From 311e9c949587e7276eb6a0863e0f2aa66ba2ae5e Mon Sep 17 00:00:00 2001
From: Mathias Agopian <mathias@google.com>
Date: Mon, 3 Apr 2017 17:14:31 -0700
Subject: [PATCH 1/3] fix race condition that can cause a use after free

Backported from 12a0ccd6f7201bac706d903ac3f436c4358fe203.

Bug: 33004354
Test: manual
Change-Id: I9b38ee644b02268c9b995a330db758aa2e568399
(cherry picked from commit 59485525a6047453e6ba16c03989381e2a0d56ec)
---
 libs/gui/BufferQueueProducer.cpp | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index b2169c84c73..ff85eb5ce8e 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
@@ -921,7 +921,11 @@ status_t BufferQueueProducer::queueBuffer(int slot,
 
     // Call back without the main BufferQueue lock held, but with the callback
     // lock held so we can ensure that callbacks occur in order
-    {
+
+    int connectedApi;
+    sp<Fence> lastQueuedFence;
+
+    { // scope for the lock
         Mutex::Autolock lock(mCallbackMutex);
         while (callbackTicket != mCurrentCallbackTicket) {
             mCallbackCondition.wait(mCallbackMutex);
@@ -933,20 +937,24 @@ status_t BufferQueueProducer::queueBuffer(int slot,
             frameReplacedListener->onFrameReplaced(item);
         }
 
+        connectedApi = mCore->mConnectedApi;
+        lastQueuedFence = std::move(mLastQueueBufferFence);
+
+        mLastQueueBufferFence = std::move(fence);
+        mLastQueuedCrop = item.mCrop;
+        mLastQueuedTransform = item.mTransform;
+
         ++mCurrentCallbackTicket;
         mCallbackCondition.broadcast();
     }
 
     // Wait without lock held
-    if (mCore->mConnectedApi == NATIVE_WINDOW_API_EGL) {
+    if (connectedApi == NATIVE_WINDOW_API_EGL) {
         // Waiting here allows for two full buffers to be queued but not a
         // third. In the event that frames take varying time, this makes a
         // small trade-off in favor of latency rather than throughput.
-        mLastQueueBufferFence->waitForever("Throttling EGL Production");
+        lastQueuedFence->waitForever("Throttling EGL Production");
     }
-    mLastQueueBufferFence = fence;
-    mLastQueuedCrop = item.mCrop;
-    mLastQueuedTransform = item.mTransform;
 
     return NO_ERROR;
 }

From cd2df8104e563e950f54c832bc970719a6ed7161 Mon Sep 17 00:00:00 2001
From: "Christopher N. Hesse" <raymanfx@gmail.com>
Date: Thu, 10 Aug 2017 00:10:37 +0200
Subject: [PATCH 2/3] SF: Improve hwrotation handling

Avoid getprop() calls in performance critical display
code paths.
Instead of querying the property each time we need it,
we read it once during initialization and then reuse
the cached value.

This is more appropriate here because we do not expect
the value to change at runtime. In fact, this property
behaves like a compile time constant in the real world:
Set it once and never again (because the angle of your
panel is fixed and does not change after the device
leaves the factory).

Change-Id: I55c4131735a65c7bdde8b00c166913bffa6c4ec3
---
 services/surfaceflinger/DisplayDevice.cpp     | 26 +++++++------------
 services/surfaceflinger/DisplayDevice.h       |  2 ++
 services/surfaceflinger/SurfaceFlinger.h      |  3 +++
 .../surfaceflinger/SurfaceFlinger_hwc1.cpp    | 13 +++++-----
 4 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/services/surfaceflinger/DisplayDevice.cpp b/services/surfaceflinger/DisplayDevice.cpp
index a3b0cfee5fa..92c5e12c9a8 100644
--- a/services/surfaceflinger/DisplayDevice.cpp
+++ b/services/surfaceflinger/DisplayDevice.cpp
@@ -163,6 +163,10 @@ DisplayDevice::DisplayDevice(
             break;
     }
 
+    // we store the value as orientation:
+    // 90 -> 1, 180 -> 2, 270 -> 3
+    mHardwareRotation = property_get_int32("ro.sf.hwrotation", 0) / 90;
+
     mPanelMountFlip = 0;
     // 1: H-Flip, 2: V-Flip, 3: 180 (HV Flip)
     property_get("ro.panel.mountflip", property, "0");
@@ -463,18 +467,10 @@ status_t DisplayDevice::orientationToTransfrom(
         int orientation, int w, int h, Transform* tr)
 {
     uint32_t flags = 0;
-    char value[PROPERTY_VALUE_MAX];
-    property_get("ro.sf.hwrotation", value, "0");
-    int additionalRot = atoi(value);
-
-    if (additionalRot && mType == DISPLAY_PRIMARY) {
-        additionalRot /= 90;
-        if (orientation == DisplayState::eOrientationUnchanged) {
-            orientation = additionalRot;
-        } else {
-            orientation += additionalRot;
-            orientation %= 4;
-        }
+
+    if (mHardwareRotation && mType == DISPLAY_PRIMARY) {
+        orientation += mHardwareRotation;
+        orientation %= 4;
     }
 
