1 /* 2 * Copyright (C) 2005 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "ProcessState" 18 19 #include <binder/ProcessState.h> 20 21 #include <binder/BpBinder.h> 22 #include <binder/IPCThreadState.h> 23 #include <binder/IServiceManager.h> 24 #include <cutils/atomic.h> 25 #include <utils/Log.h> 26 #include <utils/String8.h> 27 #include <utils/String8.h> 28 #include <utils/threads.h> 29 30 #include <private/binder/binder_module.h> 31 #include <private/binder/Static.h> 32 33 #include <errno.h> 34 #include <fcntl.h> 35 #include <stdio.h> 36 #include <stdlib.h> 37 #include <unistd.h> 38 #include <sys/ioctl.h> 39 #include <sys/mman.h> 40 #include <sys/stat.h> 41 #include <sys/types.h> 42 43 #define BINDER_VM_SIZE ((1 * 1024 * 1024) - sysconf(_SC_PAGE_SIZE) * 2) 44 #define DEFAULT_MAX_BINDER_THREADS 15 45 46 // ------------------------------------------------------------------------- 47 48 namespace android { 49 50 class PoolThread : public Thread 51 { 52 public: 53 explicit PoolThread(bool isMain) 54 : mIsMain(isMain) 55 { 56 } 57 58 protected: 59 virtual bool threadLoop() 60 { 61 IPCThreadState::self()->joinThreadPool(mIsMain); 62 return false; 63 } 64 65 const bool mIsMain; 66 }; 67 68 sp<ProcessState> ProcessState::self() 69 { 70 Mutex::Autolock _l(gProcessMutex); 71 if (gProcess != NULL) { 72 return gProcess; 73 } 74 gProcess = new ProcessState("/dev/binder"); 75 return gProcess; 76 } 77 78 sp<ProcessState> ProcessState::initWithDriver(const char* driver) 79 { 80 Mutex::Autolock _l(gProcessMutex); 81 if (gProcess != NULL) { 82 // Allow for initWithDriver to be called repeatedly with the same 83 // driver. 84 if (!strcmp(gProcess->getDriverName().c_str(), driver)) { 85 return gProcess; 86 } 87 LOG_ALWAYS_FATAL("ProcessState was already initialized."); 88 } 89 90 if (access(driver, R_OK) == -1) { 91 ALOGE("Binder driver %s is unavailable. Using /dev/binder instead.", driver); 92 driver = "/dev/binder"; 93 } 94 95 gProcess = new ProcessState(driver); 96 return gProcess; 97 } 98 99 sp<ProcessState> ProcessState::selfOrNull() 100 { 101 Mutex::Autolock _l(gProcessMutex); 102 return gProcess; 103 } 104 105 void ProcessState::setContextObject(const sp<IBinder>& object) 106 { 107 setContextObject(object, String16("default")); 108 } 109 110 sp<IBinder> ProcessState::getContextObject(const sp<IBinder>& /*caller*/) 111 { 112 return getStrongProxyForHandle(0); 113 } 114 115 void ProcessState::setContextObject(const sp<IBinder>& object, const String16& name) 116 { 117 AutoMutex _l(mLock); 118 mContexts.add(name, object); 119 } 120 121 sp<IBinder> ProcessState::getContextObject(const String16& name, const sp<IBinder>& caller) 122 { 123 mLock.lock(); 124 sp<IBinder> object( 125 mContexts.indexOfKey(name) >= 0 ? mContexts.valueFor(name) : NULL); 126 mLock.unlock(); 127 128 //printf("Getting context object %s for %p\n", String8(name).string(), caller.get()); 129 130 if (object != NULL) return object; 131 132 // Don't attempt to retrieve contexts if we manage them 133 if (mManagesContexts) { 134 ALOGE("getContextObject(%s) failed, but we manage the contexts!\n", 135 String8(name).string()); 136 return NULL; 137 } 138 139 IPCThreadState* ipc = IPCThreadState::self(); 140 { 141 Parcel data, reply; 142 // no interface token on this magic transaction 143 data.writeString16(name); 144 data.writeStrongBinder(caller); 145 status_t result = ipc->transact(0 /*magic*/, 0, data, &reply, 0); 146 if (result == NO_ERROR) { 147 object = reply.readStrongBinder(); 148 } 149 } 150 151 ipc->flushCommands(); 152 153 if (object != NULL) setContextObject(object, name); 154 return object; 155 } 156 157 void ProcessState::startThreadPool() 158 { 159 AutoMutex _l(mLock); 160 if (!mThreadPoolStarted) { 161 mThreadPoolStarted = true; 162 spawnPooledThread(true); 163 } 164 } 165 166 bool ProcessState::isContextManager(void) const 167 { 168 return mManagesContexts; 169 } 170 171 bool ProcessState::becomeContextManager(context_check_func checkFunc, void* userData) 172 { 173 if (!mManagesContexts) { 174 AutoMutex _l(mLock); 175 mBinderContextCheckFunc = checkFunc; 176 mBinderContextUserData = userData; 177 178 int dummy = 0; 179 status_t result = ioctl(mDriverFD, BINDER_SET_CONTEXT_MGR, &dummy); 180 if (result == 0) { 181 mManagesContexts = true; 182 } else if (result == -1) { 183 mBinderContextCheckFunc = NULL; 184 mBinderContextUserData = NULL; 185 ALOGE("Binder ioctl to become context manager failed: %s\n", strerror(errno)); 186 } 187 } 188 return mManagesContexts; 189 } 190 191 // Get references to userspace objects held by the kernel binder driver 192 // Writes up to count elements into buf, and returns the total number 193 // of references the kernel has, which may be larger than count. 