AImageReader CFI crash mitigations

Revert "gpu/android: Remove setup for disabling AImageReader."
This reverts commit dcd5a39.

Revert "Remove flags to enable/disable AImageReader."
This reverts commit 463fa0f.

Restore GPU bug blacklist for AImageReader on ARM and Qualcomm CPUs

Restore the AImageReader blacklist for ARM/Qualcomm chipsets which causes
crashes on Android 9 and 10 (at different code locations).

See discussions at:
* bromite/bromite#445
* bromite/bromite#814
* bromite/bromite#1005

License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html

Change-Id: I0db87f4107c94f68e846f06f365b8eefd0076599

base/android/android_image_reader_compat.cc

@@ -23,15 +23,21 @@
 namespace base {
 namespace android {
 
+bool AndroidImageReader::disable_support_ = false;
+
 AndroidImageReader& AndroidImageReader::GetInstance() {
   // C++11 static local variable initialization is
   // thread-safe.
   static AndroidImageReader instance;
   return instance;
 }
 
+void AndroidImageReader::DisableSupport() {
+  disable_support_ = true;
+}
+
 bool AndroidImageReader::IsSupported() {
-  return is_supported_;
+  return !disable_support_ && is_supported_;
 }
 
 AndroidImageReader::AndroidImageReader() : is_supported_(LoadFunctions()) {}

base/android/android_image_reader_compat.h

@@ -24,6 +24,9 @@ class BASE_EXPORT AndroidImageReader {
   AndroidImageReader(const AndroidImageReader&) = delete;
   AndroidImageReader& operator=(const AndroidImageReader&) = delete;
 
+  // Disable image reader support.
+  static void DisableSupport();
+
   // Check if the image reader usage is supported. This function returns TRUE
   // if android version is >=OREO, image reader support is not disabled and all
   // the required functions are loaded.
@@ -61,6 +64,7 @@ class BASE_EXPORT AndroidImageReader {
   jobject ANativeWindow_toSurface(JNIEnv* env, ANativeWindow* window);
 
  private:
+  static bool disable_support_;
   friend class base::NoDestructor<AndroidImageReader>;
 
   AndroidImageReader();

chrome/browser/flag-metadata.json

@@ -2957,9 +2957,9 @@
     "expiry_milestone": 125
   },
   {
-    "name": "enable-image-reader",
-    "owners": [ "vikassoni", "liberato" ],
-    "expiry_milestone": 125
+    "name": "enable-image-reader",          // Bromite: do not expire
+    "owners": [ "vikassoni", "liberato" ],  // flag
+    "expiry_milestone": -1
   },
   {
     "name": "enable-immersive-fullscreen-toolbar",

gpu/config/gpu_driver_bug_list.json

@@ -3688,6 +3688,22 @@
         "no_downscaled_overlay_promotion"
       ]
     },
+    {
+      "id":335,
+      "cr_bugs": [1051705],
+      "description": "Disable AImageReader on ARM GPUs",
+      "os": {
+        "type": "android",
+        "version": {
+          "op": "<",
+          "value": "10"
+        }
+      },
+      "gl_vendor": "ARM.*|Qualcomm.*",
+      "features": [
+        "disable_aimagereader"
+      ]
+    },
     {
       "id": 381,
       "cr_bugs": [

gpu/config/gpu_finch_features.cc

@@ -65,6 +65,11 @@ BASE_FEATURE(kUseGles2ForOopR,
 #endif
 );
 
+
+// Use android AImageReader when playing videos with MediaPlayer.
+const base::Feature kAImageReaderMediaPlayer{"AImageReaderMediaPlayer",
+                                  base::FEATURE_ENABLED_BY_DEFAULT};
+
 #if BUILDFLAG(IS_ANDROID)
 // Use android SurfaceControl API for managing display compositor's buffer queue
 // and using overlays on Android. Also used by webview to disable surface

gpu/config/gpu_finch_features.h

@@ -17,6 +17,7 @@ namespace features {
 GPU_EXPORT BASE_DECLARE_FEATURE(kUseGles2ForOopR);
 
 // All features in alphabetical order. The features should be documented
+GPU_EXPORT extern const base::Feature kAImageReaderMediaPlayer;
 // alongside the definition of their values in the .cc file.
 #if BUILDFLAG(IS_ANDROID)
 GPU_EXPORT BASE_DECLARE_FEATURE(kAndroidSurfaceControl);

gpu/config/gpu_util.cc

@@ -122,6 +122,9 @@ GpuFeatureStatus GetAndroidSurfaceControlFeatureStatus(
 #if !BUILDFLAG(IS_ANDROID)
   return kGpuFeatureStatusDisabled;
 #else
+  if (blocklisted_features.count(GPU_FEATURE_TYPE_ANDROID_SURFACE_CONTROL))
+    return kGpuFeatureStatusBlocklisted;
+
   if (!gpu_preferences.enable_android_surface_control)
     return kGpuFeatureStatusDisabled;
 
