Fix possible race conditions during channel unregistration.
Previously, the input dispatcher assumed that the input channel's receive pipe file descriptor was a sufficiently unique identifier for looking up input channels in its various tables. However, it can happen that an input channel is disposed and then a new input channel is immediately created that reuses the same file descriptor. Ordinarily this is not a problem, however there is a small opportunity for a race to arise in InputQueue. When InputQueue receives an input event from the dispatcher, it generates a finishedToken that encodes the channel's receive pipe fd, and a sequence number. The finishedToken is used by the ViewRoot as a handle for the event so that it can tell the InputQueue when the event has finished being processed. Here is the race: 1. InputQueue receives an input event, assigns a new finishedToken. 2. ViewRoot begins processing the input event. 3. During processing, ViewRoot unregisters the InputChannel. 4. A new InputChannel is created and is registered with the Input Queue. This InputChannel happens to have the same receive pipe fd as the one previously registered. 5. ViewRoot tells the InputQueue that it has finished processing the input event, passing along the original finishedToken. 6. InputQueue throws an exception because the finishedToken's receive pipe fd is registered but the sequence number is incorrect so it assumes that the client has called finish spuriously. The fix is to include a unique connection id within the finishedToken so that the InputQueue can accurately confirm that the token belongs to the currently registered InputChannel rather than to an old one that happened to have the same receive pipe fd. When it notices this, it ignores the spurious finish. I've also made a couple of other small changes to avoid similar races elsewhere. This patch set also includes a fix to synthesize a finished signal when the input channel is unregistered on the client side to help keep the server and client in sync. Bug: 2834068 Change-Id: I1de34a36249ab74c359c2c67a57e333543400f7b
This commit is contained in:
parent
e999003f69
commit
0cacb87f02
@ -554,6 +554,8 @@ private:
|
|||||||
// All registered connections mapped by receive pipe file descriptor.
|
// All registered connections mapped by receive pipe file descriptor.
|
||||||
KeyedVector<int, sp<Connection> > mConnectionsByReceiveFd;
|
KeyedVector<int, sp<Connection> > mConnectionsByReceiveFd;
|
||||||
|
|
||||||
|
ssize_t getConnectionIndex(const sp<InputChannel>& inputChannel);
|
||||||
|
|
||||||
// Active connections are connections that have a non-empty outbound queue.
|
// Active connections are connections that have a non-empty outbound queue.
|
||||||
// We don't use a ref-counted pointer here because we explicitly abort connections
|
// We don't use a ref-counted pointer here because we explicitly abort connections
|
||||||
// during unregistration which causes the connection's outbound queue to be cleared
|
// during unregistration which causes the connection's outbound queue to be cleared
|
||||||
|
@ -433,8 +433,7 @@ void InputDispatcher::dispatchEventToCurrentInputTargetsLocked(nsecs_t currentTi
|
|||||||
for (size_t i = 0; i < mCurrentInputTargets.size(); i++) {
|
for (size_t i = 0; i < mCurrentInputTargets.size(); i++) {
|
||||||
const InputTarget& inputTarget = mCurrentInputTargets.itemAt(i);
|
const InputTarget& inputTarget = mCurrentInputTargets.itemAt(i);
|
||||||
|
|
||||||
ssize_t connectionIndex = mConnectionsByReceiveFd.indexOfKey(
|
ssize_t connectionIndex = getConnectionIndex(inputTarget.inputChannel);
|
||||||
inputTarget.inputChannel->getReceivePipeFd());
|
|
||||||
if (connectionIndex >= 0) {
|
if (connectionIndex >= 0) {
|
||||||
sp<Connection> connection = mConnectionsByReceiveFd.valueAt(connectionIndex);
|
sp<Connection> connection = mConnectionsByReceiveFd.valueAt(connectionIndex);
|
||||||
prepareDispatchCycleLocked(currentTime, connection, eventEntry, & inputTarget,
|
prepareDispatchCycleLocked(currentTime, connection, eventEntry, & inputTarget,
|
||||||
@ -1367,12 +1366,10 @@ status_t InputDispatcher::registerInputChannel(const sp<InputChannel>& inputChan
|
|||||||
LOGD("channel '%s' ~ registerInputChannel", inputChannel->getName().string());
|
LOGD("channel '%s' ~ registerInputChannel", inputChannel->getName().string());
