NULL pointer dereference in src/mesa/swrast/s_texrender.c:55
**Crash log:**
pid: 3061, tid: 3061, name: surfaceflinger >>> /system/bin/surfaceflinger <<<
uid: 1000
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
Cause: null pointer dereference
rax 0000000000000000 rbx 00007a4d79707580 rcx 00000000ffffffb1 rdx 00007a4d7972a7b0
r8 0000000000000006 r9 0000000000000000 r10 7000000000000000 r11 0000000000000246
r12 00007a4d79707580 r13 00007a4d7972a7b0 r14 00007a4d797067c0 r15 0000000000000000
rdi 0000000000000003 rsi 00007a4d7972a500
rbp 00007ffc24b5f590 rsp 00007ffc24b5f560 rip 00007a4d7b248970
backtrace:
#00 pc 00000000007aa970 /vendor/lib64/dri/i965_dri.so (_swrast_render_texture+80) (BuildId: 930757ac119366b77ecf57d32fe52ef59d2f1bc0)
#01 pc 000000000025c51c /vendor/lib64/dri/i965_dri.so (intel_render_texture+268) (BuildId: 930757ac119366b77ecf57d32fe52ef59d2f1bc0)
#02 pc 000000000063141e /vendor/lib64/dri/i965_dri.so (_mesa_bind_framebuffers+350) (BuildId: 930757ac119366b77ecf57d32fe52ef59d2f1bc0)
#03 pc 0000000000631855 /vendor/lib64/dri/i965_dri.so (bind_framebuffer+373) (BuildId: 930757ac119366b77ecf57d32fe52ef59d2f1bc0)
#04 pc 00000000006316cc /vendor/lib64/dri/i965_dri.so (_mesa_BindFramebuffer+12) (BuildId: 930757ac119366b77ecf57d32fe52ef59d2f1bc0)
#05 pc 000000000014599d /system/lib64/libsurfaceflinger.so (android::renderengine::gl::GLESRenderEngine::bindFrameBuffer(android::renderengine::Framebuffer*)+93) (BuildId: b9dcce59ca55dc1bfa1d8cbc56775fcd)
#06 pc 0000000000146929 /system/lib64/libsurfaceflinger.so (android::renderengine::gl::GLESRenderEngine::drawLayers(android::renderengine::DisplaySettings const&, std::__1::vector<android::renderengine::LayerSettings, std::__1::allocator<android::renderengine::LayerSettings>> const&, ANativeWindowBuffer*, bool, android::base::unique_fd_impl<android::base::DefaultCloser>&&, android::base::unique_fd_impl<android::base::DefaultCloser>*)+489) (BuildId: b9dcce59ca55dc1bfa1d8cbc56775fcd)
#07 pc 00000000000f9eab /system/lib64/libsurfaceflinger.so (android::SurfaceFlinger::doComposeSurfaces(android::sp<android::DisplayDevice> const&, android::Region const&, android::base::unique_fd_impl<android::base::DefaultCloser>*)+5259) (BuildId: b9dcce59ca55dc1bfa1d8cbc56775fcd)
#08 pc 00000000000f6111 /system/lib64/libsurfaceflinger.so (android::SurfaceFlinger::handleMessageRefresh()+3585) (BuildId: b9dcce59ca55dc1bfa1d8cbc56775fcd)
#09 pc 00000000000f4fc2 /system/lib64/libsurfaceflinger.so (android::SurfaceFlinger::onMessageReceived(int)+12066) (BuildId: b9dcce59ca55dc1bfa1d8cbc56775fcd)
#10 pc 0000000000018862 /system/lib64/libutils.so (android::Looper::pollInner(int)+370) (BuildId: c6fec183411f7814fe54a19bc9e91c6d)
#11 pc 000000000001862a /system/lib64/libutils.so (android::Looper::pollOnce(int, int*, int*, void**)+42) (BuildId: c6fec183411f7814fe54a19bc9e91c6d)
#12 pc 00000000000e22bb /system/lib64/libsurfaceflinger.so (android::impl::MessageQueue::waitMessage()+91) (BuildId: b9dcce59ca55dc1bfa1d8cbc56775fcd)
#13 pc 00000000000f15bb /system/lib64/libsurfaceflinger.so (android::SurfaceFlinger::run()+27) (BuildId: b9dcce59ca55dc1bfa1d8cbc56775fcd)
#14 pc 0000000000003405 /system/bin/surfaceflinger (main+933) (BuildId: 9592eba738ba289c9096dd9e5bbe9a88)
