Because of lack of mutex lock when get mConsumerName, if one thread
getConsumerName, another thread setConsumerName frequently, an UAF will
be triggered.
Change-Id: Id1bbf0d15de6d16def2f54ecade385058cda3b65
Test: Marling with poc provided in bug report.
Bug: 32706020
(cherry picked from commit d073eb7a3f28fd74bfa24c8b7599465cb7de5436)
(cherry picked from commit 2e16d5fac149dab3c3e8f1b2ca89f45cf55a7b34)
In a4650a5 the concept of a maximum frame number allowance for the consumer was
introduced. A call to acquireBuffers will only return buffers when their frame
number is less-than-or-equal-to this maximum frame number. When SurfaceFlinger
is the consumer, this maximum frame number is calculated in the
onFrameAvailable/onFrameReplaced callbacks. These callbacks are called when a
new buffer is dequeued by the application. The problem is that these callbacks
are called _after_ the fence wait which is used to throttle the frame
production of client apps. When the previous frame needs a long time to draw,
those waits can potentially be a long time. As a result SurfaceFlinger won't do
any composition with the new frame until the wait is over.
Normally this isn't a big problem because there is a queue of buffers for
SurfaceFlinger to work with. However, this changes massively when a client app
is using a swap interval of zero. In this case, a new frame will instantly
replace the previous queued frame. However, SurfaceFlinger doesn't know this
until the onFrameReplaced callback gets called - which is delayed by the fence
wait. If the timing is bad, SurfaceFlinger never gets a chance to pick up a new
frame to do the composition with.
We see this behaviour on our TC development system (slow GPU) with legacy
on-screen benchmarks. Such apps are using a swap interval of zero and sometimes
frames don't get updated for several seconds. This behaviour can be also seen
on a Nexus5, although it isn't as obvious as on our TC.
The fix in this cl is to move the EGL throttling to the end of the queueBuffers
function. This ensures that if a frame gets replaced in the queue, all
consumers who installed the callbacks, get called in a timely fashion.
Change-Id: I36e9ecda162150f41e97d4fb7437963a3d86b371
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
Adds a getConsumerName method to IGraphicBufferProducer and Surface.
Currently, the name is cached inside of IGBP and is update on connect
and dequeueBuffer, which should be good enough for most uses.
Bug: 6667401
Change-Id: I22c7881d778e495cf8276de7bbcd769e52429915
Adds a getConsumerName method to IGraphicBufferProducer and Surface.
Currently, the name is cached inside of IGBP and is updated on connect
and dequeueBuffer, which should be good enough for most uses.
Bug: 6667401
Change-Id: Ife94bd89023fe7c00bad916932b9a19233fd2290
This change allows producers to set a generation number on a
BufferQueue. This number will be embedded in any new GraphicBuffers
created in that BufferQueue, and attempts to attach buffers which have
a different generation number will fail.
It also plumbs the setGenerationNumber method through Surface, with the
additional effect that any buffers attached to the Surface after
setting a new generation number will automatically be updated with the
new number (as opposed to failing, as would happen on through IGBP).
Bug: 20923096
Change-Id: I32bf726b035f99c3e5834beaf76afb9f01adcbc2
This change places BufferQueue into a predictable state where
allocation is allowed whenever a producer connects. This allows clients
to disconnect and reconnect without having to worry about being locked
out of allocation.
Bug: 20554276
Change-Id: Ic0f920a3d4204f2cafdfa69e46f3bb4204571d7e
Adds a NATIVE_WINDOW_BUFFER_AGE query, which returns the age of the
contents of the most recently dequeued buffer as the number of frames
that have elapsed since it was last queued.
Change-Id: Ib6fd62945cb62d1e60133a65beee510363218a23
(cherry picked from commit 49f810c72df8d1d64128e376757079825c8decd4)
Adds a new method IGBP::allowAllocation, which controls whether
dequeueBuffer is permitted to allocate a new buffer. If allocation is
disallowed, dequeueBuffer will block or return an error as it
normally would (as controlled by *ControlledByApp).
