libbinder_ndk: ABBinder objects are tagged.
This allows us to always cast an object directly to the underlying
object rather than temporarily putting it behind a proxy. This also
simplifies the AIBinder_associateClass API greatly.
As a side-effect, this also fixes reading null parcelables from
binder buffers due to a previously missing check.
Bug: 111445392
Test: runtests.sh
Change-Id: I0c9a75132f9da35a2500b1e83f218b180b2dda36
diff --git a/libs/binder/ndk/AIBinder.cpp b/libs/binder/ndk/AIBinder.cpp
index d0ce98d..fe07914 100644
--- a/libs/binder/ndk/AIBinder.cpp
+++ b/libs/binder/ndk/AIBinder.cpp
@@ -28,14 +28,29 @@
using ::android::String16;
using ::android::wp;
+namespace ABBinderTag {
+
+static const void* kId = "ABBinder";
+static void* kValue = static_cast<void*>(new bool{true});
+void cleanId(const void* /*id*/, void* /*obj*/, void* /*cookie*/){/* do nothing */};
+
+static void attach(const sp<IBinder>& binder) {
+ binder->attachObject(kId, kValue, nullptr /*cookie*/, cleanId);
+}
+static bool has(const sp<IBinder>& binder) {
+ return binder != nullptr && binder->findObject(kId) == kValue;
+}
+
+} // namespace ABBinderTag
+
AIBinder::AIBinder(const AIBinder_Class* clazz) : mClazz(clazz) {}
AIBinder::~AIBinder() {}
-sp<AIBinder> AIBinder::associateClass(const AIBinder_Class* clazz) {
+bool AIBinder::associateClass(const AIBinder_Class* clazz) {
using ::android::String8;
- if (clazz == nullptr) return nullptr;
- if (mClazz == clazz) return this;
+ if (clazz == nullptr) return false;
+ if (mClazz == clazz) return true;
String8 newDescriptor(clazz->getInterfaceDescriptor());
@@ -45,42 +60,31 @@
LOG(ERROR) << __func__ << ": Class descriptors '" << currentDescriptor
<< "' match during associateClass, but they are different class objects. "
"Class descriptor collision?";
- return nullptr;
+ } else {
+ LOG(ERROR) << __func__
+ << ": Class cannot be associated on object which already has a class. "
+ "Trying to associate to '"
+ << newDescriptor.c_str() << "' but already set to '"
+ << currentDescriptor.c_str() << "'.";
}
- LOG(ERROR) << __func__
- << ": Class cannot be associated on object which already has a class. Trying to "
- "associate to '"
- << newDescriptor.c_str() << "' but already set to '" << currentDescriptor.c_str()
- << "'.";
- return nullptr;
+ // always a failure because we know mClazz != clazz
+ return false;
}
+ CHECK(asABpBinder() != nullptr); // ABBinder always has a descriptor
+
String8 descriptor(getBinder()->getInterfaceDescriptor());
if (descriptor != newDescriptor) {
LOG(ERROR) << __func__ << ": Expecting binder to have class '" << newDescriptor.c_str()
<< "' but descriptor is actually '" << descriptor.c_str() << "'.";
- return nullptr;
+ return false;
}
- // The descriptor matches, so if it is local, this is guaranteed to be the libbinder_ndk class.
- // An error here can occur if there is a conflict between descriptors (two unrelated classes
- // define the same descriptor), but this should never happen.
-
- // if this is a local ABBinder, mClazz should be non-null
- CHECK(asABBinder() == nullptr);
- CHECK(asABpBinder() != nullptr);
-
- if (!isRemote()) {
- // ABpBinder but proxy to a local object. Therefore that local object must be an ABBinder.
- ABBinder* binder = static_cast<ABBinder*>(getBinder().get());
- return binder;
- }
-
- // This is a remote object
+ // if this is a local object, it's not one known to libbinder_ndk
mClazz = clazz;
- return this;
+ return true;
}
ABBinder::ABBinder(const AIBinder_Class* clazz, void* userData)
@@ -111,12 +115,22 @@
}
}
-ABpBinder::ABpBinder(::android::sp<::android::IBinder> binder)
+ABpBinder::ABpBinder(const ::android::sp<::android::IBinder>& binder)
: AIBinder(nullptr /*clazz*/), BpRefBase(binder) {
CHECK(binder != nullptr);
}
ABpBinder::~ABpBinder() {}
+sp<AIBinder> ABpBinder::fromBinder(const ::android::sp<::android::IBinder>& binder) {
+ if (binder == nullptr) {
+ return nullptr;
+ }
+ if (ABBinderTag::has(binder)) {
+ return static_cast<ABBinder*>(binder.get());
+ }
+ return new ABpBinder(binder);
+}
+
struct AIBinder_Weak {
wp<AIBinder> binder;
};
@@ -162,9 +176,11 @@
void* userData = clazz->onCreate(args);
- AIBinder* ret = new ABBinder(clazz, userData);
- AIBinder_incStrong(ret);
- return ret;
+ sp<AIBinder> ret = new ABBinder(clazz, userData);
+ ABBinderTag::attach(ret->getBinder());
+
+ AIBinder_incStrong(ret.get());
+ return ret.get();
}
bool AIBinder_isRemote(AIBinder* binder) {
@@ -200,23 +216,12 @@
return binder->getStrongCount();
}
-void AIBinder_associateClass(AIBinder** binder, const AIBinder_Class* clazz) {
- if (binder == nullptr || *binder == nullptr) {
- return;
+bool AIBinder_associateClass(AIBinder* binder, const AIBinder_Class* clazz) {
+ if (binder == nullptr) {
+ return false;
}
- sp<AIBinder> result = (*binder)->associateClass(clazz);
-
- // This function takes one refcount of 'binder' and delivers one refcount of 'result' to the
- // callee. First we give the callee their refcount and then take it away from binder. This is
- // done in this order in order to handle the case that the result and the binder are the same
- // object.
- if (result != nullptr) {
- AIBinder_incStrong(result.get());
- }
- AIBinder_decStrong(*binder);
-
- *binder = result.get(); // Maybe no-op
+ return binder->associateClass(clazz);
}
const AIBinder_Class* AIBinder_getClass(AIBinder* binder) {