Android's Binder inter-process communication mechanism is mainly used to implement remote procedure calls (RPC). For large blocks of data transfer between processes in the Android system, such as audio data, for efficiency and other reasons, the Binder mechanism is generally not used directly. The Binder library provides cross-process large block data transfer components based on shared memory plus the cross-process file descriptor transfer capability of the Binder mechanism. The overall structure of these components is as follows:
IMemoryHeap
IMemoryHeapThe class represents a large block of shared memory. This class is defined (located frameworks/native/libs/binder/include/binder/IMemory.h) as follows:
class IMemoryHeap : public IInterface
{
public:
DECLARE_META_INTERFACE(MemoryHeap)
// flags returned by getFlags()
enum {
READ_ONLY = 0x00000001
};
virtual int getHeapID() const = 0;
virtual void* getBase() const = 0;
virtual size_t getSize() const = 0;
virtual uint32_t getFlags() const = 0;
virtual off_t getOffset() const = 0;
// these are there just for backward source compatibility
int32_t heapID() const { return getHeapID(); }
void* base() const { return getBase(); }
size_t virtualSize() const { return getSize(); }
};
Shared memory blocks are mainly described by file descriptors, offsets, sizes and tags. The memory base address is the virtual memory address of the shared memory block after memory mapping in the current process.
MemoryHeapBaseClass can allocate and manage a large shared memory block on a device. This class is defined (located frameworks/native/libs/binder/include/binder/MemoryHeapBase.h) as follows:
namespace android {
// ---------------------------------------------------------------------------
class MemoryHeapBase : public virtual BnMemoryHeap
{
public:
enum {
READ_ONLY = IMemoryHeap::READ_ONLY,
// memory won't be mapped locally, but will be mapped in the remote
// process.
DONT_MAP_LOCALLY = 0x00000100,
NO_CACHING = 0x00000200
};
/*
* maps the memory referenced by fd. but DOESN'T take ownership
* of the filedescriptor (it makes a copy with dup()
*/
MemoryHeapBase(int fd, size_t size, uint32_t flags = 0, off_t offset = 0);
/*
* maps memory from the given device
*/
explicit MemoryHeapBase(const char* device, size_t size = 0, uint32_t flags = 0);
/*
* maps memory from ashmem, with the given name for debugging
* if the READ_ONLY flag is set, the memory will be writeable by the calling process,
* but not by others. this is NOT the case with the other ctors.
*/
explicit MemoryHeapBase(size_t size, uint32_t flags = 0, char const* name = nullptr);
virtual ~MemoryHeapBase();
/* implement IMemoryHeap interface */
int getHeapID() const override;
/* virtual address of the heap. returns MAP_FAILED in case of error */
void* getBase() const override;
size_t getSize() const override;
uint32_t getFlags() const override;
off_t getOffset() const override;
const char* getDevice() const;
/* this closes this heap -- use carefully */
void dispose();
protected:
MemoryHeapBase();
// init() takes ownership of fd
status_t init(int fd, void *base, size_t size,
int flags = 0, const char* device = nullptr);
private:
status_t mapfd(int fd, bool writeableByCaller, size_t size, off_t offset = 0);
int mFD;
size_t mSize;
void* mBase;
uint32_t mFlags;
const char* mDevice;
bool mNeedUnmap;
off_t mOffset;
};
// ---------------------------------------------------------------------------
} // namespace android
The specific device where the shared memory block is located can be described by the file system path of the device or the file descriptor opened by the device, or it can be allocated on the default device. MemoryHeapBaseThe implementation (located frameworks/native/libs/binder/MemoryHeapBase.cpp) of each member function of the class is as follows:
namespace android {
// ---------------------------------------------------------------------------
MemoryHeapBase::MemoryHeapBase()
: mFD(-1), mSize(0), mBase(MAP_FAILED),
mDevice(nullptr), mNeedUnmap(false), mOffset(0)
{
}
MemoryHeapBase::MemoryHeapBase(size_t size, uint32_t flags, char const * name)
: mFD(-1), mSize(0), mBase(MAP_FAILED), mFlags(flags),
mDevice(nullptr), mNeedUnmap(false), mOffset(0)
{
const size_t pagesize = getpagesize();
size = ((size + pagesize-1) & ~(pagesize-1));
int fd = ashmem_create_region(name == nullptr ? "MemoryHeapBase" : name, size);
ALOGE_IF(fd<0, "error creating ashmem region: %s", strerror(errno));
if (fd >= 0) {
if (mapfd(fd, true, size) == NO_ERROR) {
if (flags & READ_ONLY) {
ashmem_set_prot_region(fd, PROT_READ);
}
}
}
}
MemoryHeapBase::MemoryHeapBase(const char* device, size_t size, uint32_t flags)
: mFD(-1), mSize(0), mBase(MAP_FAILED), mFlags(flags),
mDevice(nullptr), mNeedUnmap(false), mOffset(0)
{
int open_flags = O_RDWR;
if (flags & NO_CACHING)
open_flags |= O_SYNC;
int fd = open(device, open_flags);
ALOGE_IF(fd<0, "error opening %s: %s", device, strerror(errno));
if (fd >= 0) {
const size_t pagesize = getpagesize();
size = ((size + pagesize-1) & ~(pagesize-1));
if (mapfd(fd, false, size) == NO_ERROR) {
mDevice = device;
}
}
}
MemoryHeapBase::MemoryHeapBase(int fd, size_t size, uint32_t flags, off_t offset)
: mFD(-1), mSize(0), mBase(MAP_FAILED), mFlags(flags),
mDevice(nullptr), mNeedUnmap(false), mOffset(0)
{
const size_t pagesize = getpagesize();
size = ((size + pagesize-1) & ~(pagesize-1));
mapfd(fcntl(fd, F_DUPFD_CLOEXEC, 0), false, size, offset);
}
status_t MemoryHeapBase::init(int fd, void *base, size_t size, int flags, const char* device)
{
if (mFD != -1) {
return INVALID_OPERATION;
}
mFD = fd;
mBase = base;
mSize = size;
mFlags = flags;
mDevice = device;
return NO_ERROR;
}
status_t MemoryHeapBase::mapfd(int fd, bool writeableByCaller, size_t size, off_t offset)
{
if (size == 0) {
// try to figure out the size automatically
struct stat sb;
if (fstat(fd, &sb) == 0) {
size = (size_t)sb.st_size;
// sb.st_size is off_t which on ILP32 may be 64 bits while size_t is 32 bits.
if ((off_t)size != sb.st_size) {
ALOGE("%s: size of file %lld cannot fit in memory",
__func__, (long long)sb.st_size);
return INVALID_OPERATION;
}
}
// if it didn't work, let mmap() fail.
