xref: /aosp_15_r20/frameworks/native/libs/binder/tests/binderStabilityTest.cpp (revision 38e8c45f13ce32b0dcecb25141ffecaf386fa17f) 
1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <android/binder_libbinder.h>
18 #include <android/binder_manager.h>
19 #include <android/binder_stability.h>
20 #include <binder/Binder.h>
21 #include <binder/IBinder.h>
22 #include <binder/IPCThreadState.h>
23 #include <binder/IServiceManager.h>
24 #include <binder/Parcel.h>
25 #include <binder/Stability.h>
26 #include <gtest/gtest.h>
27 
28 #include <sys/prctl.h>
29 
30 #include "../Utils.h"
31 #include "BnBinderStabilityTest.h"
32 #include "aidl/BnBinderStabilityTest.h"
33 
34 using namespace android;
35 using namespace ndk;
36 using android::binder::Status;
37 using android::internal::Stability; // for testing only!
38 
39 const String16 kSystemStabilityServer = String16("binder_stability_test_service_system");
40 
41 // This is handwritten so that we can test different stability levels w/o having the AIDL
42 // compiler assign them. Hand-writing binder interfaces is considered a bad practice
43 // sanity reasons. YOU SHOULD DEFINE AN AIDL INTERFACE INSTEAD!
44 class BadStableBinder : public BBinder {
45 public:
46     static constexpr uint32_t USER_TRANSACTION = IBinder::FIRST_CALL_TRANSACTION;
47     static String16 kDescriptor;
48 
49     bool gotUserTransaction = false;
50 
doUserTransaction(const sp<IBinder> & binder)51     static status_t doUserTransaction(const sp<IBinder>& binder) {
52         Parcel data, reply;
53         data.writeInterfaceToken(kDescriptor);
54         return binder->transact(USER_TRANSACTION, data, &reply, 0/*flags*/);
55     }
56 
onTransact(uint32_t code,const Parcel & data,Parcel * reply,uint32_t flags)57     status_t onTransact(uint32_t code,
58             const Parcel& data, Parcel* reply, uint32_t flags) override {
59         if (code == USER_TRANSACTION) {
60             // not interested in this kind of stability. Make sure
61             // we have a test failure
62             LOG_ALWAYS_FATAL_IF(!data.enforceInterface(kDescriptor));
63 
64             gotUserTransaction = true;
65 
66             ALOGE("binder stability: Got user transaction");
67             return OK;
68         }
69         return BBinder::onTransact(code, data, reply, flags);
70     }
71 
undef()72     static sp<BadStableBinder> undef() {
73         sp<BadStableBinder> iface = new BadStableBinder();
74         return iface;
75     }
76 
system()77     static sp<BadStableBinder> system() {
78         sp<BadStableBinder> iface = new BadStableBinder();
79         Stability::markCompilationUnit(iface.get()); // <- for test only
80         return iface;
81     }
82 
vintf()83     static sp<BadStableBinder> vintf() {
84         sp<BadStableBinder> iface = new BadStableBinder();
85         Stability::markVintf(iface.get()); // <- for test only
86         return iface;
87     }
88 
vendor()89     static sp<BadStableBinder> vendor() {
90         sp<BadStableBinder> iface = new BadStableBinder();
91         Stability::markVndk(iface.get()); // <- for test only
92         return iface;
93     }
94 };
95 String16 BadStableBinder::kDescriptor = String16("BadStableBinder.test");
96 
97 // NO! NO! NO! Do not even think of doing something like this!
98 // This is for testing! If a class like this was actually used in production,
99 // it would ruin everything!
