author | I-Jui (Ray) Sung <ijsung@google.com> | 2017-05-12 16:05:14 -0700 |
---|---|---|
committer | I-Jui (Ray) Sung <ijsung@google.com> | 2017-05-19 11:33:43 -0700 |
commit | efc33a921195c313007d9471efcd00cc825b0055 (patch) | |
tree | 35f63ffb81b29c722013651a3c2bcdf06ce42aae /cpu_ref | |
parent | f186c5d799bf401d0384d0145f01de76a6ab6e0e (diff) | |
download | rs-efc33a921195c313007d9471efcd00cc825b0055.tar.gz |
Fix crashing CPU driver runtime on null input allocation
Part of the CPU driver runtime assumed non-null input allocation and
blindly dereferenced the handle of the input allocation. This caused
crashes when running RsBalls, in which a null input allocation was given
to rsForEach(). This CL fixes the crashing problem by guarding those
codes dereferencing the input allocation with null pointer checks.
Bug: 37754476
Test: CTS with and without debug.rs.debug=1, RsBalls
Change-Id: I8bec116fa8b846c6801353234e24b07d7a0fbbf4
Diffstat (limited to 'cpu_ref')
-rw-r--r-- | cpu_ref/rsCpuCore.cpp | 7 | ||||
-rw-r--r-- | cpu_ref/rsCpuScript.cpp | 18 |
2 files changed, 22 insertions, 3 deletions
diff --git a/cpu_ref/rsCpuCore.cpp b/cpu_ref/rsCpuCore.cpp
index 7fcaef9f..14b1e66f 100644
--- a/cpu_ref/rsCpuCore.cpp
+++ b/cpu_ref/rsCpuCore.cpp
@@ -332,7 +332,14 @@ static inline void FepPtrSetup(const MTLaunchStructForEach *mtls, RsExpandKernel
                                uint32_t z = 0, uint32_t lod = 0,
                                RsAllocationCubemapFace face = RS_ALLOCATION_CUBEMAP_FACE_POSITIVE_X,
                                uint32_t a1 = 0, uint32_t a2 = 0, uint32_t a3 = 0, uint32_t a4 = 0) {
+    // When rsForEach passes a null input allocation (as opposed to no input),
+    // fep->inLen can be 1 with mtls->ains[0] being null.
+    // This should only happen on old style kernels.
     for (uint32_t i = 0; i < fep->inLen; i++) {
+        if (mtls->ains[i] == nullptr) {
+            rsAssert(fep->inLen == 1);
+            continue;
+        }
         fep->inPtr[i] = (const uint8_t *)mtls->ains[i]->getPointerUnchecked(x, y, z, lod, face, a1, a2, a3, a4);
     }
     if (mtls->aout[0] != nullptr) {
diff --git a/cpu_ref/rsCpuScript.cpp b/cpu_ref/rsCpuScript.cpp
index dec9ab29..60d08be1 100644
--- a/cpu_ref/rsCpuScript.cpp
+++ b/cpu_ref/rsCpuScript.cpp
@@ -641,7 +641,13 @@ bool RsdCpuScriptImpl::forEachMtlsSetup(const Allocation ** ains,
         return false;
     }
-    if (inLen > 0) {
+    // The only situation where ains[j] is null is when inLen==1 and j==0;
+    // and that can only happen for an old-style kernel in API level 11~13,
+    // where the input allocation cannot be skipped if the output allocation is specified.
+    if (inLen != 0)
+        rsAssert((inLen == 1) || (ains[0] != nullptr));
+
+    if (inLen > 0 && ains[0]) {
         const Allocation *ain0 = ains[0];
         const Type *inType = ain0->getType();
@@ -652,7 +658,7 @@ bool RsdCpuScriptImpl::forEachMtlsSetup(const Allocation ** ains,
         for (int Index = inLen; --Index >= 1;) {
             if (!ain0->hasSameDims(ains[Index])) {
                 mCtx->getContext()->setError(RS_ERROR_BAD_SCRIPT,
-                    "Failed to launch kernel; dimensions of input"
+                    "Failed to launch kernel; dimensions of input "
                     "allocations do not match.");
                 return false;
             }
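Review bot: On the null-input path the added `continue` leaves `fep->inPtr[i]` unassigned, so the kernel receives whatever that slot already held; nothing in this hunk shows `fep` being zeroed before the loop. `rsAssert` looks like a debug-only check (its name suggests it compiles out in release builds), in which case the branch is purely the skip. Assigning the slot explicitly makes the old-style-kernel case deterministic: `fep->inPtr[i] = nullptr;` immediately before the `continue`. FepPtrSetup's signature begins before this hunk and its body continues past it.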
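Review bot: The new `rsAssert((inLen == 1) || (ains[0] != nullptr))` tests only `ains[0]`, while the comment above it states an invariant over every `ains[j]`; with `inLen > 1` a null `ains[1..]` satisfies the assert and is then dereferenced by `ain0->hasSameDims(ains[Index])` in the next hunk, and if `rsAssert` is compiled out in release builds even the `ains[0]` case goes unchecked. These pointers come from the script's rsForEach call, so the invalid combination is better reported through the existing `setError` path than asserted. forEachMtlsSetup starts before this hunk.
```cpp
    // Null inputs are only tolerated for the single-input old-style case;
    // any other null input is a bad launch, reported rather than asserted.
    if (inLen > 1) {
        for (int j = inLen; --j >= 0;) {
            if (ains[j] == nullptr) {
                mCtx->getContext()->setError(RS_ERROR_BAD_SCRIPT,
                    "Failed to launch kernel; null input allocation.");
                return false;
            }
        }
    }
    // … unchanged: ain0 dimension checks …
```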
@@ -675,7 +681,7 @@ bool RsdCpuScriptImpl::forEachMtlsSetup(const Allocation ** ains,
     }
     if (inLen > 0 && aout != nullptr) {
-        if (!ains[0]->hasSameDims(aout)) {
+        if (ains[0] && !ains[0]->hasSameDims(aout)) {
             mCtx->getContext()->setError(RS_ERROR_BAD_SCRIPT,
                 "Failed to launch kernel; dimensions of input and output allocations do not match.");
@@ -705,6 +711,12 @@ bool RsdCpuScriptImpl::forEachMtlsSetup(const Allocation ** ains,
     if (inLen > 0) {
         mtls->fep.inLen = inLen;
         for (int index = inLen; --index >= 0;) {
+            if (ains[index] == nullptr) {
+                // In old style kernels, the first and only input allocation could be null.
+                // Not allowed in newer styles.
+                rsAssert(inLen == 1 && index == 0);
+                continue;
+            }
             mtls->fep.inPtr[index] = (const uint8_t*)ains[index]->mHal.drvState.lod[0].mallocPtr;
             mtls->fep.inStride[index] = ains[index]->getType()->getElementSizeBytes();
         }
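Review bot: The relaxed condition silently skips the input/output dimension comparison when `ains[0]` is null without saying why that is acceptable, which invites a later reader to "fix" it back. A one-line comment above the `if` would carry the reasoning: `// ains[0] may be null for an old-style single-input kernel; the launch presumably takes its bounds from aout alone.` The enclosing function begins before this hunk and continues after it.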
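Review bot: When `ains[index]` is null the added branch `continue`s without assigning `mtls->fep.inPtr[index]` or `mtls->fep.inStride[index]`, so the kernel sees whatever those slots held before; unless `mtls` is zeroed earlier in forEachMtlsSetup (its beginning is outside this hunk) that is an indeterminate pointer. Assign them explicitly ahead of the `continue`: `mtls->fep.inPtr[index] = nullptr;` and `mtls->fep.inStride[index] = 0;`. Note also that `rsAssert(inLen == 1 && index == 0)` is probably a no-op in release builds, so the branch as written does not stop a null among several inputs from reaching the kernel.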