blob: 19ab33e85f5ed750e3938789fd0001986c71aaac [file] [log] [blame]
* Copyright (C) 2019 The Android Open Source Project
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* See the License for the specific language governing permissions and
* limitations under the License.
import static android.service.watchdog.ExplicitHealthCheckService.EXTRA_HEALTH_CHECK_PASSED_PACKAGE;
import static android.service.watchdog.ExplicitHealthCheckService.EXTRA_REQUESTED_PACKAGES;
import static android.service.watchdog.ExplicitHealthCheckService.EXTRA_SUPPORTED_PACKAGES;
import android.Manifest;
import android.annotation.MainThread;
import android.annotation.Nullable;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.IBinder;
import android.os.RemoteCallback;
import android.os.RemoteException;
import android.os.UserHandle;
import android.service.watchdog.ExplicitHealthCheckService;
import android.service.watchdog.IExplicitHealthCheckService;
import android.service.watchdog.PackageInfo;
import android.text.TextUtils;
import android.util.ArraySet;
import android.util.Slog;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;
// TODO(b/120598832): Add tests
* Controls the connections with {@link ExplicitHealthCheckService}.
class ExplicitHealthCheckController {
private static final String TAG = "ExplicitHealthCheckController";
private final Object mLock = new Object();
private final Context mContext;
// Called everytime a package passes the health check, so the watchdog is notified of the
// passing check. In practice, should never be null after it has been #setEnabled.
// To prevent deadlocks between the controller and watchdog threads, we have
// a lock invariant to ALWAYS acquire the PackageWatchdog#mLock before #mLock in this class.
// It's easier to just NOT hold #mLock when calling into watchdog code on this consumer.
@GuardedBy("mLock") @Nullable private Consumer<String> mPassedConsumer;
// Called everytime after a successful #syncRequest call, so the watchdog can receive packages
// supporting health checks and update its internal state. In practice, should never be null
// after it has been #setEnabled.
// To prevent deadlocks between the controller and watchdog threads, we have
// a lock invariant to ALWAYS acquire the PackageWatchdog#mLock before #mLock in this class.
// It's easier to just NOT hold #mLock when calling into watchdog code on this consumer.
@GuardedBy("mLock") @Nullable private Consumer<List<PackageInfo>> mSupportedConsumer;
// Called everytime we need to notify the watchdog to sync requests between itself and the
// health check service. In practice, should never be null after it has been #setEnabled.
// To prevent deadlocks between the controller and watchdog threads, we have
// a lock invariant to ALWAYS acquire the PackageWatchdog#mLock before #mLock in this class.
// It's easier to just NOT hold #mLock when calling into watchdog code on this runnable.
@GuardedBy("mLock") @Nullable private Runnable mNotifySyncRunnable;
// Actual binder object to the explicit health check service.
@GuardedBy("mLock") @Nullable private IExplicitHealthCheckService mRemoteService;
// Connection to the explicit health check service, necessary to unbind.
// We should only try to bind if mConnection is null, non-null indicates we
// are connected or at least connecting.
@GuardedBy("mLock") @Nullable private ServiceConnection mConnection;
// Bind state of the explicit health check service.
@GuardedBy("mLock") private boolean mEnabled;
ExplicitHealthCheckController(Context context) {
mContext = context;
/** Enables or disables explicit health checks. */
public void setEnabled(boolean enabled) {
synchronized (mLock) {
Slog.i(TAG, "Explicit health checks " + (enabled ? "enabled." : "disabled."));
mEnabled = enabled;
* Sets callbacks to listen to important events from the controller.
* <p> Should be called once at initialization before any other calls to the controller to
* ensure a happens-before relationship of the set parameters and visibility on other threads.
public void setCallbacks(Consumer<String> passedConsumer,
Consumer<List<PackageInfo>> supportedConsumer, Runnable notifySyncRunnable) {
synchronized (mLock) {
if (mPassedConsumer != null || mSupportedConsumer != null
|| mNotifySyncRunnable != null) {, "Resetting health check controller callbacks");
mPassedConsumer = Preconditions.checkNotNull(passedConsumer);
mSupportedConsumer = Preconditions.checkNotNull(supportedConsumer);
mNotifySyncRunnable = Preconditions.checkNotNull(notifySyncRunnable);
* Calls the health check service to request or cancel packages based on
* {@code newRequestedPackages}.