100 class MyBinderStabilityTest : public BnBinderStabilityTest {
101 public:
sendBinder(const sp<IBinder> &)102     Status sendBinder(const sp<IBinder>& /*binder*/) override {
103         return Status::ok();
104     }
sendAndCallBinder(const sp<IBinder> & binder)105     Status sendAndCallBinder(const sp<IBinder>& binder) override {
106         ALOGI("Debug log stability: %s", Stability::debugToString(binder).c_str());
107         return Status::fromExceptionCode(BadStableBinder::doUserTransaction(binder));
108     }
returnNoStabilityBinder(sp<IBinder> * _aidl_return)109     Status returnNoStabilityBinder(sp<IBinder>* _aidl_return) override {
110         *_aidl_return = BadStableBinder::undef();
111         return Status::ok();
112     }
returnLocalStabilityBinder(sp<IBinder> * _aidl_return)113     Status returnLocalStabilityBinder(sp<IBinder>* _aidl_return) override {
114         *_aidl_return = BadStableBinder::system();
115         return Status::ok();
116     }
returnVintfStabilityBinder(sp<IBinder> * _aidl_return)117     Status returnVintfStabilityBinder(sp<IBinder>* _aidl_return) override {
118         *_aidl_return = BadStableBinder::vintf();
119         return Status::ok();
120     }
returnVendorStabilityBinder(sp<IBinder> * _aidl_return)121     Status returnVendorStabilityBinder(sp<IBinder>* _aidl_return) override {
122         *_aidl_return = BadStableBinder::vendor();
123         return Status::ok();
124     }
125 };
126 
TEST(BinderStability,OnlyVintfStabilityBinderNeedsVintfDeclaration)127 TEST(BinderStability, OnlyVintfStabilityBinderNeedsVintfDeclaration) {
128     EXPECT_FALSE(Stability::requiresVintfDeclaration(nullptr));
129     EXPECT_FALSE(Stability::requiresVintfDeclaration(BadStableBinder::undef()));
130     EXPECT_FALSE(Stability::requiresVintfDeclaration(BadStableBinder::system()));
131     EXPECT_FALSE(Stability::requiresVintfDeclaration(BadStableBinder::vendor()));
132 
133     EXPECT_TRUE(Stability::requiresVintfDeclaration(BadStableBinder::vintf()));
134 }
135 
TEST(BinderStability,ForceDowngradeToLocalStability)136 TEST(BinderStability, ForceDowngradeToLocalStability) {
137     sp<IBinder> someBinder = BadStableBinder::vintf();
138 
139     EXPECT_TRUE(Stability::requiresVintfDeclaration(someBinder));
140 
141     // silly to do this after already using the binder, but it's for the test
142     Stability::forceDowngradeToLocalStability(someBinder);
143 
144     EXPECT_FALSE(Stability::requiresVintfDeclaration(someBinder));
145 }
146 
TEST(BinderStability,NdkForceDowngradeToLocalStability)147 TEST(BinderStability, NdkForceDowngradeToLocalStability) {
148     sp<IBinder> someBinder = BadStableBinder::vintf();
149 
150     EXPECT_TRUE(Stability::requiresVintfDeclaration(someBinder));
151 
152     // silly to do this after already using the binder, but it's for the test
153     AIBinder_forceDowngradeToLocalStability(AIBinder_fromPlatformBinder(someBinder));
154 
155     EXPECT_FALSE(Stability::requiresVintfDeclaration(someBinder));
156 }
157 
TEST(BinderStability,ForceDowngradeToVendorStability)158 TEST(BinderStability, ForceDowngradeToVendorStability) {
159     LIBBINDER_IGNORE("-Wdeprecated-declarations")
160     sp<IBinder> serverBinder = android::defaultServiceManager()->getService(kSystemStabilityServer);
161     LIBBINDER_IGNORE_END()
162     auto server = interface_cast<IBinderStabilityTest>(serverBinder);
163 
164     ASSERT_NE(nullptr, server.get());
165     ASSERT_NE(nullptr, IInterface::asBinder(server)->remoteBinder());
166 
167     {
168         sp<BadStableBinder> binder = BadStableBinder::vintf();
169 
170         EXPECT_TRUE(Stability::requiresVintfDeclaration(binder));
171         EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
172         EXPECT_TRUE(binder->gotUserTransaction);
173     }
174     {
175         sp<BadStableBinder> binder = BadStableBinder::vintf();
176 
177         // This method should never be called directly. This is done only for the test.
