1 /* 2 * Copyright (C) 2008 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <errno.h> 18 #include <stdio.h> 19 #include <sys/socket.h> 20 #include <sys/un.h> 21 #include <unistd.h> 22 23 #include "android-base/stringprintf.h" 24 25 #include "base/logging.h" // For VLOG. 26 #include "jdwp/jdwp_priv.h" 27 #include "thread-current-inl.h" 28 29 #ifdef ART_TARGET_ANDROID 30 #include "cutils/sockets.h" 31 #endif 32 33 /* 34 * The JDWP <-> ADB transport protocol is explained in detail 35 * in system/core/adb/jdwp_service.c. Here's a summary. 36 * 37 * 1/ when the JDWP thread starts, it tries to connect to a Unix 38 * domain stream socket (@jdwp-control) that is opened by the 39 * ADB daemon. 40 * 41 * 2/ it then sends the current process PID as an int32_t. 42 * 43 * 3/ then, it uses recvmsg to receive file descriptors from the 44 * daemon. each incoming file descriptor is a pass-through to 45 * a given JDWP debugger, that can be used to read the usual 46 * JDWP-handshake, etc... 47 */ 48 49 static constexpr char kJdwpControlName[] = "\0jdwp-control"; 50 static constexpr size_t kJdwpControlNameLen = sizeof(kJdwpControlName) - 1; 51 /* This timeout is for connect/send with control socket. In practice, the 52 * connect should never timeout since it's just connect to a local unix domain 53 * socket. But in case adb is buggy and doesn't respond to any connection, the 54 * connect will block. For send, actually it would never block since we only send 55 * several bytes and the kernel buffer is big enough to accept it. 10 seconds 56 * should be far enough. 57 */ 58 static constexpr int kControlSockSendTimeout = 10; 59 60 namespace art { 61 62 namespace JDWP { 63 64 using android::base::StringPrintf; 65 66 struct JdwpAdbState : public JdwpNetStateBase { 67 public: 68 explicit JdwpAdbState(JdwpState* state) 69 : JdwpNetStateBase(state), 70 state_lock_("JdwpAdbState lock", kJdwpAdbStateLock) { 71 control_sock_ = -1; 72 shutting_down_ = false; 73 74 control_addr_.controlAddrUn.sun_family = AF_UNIX; 75 control_addr_len_ = sizeof(control_addr_.controlAddrUn.sun_family) + kJdwpControlNameLen; 76 memcpy(control_addr_.controlAddrUn.sun_path, kJdwpControlName, kJdwpControlNameLen); 77 } 78 79 ~JdwpAdbState() { 80 if (clientSock != -1) { 81 shutdown(clientSock, SHUT_RDWR); 82 close(clientSock); 83 } 84 if (control_sock_ != -1) { 85 shutdown(control_sock_, SHUT_RDWR); 86 close(control_sock_); 87 } 88 } 89 90 virtual bool Accept() REQUIRES(!state_lock_); 91 92 virtual bool Establish(const JdwpOptions*) { 93 return false; 94 } 95 96 virtual void Shutdown() REQUIRES(!state_lock_) { 97 int control_sock; 98 int local_clientSock; 99 { 100 MutexLock mu(Thread::Current(), state_lock_); 101 shutting_down_ = true; 102 control_sock = this->control_sock_; 103 local_clientSock = this->clientSock; 104 /* clear these out so it doesn't wake up and try to reuse them */ 105 this->control_sock_ = this->clientSock = -1; 106 } 107 108 if (local_clientSock != -1) { 109 shutdown(local_clientSock, SHUT_RDWR); 110 } 111 112 if (control_sock != -1) { 113 shutdown(control_sock, SHUT_RDWR); 114 } 115 116 WakePipe(); 117 } 118 119 virtual bool ProcessIncoming() REQUIRES(!state_lock_); 120 121 private: 122 int ReceiveClientFd() REQUIRES(!state_lock_); 123 124 bool IsDown() REQUIRES(!state_lock_) { 125 MutexLock mu(Thread::Current(), state_lock_); 126 return shutting_down_; 127 } 128 129 int