Merge branch '3659-master-140' into 'master'

use_debug_fission=true

use_debug_fission=true

use_errorprone_java_compiler=false

use_errorprone_java_compiler=false

use_official_google_api_keys=false

use_official_google_api_keys=false

use_relr_relocations=false

use_rtti=false

use_rtti=false

use_stable_package_name_for_trichrome=false

use_stable_package_name_for_trichrome=false

use_sysroot=false

use_sysroot=false

From: csagan5 <32685696+csagan5@users.noreply.github.com>

Date: Tue, 5 May 2020 07:22:20 +0200

Subject: AImageReader CFI crash mitigations

Revert "gpu/android: Remove setup for disabling AImageReader."

This reverts commit dcd5a39518246eb999f1cc63bf1ec95d93fd5b2f.

Revert "Remove flags to enable/disable AImageReader."

This reverts commit 463fa0f2e3b9e418bc26e2c8954463f0b0f76634.

Restore GPU bug blacklist for AImageReader on ARM and Qualcomm CPUs

Restore the AImageReader blacklist for ARM/Qualcomm chipsets which causes

crashes on Android 9 and 10 (at different code locations).

See discussions at:

* https://github.com/bromite/bromite/issues/445

* https://github.com/bromite/bromite/issues/814

* https://github.com/bromite/bromite/issues/1005

License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html

---

 base/android/android_image_reader_compat.cc      | 16 ++++++++++++++++

 base/android/android_image_reader_compat.h       | 14 ++++++++++++++

 chrome/browser/flag-metadata.json                |  4 ++++

 .../AImageReader-CFI-crash-mitigations.inc       |  4 ++++

 .../AImageReader-CFI-crash-mitigations.inc       |  1 +

 gpu/config/gpu_driver_bug_list.json              | 16 ++++++++++++++++

 gpu/config/gpu_finch_features.cc                 |  5 +++++

 gpu/config/gpu_finch_features.h                  |  1 +

 gpu/config/gpu_util.cc                           |  8 ++++++++

 gpu/config/gpu_workaround_list.txt               |  1 +

 gpu/ipc/service/gpu_init.cc                      |  8 ++++++++

 media/gpu/android/video_frame_factory_impl.cc    |  4 +++-

 12 files changed, 81 insertions(+), 1 deletion(-)

 create mode 100644 cromite_flags/media/base/media_switches_cc/AImageReader-CFI-crash-mitigations.inc

 create mode 100644 cromite_flags/media/base/media_switches_h/AImageReader-CFI-crash-mitigations.inc

diff --git a/base/android/android_image_reader_compat.cc b/base/android/android_image_reader_compat.cc

--- a/base/android/android_image_reader_compat.cc

+++ b/base/android/android_image_reader_compat.cc

@@ -7,7 +7,23 @@

 namespace base {

 namespace android {

+AndroidImageReader& AndroidImageReader::GetInstance() {

+  // C++11 static local variable initialization is

+  // thread-safe.

+  static AndroidImageReader instance;

+  return instance;

+}

+

+void AndroidImageReader::DisableSupport() {

+  disable_support_ = true;

+}

+

+bool AndroidImageReader::IsSupported() {

+  return !disable_support_;

+}

+

 bool EnableAndroidImageReader() {

+  if (!AndroidImageReader::GetInstance().IsSupported()) return false;

   // Currently we want to enable AImageReader only for android P+ devices.

   if (__builtin_available(android 28, *)) {

     return true;

diff --git a/base/android/android_image_reader_compat.h b/base/android/android_image_reader_compat.h

--- a/base/android/android_image_reader_compat.h

+++ b/base/android/android_image_reader_compat.h

@@ -10,6 +10,20 @@

 namespace base {

 namespace android {

+class BASE_EXPORT AndroidImageReader {

+ public:

+  // Thread safe GetInstance.

+  static AndroidImageReader& GetInstance();

+

+  bool IsSupported();

+

+  // Disable image reader support.

