Fix crashing CPU driver runtime on null input allocation
Part of the CPU driver runtime assumed non-null input allocation and
blindly dereferenced the handle of the input allocation. This caused
crashes when running RsBalls, in which a null input allocation was given
to rsForEach(). This CL fixes the crash by guarding the code that
dereferences the input allocation with null pointer checks.
Bug: 37754476
Test: CTS with and without debug.rs.debug=1, RsBalls
Change-Id: I8bec116fa8b846c6801353234e24b07d7a0fbbf4
(cherry picked from commit efc33a921195c313007d9471efcd00cc825b0055)
diff --git a/cpu_ref/rsCpuScript.cpp b/cpu_ref/rsCpuScript.cpp
index dec9ab2..60d08be 100644
--- a/cpu_ref/rsCpuScript.cpp
+++ b/cpu_ref/rsCpuScript.cpp
@@ -641,7 +641,13 @@
return false;
}
- if (inLen > 0) {
+ // The only situation where ains[j] is null is when inLen==1 and j==0;
+ // and that can only happen for an old-style kernel in API level 11~13,
+ // where the input allocation cannot be skipped if the output allocation is specified.
+ if (inLen != 0)
+ rsAssert((inLen == 1) || (ains[0] != nullptr));
+
+ if (inLen > 0 && ains[0]) {
const Allocation *ain0 = ains[0];
const Type *inType = ain0->getType();
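Review bot: The invariant in the new comment is enforced only by `rsAssert((inLen == 1) || (ains[0] != nullptr))`, and when it is violated the following `if (inLen > 0 && ains[0])` skips the whole input-validation block instead of rejecting the launch. If rsAssert does not abort in release builds (its definition is not visible here), a multi-input launch with a null ains[0] would bypass these dimension checks, and also the input/output check now guarded by `ains[0] &&` in the third hunk. Failing closed would be safer: test `if (inLen > 1 && ains[0] == nullptr)` and take the same setError(RS_ERROR_BAD_SCRIPT, ...) plus `return false;` path used elsewhere in this function. The assert also covers only ains[0]; entries at index >= 1 are still handed to hasSameDims() unchecked in the loop of the next hunk. The enclosing function starts and ends outside the hunk.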
@@ -652,7 +658,7 @@
for (int Index = inLen; --Index >= 1;) {
if (!ain0->hasSameDims(ains[Index])) {
mCtx->getContext()->setError(RS_ERROR_BAD_SCRIPT,
- "Failed to launch kernel; dimensions of input"
+ "Failed to launch kernel; dimensions of input "
"allocations do not match.");
return false;
}
@@ -675,7 +681,7 @@
}
if (inLen > 0 && aout != nullptr) {
- if (!ains[0]->hasSameDims(aout)) {
+ if (ains[0] && !ains[0]->hasSameDims(aout)) {
mCtx->getContext()->setError(RS_ERROR_BAD_SCRIPT,
"Failed to launch kernel; dimensions of input and output allocations do not match.");
@@ -705,6 +711,12 @@
if (inLen > 0) {
mtls->fep.inLen = inLen;
for (int index = inLen; --index >= 0;) {
+ if (ains[index] == nullptr) {
+ // In old style kernels, the first and only input allocation could be null.
+ // Not allowed in newer styles.
+ rsAssert(inLen == 1 && index == 0);
+ continue;
+ }
mtls->fep.inPtr[index] = (const uint8_t*)ains[index]->mHal.drvState.lod[0].mallocPtr;
mtls->fep.inStride[index] = ains[index]->getType()->getElementSizeBytes();
}
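Review bot: The `continue` in the null branch leaves `mtls->fep.inPtr[index]` and `mtls->fep.inStride[index]` unwritten although `mtls->fep.inLen` has already been set to inLen, so any later reader of fep sees whatever those slots held before. Whether they are zeroed earlier is not visible in this hunk; writing them explicitly before continuing, `mtls->fep.inPtr[index] = nullptr; mtls->fep.inStride[index] = 0;`, removes the dependence on prior initialisation and on a stale pointer from an earlier launch. The `rsAssert(inLen == 1 && index == 0)` is again the only guard for the newer-style case, so if it is log-only in release builds a null entry at any index is silently skipped rather than rejected. The enclosing function continues outside the hunk.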