}
if ((mFlags & DONT_MAP_LOCALLY) == 0) {
int prot = PROT_READ;
if (writeableByCaller || (mFlags & READ_ONLY) == 0) {
prot |= PROT_WRITE;
}
void* base = (uint8_t*)mmap(nullptr, size,
prot, MAP_SHARED, fd, offset);
if (base == MAP_FAILED) {
ALOGE("mmap(fd=%d, size=%zu) failed (%s)",
fd, size, strerror(errno));
close(fd);
return -errno;
}
//ALOGD("mmap(fd=%d, base=%p, size=%zu)", fd, base, size);
mBase = base;
mNeedUnmap = true;
} else {
mBase = nullptr; // not MAP_FAILED
mNeedUnmap = false;
}
mFD = fd;
mSize = size;
mOffset = offset;
return NO_ERROR;
}
MemoryHeapBase::~MemoryHeapBase()
{
dispose();
}
void MemoryHeapBase::dispose()
{
int fd = android_atomic_or(-1, &mFD);
if (fd >= 0) {
if (mNeedUnmap) {
//ALOGD("munmap(fd=%d, base=%p, size=%zu)", fd, mBase, mSize);
munmap(mBase, mSize);
}
mBase = nullptr;
mSize = 0;
close(fd);
}
}
int MemoryHeapBase::getHeapID() const {
return mFD;
}
void* MemoryHeapBase::getBase() const {
return mBase;
}
size_t MemoryHeapBase::getSize() const {
return mSize;
}
uint32_t MemoryHeapBase::getFlags() const {
return mFlags;
}
const char* MemoryHeapBase::getDevice() const {
return mDevice;
}
off_t MemoryHeapBase::getOffset() const {
return mOffset;
}
// ---------------------------------------------------------------------------
} // namespace android
When constructing MemoryHeapBasea class object, if you do not provide the file system path of the device or the file descriptor opened by the device, a shared memory block will be created on the default device, and the shared memory block size will be adjusted to an integer aligned upward to the memory page size times. MemoryHeapBaseThe class calls ashmem_create_region()the function to create a shared memory block on the default device and obtains the corresponding file descriptor. This function is defined (located system/core/libcutils/ashmem-dev.cpp) as follows:
#define F_SEAL_FUTURE_WRITE 0x0010
/*
* The minimum vendor API level at and after which it is safe to use memfd.
* This is to facilitate deprecation of ashmem.
*/
#define MIN_MEMFD_VENDOR_API_LEVEL 29
#define MIN_MEMFD_VENDOR_API_LEVEL_CHAR 'Q'
/* ashmem identity */
static dev_t __ashmem_rdev;
/*
* If we trigger a signal handler in the middle of locked activity and the
* signal handler calls ashmem, we could get into a deadlock state.
*/
static pthread_mutex_t __ashmem_lock = PTHREAD_MUTEX_INITIALIZER;
/*
* has_memfd_support() determines if the device can use memfd. memfd support
* has been there for long time, but certain things in it may be missing. We
* check for needed support in it. Also we check if the VNDK version of
* libcutils being used is new enough, if its not, then we cannot use memfd
* since the older copies may be using ashmem so we just use ashmem. Once all
* Android devices that are getting updates are new enough (ex, they were
* originally shipped with Android release > P), then we can just use memfd and
* delete all ashmem code from libcutils (while preserving the interface).
*
* NOTE:
* The sys.use_memfd property is set by default to false in Android
* to temporarily disable memfd, till vendor and apps are ready for it.
* The main issue: either apps or vendor processes can directly make ashmem
* IOCTLs on FDs they receive by assuming they are ashmem, without going
* through libcutils. Such fds could have very well be originally created with
* libcutils hence they could be memfd. Thus the IOCTLs will break.
*
* Set default value of sys.use_memfd property to true once the issue is
* resolved, so that the code can then self-detect if kernel support is present
* on the device. The property can also set to true from adb shell, for
* debugging.
*/
static bool debug_log = false; /* set to true for verbose logging and other debug */
static bool pin_deprecation_warn = true; /* Log the pin deprecation warning only once */
/* Determine if vendor processes would be ok with memfd in the system:
*
* If VNDK is using older libcutils, don't use memfd. This is so that the
* same shared memory mechanism is used across binder transactions between
* vendor partition processes and system partition processes.
*/
static bool check_vendor_memfd_allowed() {
std::string vndk_version = android::base::GetProperty("ro.vndk.version", "");
if (vndk_version == "") {
ALOGE("memfd: ro.vndk.version not defined or invalid (%s), this is mandated since P.\n",
vndk_version.c_str());
return false;
}
/* No issues if vendor is targetting current Dessert */
if (vndk_version == "current") {
return false;
}
/* Check if VNDK version is a number and act on it */
char* p;
long int vers = strtol(vndk_version.c_str(), &p, 10);
if (*p == 0) {
if (vers < MIN_MEMFD_VENDOR_API_LEVEL) {
ALOGI("memfd: device VNDK version (%s) is < Q so using ashmem.\n",
vndk_version.c_str());
return false;
}
return true;
}
// Non-numeric should be a single ASCII character. Characters after the
// first are ignored.
if (tolower(vndk_version[0]) < 'a' || tolower(vndk_version[0]) > 'z') {
ALOGE("memfd: ro.vndk.version not defined or invalid (%s), this is mandated since P.\n",
vndk_version.c_str());
return false;
}
if (tolower(vndk_version[0]) < tolower(MIN_MEMFD_VENDOR_API_LEVEL_CHAR)) {
ALOGI("memfd: device is using VNDK version (%s) which is less than Q. Use ashmem only.\n",
vndk_version.c_str());
return false;
}
return true;
}
/* Determine if memfd can be supported. This is just one-time hardwork
* which will be cached by the caller.
*/
static bool __has_memfd_support() {
if (check_vendor_memfd_allowed() == false) {
return false;
}
/* Used to turn on/off the detection at runtime, in the future this
* property will be removed once we switch everything over to ashmem.
* Currently it is used only for debugging to switch the system over.
*/
if (!android::base::GetBoolProperty("sys.use_memfd", false)) {
if (debug_log) {
ALOGD("sys.use_memfd=false so memfd disabled\n");
}
return false;
}
// Check if kernel support exists, otherwise fall back to ashmem.