194 // buf may be NULL if count is 0. The pointers returned by this method 195 // should only be used for debugging and not dereferenced, they may 196 // already be invalid. 197 ssize_t ProcessState::getKernelReferences(size_t buf_count, uintptr_t* buf) 198 { 199 // TODO: remove these when they are defined by bionic's binder.h 200 struct binder_node_debug_info { 201 binder_uintptr_t ptr; 202 binder_uintptr_t cookie; 203 __u32 has_strong_ref; 204 __u32 has_weak_ref; 205 }; 206 #define BINDER_GET_NODE_DEBUG_INFO _IOWR('b', 11, struct binder_node_debug_info) 207 208 binder_node_debug_info info = {}; 209 210 uintptr_t* end = buf ? buf + buf_count : NULL; 211 size_t count = 0; 212 213 do { 214 status_t result = ioctl(mDriverFD, BINDER_GET_NODE_DEBUG_INFO, &info); 215 if (result < 0) { 216 return -1; 217 } 218 if (info.ptr != 0) { 219 if (buf && buf < end) 220 *buf++ = info.ptr; 221 count++; 222 if (buf && buf < end) 223 *buf++ = info.cookie; 224 count++; 225 } 226 } while (info.ptr != 0); 227 228 return count; 229 } 230 231 ProcessState::handle_entry* ProcessState::lookupHandleLocked(int32_t handle) 232 { 233 const size_t N=mHandleToObject.size(); 234 if (N <= (size_t)handle) { 235 handle_entry e; 236 e.binder = NULL; 237 e.refs = NULL; 238 status_t err = mHandleToObject.insertAt(e, N, handle+1-N); 239 if (err < NO_ERROR) return NULL; 240 } 241 return &mHandleToObject.editItemAt(handle); 242 } 243 244 sp<IBinder> ProcessState::getStrongProxyForHandle(int32_t handle) 245 { 246 sp<IBinder> result; 247 248 AutoMutex _l(mLock); 249 250 handle_entry* e = lookupHandleLocked(handle); 251 252 if (e != NULL) { 253 // We need to create a new BpBinder if there isn't currently one, OR we 254 // are unable to acquire a weak reference on this current one. See comment 255 // in getWeakProxyForHandle() for more info about this. 256 IBinder* b = e->binder; 257 if (b == NULL || !e->refs->attemptIncWeak(this)) { 258 if (handle == 0) { 259 // Special case for context manager... 260 // The context manager is the only object for which we create 261 // a BpBinder proxy without already holding a reference. 262 // Perform a dummy transaction to ensure the context manager 263 // is registered before we create the first local reference 264 // to it (which will occur when creating the BpBinder). 265 // If a local reference is created for the BpBinder when the 266 // context manager is not present, the driver will fail to 267 // provide a reference to the context manager, but the 268 // driver API does not return status. 269 // 270 // Note that this is not race-free if the context manager 271 // dies while this code runs. 272 // 273 // TODO: add a driver API to wait for context manager, or 274 // stop special casing handle 0 for context manager and add 275 // a driver API to get a handle to the context manager with 276 // proper reference counting. 277 278 Parcel data; 279 status_t status = IPCThreadState::self()->transact( 280 0, IBinder::PING_TRANSACTION, data, NULL, 0); 281 if (status == DEAD_OBJECT) 282 return NULL; 283 } 284 285 b = BpBinder::create(handle); 286 e->binder = b; 287 if (b) e->refs = b->getWeakRefs(); 288 result = b; 289 } else { 290 // This little bit of nastyness is to allow us to add a primary 291 // reference to the remote proxy when this team doesn't have one 292 // but another team is sending the handle to us. 293 result.force_set(b); 294 e->refs->decWeak(this); 295 } 296 } 297 298 return result; 299 } 300 301 wp<IBinder> ProcessState::getWeakProxyForHandle(int32_t handle) 302 { 303 wp<IBinder> result; 304 305 AutoMutex _l(mLock); 306 307 handle_entry* e = lookupHandleLocked(handle); 308 309 if (e != NULL) { 310 // We need to create a new BpBinder if there isn't currently one, OR we 311 // are unable to acquire a weak reference on this current one. The 312 // attemptIncWeak() is safe because we know the BpBinder destructor will always 313 // call expungeHandle(), which acquires the same lock we are holding now. 314 // We need to do this because there is a race condition between someone 315 // releasing a reference on this BpBinder, and a new reference on its handle 316 // arriving from the driver. 