Sending transaction to freed BBinder through weak handle
can cause use of a (mostly) freed object. We need to try to
safely promote to a strong reference first.
Change-Id: Ic9c6940fa824980472e94ed2dfeca52a6b0fd342
(cherry picked from commit c11146106f94e07016e8e26e4f8628f9a0c73199)
Will be used by the system_server watchdog to monitor the
availability of binder threads in the process to handle
incoming IPC requests.
Bug: 19297165
Change-Id: I39175f3869ad14da5620fddb47f454e6e4ee2b25
Now that we're in C++11 mode by default, clang complains about switch
statements with case values not matching the type -- since some
binder_driver_return_protocol values are > 0x7fffffff, we need to make
the switch statements operate on uint32_t rather than int32_t.
BUG: 18466763
Change-Id: Iedbfd5c7a3d3d9f087d2eab4ff21343ad7a2a448
Signed-off-by: Bernhard Rosenkränzer <Bernhard.Rosenkranzer@linaro.org>
Clang compiler warns about undefined static functions like getReturnString
before all references are removed inside IF_LOG_COMMANDS.
To remove such warnings, we can leave those static functions defined
and the compiler will remove them at the end when they are not used.
Add a cast to long before converting from int to void*,
to avoid type cast warnings on 64 bit targets.
BUG: 17043248
Change-Id: Ica31101522279d2c8eacc90e2939767002fb827b
Try to clean up the code paths coming in and out of binder IPCs to
plug any places where we could disrupt the gather flag of a thread,
causing it to keep gathering stack crawls (which is the thing that
is causing our strict mode data to become so large).
We now take care of saving and restoring this state in the core
IPC code path, not at the Java layer.
Change-Id: I73d564778da127bdce00f304225930e7f2318293
When using 64 bit binder pointers, only initializing the 32 bit
handle, in a stack allocated struct, will pass uninitialized stack
data to the kernel and other processes.
Change-Id: I3432d9d36bb251d8ddb0a863661aeb80aabb3d92
When using the 64 bit binder interface from a 32 bit process the
pointer may get sign extended and cause the kernel to fail to read
from it.
Change-Id: I90fcf53880e2aa92e230a9723f9b3f7696170e32
The driver does not support BC_ATTEMPT_ACQUIRE and will return an error.
IPCThreadState does not handle driver errors, and will resend the failed
command blocking all other commands.
Change-Id: I643986037341821b27b62dc82df933844f4842b8
Fix warnings related to casting pointers to ints, using %d or %ld to
print size_t/ssize_t, and unused parameters.
Change-Id: I7a13ba83d402952989c1f795cd9e880a95b98d9e
Changes include
- Binder attempts to cast pointers to a int datatype
which is not sufficient on a 64-bit platform.
- This patch introduces new read/write functions into
Parcel that allow pointers to be written using the
uintptr_t datatype for compile-time data type size
selection.
- Change access specifier for the methods above.
- Binder uses the 64bit android_atomic_release_cas64
(aka cmpxchg)
Change-Id: I595280541e0ba1d19c94b2ca2127bf9d96efabf1
Signed-off-by: Matthew Leach <matthew.leach@arm.com>
Signed-off-by: Serban Constantinescu <serban.constantinescu@arm.com>
This is currently safe to do only for processes that disallow any binder
threads to be created: setThreadPoolMaxThreadCount(0).
Change-Id: I8a27f3cf26f4d51edb7f222af487ac256cbcab65
Adds logging to help determine what is happening to the /dev/binder
fd and dump the process state when it happens.
bug: 8912673
Change-Id: I2aa0c66fc499e91e0bf9ee4ae20404bec35adc82
When the app_process is shutting down the main thread will close the
binder fd while pool threads are executing an ioctl (in
IPCThreadState::stopProcess called by AppRuntime::onStarted in
app_main.c).
The binder driver will then return all pending calls in ioctl
without any error and with a command. One of the threads gets a
BR_SPAWN_LOOPER which will create a new thread (the other thread
gets a BR_NOOP). This new thread then calls
vm->AttachCurrentThread. Usually this results in a log entry with
"AndroidRuntime: NOTE: attach of thread 'Binder Thread #3' failed",
but sometimes it also causes a SIGSEGV. This depends on the timing
between the new thread an the main thread that calls DestroyJavaVM
(in AndroidRuntime::start).
If IPCThreadState.cpp is compiled with "#define LOG_NDEBUG 0" the
pool thread will loop and hit the
ALOG_ASSERT(mProcess->mDriverFD >= 0) in
IPCThreadState::talkWithDriver.
Crashes like this has been seen when running the am command and
other commands that use the app_process.
This fix makes sure that any command that is received when the driver
fd is closed are ignored and IPCThreadState::talkWithDriver instead
returns an error which will cause the pool thread to exit and detach
itself from the vm. A check to avoid calling ioctl to a fd with -1
was also added in IPCThreadState::threadDestructor.
