This adds a new --start-child-zygote argument that instructs the main
zygote to create a new child process that will also be a zygote. The
system_server generates a random name in the abstract socket namespace
for it and the child-zygote to communicate over, and that is passed as
an argument to the new process.
A child-zygote bypasses the normal post-fork-child of the zygote process
in order to preserve itself as a zygote. This means not starting the
Binder threadpool nor launching into ActivityThread. Instead, a
child-zygote calls into its own main function. The main function runs a
ZygoteServer select loop, listening on the socket name specified by the
system_server when it was forked.
Unlike the system zygotes, a child-zygote can be killed without bringing
down the system. Killing a child-zygote will not terminate its child
processes, which will be reparented to init for reaping when they
eventually exit.
Bug: 63749735
Test: m (with multi-project commits landed)
Change-Id: I3e7ebbdba498f8fec1d84cdf927dc43a92be4b68
Extend the installd profile interface to take the profile name as
argument. This shifts the responsibility for choosing the names of
profiles for primary apks completely to PackageManager. Each of the
application code paths will get an unique profile name based on their
split name.
All the profile operations will now work on a specific profile name rather
than assuming a default global name.
Also, move dumpProfiles and clearProfiles functionality to the
ArtManagerService so that we can re-use profileName computations easier.
(cherry picked from commit 6ae39fc2e5)
Test: manual (dexopt apps, merge profiles, clear profiles)
gts GtsAndroidRuntimeManagerHostTestCases
Bug: 30934496
Merged-In: Ie65d45eed7de0844edf4b7af918d7eaa74ec1f2c
Change-Id: Ie65d45eed7de0844edf4b7af918d7eaa74ec1f2c
Complete the implementation of ArtManager#snapshotProfile. The snapshot is
performed by calling the installer and then return to the caller via the
specified callback.
(cherry picked from commit fd9f8ae973)
Bug: 30934496
Test: gts-tradefed -m GtsAndroidRuntimeManagerHostTestCases
Merged-In: I87131487846d91d79a56041445420376b61ca8e7
Change-Id: I87131487846d91d79a56041445420376b61ca8e7
Currently ZygoteProcess only uses String names in the RESERVED socket
namespace. This CL reworks the class to use LocalSocketAddress, so that
other socket namespaces can be used to communicate with zygotes.
Bug: 63749735
Test: m (no functional change)
Merged-In: I4146f684bfcd78b16500829d02ff54590a8b48f5
Change-Id: I0113a7189530c2e57c48058df542057e855bae42
When the libcutils constant was added there a merge conflict, which
caused the AID_WEBVIEW_ZYGOTE value to land with a different value than
the Java-side Process value. Nothing yet uses the Process constant, so
there were no ill effects.
Test: m
Change-Id: I8cc87bce1ddbdcdaf79d85c828d86837e96cce21
Add classloader support to android.os.Debug.attachJvmtiAgent. For
the original version without a given classloader, look up the
application's main classloader.
Bug: 65016018
Bug: 70901841
Test: m
Test: cts-tradefed run commandAndExit cts-dev
Change-Id: I649b6883e05dc2f75073fe1f978423f6a7b880df
Before this change, seccomp filter setup is as early as in zygote's main
function. To make it possible to split app and system server's filter,
this postpone the setup to after fork. It also starts to call app
specific and system server specific setup function.
The filter setup is done in Zygote's ForkAndSpecializeCommon. This is
because adding a seccomp filter must be done when either the caller has
CAP_SYS_ADMIN or after the PR_SET_NO_NEW_PRIVS bit is set. Given that
setting PR_SET_NO_NEW_PRIVS breaks SELinux domain transition
(b/71859146), this must be done after Zygote forks but before
CAP_SYS_ADMIN is droppped.
Test: (cts) -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Test: no selinux denial flood in dmesg with selinux enforced
Test: debuggerd -b `pidof com.android.phone` # logcat shows tombstoned
received crash request
Bug: 63944145
Bug: 71859146
Change-Id: I8215c8530d3d0de504a270488f8e29635805e8b0
In future, managing DNS-over-TLS hostname lookup and netd programming
can be encapsulated here.
Test: as follows
- built
- flashed
- booted
- runtest frameworks-net passes
Bug: 64133961
Change-Id: I47ccfa99c30c780524c45c4af605e720ccba34a0
Before this change, seccomp filter setup is as early as in zygote's main
function. To make it possible to split app and system server's filter,
this postpone the setup to after fork. It also starts to call app
specific and system server specific setup function.
In terms of performance since this happens at fork, the measure shows
the overhead is negligible. Assuming 130 instruction in the BPF, on
walleye, even when running on little core with fixed low frequency, each
setup took about 60.9us on average. When it runs on big core with
higher frequency, it took about 39.3us.
Test: (cts) -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145
Change-Id: I748735b478405098beac1e200d911c13ea60e380
Merged-In: I748735b478405098beac1e200d911c13ea60e380
Add a method to compute the size of a ProxyMap without cleared
references. Use it in the crash decision. Report both counts, as
well as the count after a forced GC before actually crashing.
Rename the histogram generating function after a small refactoring
to make that easier.
When we crash, we now generate a message like the following
(generated here with reduced thresholds):
01-03 01:40:52.273 4793 4947 E JavaBinder: java.lang.AssertionError:
Binder ProxyMap has too many entries: 277 (total), 275 (uncleared),
257 (after GC). BinderProxy leak?
after the histogram. Unfortunately, the intervening GC may take some
time, and other intervening messages may sneak into the log between
them.
Experiments so far suggest that none of this greatly affects the
decision when to die. But this eliminates uncertainty as to whether
there was really a problem.