+  void DisableSupport();

+

+ private:

+  bool disable_support_ = false;

+};

+

 // Check if the image reader usage is supported.

 BASE_EXPORT bool EnableAndroidImageReader();

diff --git a/chrome/browser/flag-metadata.json b/chrome/browser/flag-metadata.json

--- a/chrome/browser/flag-metadata.json

+++ b/chrome/browser/flag-metadata.json

@@ -3627,6 +3627,10 @@

       "chrome-signin-team@google.com"

     ],

     "expiry_milestone": 138

+  },{

+    "name": "enable-image-reader",          // Bromite: do not expire

+    "owners": [ "vikassoni@chromium.org", "liberato@chromium.org" ],  // flag

+    "expiry_milestone": -1

   },

   {

     "name": "enable-immersive-fullscreen-toolbar",

diff --git a/cromite_flags/media/base/media_switches_cc/AImageReader-CFI-crash-mitigations.inc b/cromite_flags/media/base/media_switches_cc/AImageReader-CFI-crash-mitigations.inc

new file mode 100644

--- /dev/null

+++ b/cromite_flags/media/base/media_switches_cc/AImageReader-CFI-crash-mitigations.inc

@@ -0,0 +1,4 @@

+// Enables the Android Image Reader path for Video decoding(for AVDA and MCVD)

+CROMITE_FEATURE(kAImageReaderVideoOutput,

+                "AImageReaderVideoOutput",

+                base::FEATURE_ENABLED_BY_DEFAULT);

diff --git a/cromite_flags/media/base/media_switches_h/AImageReader-CFI-crash-mitigations.inc b/cromite_flags/media/base/media_switches_h/AImageReader-CFI-crash-mitigations.inc

new file mode 100644

--- /dev/null

+++ b/cromite_flags/media/base/media_switches_h/AImageReader-CFI-crash-mitigations.inc

@@ -0,0 +1 @@

+MEDIA_EXPORT BASE_DECLARE_FEATURE(kAImageReaderVideoOutput);

diff --git a/gpu/config/gpu_driver_bug_list.json b/gpu/config/gpu_driver_bug_list.json

--- a/gpu/config/gpu_driver_bug_list.json

+++ b/gpu/config/gpu_driver_bug_list.json

@@ -2617,6 +2617,22 @@

         "no_downscaled_overlay_promotion"

       ]

     },

+    {

+      "id":335,

+      "cr_bugs": [1051705],

+      "description": "Disable AImageReader on ARM GPUs",

+      "os": {

+        "type": "android",

+        "version": {

+          "op": "<",

+          "value": "10"

+        }

+      },

+      "gl_vendor": "ARM.*|Qualcomm.*",

+      "features": [

+        "disable_aimagereader"

+      ]

+    },

     {

       "id": 381,

       "cr_bugs": [

diff --git a/gpu/config/gpu_finch_features.cc b/gpu/config/gpu_finch_features.cc

--- a/gpu/config/gpu_finch_features.cc

+++ b/gpu/config/gpu_finch_features.cc

@@ -59,6 +59,11 @@ BASE_FEATURE(kAggressiveShaderCacheLimits,

              base::FEATURE_DISABLED_BY_DEFAULT);

 #if BUILDFLAG(IS_ANDROID)

+// Use android AImageReader when playing videos with MediaPlayer.

+CROMITE_FEATURE(kAImageReaderMediaPlayer,

+                "AImageReaderMediaPlayer",

+                base::FEATURE_ENABLED_BY_DEFAULT);

+

 // Use android SurfaceControl API for managing display compositor's buffer queue

 // and using overlays on Android. Also used by webview to disable surface

 // SurfaceControl.

diff --git a/gpu/config/gpu_finch_features.h b/gpu/config/gpu_finch_features.h

--- a/gpu/config/gpu_finch_features.h

+++ b/gpu/config/gpu_finch_features.h

@@ -26,6 +26,7 @@ GPU_CONFIG_EXPORT BASE_DECLARE_FEATURE(kUseGles2ForOopR);