// This code needs to build on old API levels, so we can't use the libc
// wrapper.
android::base::unique_fd fd(
syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_ALLOW_SEALING));
if (fd == -1) {
ALOGE("memfd_create failed: %s, no memfd support.\n", strerror(errno));
return false;
}
if (fcntl(fd, F_ADD_SEALS, F_SEAL_FUTURE_WRITE) == -1) {
ALOGE("fcntl(F_ADD_SEALS) failed: %s, no memfd support.\n", strerror(errno));
return false;
}
if (debug_log) {
ALOGD("memfd: device has memfd support, using it\n");
}
return true;
}
static bool has_memfd_support() {
/* memfd_supported is the initial global per-process state of what is known
* about memfd.
*/
static bool memfd_supported = __has_memfd_support();
return memfd_supported;
}
static std::string get_ashmem_device_path() {
static const std::string boot_id_path = "/proc/sys/kernel/random/boot_id";
std::string boot_id;
if (!android::base::ReadFileToString(boot_id_path, &boot_id)) {
ALOGE("Failed to read %s: %s.\n", boot_id_path.c_str(), strerror(errno));
return "";
};
boot_id = android::base::Trim(boot_id);
return "/dev/ashmem" + boot_id;
}
/* logistics of getting file descriptor for ashmem */
static int __ashmem_open_locked()
{
static const std::string ashmem_device_path = get_ashmem_device_path();
if (ashmem_device_path.empty()) {
return -1;
}
int fd = TEMP_FAILURE_RETRY(open(ashmem_device_path.c_str(), O_RDWR | O_CLOEXEC));
// fallback for APEX w/ use_vendor on Q, which would have still used /dev/ashmem
if (fd < 0) {
int saved_errno = errno;
fd = TEMP_FAILURE_RETRY(open("/dev/ashmem", O_RDWR | O_CLOEXEC));
if (fd < 0) {
/* Q launching devices and newer must not reach here since they should have been
* able to open ashmem_device_path */
ALOGE("Unable to open ashmem device %s (error = %s) and /dev/ashmem(error = %s)",
ashmem_device_path.c_str(), strerror(saved_errno), strerror(errno));
return fd;
}
}
struct stat st;
int ret = TEMP_FAILURE_RETRY(fstat(fd, &st));
if (ret < 0) {
int save_errno = errno;
close(fd);
errno = save_errno;
return ret;
}
if (!S_ISCHR(st.st_mode) || !st.st_rdev) {
close(fd);
errno = ENOTTY;
return -1;
}
__ashmem_rdev = st.st_rdev;
return fd;
}
static int __ashmem_open()
{
int fd;
pthread_mutex_lock(&__ashmem_lock);
fd = __ashmem_open_locked();
pthread_mutex_unlock(&__ashmem_lock);
return fd;
}
. . . . . .
static int memfd_create_region(const char* name, size_t size) {
// This code needs to build on old API levels, so we can't use the libc
// wrapper.
android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING));
if (fd == -1) {
ALOGE("memfd_create(%s, %zd) failed: %s\n", name, size, strerror(errno));
return -1;
}
if (ftruncate(fd, size) == -1) {
ALOGE("ftruncate(%s, %zd) failed for memfd creation: %s\n", name, size, strerror(errno));
return -1;
}
if (debug_log) {
ALOGE("memfd_create(%s, %zd) success. fd=%d\n", name, size, fd.get());
}
return fd.release();
}
/*
* ashmem_create_region - creates a new ashmem region and returns the file
* descriptor, or <0 on error
*
* `name' is an optional label to give the region (visible in /proc/pid/maps)
* `size' is the size of the region, in page-aligned bytes
*/
int ashmem_create_region(const char *name, size_t size)
{
int ret, save_errno;
if (has_memfd_support()) {
return memfd_create_region(name ? name : "none", size);
}
int fd = __ashmem_open();
if (fd < 0) {
return fd;
}
if (name) {
char buf[ASHMEM_NAME_LEN] = {0};
strlcpy(buf, name, sizeof(buf));
ret = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_NAME, buf));
if (ret < 0) {
goto error;
}
}
ret = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_SIZE, size));
if (ret < 0) {
goto error;
}
return fd;
error:
save_errno = errno;
close(fd);
errno = save_errno;
return ret;
}
ashmem_create_region()The function first checks whether the system supports memfd, and if so, creates a shared memory block through the memfd mechanism. The method to determine whether the system supports the memfd mechanism is to first check the VNDK version obtained from the system property ro.vndk.version . If the version cannot be obtained or the version is lower than Android Q, it is considered not supported, otherwise continue to check; check the system property sys .use_memfd , if it cannot be obtained or the value is false, it is considered not supported, otherwise it continues to check; call memfd_createthe system call, if the call fails, it is considered not supported, otherwise it continues to check; try to set the file descriptor F_ADD_SEALS, if it fails, it is considered not supported ; Otherwise, it is considered that the memfd mechanism is supported.
When the system does not support the memfd mechanism, Android's anonymous memory sharing mechanism is used to create shared memory blocks. The specific method is to open the anonymous shared memory device file, set the name, and set the size. The path to the anonymous shared memory device file will be tried first /dev/ashmem$boot_id. If this path does not exist, it will be tried /dev/ashmem.
MemoryHeapBaseIn the class, ashmem_create_region()after calling the function to create a shared memory block on the default device, memory map it to the current process and set the protected mode for it.
When constructing MemoryHeapBasethe class object, if the file system path of the device is provided, the shared memory block size is also adjusted upward to an integral multiple of the memory page size, the device file is opened, and it is memory mapped into the current process.
When constructing MemoryHeapBasethe class object, if the file descriptor opened by the device is provided, it will be directly memory mapped into the current process.
In the class inheritance hierarchy, the class located between MemoryHeapBaseand is mainly used for cross-process transfer of shared memory block information. This class is defined (located ) as follows:IMemoryHeapBnMemoryHeapframeworks/native/libs/binder/include/binder/IMemory.h
class BnMemoryHeap : public BnInterface<IMemoryHeap>
{
public:
// NOLINTNEXTLINE(google-default-arguments)
virtual status_t onTransact(
uint32_t code,
const Parcel& data,
Parcel* reply,
uint32_t flags = 0);
BnMemoryHeap();
protected:
virtual ~BnMemoryHeap();
};
BnMemoryHeapA class has only onTransact()one main member function. BnMemoryHeapThe implementation (located frameworks/native/libs/binder/IMemory.cpp) of each member function of the class is as follows:
IMPLEMENT_META_INTERFACE(MemoryHeap, "android.utils.IMemoryHeap")
BnMemoryHeap::BnMemoryHeap() {
}
BnMemoryHeap::~BnMemoryHeap() {
}
// NOLINTNEXTLINE(google-default-arguments)
status_t BnMemoryHeap::onTransact(
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
switch(code) {
case HEAP_ID: {
CHECK_INTERFACE(IMemoryHeap, data, reply);
reply->writeFileDescriptor(getHeapID());
reply->writeUint64(getSize());
reply->writeInt64(getOffset());
reply->writeUint32(getFlags());
return NO_ERROR;
} break;
default:
return BBinder::onTransact(code, data, reply, flags);
}
}
BnMemoryHeapThe / MemoryHeapBaseobject is a Binder service similar to the ActivityManagerServiceand AudioPolicyServiceobject, except that the service content it provides is relatively simple and can only return information about shared memory blocks.