Bug: 71353150
Test: Tested with reduced thresholds, and then booted AOSP.
Change-Id: I53f24bae23eedcdb78a1c32296c65692b7bb2c42
In general, using Mutable inside of structures
or as API arguments is a code smell. However, it
is the most syntactically clean way of fetching
something out of a lambda or inner class.
Using this, one can do:
Mutable<Result> res = new Mutable<>();
hidlObject.foo((...) -> {
res.value = ...;
});
There is an alternative:
Result a[] = new Result[1];
hidlObject.foo((...) -> {
a[0] = ...;
});
However, this alternative syntax is relatively messy.
Bug: N/A
Test: boot, use w/ wifi
Change-Id: Ibff13c653cc17bd25ddbb0534ba21ef485bff7aa
To help investigate potential BinderProxy leaks, attempt to log a
histogram of BinderProxy descriptors to the logcat before asserting.
Bug: 71353150
Test: m
Change-Id: I47313814160678369b15e7dc5851d8096c286b9d
Settings application shows internal storage size using API getTotalBytes in StorageStatsManager.
This API calls getPrimaryStorageSize() in StorageManager.
getPrimaryStorageSize() returns /data parition size calculated API roundStorageSize() in FileUtils.
Using this API, total primary storage size returns 8GB if 16GB emmc size device has /data partition size below 8GB.
So we should modify getting of primary storage size close to real emmc size.
getPrimaryStorageSize() will be calculated sum of /data and /system partition size.
Test: Check primary storage size in Settings application
Change-Id: I3ad33534b1c55d09afbb0e9be1c408c02c442842
Signed-off-by: hj.seo <hj.seo@lge.com>
GSI disables AVB by overriding vbmeta partition.
When a device can run runtime vintf checking, it should already
pass AVB, so we don't need to check AVB in runtime vintf.
We cannot change the original VintfObject.verify() because AVB check is
still needed for android.os.RecoverySystem to verify a newly downloaded
OTA package.
Bug: 68016134
Test: Boot with GSI and there is no Android System dialog
Change-Id: Ie1efa6f1abd8fa8f495aededd145c0ab2c0c1fae
Merged-In: Ie1efa6f1abd8fa8f495aededd145c0ab2c0c1fae
This fails when trying to run the AOSP mailer with CRASH_AT_SIZE = 500,
when the check interval is reduced sufficiently so that the test is
actually executed. System server has been observed to use more than
1000 BinderProxies. Thus 5000 seems like roughly the lowest safe limit.
Note that the test is executed somewhat rarely, so we may exceed
this number by quite a few before we actually crash.
Bug: 65760710
Test: Builds, AOSP boots & works for a few tasks. Fails as expected
with reduced limit.
Change-Id: I1c999b85e1ba1bd1d166a9ffba4f0b3992ffee45
... that returns PID of the process for debuggable builds.
This calls into the C++ equivalent of the function.
Test: lshal
Bug: 68992575
Change-Id: Ia177c709c6930510035cff33dc2389441a76351d
For fresh installs the PM does not set the app uid before invoking
dexopt; so we would always get a bogus GID.
This is a temporary workaround which fixes the GID of newly
installed apps to an arbitrary UNKNOWN gid.
Test: adb install
Bug: 64548938
Bug: 69331247
(cherry picked from commit a73e165c2e)
Change-Id: I6438ec8cfca88df813e166f9ef5821e62faf524a
Bluetooth service needs to natively access id of parent profile. Add
method exposing it.
Test: cts-tradefed run cts-dev -m DevicePolicyManager --test
com.android.cts.devicepolicy.ManagedProfileTest#testBluetooth
Bug: 69284968
Change-Id: I697906f2959b0736c1d3cc6af7560c27d77ce11b
AID_SHARED_GID is a GID shared by a specific app across all users on
the same device. Bring the UserHandle and multiuser.c implementations
into agreement, and copy/paste the unit tests that verify that both
behave identically.
Since we might now return "-1" when a GID is invalid, have
ActivityManager handle these cases by quickly swapping in the
always-valid getUserGid().
Test: bit FrameworksCoreTests:android.os.UserHandleTest
Bug: 34151068, 64548938
Change-Id: I0463aba923ae5ce1942666359a394ae6cdb7c1f8
Symptom:
Global reference table overflow happens on system_server.
Root cause:
If a process repeatedly create a context and get AutofillManager
from the context, each BinderProxy of AutofillManagerClient are
registered to AutofillManagerServiceImpl. They aren't removed until
the process is died. BinderProxy consumes global reference and finally
causes crash on system_server.
Solution:
Remove AutofillManagerClient from AutofillManagerServiceImpl after
AutofillManager is finalized.
Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases
Bug: 68747744
Change-Id: I8b76c5368b54317b8696cac470cc390b36e910e7
IFoo.Proxy.equals() -> HidlSupport.equals() ->
IHwInterface.asBinder().equals() -> HwRemoteBinder.equals().
IFoo.Stub.equals() -> default Object.equals()
Notice that IHwInterface.asBinder() returns mRemote(of type
HwRemoteBinder) for proxies and itself (of type HwBinder) for stubs.
If IFoo.Stub.asBinder() had not return "this", its equals()
should also be overridden.
Bug: 68727931
Test: hidl_test_java
Change-Id: I916983d7bc739747145e2ebb6830226310fd4980
Support for instruction counting has been removed from ART
and the VMDebug APIs in question throw UnsupportedOperationException
unconditionally.
Test: make
Change-Id: Ibcaa160f755a5708bc6fbef3a783acfc26f0ba90