 GPU_CONFIG_EXPORT BASE_DECLARE_FEATURE(kAggressiveShaderCacheLimits);

 #if BUILDFLAG(IS_ANDROID)

+GPU_CONFIG_EXPORT BASE_DECLARE_FEATURE(kAImageReaderMediaPlayer);

 GPU_CONFIG_EXPORT BASE_DECLARE_FEATURE(kAndroidSurfaceControl);

 GPU_CONFIG_EXPORT BASE_DECLARE_FEATURE(kWebViewSurfaceControl);

 GPU_CONFIG_EXPORT BASE_DECLARE_FEATURE(kWebViewSurfaceControlForTV);

diff --git a/gpu/config/gpu_util.cc b/gpu/config/gpu_util.cc

--- a/gpu/config/gpu_util.cc

+++ b/gpu/config/gpu_util.cc

@@ -127,6 +127,9 @@ GpuFeatureStatus GetAndroidSurfaceControlFeatureStatus(

 #if !BUILDFLAG(IS_ANDROID)

   return kGpuFeatureStatusDisabled;

 #else

+  if (blocklisted_features.count(GPU_FEATURE_TYPE_ANDROID_SURFACE_CONTROL))

+    return kGpuFeatureStatusBlocklisted;

+

   if (!gpu_preferences.enable_android_surface_control)

     return kGpuFeatureStatusDisabled;

@@ -348,6 +351,11 @@ void AdjustGpuFeatureStatusToWorkarounds(GpuFeatureInfo* gpu_feature_info,

           kGpuFeatureStatusSoftware;

     }

   }

+

+  if (gpu_feature_info->IsWorkaroundEnabled(DISABLE_AIMAGEREADER)) {

+    gpu_feature_info->status_values[GPU_FEATURE_TYPE_ANDROID_SURFACE_CONTROL] =

+        kGpuFeatureStatusBlocklisted;

+  }

 }

 // Estimates roughly user total disk space by counting in the drives where

diff --git a/gpu/config/gpu_workaround_list.txt b/gpu/config/gpu_workaround_list.txt

--- a/gpu/config/gpu_workaround_list.txt

+++ b/gpu/config/gpu_workaround_list.txt

@@ -6,6 +6,7 @@ check_egl_fence_before_wait

 check_ycbcr_studio_g22_left_p709_for_nv12_support

 disable_2d_canvas_auto_flush

 disable_accelerated_av1_decode

+disable_aimagereader

 disable_accelerated_av1_encode

 disable_accelerated_h264_decode

 disable_accelerated_h264_encode

diff --git a/gpu/ipc/service/gpu_init.cc b/gpu/ipc/service/gpu_init.cc

--- a/gpu/ipc/service/gpu_init.cc

+++ b/gpu/ipc/service/gpu_init.cc

@@ -69,6 +69,7 @@

 #if BUILDFLAG(IS_ANDROID)

 #include "ui/gfx/android/android_surface_control_compat.h"

+#include "base/android/android_image_reader_compat.h"

 #endif

 #if BUILDFLAG(ENABLE_VULKAN)

@@ -688,6 +689,13 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line,

   }

 #endif  // BUILDFLAG(IS_WIN)

+#if BUILDFLAG(IS_ANDROID)

+  // Disable AImageReader if the workaround is enabled.

