Revert "binder: race condition by parcel finalize" (a926598e) · Commits · e / os / android_frameworks_base

core/java/android/os/BinderProxy.java

+2 −3

Original line number	Diff line number	Diff line
		@@ -537,8 +537,7 @@ public final class BinderProxy implements IBinder {
		}

		try {
		boolean replyOwnsNative = (reply == null) ? false : reply.ownsNativeParcelObject();
		return transactNative(code, data, reply, replyOwnsNative, flags);
		return transactNative(code, data, reply, flags);
		} finally {
		AppOpsManager.resumeNotedAppOpsCollection(prevCollection);

		@@ -563,7 +562,7 @@ public final class BinderProxy implements IBinder {
		* Native implementation of transact() for proxies
		*/
		public native boolean transactNative(int code, Parcel data, Parcel reply,
		boolean replyOwnsNativeParcelObject, int flags) throws RemoteException;
		int flags) throws RemoteException;
		/**
		* See {@link IBinder#linkToDeath(DeathRecipient, int)}
		*/

core/java/android/os/Parcel.java

+0 −5

Original line number	Diff line number	Diff line
		@@ -3690,9 +3690,4 @@ public final class Parcel {
		public long getBlobAshmemSize() {
		return nativeGetBlobAshmemSize(mNativePtr);
		}

		/** @hide */
		/package/ boolean ownsNativeParcelObject() {
		return mOwnsNativeParcelObject;
		}
		}

core/jni/android_os_Parcel.cpp

+4 −6

Original line number	Diff line number	Diff line
		@@ -36,7 +36,6 @@
		#include <utils/List.h>
		#include <utils/KeyedVector.h>
		#include <binder/Parcel.h>
		#include <binder/ParcelRef.h>
		#include <binder/ProcessState.h>
		#include <binder/IServiceManager.h>
		#include <utils/threads.h>
		@@ -530,9 +529,8 @@ static jobject android_os_Parcel_readFileDescriptor(JNIEnv* env, jclass clazz, j

		static jlong android_os_Parcel_create(JNIEnv* env, jclass clazz)
		{
		sp<ParcelRef> parcelRef = ParcelRef::create();
		parcelRef->incStrong(reinterpret_cast<const void*>(android_os_Parcel_create));
		return reinterpret_cast<jlong>(static_cast<Parcel *>(parcelRef.get()));
		Parcel* parcel = new Parcel();
		return reinterpret_cast<jlong>(parcel);
		}

		static jlong android_os_Parcel_freeBuffer(JNIEnv* env, jclass clazz, jlong nativePtr)
		@@ -547,8 +545,8 @@ static jlong android_os_Parcel_freeBuffer(JNIEnv* env, jclass clazz, jlong nativ

		static void android_os_Parcel_destroy(JNIEnv* env, jclass clazz, jlong nativePtr)
		{
		ParcelRef* derivative = static_cast<ParcelRef>(reinterpret_cast<Parcel>(nativePtr));
		derivative->decStrong(reinterpret_cast<const void*>(android_os_Parcel_create));
		Parcel* parcel = reinterpret_cast<Parcel*>(nativePtr);
		delete parcel;
		}

		static jbyteArray android_os_Parcel_marshall(JNIEnv* env, jclass clazz, jlong nativePtr)

core/jni/android_util_Binder.cpp

+2 −19

Original line number	Diff line number	Diff line
		@@ -35,7 +35,6 @@
		#include <binder/IPCThreadState.h>
		#include <binder/IServiceManager.h>
		#include <binder/Parcel.h>
		#include <binder/ParcelRef.h>
		#include <binder/ProcessState.h>
		#include <binder/Stability.h>
		#include <binderthreadstate/CallerUtils.h>
		@@ -1375,8 +1374,7 @@ static bool should_time_binder_calls() {
		}

		static jboolean android_os_BinderProxy_transact(JNIEnv* env, jobject obj,
		jint code, jobject dataObj, jobject replyObj, jboolean replyObjOwnsNativeParcel,
		jint flags) // throws RemoteException
		jint code, jobject dataObj, jobject replyObj, jint flags) // throws RemoteException
		{
		if (dataObj == NULL) {
		jniThrowNullPointerException(env, NULL);
		@@ -1418,21 +1416,6 @@ static jboolean android_os_BinderProxy_transact(JNIEnv* env, jobject obj,
		status_t err = target->transact(code, *data, reply, flags);
		//if (reply) printf("Transact from Java code to %p received: ", target); reply->print();

		if (reply) {
		if (replyObjOwnsNativeParcel) {
		// as per Parcel java class constructor, here, "reply" MUST be a "ParcelRef"
		// only for Parcel that contained Binder objects
		if (reply->objectsCount() > 0) {
		IPCThreadState::self()->createTransactionReference(static_cast<ParcelRef*>(reply));
		}
		} else {
		// as per Parcel.java, if Parcel java object NOT owning native Parcel object, it will
		// NOT destroy the native Parcel object upon GC(finalize()), so, there will be no race
		// condtion in this case. Please refer to the java class methods: Parcel.finalize(),
		// Parcel.destroy().
		}
		}

		if (kEnableBinderSample) {
		if (time_binder_calls) {
		conditionally_log_binder_call(start_millis, target, code);
		@@ -1559,7 +1542,7 @@ static const JNINativeMethod gBinderProxyMethods[] = {
		{"pingBinder", "()Z", (void*)android_os_BinderProxy_pingBinder},
		{"isBinderAlive", "()Z", (void*)android_os_BinderProxy_isBinderAlive},
		{"getInterfaceDescriptor", "()Ljava/lang/String;", (void*)android_os_BinderProxy_getInterfaceDescriptor},
		{"transactNative", "(ILandroid/os/Parcel;Landroid/os/Parcel;ZI)Z", (void*)android_os_BinderProxy_transact},
		{"transactNative", "(ILandroid/os/Parcel;Landroid/os/Parcel;I)Z", (void*)android_os_BinderProxy_transact},
		{"linkToDeath", "(Landroid/os/IBinder$DeathRecipient;I)V", (void*)android_os_BinderProxy_linkToDeath},
		{"unlinkToDeath", "(Landroid/os/IBinder$DeathRecipient;I)Z", (void*)android_os_BinderProxy_unlinkToDeath},
		{"getNativeFinalizer", "()J", (void*)android_os_BinderProxy_getNativeFinalizer},