From f50b9eaaeeaeae16981f11b05d3f3a6fb0dea30d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?= Date: Thu, 13 Feb 2014 19:22:08 -0800 Subject: [PATCH 1/8] Binder: Make sure binder objects do not overlap Fixes crashing part of bug 11355082. The driver still leaks references. Change-Id: Ibc6a63b151c1fc1f7666237f25255ba781e02071 --- libs/binder/Parcel.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 38e019cb9..882130f9a 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -35,6 +35,7 @@ #include +#include #include #include #include @@ -1317,6 +1318,7 @@ size_t Parcel::ipcObjectsCount() const void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize, const size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie) { + binder_size_t minOffset = 0; freeDataNoInit(); mError = NO_ERROR; mData = const_cast(data); @@ -1329,6 +1331,16 @@ void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize, mNextObjectHint = 0; mOwner = relFunc; mOwnerCookie = relCookie; + for (size_t i = 0; i < mObjectsSize; i++) { + binder_size_t offset = mObjects[i]; + if (offset < minOffset) { + ALOGE("%s: bad object offset %"PRIu64" < %"PRIu64"\n", + __func__, (uint64_t)offset, (uint64_t)minOffset); + mObjectsSize = 0; + break; + } + minOffset = offset + sizeof(flat_binder_object); + } scanForFds(); } From 6790329358d1c84af2fe9ba093bcfc1c6176e758 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?= Date: Wed, 19 Feb 2014 15:35:52 -0800 Subject: [PATCH 2/8] Fix "Binder: Make sure binder objects do not overlap" to work old binder kernel interface DO NOT MERGE into any branch that uses the new interface Change-Id: Id54308a89327e69a389ac5916c052ad97f57cb28 --- libs/binder/Parcel.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 882130f9a..021060657 100644 
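Review bot: The new loop in Parcel::ipcSetDataReference (second hunk of PATCH 1/8) rejects out-of-order or overlapping offsets but never compares an offset with the buffer length, so on the visible lines an entry whose `offset + sizeof(flat_binder_object)` runs past `dataSize` still passes. That sum can also wrap for an offset near the type's maximum, which would leave `minOffset` small and let later entries through. Unless the driver or caller already guarantees the bound (not visible here), the guard could read `if (offset < minOffset || offset > dataSize || dataSize - offset < sizeof(flat_binder_object))`. On rejection only `mObjectsSize` is cleared while `mError` stays `NO_ERROR`, so a comment stating that this is intentional would help callers. PATCH 2/8 carries the same loop and only changes the offset type and the log format.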
--- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -1318,7 +1318,7 @@ size_t Parcel::ipcObjectsCount() const void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize, const size_t* objects, size_t objectsCount, release_func relFunc, void* relCookie) { - binder_size_t minOffset = 0; + size_t minOffset = 0; freeDataNoInit(); mError = NO_ERROR; mData = const_cast(data); @@ -1332,10 +1332,10 @@ void Parcel::ipcSetDataReference(const uint8_t* data, size_t dataSize, mOwner = relFunc; mOwnerCookie = relCookie; for (size_t i = 0; i < mObjectsSize; i++) { - binder_size_t offset = mObjects[i]; + size_t offset = mObjects[i]; if (offset < minOffset) { - ALOGE("%s: bad object offset %"PRIu64" < %"PRIu64"\n", - __func__, (uint64_t)offset, (uint64_t)minOffset); + ALOGE("%s: bad object offset %zu < %zu\n", + __func__, offset, minOffset); mObjectsSize = 0; break; } From 4b84704b97300eff3ebfab85652e64d54149d205 Mon Sep 17 00:00:00 2001 From: Aravind Akella Date: Mon, 3 Mar 2014 19:02:46 -0800 Subject: [PATCH 3/8] Ignore flush complete events when recording last value for a sensor. Bug: 11822806 Change-Id: I1402d6684ed71ed413aef6a7be3aad945b331ec2 --- services/sensorservice/SensorService.cpp | 23 ++++++++++++----------- services/sensorservice/SensorService.h | 2 +- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/services/sensorservice/SensorService.cpp b/services/sensorservice/SensorService.cpp index a2f433279..f6705f6be 100644 --- a/services/sensorservice/SensorService.cpp +++ b/services/sensorservice/SensorService.cpp 
@@ -426,20 +426,21 @@ bool SensorService::threadLoop() } void SensorService::recordLastValue( - sensors_event_t const * buffer, size_t count) -{ + const sensors_event_t* buffer, size_t count) { Mutex::Autolock _l(mLock); - // record the last event for each sensor - int32_t prev = buffer[0].sensor; - for (size_t i=1 ; itype != SENSOR_TYPE_META_DATA) { + if (last && event->sensor != last->sensor) { + mLastEventSeen.editValueFor(last->sensor) = *last; + } + last = event; } } - mLastEventSeen.editValueFor(prev) = buffer[count-1]; + if (last) { + mLastEventSeen.editValueFor(last->sensor) = *last; + } } void SensorService::sortEventBuffer(sensors_event_t* buffer, size_t count) diff --git a/services/sensorservice/SensorService.h b/services/sensorservice/SensorService.h index c9683197f..1dc2dd36a 100644 --- a/services/sensorservice/SensorService.h +++ b/services/sensorservice/SensorService.h @@ -131,7 +131,7 @@ class SensorService : String8 getSensorName(int handle) const; bool isVirtualSensor(int handle) const; - void recordLastValue(sensors_event_t const * buffer, size_t count); + void recordLastValue(const sensors_event_t* buffer, size_t count); static void sortEventBuffer(sensors_event_t* buffer, size_t count); Sensor registerSensor(SensorInterface* sensor); Sensor registerVirtualSensor(SensorInterface* sensor); From 19d648195673b106152610e3787c95886946460f Mon Sep 17 00:00:00 2001 
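Review bot: Both `mLastEventSeen.editValueFor(last->sensor) = *last;` statements in the rewritten SensorService::recordLastValue index the map with a handle read directly from the event buffer, without checking that the handle is registered. If mLastEventSeen is a KeyedVector, editValueFor aborts the process when the key is absent, so one event carrying an unknown handle would take the service down. Guarding each store with `if (mLastEventSeen.indexOfKey(last->sensor) >= 0)`, or logging and skipping the event, avoids that. The loop header is partly illegible on this page, so this note is limited to the lines that can be read.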
From: Aravind Akella Date: Thu, 5 Dec 2013 16:24:59 -0800 Subject: [PATCH 4/8] Bug fix for SensorFusion data rate. SensorFusion is always returning data at the slowest possible sampling rate (5 Hz). batch() is getting called twice, first time with the requested rate and second time with the slowest rate (which overwrites the requested rate). Fix batch call in SensorFusion::activate() Bug: 12064319 Change-Id: If62f3e514233f69810336fd22b136b4395b667d3 (cherry picked from commit 88509090387eeb400771a786171866710cca230c) --- services/sensorservice/SensorFusion.cpp | 16 ++++------------ services/sensorservice/SensorFusion.h | 1 - 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/services/sensorservice/SensorFusion.cpp b/services/sensorservice/SensorFusion.cpp index 03f94beb0..8512d6b7d 100644 --- a/services/sensorservice/SensorFusion.cpp +++ b/services/sensorservice/SensorFusion.cpp @@ -102,15 +102,6 @@ status_t SensorFusion::activate(void* ident, bool enabled) { } } - if (enabled) { - ALOGD_IF(DEBUG_CONNECTIONS, "SensorFusion calling batch ident=%p ", ident); - // Activating a sensor in continuous mode is equivalent to calling batch with the default - // period and timeout equal to ZERO, followed by a call to activate. - mSensorDevice.batch(ident, mAcc.getHandle(), 0, DEFAULT_EVENTS_PERIOD, 0); - mSensorDevice.batch(ident, mMag.getHandle(), 0, DEFAULT_EVENTS_PERIOD, 0); - mSensorDevice.batch(ident, mGyro.getHandle(), 0, DEFAULT_EVENTS_PERIOD, 0); - } - mSensorDevice.activate(ident, mAcc.getHandle(), enabled); mSensorDevice.activate(ident, mMag.getHandle(), enabled); mSensorDevice.activate(ident, mGyro.getHandle(), enabled); 
@@ -127,9 +118,10 @@ status_t SensorFusion::activate(void* ident, bool enabled) { } status_t SensorFusion::setDelay(void* ident, int64_t ns) { - mSensorDevice.setDelay(ident, mAcc.getHandle(), ns); - mSensorDevice.setDelay(ident, mMag.getHandle(), ms2ns(20)); - mSensorDevice.setDelay(ident, mGyro.getHandle(), mTargetDelayNs); + // Call batch with timeout zero instead of setDelay(). + mSensorDevice.batch(ident, mAcc.getHandle(), 0, ns, 0); + mSensorDevice.batch(ident, mMag.getHandle(), 0, ms2ns(20), 0); + mSensorDevice.batch(ident, mGyro.getHandle(), 0, mTargetDelayNs, 0); return NO_ERROR; } diff --git a/services/sensorservice/SensorFusion.h b/services/sensorservice/SensorFusion.h index b8f360f52..432adbcfd 100644 --- a/services/sensorservice/SensorFusion.h +++ b/services/sensorservice/SensorFusion.h @@ -37,7 +37,6 @@ class SensorDevice; class SensorFusion : public Singleton { friend class Singleton; - static const nsecs_t DEFAULT_EVENTS_PERIOD = 200000000; // 5 Hz SensorDevice& mSensorDevice; Sensor mAcc; From f0190bff38b6c29abbfc4a877442f71fc3d7dad8 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 13 Mar 2014 14:17:40 -0700 Subject: [PATCH 5/8] Add support for writing byte arrays to parcels b/13418320 Change-Id: I2285df9e9d3dc8a6a54055b13b352b81660bf45d --- include/binder/Parcel.h | 1 + libs/binder/Parcel.cpp | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h index c95f297b4..98f20de21 100644 --- a/include/binder/Parcel.h +++ b/include/binder/Parcel.h @@ -102,6 +102,7 @@ public: status_t writeStrongBinder(const sp& val); status_t writeWeakBinder(const wp& val); status_t writeInt32Array(size_t len, const int32_t *val); + status_t writeByteArray(size_t len, const uint8_t *val); template status_t write(const Flattenable& val); diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 021060657..17ffa05d9 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp 
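Review bot: SensorFusion::setDelay discards the result of all three `mSensorDevice.batch(...)` calls and then returns `NO_ERROR` unconditionally, so a rejected sampling period is reported to the caller as success. This matters more now that the activate() hunk drops its own batch calls and setDelay is the only visible place the rate is programmed. Assuming batch() returns a status_t, keep the first failing status, e.g. `status_t err = mSensorDevice.batch(ident, mAcc.getHandle(), 0, ns, 0);`, and return it when it is not `NO_ERROR`. The added comment could also state that `ns` applies to the accelerometer only, with the magnetometer fixed at `ms2ns(20)` and the gyro at `mTargetDelayNs`.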
@@ -628,6 +628,16 @@ status_t Parcel::writeInt32Array(size_t len, const int32_t *val) { } return ret; } +status_t Parcel::writeByteArray(size_t len, const uint8_t *val) { + if (!val) { + return writeAligned(-1); + } + status_t ret = writeAligned(len); + if (ret == NO_ERROR) { + ret = write(val, len * sizeof(*val)); + } + return ret; +} status_t Parcel::writeInt64(int64_t val) { From 37b44969c0ca1d00e213da685dfbb2807f2bab30 Mon Sep 17 00:00:00 2001 From: Marco Nelissen Date: Thu, 13 Mar 2014 14:17:40 -0700 Subject: [PATCH 6/8] Add support for writing byte arrays to parcels b/13418320 Cherrypicked from f0190bff38b6c29abbfc4a877442f71fc3d7dad8 https://googleplex-android-review.git.corp.google.com/#/c/433320/ Change-Id: I2285df9e9d3dc8a6a54055b13b352b81660bf45d --- include/binder/Parcel.h | 1 + libs/binder/Parcel.cpp | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/include/binder/Parcel.h b/include/binder/Parcel.h index 33b2f0050..939cfbea9 100644 --- a/include/binder/Parcel.h +++ b/include/binder/Parcel.h @@ -101,6 +101,7 @@ public: status_t writeStrongBinder(const sp& val); status_t writeWeakBinder(const wp& val); status_t write(const Flattenable& val); + status_t writeByteArray(size_t len, const uint8_t *val); // Place a native_handle into the parcel (the native_handle's file- // descriptors are dup'ed, so it is safe to delete the native_handle diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index dea14bb97..1162681bf 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -617,6 +617,17 @@ status_t Parcel::writeInt32(int32_t val) return writeAligned(val); } +status_t Parcel::writeByteArray(size_t len, const uint8_t *val) { + if (!val) { + return writeAligned(-1); + } + status_t ret = writeAligned(len); + if (ret == NO_ERROR) { + ret = write(val, len * sizeof(*val)); + } + return ret; +} + status_t Parcel::writeInt64(int64_t val) { return writeAligned(val); From 5b61ad2cda8ec8ab634ce02f388bb2d3c5ab048d Mon Sep 17 00:00:00 2001 
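Review bot: Parcel::writeByteArray writes the length with `writeAligned(len)` where `len` is a `size_t`, while the null marker is `writeAligned(-1)` with an `int`. If writeAligned takes its width from the argument type, the length field is 8 bytes on a 64-bit build but 4 bytes in the null case, and a `len` that came from a negative int conversion is accepted as a huge count. Bounding and narrowing the length first keeps the wire format fixed: `if (len > INT32_MAX) return BAD_VALUE;`, then `status_t ret = writeInt32(static_cast<int32_t>(len));`, with `writeInt32(-1)` for the null case. The cherry-pick in PATCH 6/8 adds the same function body and needs the same change.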
From: Kenny Root Date: Mon, 17 Mar 2014 13:18:16 -0700 Subject: [PATCH 7/8] Check the padded size of the read byte array Bug: 13509200 Change-Id: Id93894fcc617ec1cd4ce66921c6e1f1c3cf40b09 --- libs/binder/Parcel.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libs/binder/Parcel.cpp b/libs/binder/Parcel.cpp index 17ffa05d9..db9e0a1e2 100644 --- a/libs/binder/Parcel.cpp +++ b/libs/binder/Parcel.cpp @@ -908,7 +908,8 @@ void Parcel::remove(size_t start, size_t amt) status_t Parcel::read(void* outData, size_t len) const { - if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) { + if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize + && len <= PAD_SIZE(len)) { memcpy(outData, mData+mDataPos, len); mDataPos += PAD_SIZE(len); ALOGV("read Setting data pos of %p to %d\n", this, mDataPos); @@ -919,7 +920,8 @@ status_t Parcel::read(void* outData, size_t len) const const void* Parcel::readInplace(size_t len) const { - if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize) { + if ((mDataPos+PAD_SIZE(len)) >= mDataPos && (mDataPos+PAD_SIZE(len)) <= mDataSize + && len <= PAD_SIZE(len)) { const void* data = mData+mDataPos; mDataPos += PAD_SIZE(len); ALOGV("readInplace Setting data pos of %p to %d\n", this, mDataPos); From 9c7db08049e1d36c2f60dd703f27c432bc8cfbc5 Mon Sep 17 00:00:00 2001 From: Xia Wang Date: Wed, 26 Feb 2014 18:04:50 -0800 Subject: [PATCH 8/8] Build the benchmark test to /data/local/tmp/ for automated test Change-Id: I27a5ee24636ff9752a35dbab793821f6b7a79221 (cherry picked from commit b7925f1364b56708e072884a5ae9dba2d32b58e6) --- cmds/flatland/Android.mk | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmds/flatland/Android.mk b/cmds/flatland/Android.mk index 5e57f0279..d9478fea3 100644 --- a/cmds/flatland/Android.mk +++ b/cmds/flatland/Android.mk 
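Review bot: The added `len <= PAD_SIZE(len)` term in Parcel::read has no comment explaining why it is needed. Assuming PAD_SIZE rounds up, it is the only thing that stops a wrapped padded size from passing the range test while `memcpy` still copies the unpadded `len`. A comment such as `// PAD_SIZE(len) wraps for len close to SIZE_MAX; reject it so the copy cannot exceed the checked range` would keep the term from being removed later as redundant. Parcel::readInplace receives the identical three-term condition; computing `const size_t padded = PAD_SIZE(len);` once and sharing the test between the two functions would stop them drifting apart.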
@@ -1,3 +1,4 @@ +local_target_dir := $(TARGET_OUT_DATA)/local/tmp LOCAL_PATH:= $(call my-dir) include $(CLEAR_VARS) @@ -11,6 +12,8 @@ LOCAL_MODULE:= flatland LOCAL_MODULE_TAGS := tests +LOCAL_MODULE_PATH := $(local_target_dir) + LOCAL_SHARED_LIBRARIES := \ libEGL \ libGLESv2 \