If there are free buffers, but they are not of the correct dimensions,
format, or usage, they may be freed if a more suitable buffer is not
found first.
Bug: 19801715
Change-Id: I0d604958b78b2fd775c2547690301423f9a52165
BufferQueue used to choose free buffers by scanning through its array
of slots and picking one based on timestamp. This changes that
mechanism to use a pair of free lists: one with buffers attached and
one without. This makes it easier to choose either type of free slot
depending on the needs of the current operation.
Fixes an issue with the first version of this change, found in bugs
20482952, 20443314, and 20464549.
Bug: 13175420
Change-Id: I9b6e83cfe8f9b4329a976025cb8e291d51fb6d4a
BufferQueue used to choose free buffers by scanning through its array
of slots and picking one based on timestamp. This changes that
mechanism to use a pair of free lists: one with buffers attached and
one without. This makes it easier to choose either type of free slot
depending on the needs of the current operation.
Bug: 13175420
Change-Id: Ic8398e7511bd11a60a1c82e3ad2ee271c9822be1
This change adds support for passing surface damage all of the way
down from the EGL interface through the consumer side of the
BufferQueue. Depends on system/core change
Ie645e6a52b37b5c1b3be19481e8348570d1aa62c
Bug: 11239309
Change-Id: I4457ea826e9ade4ec187f973851d855b7b93a31b
- Wire up new dataSpace parameter through buffer queue stack
- Update tests to include the parameter
- Switch eglApi to using dataSpace to indicate sRGB gamma/linear
difference
- Remove RAW_SENSOR in favor of RAW16
- Remove use of sRGB format enums
- Add default dataspace to buffer queue core
- Add query for default dataspace
Cherry pick of I070bd2e7c56506055c419004c29e2e3feac725df
Change-Id: I461952389c18051176c6b75e664f20ad369f5760
Enables -Weverything and -Werror, with just a few exceptions for
warnings we can't (or shouldn't need to) work around.
Cherry pick of I034abec27bf4020d84af60d7acc1939c59986dd6 plus a
couple of minor changes to CpuConsumer.cpp to make it work with a
prior change:
Uncomment CC_LOGV on line 46
Change C-style cast to static_cast on line 71
Change-Id: Iaec610477ea0122317b0578fb74caf2383d4cf08
so we can do NULL checks again, and update calls to IInterface::asBinder()
to use the new static version.
Change-Id: Ia7b10eb38ca55b72278bfd33d3bf647f338b4e6a
Passes the BufferItem for the queued buffer to the onFrameAvailable
callback so the consumer can track the BufferQueue's contents. Also
adds an onFrameReplaced callback, which is necessary if the consumer
wants to do anything more than simple queue length tracking.
Bug: 18111837
Change-Id: If9d07229c9b586c668e5f99074e9b63b0468feb0
On one device there is a bug, not yet root-caused, that causes fence
fds to not make it across binder from producer to consumer in the
IGraphicBufferProducer::queueBuffer call. Rather than returning an
error, which the producer typically treats as a fatal error, this
change allows the buffer to be queued with no fence. This avoids an
application crash at the risk of (likely single-frame) visible
corruption.
Bug: 17946343
Change-Id: I9ca89f94098c455e1e90f5f58d5336c936b04a9c
Throttling was previously controlled by a combination of the
driver and the number of buffers in the queue. This patch makes
a more consistent trade-off, which allows two GPU frames pending
but not three. More buffering could improve throughput in the
case of varying frame times, but this also increases latency.
Bug: 17502897
Change-Id: I4ee68019ca94c635294c5959931a555a6c4ef2df
Commit 78014f32da introduced a bug that
made us pre-allocate buffers into the last available free slots instead
of the first available ones. This in turn caused more re-allocations,
and possibly triggered driver bugs.
Change-Id: Ic4a70e676b4f2bbb054bc873be62ced26e3099a0
BufferQueueProducer::allocateBuffers used to keep the BufferQueueCore
mutex while doing the buffer allocation, which would cause the consumer
(which also needs the mutex) to block if the allocation takes a long
time.