* <p> Supported packages in {@code newRequestedPackages} that have not been previously
* requested will be requested while supported packages not in {@code newRequestedPackages}
* but were previously requested will be cancelled.
* <p> This handles binding and unbinding to the health check service as required.
* <p> Note, calling this may modify {@code newRequestedPackages}.
* <p> Note, this method is not thread safe, all calls should be serialized.
public void syncRequests(Set<String> newRequestedPackages) {
boolean enabled;
synchronized (mLock) {
enabled = mEnabled;
if (!enabled) {
Slog.i(TAG, "Health checks disabled, no supported packages");
// Call outside lock
getSupportedPackages(supportedPackageInfos -> {
// Notify the watchdog without lock held
getRequestedPackages(previousRequestedPackages -> {
synchronized (mLock) {
// Hold lock so requests and cancellations are sent atomically.
// It is important we don't mix requests from multiple threads.
Set<String> supportedPackages = new ArraySet<>();
for (PackageInfo info : supportedPackageInfos) {
// Note, this may modify newRequestedPackages
// Cancel packages no longer requested
newRequestedPackages, p -> cancel(p));
// Request packages not yet requested
previousRequestedPackages, p -> request(p));
if (newRequestedPackages.isEmpty()) {
Slog.i(TAG, "No more health check requests, unbinding...");
private void actOnDifference(Collection<String> collection1, Collection<String> collection2,
Consumer<String> action) {
Iterator<String> iterator = collection1.iterator();
while (iterator.hasNext()) {
String packageName =;
if (!collection2.contains(packageName)) {
* Requests an explicit health check for {@code packageName}.
* After this request, the callback registered on {@link #setCallbacks} can receive explicit
* health check passed results.
private void request(String packageName) {
synchronized (mLock) {
if (!prepareServiceLocked("request health check for " + packageName)) {
Slog.i(TAG, "Requesting health check for package " + packageName);
try {
} catch (RemoteException e) {
Slog.w(TAG, "Failed to request health check for package " + packageName, e);
* Cancels all explicit health checks for {@code packageName}.
* After this request, the callback registered on {@link #setCallbacks} can no longer receive
* explicit health check passed results.
private void cancel(String packageName) {
synchronized (mLock) {
if (!prepareServiceLocked("cancel health check for " + packageName)) {
Slog.i(TAG, "Cancelling health check for package " + packageName);
try {
} catch (RemoteException e) {
// Do nothing, if the service is down, when it comes up, we will sync requests,
// if there's some other error, retrying wouldn't fix anyways.
Slog.w(TAG, "Failed to cancel health check for package " + packageName, e);
* Returns the packages that we can request explicit health checks for.
* The packages will be returned to the {@code consumer}.
private void getSupportedPackages(Consumer<List<PackageInfo>> consumer) {
synchronized (mLock) {
if (!prepareServiceLocked("get health check supported packages")) {
Slog.d(TAG, "Getting health check supported packages");
try {
mRemoteService.getSupportedPackages(new RemoteCallback(result -> {
List<PackageInfo> packages =
Slog.i(TAG, "Explicit health check supported packages " + packages);
} catch (RemoteException e) {
// Request failed, treat as if all observed packages are supported, if any packages
// expire during this period, we may incorrectly treat it as failing health checks
// even if we don't support health checks for the package.
Slog.w(TAG, "Failed to get health check supported packages", e);
* Returns the packages for which health checks are currently in progress.
* The packages will be returned to the {@code consumer}.
private void getRequestedPackages(Consumer<List<String>> consumer) {
synchronized (mLock) {
if (!prepareServiceLocked("get health check requested packages")) {
Slog.d(TAG, "Getting health check requested packages");
try {
mRemoteService.getRequestedPackages(new RemoteCallback(result -> {
List<String> packages = result.getStringArrayList(EXTRA_REQUESTED_PACKAGES);
Slog.i(TAG, "Explicit health check requested packages " + packages);
} catch (RemoteException e) {
// Request failed, treat as if we haven't requested any packages, if any packages
// were actually requested, they will not be cancelled now. May be cancelled later
Slog.w(TAG, "Failed to get health check requested packages", e);
* Binds to the explicit health check service if the controller is enabled and
* not already bound.