BpMemoryHeapThe class is the client of the BnMemoryHeap/ binder service. It implements the interface and encapsulates the client handle of the / binder service. This class is defined (located ) as follows:MemoryHeapBaseIMemoryHeapBnMemoryHeapMemoryHeapBaseframeworks/native/libs/binder/IMemory.cpp
enum {
HEAP_ID = IBinder::FIRST_CALL_TRANSACTION
};
class BpMemoryHeap : public BpInterface<IMemoryHeap>
{
public:
explicit BpMemoryHeap(const sp<IBinder>& impl);
virtual ~BpMemoryHeap();
int getHeapID() const override;
void* getBase() const override;
size_t getSize() const override;
uint32_t getFlags() const override;
off_t getOffset() const override;
private:
friend class IMemory;
friend class HeapCache;
// for debugging in this module
static inline sp<IMemoryHeap> find_heap(const sp<IBinder>& binder) {
return gHeapCache->find_heap(binder);
}
static inline void free_heap(const sp<IBinder>& binder) {
gHeapCache->free_heap(binder);
}
static inline sp<IMemoryHeap> get_heap(const sp<IBinder>& binder) {
return gHeapCache->get_heap(binder);
}
static inline void dump_heaps() {
gHeapCache->dump_heaps();
}
void assertMapped() const;
void assertReallyMapped() const;
mutable std::atomic<int32_t> mHeapId;
mutable void* mBase;
mutable size_t mSize;
mutable uint32_t mFlags;
mutable off_t mOffset;
mutable bool mRealHeap;
mutable Mutex mLock;
};
BpMemoryHeapThe class sends a request to obtain the file description, size, offset, and tag information of the shared memory block, and maps the shared memory block to the current process. BpMemoryHeapThe implementation (located frameworks/native/libs/binder/IMemory.cpp) of each member function of the class is as follows:
BpMemoryHeap::BpMemoryHeap(const sp<IBinder>& impl)
: BpInterface<IMemoryHeap>(impl),
mHeapId(-1), mBase(MAP_FAILED), mSize(0), mFlags(0), mOffset(0), mRealHeap(false)
{
}
BpMemoryHeap::~BpMemoryHeap() {
int32_t heapId = mHeapId.load(memory_order_relaxed);
if (heapId != -1) {
close(heapId);
if (mRealHeap) {
// by construction we're the last one
if (mBase != MAP_FAILED) {
sp<IBinder> binder = IInterface::asBinder(this);
if (VERBOSE) {
ALOGD("UNMAPPING binder=%p, heap=%p, size=%zu, fd=%d",
binder.get(), this, mSize, heapId);
}
munmap(mBase, mSize);
}
} else {
// remove from list only if it was mapped before
sp<IBinder> binder = IInterface::asBinder(this);
free_heap(binder);
}
}
}
void BpMemoryHeap::assertMapped() const
{
int32_t heapId = mHeapId.load(memory_order_acquire);
if (heapId == -1) {
sp<IBinder> binder(IInterface::asBinder(const_cast<BpMemoryHeap*>(this)));
sp<BpMemoryHeap> heap = sp<BpMemoryHeap>::cast(find_heap(binder));
heap->assertReallyMapped();
if (heap->mBase != MAP_FAILED) {
Mutex::Autolock _l(mLock);
if (mHeapId.load(memory_order_relaxed) == -1) {
mBase = heap->mBase;
mSize = heap->mSize;
mOffset = heap->mOffset;
int fd = fcntl(heap->mHeapId.load(memory_order_relaxed), F_DUPFD_CLOEXEC, 0);
ALOGE_IF(fd==-1, "cannot dup fd=%d",
heap->mHeapId.load(memory_order_relaxed));
mHeapId.store(fd, memory_order_release);
}
} else {
// something went wrong
free_heap(binder);
}
}
}
void BpMemoryHeap::assertReallyMapped() const
{
int32_t heapId = mHeapId.load(memory_order_acquire);
if (heapId == -1) {
// remote call without mLock held, worse case scenario, we end up
// calling transact() from multiple threads, but that's not a problem,
// only mmap below must be in the critical section.
Parcel data, reply;
data.writeInterfaceToken(IMemoryHeap::getInterfaceDescriptor());
status_t err = remote()->transact(HEAP_ID, data, &reply);
int parcel_fd = reply.readFileDescriptor();
const uint64_t size64 = reply.readUint64();
const int64_t offset64 = reply.readInt64();
const uint32_t flags = reply.readUint32();
const size_t size = (size_t)size64;
const off_t offset = (off_t)offset64;
if (err != NO_ERROR || // failed transaction
size != size64 || offset != offset64) { // ILP32 size check
ALOGE("binder=%p transaction failed fd=%d, size=%zu, err=%d (%s)",
IInterface::asBinder(this).get(),
parcel_fd, size, err, strerror(-err));
return;
}
Mutex::Autolock _l(mLock);
if (mHeapId.load(memory_order_relaxed) == -1) {
int fd = fcntl(parcel_fd, F_DUPFD_CLOEXEC, 0);
ALOGE_IF(fd == -1, "cannot dup fd=%d, size=%zu, err=%d (%s)",
parcel_fd, size, err, strerror(errno));
int access = PROT_READ;
if (!(flags & READ_ONLY)) {
access |= PROT_WRITE;
}
mRealHeap = true;
mBase = mmap(nullptr, size, access, MAP_SHARED, fd, offset);
if (mBase == MAP_FAILED) {
ALOGE("cannot map BpMemoryHeap (binder=%p), size=%zu, fd=%d (%s)",
IInterface::asBinder(this).get(), size, fd, strerror(errno));
close(fd);
} else {
mSize = size;
mFlags = flags;
mOffset = offset;
mHeapId.store(fd, memory_order_release);
}
}
}
}
int BpMemoryHeap::getHeapID() const {
assertMapped();
// We either stored mHeapId ourselves, or loaded it with acquire semantics.
return mHeapId.load(memory_order_relaxed);
}
void* BpMemoryHeap::getBase() const {
assertMapped();
return mBase;
}
size_t BpMemoryHeap::getSize() const {
assertMapped();
return mSize;
}
uint32_t BpMemoryHeap::getFlags() const {
assertMapped();
return mFlags;
}
off_t BpMemoryHeap::getOffset() const {
assertMapped();
return mOffset;
}
BpMemoryHeapThe class is created based on the client handle of the BnMemoryHeap/ MemoryHeapBasebinder service. When its interface member functions are called, they assertMapped()ensure that the shared memory block has been mapped into the current process. assertMapped()The function sends a request to the server, obtains the information of the shared memory block, maps the shared memory block into the current process, and HeapCachesaves the related information of the shared memory block in .