+  if (gpu_feature_info_.IsWorkaroundEnabled(DISABLE_AIMAGEREADER)) {

+    base::android::AndroidImageReader::GetInstance().DisableSupport();

+  }

+#endif

+

   if (gpu_feature_info_.status_values[GPU_FEATURE_TYPE_VULKAN] !=

           kGpuFeatureStatusEnabled ||

       !InitializeVulkan()) {

diff --git a/media/gpu/android/video_frame_factory_impl.cc b/media/gpu/android/video_frame_factory_impl.cc

--- a/media/gpu/android/video_frame_factory_impl.cc

+++ b/media/gpu/android/video_frame_factory_impl.cc

@@ -35,10 +35,12 @@ namespace {

 gpu::TextureOwner::Mode GetTextureOwnerMode(

     VideoFrameFactory::OverlayMode overlay_mode) {

+  const bool enabled = base::android::EnableAndroidImageReader() &&

+             base::FeatureList::IsEnabled(features::kAImageReaderMediaPlayer);

   switch (overlay_mode) {

     case VideoFrameFactory::OverlayMode::kDontRequestPromotionHints:

     case VideoFrameFactory::OverlayMode::kRequestPromotionHints:

-      return base::android::EnableAndroidImageReader()

+      return enabled

                  ? gpu::TextureOwner::Mode::kAImageReaderInsecure

                  : gpu::TextureOwner::Mode::kSurfaceTextureInsecure;

     case VideoFrameFactory::OverlayMode::kSurfaceControlSecure:

--

diff --git a/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java b/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java

diff --git a/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java b/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java

--- a/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java

--- a/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java

+++ b/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java

+++ b/chrome/android/java/src/org/chromium/chrome/browser/app/ChromeActivity.java

@@ -233,6 +233,7 @@ import org.chromium.content_public.browser.LoadUrlParams;

@@ -236,6 +236,7 @@ import org.chromium.content_public.browser.LoadUrlParams;

 import org.chromium.content_public.browser.SelectionPopupController;

 import org.chromium.content_public.browser.SelectionPopupController;

 import org.chromium.content_public.browser.WebContents;

 import org.chromium.content_public.browser.WebContents;

 import org.chromium.content_public.common.ContentSwitches;

 import org.chromium.content_public.common.ContentSwitches;

 import org.chromium.printing.PrintManagerDelegateImpl;

 import org.chromium.printing.PrintManagerDelegateImpl;

 import org.chromium.printing.PrintingController;

 import org.chromium.printing.PrintingController;

 import org.chromium.printing.PrintingControllerImpl;

 import org.chromium.printing.PrintingControllerImpl;

@@ -977,6 +978,8 @@ public abstract class ChromeActivity extends AsyncInitializationActivity

@@ -985,6 +986,8 @@ public abstract class ChromeActivity extends AsyncInitializationActivity

         super.onStartWithNative();

         super.onStartWithNative();

         ChromeActivitySessionTracker.getInstance().onStartWithNative(getProfileProviderSupplier());

         ChromeActivitySessionTracker.getInstance().onStartWithNative(getProfileProviderSupplier());

diff --git a/chrome/browser/flags/android/chrome_feature_list.cc b/chrome/browser/flags/android/chrome_feature_list.cc

diff --git a/chrome/browser/flags/android/chrome_feature_list.cc b/chrome/browser/flags/android/chrome_feature_list.cc

--- a/chrome/browser/flags/android/chrome_feature_list.cc

--- a/chrome/browser/flags/android/chrome_feature_list.cc

+++ b/chrome/browser/flags/android/chrome_feature_list.cc

+++ b/chrome/browser/flags/android/chrome_feature_list.cc

@@ -179,6 +179,7 @@ const base::Feature* const kFeaturesExposedToJava[] = {

@@ -184,6 +184,7 @@ const base::Feature* const kFeaturesExposedToJava[] = {

     &feed::kFeedPerformanceStudy,

     &feed::kFeedPerformanceStudy,

     &feed::kFeedShowSignInCommand,

     &feed::kFeedShowSignInCommand,

     &feed::kFeedSignedOutViewDemotion,

     &feed::kFeedSignedOutViewDemotion,

     public static final String ADAPTIVE_BUTTON_IN_TOP_TOOLBAR_PAGE_SUMMARY =

     public static final String ADAPTIVE_BUTTON_IN_TOP_TOOLBAR_PAGE_SUMMARY =

             "AdaptiveButtonInTopToolbarPageSummary";