     switch (orientation) {
@@ -537,11 +533,7 @@ void DisplayDevice::setProjection(int orientation,
     if (!frame.isValid()) {
         // the destination frame can be invalid if it has never been set,
         // in that case we assume the whole display frame.
-        char value[PROPERTY_VALUE_MAX];
-        property_get("ro.sf.hwrotation", value, "0");
-        int additionalRot = atoi(value);
-
-        if (additionalRot == 90 || additionalRot == 270) {
+        if (mHardwareRotation == 1 || mHardwareRotation == 3) {
             frame = Rect(h, w);
         } else {
             frame = Rect(w, h);
diff --git a/services/surfaceflinger/DisplayDevice.h b/services/surfaceflinger/DisplayDevice.h
index 2198552760f..bd4b04b7265 100644
--- a/services/surfaceflinger/DisplayDevice.h
+++ b/services/surfaceflinger/DisplayDevice.h
@@ -261,6 +261,8 @@ class DisplayDevice : public LightRefBase<DisplayDevice>
     int mPowerMode;
     // Current active config
     int mActiveConfig;
+    // Panel hardware rotation
+    int32_t mHardwareRotation;
     // Panel's mount flip, H, V or 180 (HV)
     uint32_t mPanelMountFlip;
 #ifdef USE_HWC2
diff --git a/services/surfaceflinger/SurfaceFlinger.h b/services/surfaceflinger/SurfaceFlinger.h
index b0d327221d6..900383dd47d 100644
--- a/services/surfaceflinger/SurfaceFlinger.h
+++ b/services/surfaceflinger/SurfaceFlinger.h
@@ -601,6 +601,9 @@ class SurfaceFlinger : public BnSurfaceComposer,
     bool mPrimaryHWVsyncEnabled;
     bool mHWVsyncAvailable;
 
+    // Panel hardware rotation
+    int32_t mHardwareRotation;
+
     /* ------------------------------------------------------------------------
      * Feature prototyping
      */
diff --git a/services/surfaceflinger/SurfaceFlinger_hwc1.cpp b/services/surfaceflinger/SurfaceFlinger_hwc1.cpp
index 17a84ade224..9af7181ba20 100644
--- a/services/surfaceflinger/SurfaceFlinger_hwc1.cpp
+++ b/services/surfaceflinger/SurfaceFlinger_hwc1.cpp
@@ -199,6 +199,10 @@ SurfaceFlinger::SurfaceFlinger()
     property_get("debug.sf.disable_hwc_vds", value, "0");
     mUseHwcVirtualDisplays = !atoi(value);
     ALOGI_IF(!mUseHwcVirtualDisplays, "Disabling HWC virtual displays");
+
+    // we store the value as orientation:
+    // 90 -> 1, 180 -> 2, 270 -> 3
+    mHardwareRotation = property_get_int32("ro.sf.hwrotation", 0) / 90;
 }
 
 void SurfaceFlinger::onFirstRef()
@@ -671,16 +675,13 @@ status_t SurfaceFlinger::getDisplayConfigs(const sp<IBinder>& display,
             info.orientation = 0;
         }
 
-        char value[PROPERTY_VALUE_MAX];
-        property_get("ro.sf.hwrotation", value, "0");
-        int additionalRot = atoi(value) / 90;
-        if ((type == DisplayDevice::DISPLAY_PRIMARY) && (additionalRot & DisplayState::eOrientationSwapMask)) {
+        if ((type == DisplayDevice::DISPLAY_PRIMARY) &&
+                (mHardwareRotation & DisplayState::eOrientationSwapMask)) {
             info.h = hwConfig.width;
             info.w = hwConfig.height;
             info.xdpi = ydpi;
             info.ydpi = xdpi;
-        }
-        else {
+        } else {
             info.w = hwConfig.width;
             info.h = hwConfig.height;
             info.xdpi = xdpi;

From bc2bb86633bc199653311bc04a6c42f01f837069 Mon Sep 17 00:00:00 2001
From: Adrian DC <radian.dc@gmail.com>
Date: Wed, 16 Nov 2016 13:02:04 +0100
Subject: [PATCH 3/3] native: Increase ART heap limit to 192MB for 1024MB RAM
 devices

 * Needed for Google SetupWizard to start

 * Without this, SetupWizard is compiled by ART on boot
   and runs out of memory (heap) while running, resulting
   in the SetupWizard crashing and blocking boot

Change-Id: Ic5b8caf4352f6d104af9121a09a01adad1c5bcc3
Signed-off-by: Adrian DC <radian.dc@gmail.com>
---
 build/phone-xhdpi-1024-dalvik-heap.mk     | 2 +-
 build/tablet-7in-hdpi-1024-dalvik-heap.mk | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build/phone-xhdpi-1024-dalvik-heap.mk b/build/phone-xhdpi-1024-dalvik-heap.mk
index 20f365fef5f..88e6fae70e8 100644
--- a/build/phone-xhdpi-1024-dalvik-heap.mk
+++ b/build/phone-xhdpi-1024-dalvik-heap.mk
@@ -18,7 +18,7 @@
 
 PRODUCT_PROPERTY_OVERRIDES += \
     dalvik.vm.heapstartsize=8m \
-    dalvik.vm.heapgrowthlimit=96m \
+    dalvik.vm.heapgrowthlimit=192m \
     dalvik.vm.heapsize=256m \
     dalvik.vm.heaptargetutilization=0.75 \
     dalvik.vm.heapminfree=2m \
diff --git a/build/tablet-7in-hdpi-1024-dalvik-heap.mk b/build/tablet-7in-hdpi-1024-dalvik-heap.mk
index 7fd34b5f150..e61c40ba1dc 100644
--- a/build/tablet-7in-hdpi-1024-dalvik-heap.mk
+++ b/build/tablet-7in-hdpi-1024-dalvik-heap.mk
@@ -18,7 +18,7 @@
 
 PRODUCT_PROPERTY_OVERRIDES += \
     dalvik.vm.heapstartsize=8m \
-    dalvik.vm.heapgrowthlimit=80m \
+    dalvik.vm.heapgrowthlimit=192m \
     dalvik.vm.heapsize=384m \
     dalvik.vm.heaptargetutilization=0.75 \
     dalvik.vm.heapminfree=512k \