IMemory
IMemoryIMemoryHeapThe class represents a small piece of memory allocated from a large shared memory block, i.e. , this class is defined (located frameworks/native/libs/binder/include/binder/IMemory.h) as follows:
class IMemory : public IInterface
{
public:
DECLARE_META_INTERFACE(Memory)
// NOLINTNEXTLINE(google-default-arguments)
virtual sp<IMemoryHeap> getMemory(ssize_t* offset=nullptr, size_t* size=nullptr) const = 0;
// helpers
// Accessing the underlying pointer must be done with caution, as there are
// some inherent security risks associated with it. When receiving an
// IMemory from an untrusted process, there is currently no way to guarantee
// that this process would't change the content after the fact. This may
// lead to TOC/TOU class of security bugs. In most cases, when performance
// is not an issue, the recommended practice is to immediately copy the
// buffer upon reception, then work with the copy, e.g.:
//
// std::string private_copy(mem.size(), '\0');
// memcpy(private_copy.data(), mem.unsecurePointer(), mem.size());
//
// In cases where performance is an issue, this matter must be addressed on
// an ad-hoc basis.
void* unsecurePointer() const;
size_t size() const;
ssize_t offset() const;
private:
// These are now deprecated and are left here for backward-compatibility
// with prebuilts that may reference these symbol at runtime.
// Instead, new code should use unsecurePointer()/unsecureFastPointer(),
// which do the same thing, but make it more obvious that there are some
// security-related pitfalls associated with them.
void* pointer() const;
void* fastPointer(const sp<IBinder>& heap, ssize_t offset) const;
};
IMemoryHeapClass-managed memory can generally be considered unstructured, IMemorywhile managed memory is generally used to create certain structures. IMemoryThe definitions (located frameworks/native/libs/binder/IMemory.cpp) of each member function of the class are as follows:
void* IMemory::fastPointer(const sp<IBinder>& binder, ssize_t offset) const
{
sp<IMemoryHeap> realHeap = BpMemoryHeap::get_heap(binder);
void* const base = realHeap->base();
if (base == MAP_FAILED)
return nullptr;
return static_cast<char*>(base) + offset;
}
void* IMemory::unsecurePointer() const {
ssize_t offset;
sp<IMemoryHeap> heap = getMemory(&offset);
void* const base = heap!=nullptr ? heap->base() : MAP_FAILED;
if (base == MAP_FAILED)
return nullptr;
return static_cast<char*>(base) + offset;
}
void* IMemory::pointer() const { return unsecurePointer(); }
size_t IMemory::size() const {
size_t size;
getMemory(nullptr, &size);
return size;
}
ssize_t IMemory::offset() const {
ssize_t offset;
getMemory(&offset);
return offset;
}
IMemoryThe class mainly obtains information related to a specific small piece of memory from its subclass, including the shared memory block where this memory is located IMemoryHeap, as well as the offset and size, and can return the base address of this small piece of memory for reading and writing.
MemoryBaseThe class maintains information related to a specific small piece of memory. The definition of this class (located in frameworks/native/libs/binder/include/binder/MemoryBase.h) is as follows:
class MemoryBase : public BnMemory
{
public:
MemoryBase(const sp<IMemoryHeap>& heap, ssize_t offset, size_t size);
virtual ~MemoryBase();
virtual sp<IMemoryHeap> getMemory(ssize_t* offset, size_t* size) const;
protected:
size_t getSize() const { return mSize; }
ssize_t getOffset() const { return mOffset; }
const sp<IMemoryHeap>& getHeap() const { return mHeap; }
private:
size_t mSize;
ssize_t mOffset;
sp<IMemoryHeap> mHeap;
};
The implementation (located) of each member function of this class frameworks/native/libs/binder/MemoryBase.cppis as follows:
MemoryBase::MemoryBase(const sp<IMemoryHeap>& heap,
ssize_t offset, size_t size)
: mSize(size), mOffset(offset), mHeap(heap)
{
}
sp<IMemoryHeap> MemoryBase::getMemory(ssize_t* offset, size_t* size) const
{
if (offset) *offset = mOffset;
if (size) *size = mSize;
return mHeap;
}
MemoryBase::~MemoryBase()
{
}
MemoryBaseAll information related to a specific small piece of memory maintained by the class is passed in the constructor.
In the class inheritance hierarchy, the class located between MemoryBaseand is mainly used for cross-process transfer of a small shared memory block information. This class is defined (located ) as follows:IMemoryBnMemoryframeworks/native/libs/binder/include/binder/IMemory.h
class BnMemory : public BnInterface<IMemory>
{
public:
// NOLINTNEXTLINE(google-default-arguments)
virtual status_t onTransact(
uint32_t code,
const Parcel& data,
Parcel* reply,
uint32_t flags = 0);
BnMemory();
protected:
virtual ~BnMemory();
};
Similar to BnMemoryHeapclasses, BnMemoryclasses have only onTransact()one main member function. BnMemoryThe implementation (located frameworks/native/libs/binder/IMemory.cpp) of each member function of the class is as follows:
IMPLEMENT_META_INTERFACE(Memory, "android.utils.IMemory")
BnMemory::BnMemory() {
}
BnMemory::~BnMemory() {
}
// NOLINTNEXTLINE(google-default-arguments)
status_t BnMemory::onTransact(
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags)
{
switch(code) {
case GET_MEMORY: {
CHECK_INTERFACE(IMemory, data, reply);
ssize_t offset;
size_t size;
reply->writeStrongBinder( IInterface::asBinder(getMemory(&offset, &size)) );
reply->writeInt64(offset);
reply->writeUint64(size);
return NO_ERROR;
} break;
default:
return BBinder::onTransact(code, data, reply, flags);
}
}
BnMemory/ MemoryBaseObject is also a Binder service, which can only return a small piece of shared memory block-related information, mainly an IMemoryHeapobject, as well as offset and size.