317 IBinder* b = e->binder; 318 if (b == NULL || !e->refs->attemptIncWeak(this)) { 319 b = BpBinder::create(handle); 320 result = b; 321 e->binder = b; 322 if (b) e->refs = b->getWeakRefs(); 323 } else { 324 result = b; 325 e->refs->decWeak(this); 326 } 327 } 328 329 return result; 330 } 331 332 void ProcessState::expungeHandle(int32_t handle, IBinder* binder) 333 { 334 AutoMutex _l(mLock); 335 336 handle_entry* e = lookupHandleLocked(handle); 337 338 // This handle may have already been replaced with a new BpBinder 339 // (if someone failed the AttemptIncWeak() above); we don't want 340 // to overwrite it. 341 if (e && e->binder == binder) e->binder = NULL; 342 } 343 344 String8 ProcessState::makeBinderThreadName() { 345 int32_t s = android_atomic_add(1, &mThreadPoolSeq); 346 pid_t pid = getpid(); 347 String8 name; 348 name.appendFormat("Binder:%d_%X", pid, s); 349 return name; 350 } 351 352 void ProcessState::spawnPooledThread(bool isMain) 353 { 354 if (mThreadPoolStarted) { 355 String8 name = makeBinderThreadName(); 356 ALOGV("Spawning new pooled thread, name=%s\n", name.string()); 357 sp<Thread> t = new PoolThread(isMain); 358 t->run(name.string()); 359 } 360 } 361 362 status_t ProcessState::setThreadPoolMaxThreadCount(size_t maxThreads) { 363 status_t result = NO_ERROR; 364 if (ioctl(mDriverFD, BINDER_SET_MAX_THREADS, &maxThreads) != -1) { 365 mMaxThreads = maxThreads; 366 } else { 367 result = -errno; 368 ALOGE("Binder ioctl to set max threads failed: %s", strerror(-result)); 369 } 370 return result; 371 } 372 373 void ProcessState::giveThreadPoolName() { 374 androidSetThreadName( makeBinderThreadName().string() ); 375 } 376 377 String8 ProcessState::getDriverName() { 378 return mDriverName; 379 } 380 381 static int open_driver(const char *driver) 382 { 383 int fd = open(driver, O_RDWR | O_CLOEXEC); 384 if (fd >= 0) { 385 int vers = 0; 386 status_t result = ioctl(fd, BINDER_VERSION, &vers); 387 if (result == -1) { 388 ALOGE("Binder ioctl to obtain version failed: %s", strerror(errno)); 389 close(fd); 390 fd = -1; 391 } 392 if (result != 0 || vers != BINDER_CURRENT_PROTOCOL_VERSION) { 393 ALOGE("Binder driver protocol(%d) does not match user space protocol(%d)! ioctl() return value: %d", 394 vers, BINDER_CURRENT_PROTOCOL_VERSION, result); 395 close(fd); 396 fd = -1; 397 } 398 size_t maxThreads = DEFAULT_MAX_BINDER_THREADS; 399 result = ioctl(fd, BINDER_SET_MAX_THREADS, &maxThreads); 400 if (result == -1) { 401 ALOGE("Binder ioctl to set max threads failed: %s", strerror(errno)); 402 } 403 } else { 404 ALOGW("Opening '%s' failed: %s\n", driver, strerror(errno)); 405 } 406 return fd; 407 } 408 409 ProcessState::ProcessState(const char *driver) 410 : mDriverName(String8(driver)) 411 , mDriverFD(open_driver(driver)) 412 , mVMStart(MAP_FAILED) 413 , mThreadCountLock(PTHREAD_MUTEX_INITIALIZER) 414 , mThreadCountDecrement(PTHREAD_COND_INITIALIZER) 415 , mExecutingThreadsCount(0) 416 , mMaxThreads(DEFAULT_MAX_BINDER_THREADS) 417 , mStarvationStartTimeMs(0) 418 , mManagesContexts(false) 419 , mBinderContextCheckFunc(NULL) 420 , mBinderContextUserData(NULL) 421 , mThreadPoolStarted(false) 422 , mThreadPoolSeq(1) 423 { 424 if (mDriverFD >= 0) { 425 // mmap the binder, providing a chunk of virtual address space to receive transactions. 426 mVMStart = mmap(0, BINDER_VM_SIZE, PROT_READ, MAP_PRIVATE | MAP_NORESERVE, mDriverFD, 0); 427 if (mVMStart == MAP_FAILED) { 428 // *sigh* 429 ALOGE("Using %s failed: unable to mmap transaction memory.\n", mDriverName.c_str()); 430 close(mDriverFD); 431 mDriverFD = -1; 432 mDriverName.clear(); 433 } 434 } 435 436 LOG_ALWAYS_FATAL_IF(mDriverFD < 0, "Binder driver could not be opened. Terminating."); 437 } 438 439 ProcessState::~ProcessState() 440 { 441 if (mDriverFD >= 0) { 442 if (mVMStart != MAP_FAILED) { 443 munmap(mVMStart, BINDER_VM_SIZE); 444 } 445 close(mDriverFD); 446 } 447 mDriverFD = -1; 448 } 449 450 }; // namespace android 451