178         Stability::forceDowngradeToVendorStability(binder);
179 
180         // Binder downgraded to vendor stability, cannot be called from system context
181         EXPECT_FALSE(Stability::requiresVintfDeclaration(binder));
182         EXPECT_EQ(BAD_TYPE, server->sendAndCallBinder(binder).exceptionCode());
183         EXPECT_FALSE(binder->gotUserTransaction);
184     }
185 }
186 
TEST(BinderStability,VintfStabilityServerMustBeDeclaredInManifest)187 TEST(BinderStability, VintfStabilityServerMustBeDeclaredInManifest) {
188     sp<IBinder> vintfServer = BadStableBinder::vintf();
189 
190     for (const char* instance8 : {
191         ".", "/", "/.", "a.d.IFoo", "foo", "a.d.IFoo/foo"
192     }) {
193         String16 instance (instance8);
194 
195         EXPECT_EQ(Status::EX_ILLEGAL_ARGUMENT,
196             android::defaultServiceManager()->addService(String16("."), vintfServer)) << instance8;
197         EXPECT_FALSE(android::defaultServiceManager()->isDeclared(instance)) << instance8;
198         EXPECT_EQ(std::nullopt, android::defaultServiceManager()->updatableViaApex(instance))
199                 << instance8;
200     }
201 }
202 
TEST(BinderStability,ConnectionInfoRequiresManifestEntries)203 TEST(BinderStability, ConnectionInfoRequiresManifestEntries) {
204     sp<IServiceManager> sm = android::defaultServiceManager();
205     sp<IBinder> systemBinder = BadStableBinder::system();
206     EXPECT_EQ(OK, sm->addService(String16("no.connection.foo"), systemBinder));
207     std::optional<android::IServiceManager::ConnectionInfo> connectionInfo;
208     connectionInfo = sm->getConnectionInfo(String16("no.connection.foo"));
209     EXPECT_EQ(connectionInfo, std::nullopt);
210 }
TEST(BinderStability,CantCallVendorBinderInSystemContext)211 TEST(BinderStability, CantCallVendorBinderInSystemContext) {
212     LIBBINDER_IGNORE("-Wdeprecated-declarations")
213     sp<IBinder> serverBinder = android::defaultServiceManager()->getService(kSystemStabilityServer);
214     LIBBINDER_IGNORE_END()
215     auto server = interface_cast<IBinderStabilityTest>(serverBinder);
216 
217     ASSERT_NE(nullptr, server.get());
218     ASSERT_NE(nullptr, IInterface::asBinder(server)->remoteBinder());
219 
220     EXPECT_TRUE(server->sendBinder(BadStableBinder::undef()).isOk());
221     EXPECT_TRUE(server->sendBinder(BadStableBinder::system()).isOk());
222     EXPECT_TRUE(server->sendBinder(BadStableBinder::vintf()).isOk());
223     EXPECT_TRUE(server->sendBinder(BadStableBinder::vendor()).isOk());
224 
225     {
226         sp<BadStableBinder> binder = BadStableBinder::undef();
227         EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
228         EXPECT_TRUE(binder->gotUserTransaction);
229     }
230     {
231         sp<BadStableBinder> binder = BadStableBinder::system();
232         EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
233         EXPECT_TRUE(binder->gotUserTransaction);
234     }
235     {
236         sp<BadStableBinder> binder = BadStableBinder::vintf();
237         EXPECT_TRUE(server->sendAndCallBinder(binder).isOk());
238         EXPECT_TRUE(binder->gotUserTransaction);
239     }
240     {
241         // !!! user-defined transaction may not be stable for remote server !!!
242         // !!! so, it does not work !!!
