feat: segfault the app when opening

Author: nift4

app/src/main/cpp/NativeTrack.cpp

@@ -4,12 +4,20 @@
 #include <dlfcn.h>
 #include <cstring>
 #include <android/log_macros.h>
+#include <bits/timespec.h>
+#include "helpers.h"
 
 extern void *libaudioclient_handle;
 extern void *libpermission_handle;
 extern void *libandroid_runtime_handle;
+extern void *libutils_handle;
 extern bool initLib(JNIEnv *env);
 
+typedef void*(*ZN7android7RefBaseC2Ev_t)(void* thisptr);
+static ZN7android7RefBaseC2Ev_t ZN7android7RefBaseC2Ev = nullptr;
+typedef void*(*ZN7android7RefBaseD2Ev_t)(void* thisptr);
+static ZN7android7RefBaseD2Ev_t ZN7android7RefBaseD2Ev = nullptr;
+#include "aosp_stubs.h"
 typedef void*(*ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject_t)(_JNIEnv*, _jobject*);
 static ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject_t ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject = nullptr;
 typedef int32_t(*ZN7android7content22AttributionSourceState14readFromParcelEPKNS_6ParcelE_t)(void* thisptr, void* parcel);
@@ -18,92 +26,152 @@ typedef void*(*ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE_t
 static ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE_t ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE = nullptr;
 typedef void*(*ZN7android10AudioTrackC1Ev_t)(void* thisptr);
 static ZN7android10AudioTrackC1Ev_t ZN7android10AudioTrackC1Ev = nullptr;
+typedef void(*ZNK7android7RefBase9incStrongEPKv_t)(void* thisptr, void* id);
+static ZNK7android7RefBase9incStrongEPKv_t ZNK7android7RefBase9incStrongEPKv = nullptr;
+typedef void(*ZNK7android7RefBase9decStrongEPKv_t)(void* thisptr, void* id);
+static ZNK7android7RefBase9decStrongEPKv_t ZNK7android7RefBase9decStrongEPKv = nullptr;
+typedef void*(*ZNK7android7RefBase10createWeakEPKv_t)(void* thisptr, void* id);
+static ZNK7android7RefBase10createWeakEPKv_t ZNK7android7RefBase10createWeakEPKv = nullptr;
+typedef void(*ZN7android7RefBase12weakref_type7decWeakEPKv_t)(void* thisptr, void* id);
+static ZN7android7RefBase12weakref_type7decWeakEPKv_t ZN7android7RefBase12weakref_type7decWeakEPKv = nullptr;
+typedef int32_t(*ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi_t)
+        (void* thisptr, int32_t streamType, uint32_t sampleRate, uint32_t format, uint32_t channelMask, size_t frameCount /* = 0 */, uint32_t flags /* = 0 */, fake_wp callback /* = nullptr */, int32_t notificationFrames /* = 0 */, fake_sp sharedMemory /* = nullptr */, bool threadCanCallJava /* = false */, int32_t audioSessionId /* = 0 */, transfer_type transferType /* = TRANSFER_DEFAULT */, void* offloadInfo /* = nullptr */, void* attributionSource, void* attributes /* = nullptr */, bool doNotReconnect /* = false */, float maxRequiredSpeed /* = 1.0f */, int selectedDeviceId /* = 0 */);
+static ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi_t ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi = nullptr;
 
-// last observed AOSP size (arm64) was 1312
-#define AUDIO_TRACK_SIZE 5000
-// last observed AOSP size (arm64) was 152
-#define ATTRIBUTION_SOURCE_SIZE 500
-#define FAKE_PTR_SIZE 32
+/*class MyCallback : virtual android::AudioTrack::IAudioTrackCallback {
+public:
+    MyCallback() : RefBase() {};
+    void onUnderrun() override {
+        ALOGI("MyCallback::onMoreData called");
+    }
+    void onMarker(uint32_t markerPosition) override {
+        ALOGI("MyCallback::onMarker called");
+    }
+    void onNewPos(uint32_t newPos) override {
+        ALOGI("MyCallback::onNewPos called");
+    }
+    void onNewIAudioTrack() override {
+        ALOGI("MyCallback::onNewIAudioTrack called");
+    }
+    void onStreamEnd() override {
+        ALOGI("MyCallback::onStreamEnd called");
+    }
+};*/
 
