dest.writeInt(violationNumThisLoop); 605 dest.writeLong(violationUptimeMillis); 606 } 607 608 609 /** 610 * Dump a ViolationInfo instance to a Printer. 611 */ 612 public void dump(Printer pw, String prefix) { 613 crashInfo.dump(pw, prefix); 614 pw.println(prefix + "policy: " + policy); 615 if (durationMillis != -1) { 616 pw.println(prefix + "durationMillis: " + durationMillis); 617 } 618 if (violationNumThisLoop != 0) { 619 pw.println(prefix + "violationNumThisLoop: " + violationNumThisLoop); 620 } 621 pw.println(prefix + "violationUptimeMillis: " + violationUptimeMillis); 622 } 623 624 } 625} 626