BnMemoryMemoryBaseThe client of the / binder service is BpMemory, which implements IMemorythe interface and encapsulates the client handle of the BnMemory/ binder service. This class is defined (located ) as follows:MemoryBaseframeworks/native/libs/binder/IMemory.cpp
class BpMemory : public BpInterface<IMemory>
{
public:
explicit BpMemory(const sp<IBinder>& impl);
virtual ~BpMemory();
// NOLINTNEXTLINE(google-default-arguments)
virtual sp<IMemoryHeap> getMemory(ssize_t* offset=nullptr, size_t* size=nullptr) const;
private:
mutable sp<IMemoryHeap> mHeap;
mutable ssize_t mOffset;
mutable size_t mSize;
};
Similar MemoryBaseto , BpMemoryit manages a small shared memory block, except that the relevant information about the small shared memory block it manages is obtained by requesting the BnMemory/ binder service, the most important of which is . The implementation (located ) of each member function of the class is as follows:MemoryBaseIMemoryHeapBpMemoryframeworks/native/libs/binder/IMemory.cpp
BpMemory::BpMemory(const sp<IBinder>& impl)
: BpInterface<IMemory>(impl), mOffset(0), mSize(0)
{
}
BpMemory::~BpMemory()
{
}
// NOLINTNEXTLINE(google-default-arguments)
sp<IMemoryHeap> BpMemory::getMemory(ssize_t* offset, size_t* size) const
{
if (mHeap == nullptr) {
Parcel data, reply;
data.writeInterfaceToken(IMemory::getInterfaceDescriptor());
if (remote()->transact(GET_MEMORY, data, &reply) == NO_ERROR) {
sp<IBinder> heap = reply.readStrongBinder();
if (heap != nullptr) {
mHeap = interface_cast<IMemoryHeap>(heap);
if (mHeap != nullptr) {
const int64_t offset64 = reply.readInt64();
const uint64_t size64 = reply.readUint64();
const ssize_t o = (ssize_t)offset64;
const size_t s = (size_t)size64;
size_t heapSize = mHeap->getSize();
if (s == size64 && o == offset64 // ILP32 bounds check
&& s <= heapSize
&& o >= 0
&& (static_cast<size_t>(o) <= heapSize - s)) {
mOffset = o;
mSize = s;
} else {
// Hm.
android_errorWriteWithInfoLog(0x534e4554,
"26877992", -1, nullptr, 0);
mOffset = 0;
mSize = 0;
}
}
}
}
}
if (offset) *offset = mOffset;
if (size) *size = mSize;
return (mSize > 0) ? mHeap : nullptr;
}
In the function BpMemoryof the class getMemory(), the request BnMemory/ MemoryBasebinder service obtains BnMemoryHeapthe client handle of the object, creates BpMemoryHeapthe object based on the handle, and obtains the size and offset.
HeapCacheThis class is used to cache the mapping information of a piece of shared memory in the current process, that is , multiple client proxy objects can be created for the same BnMemoryHeap/ binder service in a certain process to help the process perform memory mapping of the shared memory block only once. The class definition (located ) is as follows:MemoryHeapBaseBpMemoryHeapHeapCacheHeapCacheframeworks/native/libs/binder/IMemory.cpp
class HeapCache : public IBinder::DeathRecipient
{
public:
HeapCache();
virtual ~HeapCache();
virtual void binderDied(const wp<IBinder>& who);
sp<IMemoryHeap> find_heap(const sp<IBinder>& binder);
void free_heap(const sp<IBinder>& binder);
sp<IMemoryHeap> get_heap(const sp<IBinder>& binder);
void dump_heaps();
private:
// For IMemory.cpp
struct heap_info_t {
sp<IMemoryHeap> heap;
int32_t count;
// Note that this cannot be meaningfully copied.
};
void free_heap(const wp<IBinder>& binder);
Mutex mHeapCacheLock; // Protects entire vector below.
KeyedVector< wp<IBinder>, heap_info_t > mHeapCache;
// We do not use the copy-on-write capabilities of KeyedVector.
// TODO: Reimplemement based on standard C++ container?
};
static sp<HeapCache> gHeapCache = sp<HeapCache>::make();
HeapCacheThe cache has wp<IBinder>as key, shared memory block information heap_info_tas value, and heap_info_tonly contains BpMemoryHeapand reference count. HeapCacheThe implementation (located frameworks/native/libs/binder/IMemory.cpp) of each member function of the class is as follows:
HeapCache::HeapCache()
: DeathRecipient()
{
}
HeapCache::~HeapCache()
{
}
void HeapCache::binderDied(const wp<IBinder>& binder)
{
//ALOGD("binderDied binder=%p", binder.unsafe_get());
free_heap(binder);
}
sp<IMemoryHeap> HeapCache::find_heap(const sp<IBinder>& binder)
{
Mutex::Autolock _l(mHeapCacheLock);
ssize_t i = mHeapCache.indexOfKey(binder);
if (i>=0) {
heap_info_t& info = mHeapCache.editValueAt(i);
ALOGD_IF(VERBOSE,
"found binder=%p, heap=%p, size=%zu, fd=%d, count=%d",
binder.get(), info.heap.get(),
static_cast<BpMemoryHeap*>(info.heap.get())->mSize,
static_cast<BpMemoryHeap*>(info.heap.get())
->mHeapId.load(memory_order_relaxed),
info.count);
++info.count;
return info.heap;
} else {
heap_info_t info;
info.heap = interface_cast<IMemoryHeap>(binder);
info.count = 1;
//ALOGD("adding binder=%p, heap=%p, count=%d",
// binder.get(), info.heap.get(), info.count);
mHeapCache.add(binder, info);
return info.heap;
}
}
void HeapCache::free_heap(const sp<IBinder>& binder) {
free_heap( wp<IBinder>(binder) );
}
void HeapCache::free_heap(const wp<IBinder>& binder)
{
sp<IMemoryHeap> rel;
{
Mutex::Autolock _l(mHeapCacheLock);
ssize_t i = mHeapCache.indexOfKey(binder);
if (i>=0) {
heap_info_t& info(mHeapCache.editValueAt(i));
if (--info.count == 0) {
ALOGD_IF(VERBOSE,
"removing binder=%p, heap=%p, size=%zu, fd=%d, count=%d",
binder.unsafe_get(), info.heap.get(),
static_cast<BpMemoryHeap*>(info.heap.get())->mSize,
static_cast<BpMemoryHeap*>(info.heap.get())
->mHeapId.load(memory_order_relaxed),
info.count);
rel = mHeapCache.valueAt(i).heap;
mHeapCache.removeItemsAt(i);
}
} else {
ALOGE("free_heap binder=%p not found!!!", binder.unsafe_get());
}
}
}
sp<IMemoryHeap> HeapCache::get_heap(const sp<IBinder>& binder)
{
sp<IMemoryHeap> realHeap;
Mutex::Autolock _l(mHeapCacheLock);
ssize_t i = mHeapCache.indexOfKey(binder);
if (i>=0) realHeap = mHeapCache.valueAt(i).heap;
else realHeap = interface_cast<IMemoryHeap>(binder);
return realHeap;
}
For a particular BnMemoryHeap/ binder service, no matter how many client proxy objects MemoryHeapBaseare created for it in a process , only the one in the cache actually performs the memory mapping of the shared memory block in the current process, and only its fields are .BpMemoryHeapHeapCachemRealHeaptrue
HeapCacheThe process of putting shared memory block information into the cache is roughly as follows :
BpMemoryClass object creation;BpMemoryThe function of the class objectgetMemory()is called;BpMemoryThe function of the class objectgetMemory()requestsBnMemorythe /MemoryBasebinder service and obtains the client handle of theBnMemoryHeap/ binder service;MemoryHeapBaseBpMemoryThe function of class objectgetMemory()creates anBpMemoryHeapobject;BpMemoryHeapThe interface function of the object is called, and the interface function callassertMapped()function ensures the mapping of the shared memory block in the current process;assertMapped()The function queriesHeapCachethe cache. If the shared memory block information corresponding to the keyheap_info_tdoes not exist, anotherBpMemoryHeapobject is created and placed in the cache. Of course, as seen earlier,assertMapped()the function will also request the objectHeapCachein the cacheBpMemoryHeapto execute the shared memory block in the cache. Mapping in the current process and copies the shared memory block size, offset, memory base address, and file descriptor to the current object.