-// make sure to call RefBase::incStrong on thePtr before giving fake_sp away, and call
-// decStrong when you don't need it anymore :)
-struct fake_sp {
-    void* thePtr;
-};
-// make sure to call RefBase::createWeak(thePtr, <arbitrary unique id>) and save returned pointer
-// to refs, then call RefBase::weakref_type::decWeak(refs) when you don't need it anymore
-struct fake_wp {
-    void* thePtr;
-    void* refs;
+struct track_holder {
+    void* track;
+    void* callback;
+    void* ats;
 };
 
+extern "C" JNIEXPORT jboolean JNICALL
+Java_org_akanework_gramophone_logic_utils_NativeTrack_initDlsym(JNIEnv* env, jobject) {
+    if (!initLib(env))
+        return false;
+    if (android_get_device_api_level() >= 31) {
+        DLSYM_OR_RETURN(libandroid_runtime, ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject, false)
+        DLSYM_OR_RETURN(libpermission, ZN7android7content22AttributionSourceState14readFromParcelEPKNS_6ParcelE, false)
+        DLSYM_OR_RETURN(libaudioclient, ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE, false)
+    } else {
+        DLSYM_OR_RETURN(libaudioclient, ZN7android10AudioTrackC1Ev, false)
+    }
+    DLSYM_OR_RETURN(libutils, ZN7android7RefBaseC2Ev, false)
+    DLSYM_OR_RETURN(libutils, ZN7android7RefBaseD2Ev, false)
+    DLSYM_OR_RETURN(libutils, ZNK7android7RefBase9incStrongEPKv, false)
+    DLSYM_OR_RETURN(libutils, ZNK7android7RefBase9decStrongEPKv, false)
+    DLSYM_OR_RETURN(libutils, ZNK7android7RefBase10createWeakEPKv, false)
+    DLSYM_OR_RETURN(libutils, ZN7android7RefBase12weakref_type7decWeakEPKv, false)
+    // TODO support all 5 gazillion variants of set()
+    if (ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi == nullptr) {
+        ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi =
+                (ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi_t)
+                        dlsym(libaudioclient_handle, "_ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi");
+        if (ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi == nullptr) {
+            ALOGE("dlsym returned nullptr for _ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi: %s",
+                  dlerror());
+            return false;
+        }
+    }
+    return true;
+}
+
 extern "C" JNIEXPORT jlong JNICALL
 Java_org_akanework_gramophone_logic_utils_NativeTrack_create(
         JNIEnv *env, jobject, jobject parcel) {
-    if (!initLib(env))
-        return NULL;
     auto theTrack = ::operator new(AUDIO_TRACK_SIZE);
-    memset(theTrack, 0, AUDIO_TRACK_SIZE);
+    memset(theTrack, 0xdeadbeef, AUDIO_TRACK_SIZE);
+    auto holder = new track_holder();
     if (parcel != nullptr) { // implies SDK >= 31
-        auto ats = ::operator new(ATTRIBUTION_SOURCE_SIZE);
-        memset(ats, 0, ATTRIBUTION_SOURCE_SIZE);
-        if (!ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject) {
-            ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject =
-                    (ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject_t)
-                            dlsym(libandroid_runtime_handle,"_ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject");
-            if (ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject == nullptr) {
-                ALOGE("dlsym returned nullptr for _ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject: %s",
-                      dlerror());
-                return NULL;
-            }
-        }
+        // I'm too cool to call AttributionSourceState ctor before using it.
         auto myParcel = ZN7android19parcelForJavaObjectEP7_JNIEnvP8_jobject(env, parcel);
         if (myParcel == nullptr) {
             ALOGE("myParcel is NULL");
+            ::operator delete(theTrack);
             return NULL;
         }
-        if (!ZN7android7content22AttributionSourceState14readFromParcelEPKNS_6ParcelE) {
-            ZN7android7content22AttributionSourceState14readFromParcelEPKNS_6ParcelE =
-                    (ZN7android7content22AttributionSourceState14readFromParcelEPKNS_6ParcelE_t)
-                    dlsym(libpermission_handle,"_ZN7android7content22AttributionSourceState14readFromParcelEPKNS_6ParcelE");
-            if (ZN7android7content22AttributionSourceState14readFromParcelEPKNS_6ParcelE == nullptr) {
-                ALOGE("dlsym returned nullptr for _ZN7android7content22AttributionSourceState14readFromParcelEPKNS_6ParcelE: %s",
-                      dlerror());
-                return NULL;
-            }
-        }
-        // I'm too cool to call AttributionSourceState ctor before using it.
+        auto ats = ::operator new(ATTRIBUTION_SOURCE_SIZE);
+        memset(ats, 0, ATTRIBUTION_SOURCE_SIZE);
         ZN7android7content22AttributionSourceState14readFromParcelEPKNS_6ParcelE(ats, myParcel);
-        if (!ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE) {
-            ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE =
-                    (ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE_t)
-                    dlsym(libaudioclient_handle,"_ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE");
-            if (ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE == nullptr) {
-                ALOGE("dlsym returned nullptr for _ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE: %s",
-                      dlerror());
-                return NULL;
-            }
-        }
         ZN7android10AudioTrackC1ERKNS_7content22AttributionSourceStateE(theTrack, ats);
-        ::operator delete(ats); // copied by AudioTrack ctor
+        //ZN7android7RefBaseC2Ev(theTrack); // TODO
+        holder->ats = ats;
     } else {
-        if (!ZN7android10AudioTrackC1Ev) {
-            ZN7android10AudioTrackC1Ev = (ZN7android10AudioTrackC1Ev_t)
-                    dlsym(libaudioclient_handle,"_ZN7android10AudioTrackC1Ev");
-            if (ZN7android10AudioTrackC1Ev == nullptr) {
-                ALOGE("dlsym returned nullptr for _ZN7android10AudioTrackC1Ev: %s",
-                      dlerror());
-                return NULL;
-            }
-        }
         ZN7android10AudioTrackC1Ev(theTrack);
     }
-    return (intptr_t)theTrack;
+    ALOGE("0");
+    auto callback = nullptr;//new MyCallback();
+    //ZN7android7RefBaseC2Ev(callback); // TODO
+    ALOGE("1");
+    ZNK7android7RefBase9incStrongEPKv(theTrack, holder);
+    ALOGE("2");
+    //ZNK7android7RefBase9incStrongEPKv(callback, holder);
+    ALOGE("3");
+    holder->track = theTrack;
+    holder->callback = callback;
+    return (intptr_t)holder;
 }
 