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int receiveFd;
|
|
||||||
{ // acquire lock
|
{ // acquire lock
|
||||||
AutoMutex _l(mLock);
|
AutoMutex _l(mLock);
|
||||||
|
|
||||||
receiveFd = inputChannel->getReceivePipeFd();
|
if (getConnectionIndex(inputChannel) >= 0) {
|
||||||
if (mConnectionsByReceiveFd.indexOfKey(receiveFd) >= 0) {
|
|
||||||
LOGW("Attempted to register already registered input channel '%s'",
|
LOGW("Attempted to register already registered input channel '%s'",
|
||||||
inputChannel->getName().string());
|
inputChannel->getName().string());
|
||||||
return BAD_VALUE;
|
return BAD_VALUE;
|
||||||
@ -1386,12 +1383,13 @@ status_t InputDispatcher::registerInputChannel(const sp<InputChannel>& inputChan
|
|||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int32_t receiveFd = inputChannel->getReceivePipeFd();
|
||||||
mConnectionsByReceiveFd.add(receiveFd, connection);
|
mConnectionsByReceiveFd.add(receiveFd, connection);
|
||||||
|
|
||||||
|
mPollLoop->setCallback(receiveFd, POLLIN, handleReceiveCallback, this);
|
||||||
|
|
||||||
runCommandsLockedInterruptible();
|
runCommandsLockedInterruptible();
|
||||||
} // release lock
|
} // release lock
|
||||||
|
|
||||||
mPollLoop->setCallback(receiveFd, POLLIN, handleReceiveCallback, this);
|
|
||||||
return OK;
|
return OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1400,12 +1398,10 @@ status_t InputDispatcher::unregisterInputChannel(const sp<InputChannel>& inputCh
|
|||||||
LOGD("channel '%s' ~ unregisterInputChannel", inputChannel->getName().string());
|
LOGD("channel '%s' ~ unregisterInputChannel", inputChannel->getName().string());
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int32_t receiveFd;
|
|
||||||
{ // acquire lock
|
{ // acquire lock
|
||||||
AutoMutex _l(mLock);
|
AutoMutex _l(mLock);
|
||||||
|
|
||||||
receiveFd = inputChannel->getReceivePipeFd();
|
ssize_t connectionIndex = getConnectionIndex(inputChannel);
|
||||||
ssize_t connectionIndex = mConnectionsByReceiveFd.indexOfKey(receiveFd);
|
|
||||||
if (connectionIndex < 0) {
|
if (connectionIndex < 0) {
|
||||||
LOGW("Attempted to unregister already unregistered input channel '%s'",
|
LOGW("Attempted to unregister already unregistered input channel '%s'",
|
||||||
inputChannel->getName().string());
|
inputChannel->getName().string());
|
||||||
@ -1417,20 +1413,32 @@ status_t InputDispatcher::unregisterInputChannel(const sp<InputChannel>& inputCh
|
|||||||
|
|
||||||
connection->status = Connection::STATUS_ZOMBIE;
|
connection->status = Connection::STATUS_ZOMBIE;
|
||||||
|
|
||||||
|
mPollLoop->removeCallback(inputChannel->getReceivePipeFd());
|
||||||
|
|
||||||
nsecs_t currentTime = now();
|
nsecs_t currentTime = now();
|
||||||
abortDispatchCycleLocked(currentTime, connection, true /*broken*/);
|
abortDispatchCycleLocked(currentTime, connection, true /*broken*/);
|
||||||
|
|
||||||
runCommandsLockedInterruptible();
|
runCommandsLockedInterruptible();
|
||||||
} // release lock
|
} // release lock
|
||||||
|
|
||||||
mPollLoop->removeCallback(receiveFd);
|
|
||||||
|
|
||||||
// Wake the poll loop because removing the connection may have changed the current
|
// Wake the poll loop because removing the connection may have changed the current
|
||||||
// synchronization state.
|
// synchronization state.
|
||||||
mPollLoop->wake();
|
mPollLoop->wake();
|
||||||
return OK;
|
return OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ssize_t InputDispatcher::getConnectionIndex(const sp<InputChannel>& inputChannel) {
|
||||||
|
ssize_t connectionIndex = mConnectionsByReceiveFd.indexOfKey(inputChannel->getReceivePipeFd());
|
||||||
|
if (connectionIndex >= 0) {
|
||||||
|
sp<Connection> connection = mConnectionsByReceiveFd.valueAt(connectionIndex);
|
||||||
|
if (connection->inputChannel.get() == inputChannel.get()) {
|
||||||
|
return connectionIndex;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
void InputDispatcher::activateConnectionLocked(Connection* connection) {
|
void InputDispatcher::activateConnectionLocked(Connection* connection) {
|
||||||
for (size_t i = 0; i < mActiveConnections.size(); i++) {
|
for (size_t i = 0; i < mActiveConnections.size(); i++) {
|
||||||
if (mActiveConnections.itemAt(i) == connection) {
|
if (mActiveConnections.itemAt(i) == connection) {
|
||||||
|
Loading…
Reference in New Issue
Block a user