private void bindService() {
synchronized (mLock) {
if (!mEnabled || mConnection != null || mRemoteService != null) {
if (!mEnabled) {
Slog.i(TAG, "Not binding to service, service disabled");
} else if (mRemoteService != null) {
Slog.i(TAG, "Not binding to service, service already connected");
} else {
Slog.i(TAG, "Not binding to service, service already connecting");
ComponentName component = getServiceComponentNameLocked();
if (component == null) {, "Explicit health check service not found");
Intent intent = new Intent();
mConnection = new ServiceConnection() {
public void onServiceConnected(ComponentName name, IBinder service) {
Slog.i(TAG, "Explicit health check service is connected " + name);
public void onServiceDisconnected(ComponentName name) {
// Service crashed or process was killed, #onServiceConnected will be called.
// Don't need to re-bind.
Slog.i(TAG, "Explicit health check service is disconnected " + name);
synchronized (mLock) {
mRemoteService = null;
public void onBindingDied(ComponentName name) {
// Application hosting service probably got updated
// Need to re-bind.
Slog.i(TAG, "Explicit health check service binding is dead. Rebind: " + name);
public void onNullBinding(ComponentName name) {
// Should never happen. Service returned null from #onBind., "Explicit health check service binding is null?? " + name);
mContext.bindServiceAsUser(intent, mConnection,
Context.BIND_AUTO_CREATE, UserHandle.of(UserHandle.USER_SYSTEM));
Slog.i(TAG, "Explicit health check service is bound");
/** Unbinds the explicit health check service. */
private void unbindService() {
synchronized (mLock) {
if (mRemoteService != null) {
mRemoteService = null;
mConnection = null;
Slog.i(TAG, "Explicit health check service is unbound");
private ServiceInfo getServiceInfoLocked() {
final String packageName =
if (packageName == null) {
Slog.w(TAG, "no external services package!");
return null;
final Intent intent = new Intent(ExplicitHealthCheckService.SERVICE_INTERFACE);
final ResolveInfo resolveInfo = mContext.getPackageManager().resolveService(intent,
PackageManager.GET_SERVICES | PackageManager.GET_META_DATA);
if (resolveInfo == null || resolveInfo.serviceInfo == null) {
Slog.w(TAG, "No valid components found.");
return null;
return resolveInfo.serviceInfo;
private ComponentName getServiceComponentNameLocked() {
final ServiceInfo serviceInfo = getServiceInfoLocked();
if (serviceInfo == null) {
return null;
final ComponentName name = new ComponentName(serviceInfo.packageName,;
.equals(serviceInfo.permission)) {
Slog.w(TAG, name.flattenToShortString() + " does not require permission "
return null;
return name;
private void initState(IBinder service) {
synchronized (mLock) {
if (!mEnabled) {
Slog.w(TAG, "Attempting to connect disabled service?? Unbinding...");
// Very unlikely, but we disabled the service after binding but before we connected
mRemoteService = IExplicitHealthCheckService.Stub.asInterface(service);
try {
mRemoteService.setCallback(new RemoteCallback(result -> {
String packageName = result.getString(EXTRA_HEALTH_CHECK_PASSED_PACKAGE);
if (!TextUtils.isEmpty(packageName)) {
if (mPassedConsumer == null) {, "Health check passed for package " + packageName
+ "but no consumer registered.");
} else {
// Call without lock held
} else {, "Empty package passed explicit health check?");
Slog.i(TAG, "Service initialized, syncing requests");
} catch (RemoteException e) {, "Could not setCallback on explicit health check service");
// Calling outside lock;
* Prepares the health check service to receive requests.
* @return {@code true} if it is ready and we can proceed with a request,
* {@code false} otherwise. If it is not ready, and the service is enabled,
* we will bind and the request should be automatically attempted later.
private boolean prepareServiceLocked(String action) {
if (mRemoteService != null && mEnabled) {
return true;
Slog.i(TAG, "Service not ready to " + action
+ (mEnabled ? ". Binding..." : ". Disabled"));
if (mEnabled) {
return false;