Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_native / 91a96b6474aa999790e4fabfa8ab7240c61c7490^! / . / libs / binder / ndk / ibinder.cpp
commit91a96b6474aa999790e4fabfa8ab7240c61c7490[log] [tgz]
authorSteven Moreland <smoreland@google.com>Wed Jun 30 23:07:13 2021 +0000
committerSteven Moreland <smoreland@google.com>Wed Jun 30 23:50:27 2021 +0000
treeffb424adb5430c1e66fd5d34e09f555775fb7a56
parent07ac6eefffa4822a2e40c2e497bd4a5dae402958 [diff] [blame]
libbinder_ndk: fix race related to bpbinder

In a recent CL, I incorrectly stated in a comment (which is now
corrected here) that ABpBinder::onLastStrongRef can assume the
underlying binder also has no reference count. This is simply wrong (and
such a comment should have came with an assertion).

When this was not true (you receive a binder at the same time that
another thread is dropping the last NDK-layer reference to that binder),
the detachObject call was deleting the ABpBinderTag::Value beneath the
code in lookupOrCreateFromBinder that is looking up this binder.

Bug: 192321823
Test: CtsNdkBinderTestCases (more to come)
Change-Id: I71b1081b6d6ca179d17af6bb1e4a1bb3dd4b109b

diff --git a/libs/binder/ndk/ibinder.cpp b/libs/binder/ndk/ibinder.cpp
index 266ef37..65214bd 100644
--- a/libs/binder/ndk/ibinder.cpp
+++ b/libs/binder/ndk/ibinder.cpp

@@ -232,13 +232,15 @@
 
 void ABpBinder::onLastStrongRef(const void* id) {
     // Since ABpBinder is OBJECT_LIFETIME_WEAK, we must remove this weak reference in order for
-    // the ABpBinder to be deleted. Since a strong reference to this ABpBinder object should no
-    // longer be able to exist at the time of this method call, there is no longer a need to
-    // recover it.
+    // the ABpBinder to be deleted. Even though we have no more references on the ABpBinder
+    // (BpRefBase), the remote object may still exist (for instance, if we
+    // receive it from another process, before the ABpBinder is attached).
 
     ABpBinderTag::Value* value =
-            static_cast<ABpBinderTag::Value*>(remote()->detachObject(ABpBinderTag::kId));
-    if (value) ABpBinderTag::clean(ABpBinderTag::kId, value, nullptr /*cookie*/);
+            static_cast<ABpBinderTag::Value*>(remote()->findObject(ABpBinderTag::kId));
+    CHECK_NE(nullptr, value) << "ABpBinder must always be attached";
+
+    remote()->withLock([&]() { value->binder = nullptr; });
 
     BpRefBase::onLastStrongRef(id);
 }
@@ -251,6 +253,9 @@
         return static_cast<ABBinder*>(binder.get());
     }
 
+    // The following code ensures that for a given binder object (remote or local), if it is not an
+    // ABBinder then at most one ABpBinder object exists in a given process representing it.
+
     auto* value = static_cast<ABpBinderTag::Value*>(binder->findObject(ABpBinderTag::kId));
     if (value == nullptr) {
         value = new ABpBinderTag::Value;