 extern "C" JNIEXPORT jint JNICALL
 Java_org_akanework_gramophone_logic_utils_NativeTrack_doSet(
-        JNIEnv *env, jobject, jlong ptr) {
-    // TODO support all 5 gazillion variants of set()
+        JNIEnv *, jobject, jlong ptr) {
+    return 0;
+    auto holder = (track_holder*) ptr;
+    auto refs = ZNK7android7RefBase10createWeakEPKv(holder->callback, holder);
+    auto ret = ZN7android10AudioTrack3setE19audio_stream_type_tj14audio_format_t20audio_channel_mask_tm20audio_output_flags_tRKNS_2wpINS0_19IAudioTrackCallbackEEEiRKNS_2spINS_7IMemoryEEEb15audio_session_tNS0_13transfer_typeEPK20audio_offload_info_tRKNS_7content22AttributionSourceStateEPK18audio_attributes_tbfi(
+            holder->track,
+            /* streamType = */ 3 /* AUDIO_STREAM_MUSIC */,
+            /* sampleRate = */ 13370,
+            /* format = */ 1,
+            /* channelMask = */ 1,
+            /* frameCount = */ 0 /* default */,
+            /* flags = */ 0 /* AUDIO_OUTPUT_FLAG_NONE */,
+            /* callback = */ { .thePtr = holder->callback, .refs = refs },
+            /* notificationFrames = */ 0 /* default */,
+            /* sharedBuffer = */ { .thePtr = nullptr },
+            /* threadCanCallJava = */ true,
+            /* sessionId = */ 0 /* default */,
+            /* transferType = */ TRANSFER_SYNC,
+            /* offloadInfo = */ nullptr,
+            /* attributionSource = */ holder->ats,
+            /* pAttributes = */ nullptr,
+            /* doNotReconnect = */ true, // for emulating DIRECT track developer UX
+            /* maxRequiredSpeed = */ 1.0f,
+            /* selectedDeviceId = */ 0 /* default */
+            );
+    // wp copy constructor increased weak with it's own id, so we're done here
+    ZN7android7RefBase12weakref_type7decWeakEPKv(refs /* yes, refs */, holder);
+    // we own attributionSource, so get rid of it
+    ::operator delete(holder->ats);
+    holder->ats = nullptr;
+    return ret;
+}
 
+extern "C" JNIEXPORT void JNICALL
+Java_org_akanework_gramophone_logic_utils_NativeTrack_dtor(
+        JNIEnv *, jobject, jlong ptr) {
+    auto holder = (track_holder*) ptr;
+    // RefBase will call the dtor
+    ZNK7android7RefBase9decStrongEPKv(holder->track, holder);
+    ZNK7android7RefBase9decStrongEPKv(holder->callback, holder);
+    delete holder;
 }