@@ -347,6 +350,11 @@ void AdjustGpuFeatureStatusToWorkarounds(GpuFeatureInfo* gpu_feature_info) {
     gpu_feature_info->status_values[GPU_FEATURE_TYPE_CANVAS_OOP_RASTERIZATION] =
         kGpuFeatureStatusBlocklisted;
   }
+
+  if (gpu_feature_info->IsWorkaroundEnabled(DISABLE_AIMAGEREADER)) {
+    gpu_feature_info->status_values[GPU_FEATURE_TYPE_ANDROID_SURFACE_CONTROL] =
+        kGpuFeatureStatusBlocklisted;
+  }
 }
 
 // Estimates roughly user total disk space by counting in the drives where

gpu/config/gpu_workaround_list.txt

@@ -16,6 +16,7 @@ decode_encode_srgb_for_generatemipmap
 depth_stencil_renderbuffer_resize_emulation
 disable_2d_canvas_auto_flush
 disable_accelerated_av1_decode
+disable_aimagereader
 disable_accelerated_av1_encode
 disable_accelerated_h264_decode
 disable_accelerated_h264_encode

gpu/ipc/service/gpu_init.cc

@@ -628,6 +628,11 @@ bool GpuInit::InitializeAndStartSandbox(base::CommandLine* command_line,
   }
 #endif  // BUILDFLAG(IS_WIN)
 
+  // Disable AImageReader if the workaround is enabled.
+  if (gpu_feature_info_.IsWorkaroundEnabled(DISABLE_AIMAGEREADER)) {
+    base::android::AndroidImageReader::DisableSupport();
+  }
+
   if (gpu_feature_info_.status_values[GPU_FEATURE_TYPE_VULKAN] !=
           kGpuFeatureStatusEnabled ||
       !InitializeVulkan()) {

gpu/ipc/service/stream_texture_android.cc

@@ -6,6 +6,7 @@
 
 #include <string.h>
 
+#include "base/android/android_image_reader_compat.h"
 #include "base/android/scoped_hardware_buffer_fence_sync.h"
 #include "base/feature_list.h"
 #include "base/functional/bind.h"
@@ -50,7 +51,15 @@ std::unique_ptr<ui::ScopedMakeCurrent> MakeCurrent(
 }
 
 TextureOwner::Mode GetTextureOwnerMode() {
-  return features::IsAImageReaderEnabled()
+  const bool a_image_reader_supported =
+      base::android::AndroidImageReader::GetInstance().IsSupported();
+
+  // TODO(vikassoni) : Currently we have 2 different flags to enable/disable
+  // AImageReader - one for MCVD and other for MediaPlayer here. Merge those 2
+  // flags into a single flag. Keeping the 2 flags separate for now since finch
+  // experiment using this flag is in progress.
+  return a_image_reader_supported && features::IsAImageReaderEnabled() &&
+             base::FeatureList::IsEnabled(features::kAImageReaderMediaPlayer)
              ? TextureOwner::Mode::kAImageReaderInsecure
              : TextureOwner::Mode::kSurfaceTextureInsecure;
 }

media/base/media_switches.cc

@@ -985,6 +985,11 @@ BASE_FEATURE(kHardwareSecureDecryptionExperiment,
 // Allows automatically disabling hardware secure Content Decryption Module
 // (CDM) after failures or crashes to fallback to software secure CDMs. If this
 // feature is disabled, the fallback will never happen and users could be stuck
+// Enables the Android Image Reader path for Video decoding(for AVDA and MCVD)
+BASE_FEATURE(kAImageReaderVideoOutput,
+             "AImageReaderVideoOutput",
+             base::FEATURE_ENABLED_BY_DEFAULT);
+
 // in playback failures.
 BASE_FEATURE(kHardwareSecureDecryptionFallback,
              "HardwareSecureDecryptionFallback",

media/base/media_switches.h

@@ -332,6 +332,7 @@ MEDIA_EXPORT BASE_DECLARE_FEATURE(kVideoBlitColorAccuracy);
 MEDIA_EXPORT BASE_DECLARE_FEATURE(kVideoToolboxVideoDecoder);
 #endif  // BUILDFLAG(IS_APPLE)
 MEDIA_EXPORT BASE_DECLARE_FEATURE(kWebRTCColorAccuracy);
+MEDIA_EXPORT BASE_DECLARE_FEATURE(kAImageReaderVideoOutput);
 MEDIA_EXPORT BASE_DECLARE_FEATURE(kVp9kSVCHWDecoding);
 MEDIA_EXPORT BASE_DECLARE_FEATURE(kWebContentsCaptureHiDpi);
 MEDIA_EXPORT BASE_DECLARE_FEATURE(kWebrtcMediaCapabilitiesParameters);