243         sp<BadStableBinder> binder = BadStableBinder::vendor();
244         EXPECT_EQ(BAD_TYPE, server->sendAndCallBinder(binder).exceptionCode());
245         EXPECT_FALSE(binder->gotUserTransaction);
246     }
247 
248     sp<IBinder> out;
249     EXPECT_TRUE(server->returnNoStabilityBinder(&out).isOk());
250     ASSERT_NE(nullptr, out.get());
251     EXPECT_EQ(OK, out->pingBinder());
252     EXPECT_EQ(OK, BadStableBinder::doUserTransaction(out));
253 
254     EXPECT_TRUE(server->returnLocalStabilityBinder(&out).isOk());
255     ASSERT_NE(nullptr, out.get());
256     EXPECT_EQ(OK, out->pingBinder());
257     EXPECT_EQ(OK, BadStableBinder::doUserTransaction(out));
258 
259     EXPECT_TRUE(server->returnVintfStabilityBinder(&out).isOk());
260     ASSERT_NE(nullptr, out.get());
261     EXPECT_EQ(OK, out->pingBinder());
262     EXPECT_EQ(OK, BadStableBinder::doUserTransaction(out));
263 
264     EXPECT_TRUE(server->returnVendorStabilityBinder(&out).isOk());
265     ASSERT_NE(nullptr, out.get());
266 
267     // !!! libbinder-defined transaction works !!!
268     EXPECT_EQ(OK, out->pingBinder());
269 
270     // !!! user-defined transaction may not be stable !!!
271     // !!! so, it does not work !!!
272     EXPECT_EQ(BAD_TYPE, BadStableBinder::doUserTransaction(out));
273 }
274 
275 // This is handwritten so that we can test different stability levels w/o having the AIDL
276 // compiler assign them. Hand-writing binder interfaces is considered a bad practice
277 // sanity reasons. YOU SHOULD DEFINE AN AIDL INTERFACE INSTEAD!
278 
279 struct NdkBinderStable_DataClass {
280     bool gotUserTransaction = false;
281 };
NdkBadStableBinder_Class_onCreate(void * args)282 void* NdkBadStableBinder_Class_onCreate(void* args) {
283     LOG_ALWAYS_FATAL_IF(args != nullptr, "Takes no args");
284     return static_cast<void*>(new NdkBinderStable_DataClass);
285 }
NdkBadStableBinder_Class_onDestroy(void * userData)286 void NdkBadStableBinder_Class_onDestroy(void* userData) {
287     delete static_cast<NdkBinderStable_DataClass*>(userData);
288 }
NdkBadStableBinder_getUserData(AIBinder * binder)289 NdkBinderStable_DataClass* NdkBadStableBinder_getUserData(AIBinder* binder) {
290     LOG_ALWAYS_FATAL_IF(binder == nullptr);
291     void* userData = AIBinder_getUserData(binder);
292     LOG_ALWAYS_FATAL_IF(userData == nullptr, "null data - binder is remote?");
293 
294     return static_cast<NdkBinderStable_DataClass*>(userData);
295 }
NdkBadStableBinder_Class_onTransact(AIBinder * binder,transaction_code_t code,const AParcel *,AParcel *)296 binder_status_t NdkBadStableBinder_Class_onTransact(
297     AIBinder* binder, transaction_code_t code, const AParcel* /*in*/, AParcel* /*out*/) {
298 
299     if (code == BadStableBinder::USER_TRANSACTION) {
300         ALOGE("ndk binder stability: Got user transaction");
301         NdkBadStableBinder_getUserData(binder)->gotUserTransaction = true;
302         return STATUS_OK;
303     }
304 
305     return STATUS_UNKNOWN_TRANSACTION;
306 }
307 
308 static AIBinder_Class* kNdkBadStableBinder =
309     AIBinder_Class_define(String8(BadStableBinder::kDescriptor).c_str(),
310                           NdkBadStableBinder_Class_onCreate,
311                           NdkBadStableBinder_Class_onDestroy,
312                           NdkBadStableBinder_Class_onTransact);
313 
314 // for testing only to get around __ANDROID_VNDK__ guard.