ControlSock() REQUIRES(!state_lock_) { 130 MutexLock mu(Thread::Current(), state_lock_); 131 if (shutting_down_) { 132 CHECK_EQ(control_sock_, -1); 133 } 134 return control_sock_; 135 } 136 137 int control_sock_ GUARDED_BY(state_lock_); 138 bool shutting_down_ GUARDED_BY(state_lock_); 139 Mutex state_lock_; 140 141 socklen_t control_addr_len_; 142 union { 143 sockaddr_un controlAddrUn; 144 sockaddr controlAddrPlain; 145 } control_addr_; 146 }; 147 148 /* 149 * Do initial prep work, e.g. binding to ports and opening files. This 150 * runs in the main thread, before the JDWP thread starts, so it shouldn't 151 * do anything that might block forever. 152 */ 153 bool InitAdbTransport(JdwpState* state, const JdwpOptions*) { 154 VLOG(jdwp) << "ADB transport startup"; 155 state->netState = new JdwpAdbState(state); 156 return (state->netState != nullptr); 157 } 158 159 /* 160 * Receive a file descriptor from ADB. The fd can be used to communicate 161 * directly with a debugger or DDMS. 162 * 163 * Returns the file descriptor on success. On failure, returns -1 and 164 * closes netState->control_sock_. 165 */ 166 int JdwpAdbState::ReceiveClientFd() { 167 char dummy = '!'; 168 union { 169 cmsghdr cm; 170 char buffer[CMSG_SPACE(sizeof(int))]; 171 } cm_un; 172 173 iovec iov; 174 iov.iov_base = &dummy; 175 iov.iov_len = 1; 176 177 msghdr msg; 178 msg.msg_name = nullptr; 179 msg.msg_namelen = 0; 180 msg.msg_iov = &iov; 181 msg.msg_iovlen = 1; 182 msg.msg_flags = 0; 183 msg.msg_control = cm_un.buffer; 184 msg.msg_controllen = sizeof(cm_un.buffer); 185 186 cmsghdr* cmsg = CMSG_FIRSTHDR(&msg); 187 cmsg->cmsg_len = msg.msg_controllen; 188 cmsg->cmsg_level = SOL_SOCKET; 189 cmsg->cmsg_type = SCM_RIGHTS; 190 (reinterpret_cast<int*>(CMSG_DATA(cmsg)))[0] = -1; 191 192 int rc = TEMP_FAILURE_RETRY(recvmsg(ControlSock(), &msg, 0)); 193 194 if (rc <= 0) { 195 if (rc == -1) { 196 PLOG(WARNING) << "Receiving file descriptor from ADB failed (socket " << ControlSock() << ")"; 197 } 198 MutexLock mu(Thread::Current(), state_lock_); 199 close(control_sock_); 200 control_sock_ = -1; 201 return -1; 202 } 203 204 return (reinterpret_cast<int*>(CMSG_DATA(cmsg)))[0]; 205 } 206 207 /* 208 * Block forever, waiting for a debugger to connect to us. Called from the 209 * JDWP thread. 210 * 211 * This needs to un-block and return "false" if the VM is shutting down. It 212 * should return "true" when it successfully accepts a connection. 213 */ 214 bool JdwpAdbState::Accept() { 215 int retryCount = 0; 216 217 /* first, ensure that we get a connection to the ADB daemon */ 218 219 retry: 220 if (IsDown()) { 221 return false; 222 } 223 224 if (ControlSock() == -1) { 225 int sleep_ms = 500; 226 const int sleep_max_ms = 2*1000; 227 228 int sock = socket(AF_UNIX, SOCK_SEQPACKET, 0); 229 if (sock < 0) { 230 PLOG(ERROR) << "Could not create ADB control socket"; 231 return false; 232 } 233 struct timeval timeout; 234 timeout.tv_sec = kControlSockSendTimeout; 235 timeout.tv_usec = 0; 236 setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)); 237 { 238 MutexLock mu(Thread::Current(), state_lock_); 239 control_sock_ = sock; 240 if (shutting_down_) { 241 return false; 242 } 243 if (!MakePipe()) { 244 return false; 245 } 246 } 247 248 int32_t pid = getpid(); 249 250 for (;;) { 251 /* 252 * If adbd isn't running, because USB debugging was disabled or 253 * perhaps the system is restarting it for "adb root", the 