The cache is also consulted when it is necessary to quickly obtain the base address of a small block of shared memory from an sp<IBinder>object and offset HeapCache, as IMemory::fastPointer()seen in .
BpMemoryHeapThe destruction of objects can be seen as the destruction of two types of objects. One is the destruction of objects HeapCachein the cache BpMemoryHeap, in which case the mapping will be unmapped; the other is the destruction of other objects BpMemoryHeap, in which case an attempt will be made to release the objects HeapCachein the cache , and the cache will Reduce the reference count of the object. When the reference count is reduced to 0, the object in the cache will be destroyed .BpMemoryHeapHeapCacheBpMemoryHeapHeapCacheBpMemoryHeap
MemoryDealer
MemoryDealerThe class implements a memory management system that creates a shared memory block and allocates a small piece of shared memory from this shared memory block. The shared memory block is described by and the small piece of shared memory is described IMemoryHeapby IMemory.
MemoryDealerThe class definition (located frameworks/native/libs/binder/include/binder/MemoryDealer.h) is as follows:
class MemoryDealer : public RefBase
{
public:
explicit MemoryDealer(size_t size, const char* name = nullptr,
uint32_t flags = 0 /* or bits such as MemoryHeapBase::READ_ONLY */ );
virtual sp<IMemory> allocate(size_t size);
virtual void deallocate(size_t offset);
virtual void dump(const char* what) const;
// allocations are aligned to some value. return that value so clients can account for it.
static size_t getAllocationAlignment();
sp<IMemoryHeap> getMemoryHeap() const { return heap(); }
protected:
virtual ~MemoryDealer();
private:
const sp<IMemoryHeap>& heap() const;
SimpleBestFitAllocator* allocator() const;
sp<IMemoryHeap> mHeap;
SimpleBestFitAllocator* mAllocator;
};
MemoryDealerThe implementation (located frameworks/native/libs/binder/MemoryDealer.cpp) of each member function of the class is as follows:
MemoryDealer::MemoryDealer(size_t size, const char* name, uint32_t flags)
: mHeap(sp<MemoryHeapBase>::make(size, flags, name)),
mAllocator(new SimpleBestFitAllocator(size)) {}
MemoryDealer::~MemoryDealer()
{
delete mAllocator;
}
sp<IMemory> MemoryDealer::allocate(size_t size)
{
sp<IMemory> memory;
const ssize_t offset = allocator()->allocate(size);
if (offset >= 0) {
memory = sp<Allocation>::make(sp<MemoryDealer>::fromExisting(this), heap(), offset, size);
}
return memory;
}
void MemoryDealer::deallocate(size_t offset)
{
allocator()->deallocate(offset);
}
void MemoryDealer::dump(const char* what) const
{
allocator()->dump(what);
}
const sp<IMemoryHeap>& MemoryDealer::heap() const {
return mHeap;
}
SimpleBestFitAllocator* MemoryDealer::allocator() const {
return mAllocator;
}
// static
size_t MemoryDealer::getAllocationAlignment()
{
return SimpleBestFitAllocator::getAllocationAlignment();
}
MemoryDealerClass-managed memory is created in its constructor. In implementations, the memory allocation interface MemoryDealerused as the memory allocation algorithm returns the offset of allocated memory. A small piece of shared memory allocated by a class is actually represented by the class. Inherited from , relative to , it adds the action of automatically requesting to release memory during destruction .SimpleBestFitAllocatorSimpleBestFitAllocatorMemoryDealerAllocationAllocationMemoryBaseMemoryBaseMemoryDealer
Corresponding to the dynamic memory allocation system of C language, MemoryHeapBaseit can be regarded as malloc()/ free()manages all the memory, and MemoryBasecan be regarded as malloc()a small allocated memory block returned. AllocationThe role is somewhat similar std::unique_ptr, and SimpleBestFitAllocatorcan be regarded as malloc()/ free()used in implementation. Memory allocation and deallocation algorithm, which implements an optimal size adaptation algorithm.
