LeakValue
Why do we need more than one Message?
Hi, thank you very much for sharing this research.

I notice that in `makeHolderLeakerWithRewind()`, first a `Message` of a large size (might reach the max size?) is transacted, and then the second one leaks some value from another `Parcel`. I wonder why we need the first `Message`. I have tried to transact only one, and to transact three `Message`s. Three `Message`s is okay; the only thing to be modified is that in `ValueLeaker.doLeak()`, `data.writeInt(2)`, pointing to the third `Message`.

But I fail with only one `Message`. There was a similar log:

```
Parcel : Attempt to read object from Parcel 0xb40000733c44c180 at offset 28 that is not in the object list
```

In `ValueLeaker.doLeak()`, I've tried dumping the whole `Parcel` from `getQueue()`. After the key "android.os.Message", there's nothing:

```
// key android.os.Message
12:00:00:00:61:00:6E:00:64:00:72:00:6F:00:69:00:64:00:2E:00:6F:00:73:00:2E:00:4D:00:65:00:73:00:73:00:61:00:67:00:65:00:00:00:00:00:
// second key %$#@!
05:00:00:00:25:00:24:00:23:00:40:00:21:00:00:00:
```

If we transact two or three `Message`s, it would be like:

```
// key android.os.Message
12:00:00:00:61:00:6E:00:64:00:72:00:6F:00:69:00:64:00:2E:00:6F:00:73:00:2E:00:4D:00:65:00:73:00:73:00:61:00:67:00:65:00:00:00:00:00:
// things from another Parcel
69:00:76:00:69:00:74:00:79:00:54:00:61:00:73:00:6B:00:4D:00:61:00:6E:00:61:00:67:0065:00:72:00:00:00:00:00:85:2A:68:73:13:01:00:00:FE:09:00:00:00:00:00:00:00:00:00:00:
// second key %$#@!
05:00:00:00:25:00:24:00:23:00:40:00:21:00:00:00:02:00:00:00:04:00:00:00:00:00:00:00:6F:00:74:00:65:00:56:00:69:00:65:00:77:00:73:00:00:00:00:00:00:00:00:00:85:2A:62:73:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
```

So, if we only use one `Message`, it would fail at leaking the value from another `Parcel`, and I haven't found the reason.

Would you please share why we need one, or more than one, `Message` before the leaking one?

Thank you very much :). (Sorry for my bad English; it might be noted in the README but I didn't realize it.)