
Commit 07e01bf7 authored by Steven Moreland's avatar Steven Moreland

android_util_Binder: strict RefBase

Enable stronger checks for better errors. If the refcounting of any of
these objects gets messed up, this should result in clearer errors.
This is part of enabling strict RefBase everywhere possible.

Bug: 393013610
Test: N/A
Change-Id: Ib43d640a94a6824cfc05adb5f10a3bc22d15affd
parent 3d1050f4
+18 −14
@@ -13,8 +13,6 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#undef ANDROID_UTILS_REF_BASE_DISABLE_IMPLICIT_CONSTRUCTION // TODO:remove this and fix code

#define LOG_TAG "JavaBinder"
// #define LOG_NDEBUG 0

@@ -480,7 +478,7 @@ public:
        if (b) return b;

        // b/360067751: constructor may trigger GC, so call outside lock
        b = new JavaBBinder(env, obj);
        b = sp<JavaBBinder>::make(env, obj);

        {
            AutoMutex _l(mLock);
@@ -641,11 +639,17 @@ public:
        } else {
            mObject = env->NewGlobalRef(object);
        }
    }

    void onFirstRef() override {
        T::onFirstRef();

        sp<RecipientList<T>> list = mList.promote();
        // These objects manage their own lifetimes so are responsible for final bookkeeping.
        // The list holds a strong reference to this object.
        LOG_DEATH_FREEZE("%s Adding JavaRecipient %p to RecipientList %p", logPrefix<T>(), this,
                         list.get());
        list->add(this);
        list->add(sp<JavaRecipient>::fromExisting(this));
    }

    void clearReference() {
@@ -653,7 +657,7 @@ public:
        if (list != NULL) {
            LOG_DEATH_FREEZE("%s Removing JavaRecipient %p from RecipientList %p", logPrefix<T>(),
                             this, list.get());
            list->remove(this);
            list->remove(sp<JavaRecipient>::fromExisting(this));
        } else {
            LOG_DEATH_FREEZE("%s clearReference() on JavaRecipient %p but RecipientList wp purged",
                             logPrefix<T>(), this);
@@ -935,7 +939,7 @@ struct BinderProxyNativeData {
    // Frozen state change callbacks for mObject. Reference counted only because
    // JavaFrozenStateChangeCallback hold a weak reference that can be
    // temporarily promoted.
    sp<FrozenStateChangeCallbackList> mFrozenStateChangCallbackList;
    sp<FrozenStateChangeCallbackList> mFrozenStateChangeCallbackList;
};

BinderProxyNativeData* getBPNativeData(JNIEnv* env, jobject obj) {
@@ -960,8 +964,8 @@ jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val)
    }

    BinderProxyNativeData* nativeData = new BinderProxyNativeData();
    nativeData->mOrgue = new DeathRecipientList;
    nativeData->mFrozenStateChangCallbackList = new FrozenStateChangeCallbackList;
    nativeData->mOrgue = sp<DeathRecipientList>::make();
    nativeData->mFrozenStateChangeCallbackList = sp<FrozenStateChangeCallbackList>::make();
    nativeData->mObject = val;

    jobject object = env->CallStaticObjectMethod(gBinderProxyOffsets.mClass,
@@ -1564,8 +1568,8 @@ static void android_os_BinderProxy_linkToDeath(JNIEnv* env, jobject obj,
    LOG_DEATH_FREEZE("linkToDeath: binder=%p recipient=%p\n", target, recipient);

    if (!target->localBinder()) {
        DeathRecipientList* list = nd->mOrgue.get();
        sp<JavaDeathRecipient> jdr = new JavaDeathRecipient(env, recipient, list);
        sp<DeathRecipientList> list = nd->mOrgue;
        sp<JavaDeathRecipient> jdr = sp<JavaDeathRecipient>::make(env, recipient, list);
        status_t err = target->linkToDeath(jdr, NULL, flags);
        if (err != NO_ERROR) {
            // Failure adding the death recipient, so clear its reference
@@ -1641,7 +1645,7 @@ static void android_os_BinderProxy_addFrozenStateChangeCallback(
    LOG_DEATH_FREEZE("addFrozenStateChangeCallback: binder=%p callback=%p\n", target, callback);

    if (!target->localBinder()) {
        FrozenStateChangeCallbackList* list = nd->mFrozenStateChangCallbackList.get();
        sp<FrozenStateChangeCallbackList> list = nd->mFrozenStateChangeCallbackList;
        auto jfscc = sp<JavaFrozenStateChangeCallback>::make(env, callback, list);
        status_t err = target->addFrozenStateChangeCallback(jfscc);
        if (err != NO_ERROR) {
@@ -1675,7 +1679,7 @@ static jboolean android_os_BinderProxy_removeFrozenStateChangeCallback(JNIEnv* e
        status_t err = NAME_NOT_FOUND;

        // If we find the matching callback, proceed to unlink using that
        FrozenStateChangeCallbackList* list = nd->mFrozenStateChangCallbackList.get();
        FrozenStateChangeCallbackList* list = nd->mFrozenStateChangeCallbackList.get();
        sp<JavaRecipient<IBinder::FrozenStateChangeCallback> > origJFSCC = list->find(callback);
        LOG_DEATH_FREEZE("   removeFrozenStateChangeCallback found list %p and JFSCC %p", list,
                         origJFSCC.get());
@@ -1704,7 +1708,7 @@ static void BinderProxy_destroy(void* rawNativeData)
    BinderProxyNativeData * nativeData = (BinderProxyNativeData *) rawNativeData;
    LOG_DEATH_FREEZE("Destroying BinderProxy: binder=%p drl=%p fsccl=%p\n",
                     nativeData->mObject.get(), nativeData->mOrgue.get(),
                     nativeData->mFrozenStateChangCallbackList.get());
                     nativeData->mFrozenStateChangeCallbackList.get());
    delete nativeData;
    IPCThreadState::self()->flushCommands();
}
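Review bot: In the new `onFirstRef()`, the result of `mList.promote()` is dereferenced by `list->add(...)` with no null check, while `clearReference()` just below guards the same promotion with `if (list != NULL)` and logs the purged case. The callers visible in this commit (`linkToDeath`, `addFrozenStateChangeCallback`) now hold a strong `sp` to the list across `sp<...>::make(...)`, so the promotion should succeed there, but that invariant is only implicit, and a failed promotion would surface as a null dereference in the JNI layer rather than the clear error this commit is aiming for. I would state the assumption right after the promote, e.g. `LOG_ALWAYS_FATAL_IF(list == nullptr, "RecipientList destroyed before onFirstRef");`, or at minimum add a comment that the creator must keep the list alive until `make()` returns. The constructor and the remainder of `clearReference()` lie outside the hunks shown, so the declared type of `mList` is inferred from the `promote()` call.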