Instead, release the mutex while doing the allocation, and grab it again
before filling the slots. Keep a bool state and a condvar to prevent
other producers from trying to allocate the slots while the mutex is
released.
Bug: 11792166
Change-Id: I4ab1319995ef892be2beba892f1fdbf50ce0416d
(cherry picked from commit ea96044470)
Bug: 15116722
- Adds a sticky transform field that can be set from a
SurfaceFlinger client Surface. This transform is
added to any transform applied to the Surface.
Change-Id: Idaa4311dfd027b2d2b8ea5e2c6cba2da5779d753
This adds an allocateBuffers method to BufferQueue, which instructs
it to allocate up to the maximum number of buffers allowed by the
current configuration. The goal is that this method can be called
ahead of render time, which will prevent dequeueBuffers from blocking
in allocation and inducing jank.
This interface is also plumbed up to the native Surface (and, in
another change, up to the Java Surface and ThreadedRenderer).
Bug: 11792166
Change-Id: I4aa96b4351ea1c95ed5db228ca3ef98303229c74
Adds logic to dequeueBuffer that blocks if there are currently too
many buffers in the queue. This prevents unbounded growth around
times where the slots are cleared but the queue is not (e.g.,
during rapid connect/disconnect or setBufferCount activity). This
replaces the fix from ag/377958 in a more general way.
Bug: 11293214
Change-Id: Ieb7adfcd076ff7ffe3d4d369397b2c29cf5099c3
Adds a new method, IGBP::detachNextBuffer, that effectively does
dequeue + request + detach in a single call, but does not need to
know anything about the dequeued buffer, and will not block on
dequeue. This is mostly for the upcoming StreamSplitter to use in
its onBufferReleased callback.
Change-Id: Ie88a69de109003acebaa486a5b44c8a455726550
- Notify a listener when sideband stream is set
- Mark a layer as visible when sideband stream is set, even though
no buffer is queued.
Change-Id: I9652bf530f2b5ce331533ec1bb3b10a815ca191c
Add a callback to the producer side, onBufferReleased, which will be
called every time the consumer releases a buffer back to the
BufferQueue. This will enable a buffer stream splitter to work
autonomously without having to block on dequeueBuffer.
The binder object used for the callback replaces the generic IBinder
token that was passed into IGraphicBufferProducer::connect to detect
the death of the producer. If a producer does not wish to listen for
buffer release events, it can pass in an instance of the
DummyProducerListener class defined in IProducerListener.h, if it even
cares about death events (BufferQueue doesn't enforce the token being
non-NULL, though perhaps we should).
Change-Id: I23935760673524abeafea2b58dccc3583b368710
When a buffer is attached to the producer side, it needs to be marked
as having been requested so that it can be queued successfully.
Change-Id: I90a88b332c415a57921bd094ae635afdf65bff99
Sideband streams are essentially a device-specific buffer queue that
bypasses the BufferQueue system. They can be used for situations with
hard real-time requirements like high-quality TV and video playback
with A/V sync. A handle to the stream is provided by the source HAL,
and attached to a BufferQueue. The sink HAL can read buffers via the
stream handle rather than acquiring individual buffers from the
BufferQueue.
Change-Id: Ib3f262eddfc520f4bbe3d9b91753ed7dd09d3a9b
Adds detachBuffer and attachBuffer calls to both the producer and
consumer sides of BufferQueue. Buffers may be detached while dequeued
by the producer or acquired by the consumer, and when attached, enter
the dequeued and acquired states, respectively.
Bug: 13173343
Change-Id: Ic152692b0a94d99e0135b9bfa62747dab2a54220
Now that BufferQueue has been split into core + producer + consumer,
rewrite BufferQueue to be a thin layer over a producer and consumer
interface. Eventually, this layer will be deprecated in favor of
only using either the producer or consumer interface, as applicable.
Change-Id: I340ae5f5b633b244fb594615ff52ba50b9e2f7e4
Fabien Sanglard