315 extern "C" void AIBinder_markVendorStability(AIBinder* binder); // <- BAD DO NOT COPY
316 
TEST(BinderStability,NdkCantCallVendorBinderInSystemContext)317 TEST(BinderStability, NdkCantCallVendorBinderInSystemContext) {
318     LIBBINDER_IGNORE("-Wdeprecated-declarations")
319     SpAIBinder binder = SpAIBinder(AServiceManager_getService(
320         String8(kSystemStabilityServer).c_str()));
321     LIBBINDER_IGNORE_END()
322 
323     std::shared_ptr<aidl::IBinderStabilityTest> remoteServer =
324         aidl::IBinderStabilityTest::fromBinder(binder);
325 
326     ASSERT_NE(nullptr, remoteServer.get());
327 
328     SpAIBinder comp = SpAIBinder(AIBinder_new(kNdkBadStableBinder, nullptr /*args*/));
329     EXPECT_TRUE(remoteServer->sendBinder(comp).isOk());
330     EXPECT_TRUE(remoteServer->sendAndCallBinder(comp).isOk());
331     EXPECT_TRUE(NdkBadStableBinder_getUserData(comp.get())->gotUserTransaction);
332 
333     SpAIBinder vendor = SpAIBinder(AIBinder_new(kNdkBadStableBinder, nullptr /*args*/));
334     AIBinder_markVendorStability(vendor.get());
335     EXPECT_TRUE(remoteServer->sendBinder(vendor).isOk());
336     EXPECT_FALSE(remoteServer->sendAndCallBinder(vendor).isOk());
337     EXPECT_FALSE(NdkBadStableBinder_getUserData(vendor.get())->gotUserTransaction);
338 }
339 
340 class MarksStabilityInConstructor : public BBinder {
341 public:
342     static bool gDestructed;
343 
MarksStabilityInConstructor()344     MarksStabilityInConstructor() {
345         Stability::markCompilationUnit(this);
346     }
~MarksStabilityInConstructor()347     ~MarksStabilityInConstructor() {
348         gDestructed = true;
349     }
350 };
351 bool MarksStabilityInConstructor::gDestructed = false;
352 
TEST(BinderStability,MarkingObjectNoDestructTest)353 TEST(BinderStability, MarkingObjectNoDestructTest) {
354     ASSERT_FALSE(MarksStabilityInConstructor::gDestructed);
355 
356     // best practice is to put this directly in an sp, but for this test, we
357     // want to explicitly check what happens before that happens
358     MarksStabilityInConstructor* binder = new MarksStabilityInConstructor();
359     ASSERT_FALSE(MarksStabilityInConstructor::gDestructed);
360 
361     sp<MarksStabilityInConstructor> binderSp = binder;
362     ASSERT_FALSE(MarksStabilityInConstructor::gDestructed);
363 
364     binderSp = nullptr;
365     ASSERT_TRUE(MarksStabilityInConstructor::gDestructed);
366 }
367 
TEST(BinderStability,RemarkDies)368 TEST(BinderStability, RemarkDies) {
369     ASSERT_DEATH({
370         sp<IBinder> binder = new BBinder();
371         Stability::markCompilationUnit(binder.get()); // <-- only called for tests
372         Stability::markVndk(binder.get()); // <-- only called for tests
373     }, "Should only mark known object.");
374 }
375 
main(int argc,char ** argv)376 int main(int argc, char** argv) {
377     ::testing::InitGoogleTest(&argc, argv);
378 
379     if (fork() == 0) {
380         // child process
381         prctl(PR_SET_PDEATHSIG, SIGHUP);
382 
383         sp<IBinder> server = new MyBinderStabilityTest;
384         android::defaultServiceManager()->addService(kSystemStabilityServer, server);
385 
386         IPCThreadState::self()->joinThreadPool(true);
387         exit(1);  // should not reach
388     }
389 
390     // This is not racey. Just giving these services some time to register before we call
391     // getService which sleeps for much longer...
392     usleep(10000);
393 
394     return RUN_ALL_TESTS();
395 }
396