Cross-process transfer of audio data in Android
In android::AudioTrackthe implementation of , the transfer of shared memory block information is not achieved by passing the MemoryHeapBaseand objects, but by passing the object.MemoryBaseandroid::media::SharedFileRegion
AudioTrack::createTrack_l()The object created in the function IAudioFlinger::CreateTrackInputwill be converted into android::media::CreateTrackRequestan object, such as IAudioFlinger::CreateTrackInput::toAidl()the definition of the function (located frameworks/av/media/libaudioclient/IAudioFlinger.cpp):
ConversionResult<media::CreateTrackRequest> IAudioFlinger::CreateTrackInput::toAidl() const {
media::CreateTrackRequest aidl;
aidl.attr = VALUE_OR_RETURN(legacy2aidl_audio_attributes_t_AudioAttributesInternal(attr));
aidl.config = VALUE_OR_RETURN(legacy2aidl_audio_config_t_AudioConfig(config));
aidl.clientInfo = VALUE_OR_RETURN(legacy2aidl_AudioClient_AudioClient(clientInfo));
aidl.sharedBuffer = VALUE_OR_RETURN(legacy2aidl_NullableIMemory_SharedFileRegion(sharedBuffer));
aidl.notificationsPerBuffer = VALUE_OR_RETURN(convertIntegral<int32_t>(notificationsPerBuffer));
aidl.speed = speed;
aidl.audioTrackCallback = audioTrackCallback;
aidl.flags = VALUE_OR_RETURN(legacy2aidl_audio_output_flags_t_int32_t_mask(flags));
aidl.frameCount = VALUE_OR_RETURN(convertIntegral<int64_t>(frameCount));
aidl.notificationFrameCount = VALUE_OR_RETURN(convertIntegral<int64_t>(notificationFrameCount));
aidl.selectedDeviceId = VALUE_OR_RETURN(
legacy2aidl_audio_port_handle_t_int32_t(selectedDeviceId));
aidl.sessionId = VALUE_OR_RETURN(legacy2aidl_audio_session_t_int32_t(sessionId));
return aidl;
}
For IMemorya shared memory block described by , it is legacy2aidl_NullableIMemory_SharedFileRegion()converted to android::media::SharedFileRegionan object by the function, which is defined (located frameworks/av/media/libaudioclient/AidlConversion.cpp) as follows:
ConversionResult<std::optional<media::SharedFileRegion>>
legacy2aidl_NullableIMemory_SharedFileRegion(const sp<IMemory>& legacy) {
std::optional<media::SharedFileRegion> aidl;
if (!convertNullableIMemoryToSharedFileRegion(legacy, &aidl)) {
return unexpected(BAD_VALUE);
}
return aidl;
}
convertNullableIMemoryToSharedFileRegion()The function copies IMemoryinformation related to the shared memory block pointed to, such as file descriptors, offsets, sizes and other information and tags to android::media::SharedFileRegionthe object. The function is defined (located frameworks/av/media/libshmem/ShmemCompat.cpp) as follows:
bool convertIMemoryToSharedFileRegion(const sp<IMemory>& mem,
SharedFileRegion* result) {
assert(mem != nullptr);
assert(result != nullptr);
*result = SharedFileRegion();
ssize_t offset;
size_t size;
sp<IMemoryHeap> heap = mem->getMemory(&offset, &size);
if (size > 0) {
if (heap == nullptr) {
return false;
}
// Make sure the offset and size do not overflow from int64 boundaries.
if (size > std::numeric_limits<int64_t>::max() ||
offset > std::numeric_limits<int64_t>::max() ||
heap->getOffset() > std::numeric_limits<int64_t>::max() ||
static_cast<uint64_t>(heap->getOffset()) +
static_cast<uint64_t>(offset)
> std::numeric_limits<int64_t>::max()) {
return false;
}
const int fd = fcntl(heap->getHeapID(), F_DUPFD_CLOEXEC, 0);
if (fd < 0) {
return false;
}
result->fd.reset(base::unique_fd(fd));
result->size = size;
result->offset = heap->getOffset() + offset;
result->writeable = (heap->getFlags() & IMemoryHeap::READ_ONLY) == 0;
}
return true;
}
. . . . . .
bool convertNullableIMemoryToSharedFileRegion(const sp<IMemory>& mem,
std::optional<SharedFileRegion>* result) {
assert(result != nullptr);
if (mem == nullptr) {
result->reset();
return true;
}
result->emplace();
return convertIMemoryToSharedFileRegion(mem, &result->value());
}
Correspondingly, android::media::SharedFileRegiona process that receives a shared memory block described by an object can also convert it into IMemoryan object. Also in AudioTrack::createTrack_l()the function, you can see the following piece of code:
std::optional<media::SharedFileRegion> sfr;
output.audioTrack->getCblk(&sfr);
sp<IMemory> iMem = VALUE_OR_FATAL(aidl2legacy_NullableSharedFileRegion_IMemory(sfr));
if (iMem == 0) {
ALOGE("%s(%d): Could not get control block", __func__, mPortId);
status = NO_INIT;
goto exit;
}
aidl2legacy_NullableSharedFileRegion_IMemory()The function android::media::SharedFileRegionconverts a shared memory block of object description into IMemorya description of , the function is defined (located frameworks/av/media/libaudioclient/AidlConversion.cpp) as follows:
ConversionResult<sp<IMemory>>
aidl2legacy_NullableSharedFileRegion_IMemory(const std::optional<media::SharedFileRegion>& aidl) {
sp<IMemory> legacy;
if (!convertNullableSharedFileRegionToIMemory(aidl, &legacy)) {
return unexpected(BAD_VALUE);
}
return legacy;
}
convertNullableSharedFileRegionToIMemory()MemoryHeapBaseTo create and objects based on the open file descriptor, offset, size, and tag of the device where the shared memory block resides, MemoryBasethis function is defined (located frameworks/av/media/libshmem/ShmemCompat.cpp) as follows:
bool convertSharedFileRegionToIMemory(const SharedFileRegion& shmem,
sp<IMemory>* result) {
assert(result != nullptr);
if (!validateSharedFileRegion(shmem)) {
return false;
}
// Heap offset and size must be page aligned.
const size_t pageSize = getpagesize();
const size_t pageMask = ~(pageSize - 1);
// OK if this wraps.
const uint64_t endOffset = static_cast<uint64_t>(shmem.offset) +
static_cast<uint64_t>(shmem.size);
// Round down to page boundary.
const uint64_t heapStartOffset = shmem.offset & pageMask;
// Round up to page boundary.
const uint64_t heapEndOffset = (endOffset + pageSize - 1) & pageMask;
const uint64_t heapSize = heapEndOffset - heapStartOffset;
if (heapStartOffset > std::numeric_limits<size_t>::max() ||
heapSize > std::numeric_limits<size_t>::max()) {
return false;
}
uint32_t flags = !shmem.writeable ? IMemoryHeap::READ_ONLY : 0;
const sp<MemoryHeapBase> heap =
new MemoryHeapBase(shmem.fd.get(), heapSize, flags, heapStartOffset);
*result = sp<MemoryBase>::make(heap,
shmem.offset - heapStartOffset,
shmem.size);
return true;
}
. . . . . .
bool convertNullableSharedFileRegionToIMemory(const std::optional<SharedFileRegion>& shmem,
sp<IMemory>* result) {
assert(result != nullptr);
if (!shmem.has_value()) {
result->clear();
return true;
}
return convertSharedFileRegionToIMemory(shmem.value(), result);
}
Done.