Another solution might be to change the binder driver so that it
returns an error when the fd is closed (or atleast not a
BR_SPAWN_LOOPER command). It might also be possible to call exit(0)
which is done when System.exit(0) is called from java.
Change-Id: I3d1f0ff64896c44be2a5994b3a90f7a06d27f429
Remove C++ APIs androidSetThreadSchedulingGroup and
androidGetThreadSchedulingGroup, and the ANDROID_TGROUP_* constants.
Former callers of these should now use the C APIs set_sched_policy and
get_sched_policy, and the SP_* constants.
Note: debug.sys.noschedgroups is not supported by the C APIs,
this needs to be discussed.
Change-Id: I32bbfc539ef4090faf9ef0320380e8cca9eae07c
As part of scheduling policy cleanup, remove or isolate
all references to the scheduling policy APIs.
Change-Id: Ia1ea2fe711a399039f25217309e061267744b856
Switching activity stacks
Cache ContentProvider per user
Long-press power to switch users (on phone)
Added ServiceMap for separating services by user
Launch PendingIntents on the correct user's uid
Fix task switching from Recents list
AppWidgetService is mostly working.
Commands added to pm and am to allow creating and switching profiles.
Change-Id: I15810e8cfbe50a04bd3323a7ef5a8ff4230870ed
Updated the command name lists, and masked off the additional bits in
the command word when doing the name lookup.
Made descriptor values easier to grep for and consistent with kernel
output (i.e. decimal rather than hex). Attempt to show transaction
descriptors as such (they're in a union with a pointer).
Also, the writeLines() function in Static was using a no-op
logging call to write an iovec. It looks like all callers are using
N=1, so I just added a log for the first string.
Bug 5155269
Change-Id: I417b8d77da3eb6ee1d2069ba94047210f75738bc
- New feature to "am monitor" to have it automatically launch
gdbserv for you when a crash/ANR happens, and tell you how to
run the client.
- Update dumpstate to match new location of binder debug logs
- Various commented out logs that are being used to track down
issues.
Change-Id: Ia5dd0cd2df983a1fc6be697642a4590aa02a26a5
This was causing stack stitching problems where a one-way call with
violations followed by a two-way call without violations was getting
the previous one-way call's violation stack stitched on to the second
caller's stack.
The solution is a little more indirect than I would've liked
(preserving the binder's onTransact flags until enforceInterface) but
was seemingly necessary to work without changing the AIDL compiler.
It should also be sufficiently cheap, since no new calls to
thread-local IPCThreadState lookups were required. The additional
work is just same-thread getter/setters on the existing
IPCThreadState.
Change-Id: I4b6db1d445c56e868e6d0d7be3ba6849f4ef23ae
This is (intendend to be) a no-op change.
At this stage, Binder RPCs just have an additional uint32 passed around
in the header, right before the interface name. But nothing is actually
done with them yet. That value should right now always be 0.
This now boots and seems to work.
Change-Id: I135b7c84f07575e6b9717fef2424d301a450df7b
On binder incalls, the handler thread is given the caller's priority by the
driver, but not the caller's cgroup. We have explicit code that sets the
handler's cgroup to match the caller's, *except* that the system process
explicitly disables this behavior. This led to a siuation in which we were
running binder incalls to the system process at nice=10 but cgroup=fg.
That's fine as far as it goes, except that if a GC happened in the handler
thread, it would be promoted to foreground priority and cgroup both, to avoid
having the GC take forever. Then, when GC finished, the original priority
is reset, and the cgroup set *based on that priority*. This would push the
handler thread into nice=10 cgroup=bg_non_interactive -- which matches the
caller, but is supposed to be impossible in the system process.
The end result of this was that we could be running "lengthy" operations in
the system process in the background. Unfortunately, some of the operations
that wound up like this would hold important global system locks for up to
twenty seconds as a result, making the entire device unresponsive to input
for that period.
This CL fixes the binder incall setup to ensure that within the system process,
a binder incall is always begun from the normal foreground priority as well
as cgroup. In practice now the device still becomes laggy/sluggish when the
offending lock-holding time-consuming incall occurs, but since it still runs
as a foreground task it is able to proceed to completion within a short time
rather than taking 20 seconds.
Fixes bug #2403717
Change-Id: Id046aeabd0e80c48eef94accc37842835eab308d
This is a very simply implementation: upon receiving an IPC, if the handling
thread is at a background priority (the driver will have taken care of
propagating this from the calling thread), then stick it in to the background
scheduling group. Plus an API to turn this off for the process, which is
used by the system process.
This also pulls some of the code for managing scheduling classes out of
the Process JNI wrappers and in to some convenience methods in thread.h.
To prevent buggy command implementations from poisoning binder threads'
scheduling class & priority for future command execution, we now reset the
cgroup and thread priority to foreground/normal when a binder service thread
finishes executing the designated command.
Change-Id: Ibc0ab2485751453f6dc96fdb4eb877fd02796e3f