Create temp refs on proxies.
Fixes the following scenario:
1) Thread T1 receives a binder proxy and adds a local strong/weak ref
2) Thread T1 queues BC_ACQUIRE/BC_INCREFS (but does not flush)
3) Thread T1 hands the binder proxy off to another thread T2, which
adds another strong ref
4) Thread T1 now drops its own ref to the proxy, but it doesn't get
destructed because T2 has its own ref to it
6) Thread T2 runs and drops its own ref to the proxy, which causes a
BC_RELEASE/BC_DECREFS to be queued to the driver.
Now, if T1 writes its command queue to the driver first, everything
is fine, because a BC_ACQUIRE/BC_INCREFS will be followed by a
BC_RELEASE/BC_DECREFS. However if T2 writes its command queue first,
BC_RELEASE/BC_DECREFS will be sent first, and the driver will delete
the reference prematurely.
Fix this by temporarily holding a weak/strong ref until the initial
BC_ACUIRE/BC_INCREFS is flushed to the driver.
Bug: 78437964
Test: sailfish builds, boots, no invalid ref messages on dumpsys
Change-Id: Ica5efaf9fa2785423c37abb1456575d97f1cd85f
diff --git a/libs/binder/BpBinder.cpp b/libs/binder/BpBinder.cpp
index 289433b..c8de373 100644
--- a/libs/binder/BpBinder.cpp
+++ b/libs/binder/BpBinder.cpp
@@ -150,7 +150,7 @@
ALOGV("Creating BpBinder %p handle %d\n", this, mHandle);
extendObjectLifetime(OBJECT_LIFETIME_WEAK);
- IPCThreadState::self()->incWeakHandle(handle);
+ IPCThreadState::self()->incWeakHandle(handle, this);
}
bool BpBinder::isDescriptorCached() const {
@@ -412,7 +412,7 @@
{
ALOGV("onFirstRef BpBinder %p handle %d\n", this, mHandle);
IPCThreadState* ipc = IPCThreadState::self();
- if (ipc) ipc->incStrongHandle(mHandle);
+ if (ipc) ipc->incStrongHandle(mHandle, this);
}
void BpBinder::onLastStrongRef(const void* /*id*/)
diff --git a/libs/binder/IPCThreadState.cpp b/libs/binder/IPCThreadState.cpp
index ba9bf61..fd552b4 100644
--- a/libs/binder/IPCThreadState.cpp
+++ b/libs/binder/IPCThreadState.cpp
@@ -409,6 +409,15 @@
if (mProcess->mDriverFD <= 0)
return;
talkWithDriver(false);
+ // The flush could have caused post-write refcount decrements to have
+ // been executed, which in turn could result in BC_RELEASE/BC_DECREFS
+ // being queued in mOut. So flush again, if we need to.
+ if (mOut.dataSize() > 0) {
+ talkWithDriver(false);
+ }
+ if (mOut.dataSize() > 0) {
+ ALOGW("mOut.dataSize() > 0 after flushCommands()");
+ }
}
void IPCThreadState::blockUntilThreadAvailable()
@@ -501,6 +510,21 @@
}
}
+void IPCThreadState::processPostWriteDerefs()
+{
+ for (size_t i = 0; i < mPostWriteWeakDerefs.size(); i++) {
+ RefBase::weakref_type* refs = mPostWriteWeakDerefs[i];
+ refs->decWeak(mProcess.get());
+ }
+ mPostWriteWeakDerefs.clear();
+
+ for (size_t i = 0; i < mPostWriteStrongDerefs.size(); i++) {
+ RefBase* obj = mPostWriteStrongDerefs[i];
+ obj->decStrong(mProcess.get());
+ }
+ mPostWriteStrongDerefs.clear();
+}
+
void IPCThreadState::joinThreadPool(bool isMain)
{
LOG_THREADPOOL("**** THREAD %p (PID %d) IS JOINING THE THREAD POOL\n", (void*)pthread_self(), getpid());
@@ -627,11 +651,14 @@
return err;
}
-void IPCThreadState::incStrongHandle(int32_t handle)
+void IPCThreadState::incStrongHandle(int32_t handle, BpBinder *proxy)
{
LOG_REMOTEREFS("IPCThreadState::incStrongHandle(%d)\n", handle);
mOut.writeInt32(BC_ACQUIRE);
mOut.writeInt32(handle);
+ // Create a temp reference until the driver has handled this command.
+ proxy->incStrong(mProcess.get());
+ mPostWriteStrongDerefs.push(proxy);
}
void IPCThreadState::decStrongHandle(int32_t handle)
@@ -641,11 +668,14 @@
mOut.writeInt32(handle);
}
-void IPCThreadState::incWeakHandle(int32_t handle)
+void IPCThreadState::incWeakHandle(int32_t handle, BpBinder *proxy)
{
LOG_REMOTEREFS("IPCThreadState::incWeakHandle(%d)\n", handle);
mOut.writeInt32(BC_INCREFS);
mOut.writeInt32(handle);
+ // Create a temp reference until the driver has handled this command.
+ proxy->getWeakRefs()->incWeak(mProcess.get());
+ mPostWriteWeakDerefs.push(proxy->getWeakRefs());
}
void IPCThreadState::decWeakHandle(int32_t handle)
@@ -897,8 +927,10 @@
if (bwr.write_consumed > 0) {
if (bwr.write_consumed < mOut.dataSize())
mOut.remove(0, bwr.write_consumed);
- else
+ else {
mOut.setDataSize(0);
+ processPostWriteDerefs();
+ }
}
if (bwr.read_consumed > 0) {
mIn.setDataSize(bwr.read_consumed);
diff --git a/libs/binder/include/binder/IPCThreadState.h b/libs/binder/include/binder/IPCThreadState.h
index 245607e..c1d9a9a 100644
--- a/libs/binder/include/binder/IPCThreadState.h
+++ b/libs/binder/include/binder/IPCThreadState.h
@@ -64,9 +64,9 @@
uint32_t code, const Parcel& data,
Parcel* reply, uint32_t flags);
- void incStrongHandle(int32_t handle);
+ void incStrongHandle(int32_t handle, BpBinder *proxy);
void decStrongHandle(int32_t handle);
- void incWeakHandle(int32_t handle);
+ void incWeakHandle(int32_t handle, BpBinder *proxy);
void decWeakHandle(int32_t handle);
status_t attemptIncStrongHandle(int32_t handle);
static void expungeHandle(int32_t handle, IBinder* binder);
@@ -106,6 +106,7 @@
status_t getAndExecuteCommand();
status_t executeCommand(int32_t command);
void processPendingDerefs();
+ void processPostWriteDerefs();
void clearCaller();
@@ -118,7 +119,8 @@
const sp<ProcessState> mProcess;
Vector<BBinder*> mPendingStrongDerefs;
Vector<RefBase::weakref_type*> mPendingWeakDerefs;
-
+ Vector<RefBase*> mPostWriteStrongDerefs;
+ Vector<RefBase::weakref_type*> mPostWriteWeakDerefs;
Parcel mIn;
Parcel mOut;
status_t mLastError;