254 * connect() will fail. We loop here forever waiting for it 255 * to come back. 256 * 257 * Waking up and polling every couple of seconds is generally a 258 * bad thing to do, but we only do this if the application is 259 * debuggable *and* adbd isn't running. Still, for the sake 260 * of battery life, we should consider timing out and giving 261 * up after a few minutes in case somebody ships an app with 262 * the debuggable flag set. 263 */ 264 int ret = connect(ControlSock(), &control_addr_.controlAddrPlain, control_addr_len_); 265 if (!ret) { 266 int control_sock = ControlSock(); 267 #ifdef ART_TARGET_ANDROID 268 if (control_sock < 0 || !socket_peer_is_trusted(control_sock)) { 269 if (control_sock >= 0 && shutdown(control_sock, SHUT_RDWR)) { 270 PLOG(ERROR) << "trouble shutting down socket"; 271 } 272 return false; 273 } 274 #endif 275 276 /* now try to send our pid to the ADB daemon */ 277 ret = TEMP_FAILURE_RETRY(send(control_sock, &pid, sizeof(pid), 0)); 278 if (ret == sizeof(pid)) { 279 VLOG(jdwp) << "PID " << pid << " sent to ADB"; 280 break; 281 } 282 283 PLOG(ERROR) << "Weird, can't send JDWP process pid to ADB"; 284 return false; 285 } 286 if (VLOG_IS_ON(jdwp)) { 287 PLOG(ERROR) << "Can't connect to ADB control socket"; 288 } 289 290 usleep(sleep_ms * 1000); 291 292 sleep_ms += (sleep_ms >> 1); 293 if (sleep_ms > sleep_max_ms) { 294 sleep_ms = sleep_max_ms; 295 } 296 if (IsDown()) { 297 return false; 298 } 299 } 300 } 301 302 VLOG(jdwp) << "trying to receive file descriptor from ADB"; 303 /* now we can receive a client file descriptor */ 304 int sock = ReceiveClientFd(); 305 { 306 MutexLock mu(Thread::Current(), state_lock_); 307 clientSock = sock; 308 if (shutting_down_) { 309 return false; // suppress logs and additional activity 310 } 311 } 312 if (clientSock == -1) { 313 if (++retryCount > 5) { 314 LOG(ERROR) << "adb connection max retries exceeded"; 315 return false; 316 } 317 goto retry; 318 } else { 319 VLOG(jdwp) << "received file descriptor " << clientSock << " from ADB"; 320 SetAwaitingHandshake(true); 321 input_count_ = 0; 322 return true; 323 } 324 } 325 326 /* 327 * Process incoming data. If no data is available, this will block until 328 * some arrives. 329 * 330 * If we get a full packet, handle it. 331 * 332 * To take some of the mystery out of life, we want to reject incoming 333 * connections if we already have a debugger attached. If we don't, the 334 * debugger will just mysteriously hang until it times out. We could just 335 * close the listen socket, but there's a good chance we won't be able to 336 * bind to the same port again, which would confuse utilities. 337 * 338 * Returns "false" on error (indicating that the connection has been severed), 339 * "true" if things are still okay. 340 */ 341 bool JdwpAdbState::ProcessIncoming() { 342 int readCount; 343 344 CHECK_NE(clientSock, -1); 345 346 if (!HaveFullPacket()) { 347 /* read some more, looping until we have data */ 348 errno = 0; 349 while (1) { 350 int selCount; 351 fd_set readfds; 352 int maxfd = -1; 353 int fd; 354 355 FD_ZERO(&readfds); 356 357 /* configure fds; note these may get zapped by another thread */ 358 fd = ControlSock(); 359 if (fd >= 0) { 360 FD_SET(fd, &readfds); 361 if (maxfd < fd) { 362 maxfd = fd; 363 } 364 } 365 fd = clientSock; 366 if (fd >= 0) { 367 FD_SET(fd, &readfds); 368 if (maxfd < fd) { 369 maxfd = fd; 370 } 371 } 372 fd = wake_pipe_[0]; 373 if (fd >= 0) { 374 FD_SET(fd, &readfds); 375 if (maxfd < fd) { 376 maxfd = fd; 377 } 378 } else { 379 LOG(INFO) << "NOTE: entering select w/o wakepipe"; 380 } 381 382 if (maxfd < 0) { 383 VLOG(jdwp) << "+++ all fds are closed"; 384 return false; 385 } 386 387 /* 388 * Select blocks until it sees activity on the file descriptors. 