             "AdaptiveButtonInTopToolbarPageSummary";

     public static final String ALLOW_TAB_CLOSING_UPON_MINIMIZATION =

     public static final String ALLOW_TAB_CLOSING_UPON_MINIMIZATION =

@@ -728,6 +729,8 @@ public abstract class ChromeFeatureList {

@@ -768,6 +769,8 @@ public abstract class ChromeFeatureList {

     public static final CachedFlag sAndroidWindowPopupLargeScreen =

     public static final CachedFlag sAndroidWindowPopupResizeAfterSpawn =

             newCachedFlag(ANDROID_WINDOW_POPUP_LARGE_SCREEN, false);

             newCachedFlag(ANDROID_WINDOW_POPUP_RESIZE_AFTER_SPAWN, false);

     public static final CachedFlag sAppSpecificHistory = newCachedFlag(APP_SPECIFIC_HISTORY, true);

     public static final CachedFlag sAppSpecificHistory = newCachedFlag(APP_SPECIFIC_HISTORY, true);

+    public static final CachedFlag sAllowUserCertificates =

+    public static final CachedFlag sAllowUserCertificates =

+            newCachedFlag(ALLOW_USER_CERTIFICATES, false);

+            newCachedFlag(ALLOW_USER_CERTIFICATES, false);

     public static final CachedFlag sAppSpecificHistoryViewIntent =

             newCachedFlag(APP_SPECIFIC_HISTORY_VIEW_INTENT, true);

     public static final CachedFlag sAsyncNotificationManager =

     public static final CachedFlag sAsyncNotificationManager =

             newCachedFlag(ASYNC_NOTIFICATION_MANAGER, false, true);

@@ -1080,6 +1083,7 @@ public abstract class ChromeFeatureList {

     public static final CachedFlag sAsyncNotificationManagerForDownload =

@@ -1032,6 +1035,7 @@ public abstract class ChromeFeatureList {

                     sAccountForSuppressedKeyboardInsets,

                     sAccountForSuppressedKeyboardInsets,

                     sAllowTabClosingUponMinimization,

                     sAllowTabClosingUponMinimization,

                     sAndroidAppIntegration,

                     sAndroidAppIntegration,

diff --git a/chrome/android/java/src/org/chromium/chrome/browser/KeyboardShortcuts.java b/chrome/android/java/src/org/chromium/chrome/browser/KeyboardShortcuts.java

diff --git a/chrome/android/java/src/org/chromium/chrome/browser/KeyboardShortcuts.java b/chrome/android/java/src/org/chromium/chrome/browser/KeyboardShortcuts.java

--- a/chrome/android/java/src/org/chromium/chrome/browser/KeyboardShortcuts.java

--- a/chrome/android/java/src/org/chromium/chrome/browser/KeyboardShortcuts.java

+++ b/chrome/android/java/src/org/chromium/chrome/browser/KeyboardShortcuts.java

+++ b/chrome/android/java/src/org/chromium/chrome/browser/KeyboardShortcuts.java

@@ -888,6 +888,11 @@ public class KeyboardShortcuts {

@@ -890,6 +890,11 @@ public class KeyboardShortcuts {

                     KeyEvent.KEYCODE_B,

                     KeyEvent.KEYCODE_B,

                     (KeyEvent.META_CTRL_ON | KeyEvent.META_SHIFT_ON));

                     (KeyEvent.META_CTRL_ON | KeyEvent.META_SHIFT_ON));

         }

         }

diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc

diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc

--- a/net/url_request/url_request_http_job.cc

--- a/net/url_request/url_request_http_job.cc

+++ b/net/url_request/url_request_http_job.cc

+++ b/net/url_request/url_request_http_job.cc

@@ -398,6 +398,11 @@ std::unique_ptr<URLRequestJob> URLRequestHttpJob::Create(URLRequest* request) {

@@ -408,6 +408,11 @@ std::unique_ptr<URLRequestJob> URLRequestHttpJob::Create(URLRequest* request) {

       }

       }

     }

     }