libbinder: RPC limit on oneway transactions
Artificial large limits on oneway transactions. Warn after 1000 pending
transactions and invalidate the connection after 10000. This is a pretty
arbitrary limit, approximating the order of magnitude of average sized
binder transactions you can have before filling up the binder buffer
(I originally did this analysis for HIDL passthrough mode, which uses
3000). However, I've raised the limit because in this case, we must
actually terminate the RPC connection. If this happens, it's already
quite a bad situation. Best we can hope for is to reset everything up.
Unlike kernel binder, we can't return an error when the queue fills up,
since we're processing this on the other side of the transaction. We
must also do this type of analysis on the server side, regardless of
(potentially better) logic in the client side, so that this code also
guards against broken clients.
Fixes: 183140903
Test: binderRpcTest
Change-Id: Ibe1a854b526a7f862776df36d555cb346f01fde7
diff --git a/libs/binder/tests/binderRpcTest.cpp b/libs/binder/tests/binderRpcTest.cpp
index c846660..82f8a3e 100644
--- a/libs/binder/tests/binderRpcTest.cpp
+++ b/libs/binder/tests/binderRpcTest.cpp
@@ -941,6 +941,40 @@
for (auto& t : threads) t.join();
}
+TEST_P(BinderRpc, OnewayCallExhaustion) {
+ constexpr size_t kNumClients = 2;
+ constexpr size_t kTooLongMs = 1000;
+
+ auto proc = createRpcTestSocketServerProcess(kNumClients /*threads*/, 2 /*sessions*/);
+
+ // Build up oneway calls on the second session to make sure it terminates
+ // and shuts down. The first session should be unaffected (proc destructor
+ // checks the first session).
+ auto iface = interface_cast<IBinderRpcTest>(proc.proc.sessions.at(1).root);
+
+ std::vector<std::thread> threads;
+ for (size_t i = 0; i < kNumClients; i++) {
+ // one of these threads will get stuck queueing a transaction once the
+ // socket fills up, the other will be able to fill up transactions on
+ // this object
+ threads.push_back(std::thread([&] {
+ while (iface->sleepMsAsync(kTooLongMs).isOk()) {
+ }
+ }));
+ }
+ for (auto& t : threads) t.join();
+
+ Status status = iface->sleepMsAsync(kTooLongMs);
+ EXPECT_EQ(DEAD_OBJECT, status.transactionError()) << status;
+
+ // the second session should be shutdown in the other process by the time we
+ // are able to join above (it'll only be hung up once it finishes processing
+ // any pending commands). We need to erase this session from the record
+ // here, so that the destructor for our session won't check that this
+ // session is valid, but we still want it to test the other session.
+ proc.proc.sessions.erase(proc.proc.sessions.begin() + 1);
+}
+
TEST_P(BinderRpc, Callbacks) {
const static std::string kTestString = "good afternoon!";