389 * Closing the local file descriptor does not count as activity, 390 * so we can't rely on that to wake us up (it works for read() 391 * and accept(), but not select()). 392 * 393 * We can do one of three things: (1) send a signal and catch 394 * EINTR, (2) open an additional fd ("wake pipe") and write to 395 * it when it's time to exit, or (3) time out periodically and 396 * re-issue the select. We're currently using #2, as it's more 397 * reliable than #1 and generally better than #3. Wastes two fds. 398 */ 399 selCount = select(maxfd + 1, &readfds, nullptr, nullptr, nullptr); 400 if (selCount < 0) { 401 if (errno == EINTR) { 402 continue; 403 } 404 PLOG(ERROR) << "select failed"; 405 goto fail; 406 } 407 408 if (wake_pipe_[0] >= 0 && FD_ISSET(wake_pipe_[0], &readfds)) { 409 VLOG(jdwp) << "Got wake-up signal, bailing out of select"; 410 goto fail; 411 } 412 int control_sock = ControlSock(); 413 if (control_sock >= 0 && FD_ISSET(control_sock, &readfds)) { 414 int sock = ReceiveClientFd(); 415 if (sock >= 0) { 416 LOG(INFO) << "Ignoring second debugger -- accepting and dropping"; 417 close(sock); 418 } else { 419 CHECK_EQ(ControlSock(), -1); 420 /* 421 * Remote side most likely went away, so our next read 422 * on clientSock will fail and throw us out of the loop. 423 */ 424 } 425 } 426 if (clientSock >= 0 && FD_ISSET(clientSock, &readfds)) { 427 readCount = read(clientSock, input_buffer_ + input_count_, sizeof(input_buffer_) - input_count_); 428 if (readCount < 0) { 429 /* read failed */ 430 if (errno != EINTR) { 431 goto fail; 432 } 433 VLOG(jdwp) << "+++ EINTR hit"; 434 return true; 435 } else if (readCount == 0) { 436 /* EOF hit -- far end went away */ 437 VLOG(jdwp) << "+++ peer disconnected"; 438 goto fail; 439 } else { 440 break; 441 } 442 } 443 } 444 445 input_count_ += readCount; 446 if (!HaveFullPacket()) { 447 return true; /* still not there yet */ 448 } 449 } 450 451 /* 452 * Special-case the initial handshake. For some bizarre reason we're 453 * expected to emulate bad tty settings by echoing the request back 454 * exactly as it was sent. Note the handshake is always initiated by 455 * the debugger, no matter who connects to whom. 456 * 457 * Other than this one case, the protocol [claims to be] stateless. 458 */ 459 if (IsAwaitingHandshake()) { 460 if (memcmp(input_buffer_, kMagicHandshake, kMagicHandshakeLen) != 0) { 461 LOG(ERROR) << StringPrintf("ERROR: bad handshake '%.14s'", input_buffer_); 462 goto fail; 463 } 464 465 errno = 0; 466 int cc = TEMP_FAILURE_RETRY(write(clientSock, input_buffer_, kMagicHandshakeLen)); 467 if (cc != kMagicHandshakeLen) { 468 PLOG(ERROR) << "Failed writing handshake bytes (" << cc << " of " << kMagicHandshakeLen << ")"; 469 goto fail; 470 } 471 472 ConsumeBytes(kMagicHandshakeLen); 473 SetAwaitingHandshake(false); 474 VLOG(jdwp) << "+++ handshake complete"; 475 return true; 476 } 477 478 /* 479 * Handle this packet. 480 */ 481 return state_->HandlePacket(); 482 483 fail: 484 Close(); 485 return false; 486 } 487 488 } // namespace JDWP 489 490 } // namespace art 491