#15 pc 0000000000087da5 /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+101) (BuildId: 7ad7e26e9011b057fc1e091b424b9d01)
Below is the symbolized stack trace log:
**Stack Trace:**
RELADDR FUNCTION FILE:LINE
v--------------> update_wrapper hardware/intel/external/mesa3d-intel/src/mesa/swrast/s_texrender.c:55
00000000007aa970 _swrast_render_texture+80 hardware/intel/external/mesa3d-intel/src/mesa/swrast/s_texrender.c:88
000000000025c51c intel_render_texture+268 hardware/intel/external/mesa3d-intel/src/mesa/drivers/dri/i965/intel_fbo.c:614
v--------------> check_begin_texture_render hardware/intel/external/mesa3d-intel/src/mesa/main/fbobject.c:2772
000000000063141e _mesa_bind_framebuffers+350 hardware/intel/external/mesa3d-intel/src/mesa/main/fbobject.c:2909
0000000000631855 bind_framebuffer+373 hardware/intel/external/mesa3d-intel/src/mesa/main/fbobject.c:2861
00000000006316cc _mesa_BindFramebuffer+12 hardware/intel/external/mesa3d-intel/src/mesa/main/fbobject.c:2930
000000000014599d android::renderengine::gl::GLESRenderEngine::bindFrameBuffer(android::renderengine::Framebuffer*)+93 frameworks/native/libs/renderengine/gl/GLESRenderEngine.cpp:854
v--------------> BindNativeBufferAsFramebuffer frameworks/native/libs/renderengine/include/renderengine/RenderEngine.h:236
0000000000146929 android::renderengine::gl::GLESRenderEngine::drawLayers(android::renderengine::DisplaySettings const&, std::__1::vector<android::renderengine::LayerSettings, std::__1::allocator<android::renderengine::LayerSettings> > const&, ANativeWindowBuffer*, bool, android::base::unique_fd_impl<android::base::DefaultCloser>&&, android::base::unique_fd_impl<android::base::DefaultCloser>*)+489 frameworks/native/libs/renderengine/gl/GLESRenderEngine.cpp:959
00000000000f9eab android::SurfaceFlinger::doComposeSurfaces(android::sp<android::DisplayDevice> const&, android::Region const&, android::base::unique_fd_impl<android::base::DefaultCloser>*)+5259 frameworks/native/services/surfaceflinger/SurfaceFlinger.cpp:3568
v--------------> android::SurfaceFlinger::doDisplayComposition(android::sp<android::DisplayDevice> const&, android::Region const&) frameworks/native/services/surfaceflinger/SurfaceFlinger.cpp:3395
v--------------> android::SurfaceFlinger::doComposition(android::sp<android::DisplayDevice> const&, bool) frameworks/native/services/surfaceflinger/SurfaceFlinger.cpp:2510
00000000000f6111 android::SurfaceFlinger::handleMessageRefresh()+3585 frameworks/native/services/surfaceflinger/SurfaceFlinger.cpp:1832
00000000000f4fc2 android::SurfaceFlinger::onMessageReceived(int)+12066 frameworks/native/services/surfaceflinger/SurfaceFlinger.cpp:1791
0000000000018862 android::Looper::pollInner(int)+370 system/core/libutils/Looper.cpp:323
000000000001862a android::Looper::pollOnce(int, int*, int*, void**)+42 system/core/libutils/Looper.cpp:205
v--------------> android::Looper::pollOnce(int) system/core/libutils/include/utils/Looper.h:267
00000000000e22bb android::impl::MessageQueue::waitMessage()+91 frameworks/native/services/surfaceflinger/Scheduler/MessageQueue.cpp:120
v--------------> android::SurfaceFlinger::waitForEvent() frameworks/native/services/surfaceflinger/SurfaceFlinger.cpp:1427
00000000000f15bb android::SurfaceFlinger::run()+27 frameworks/native/services/surfaceflinger/SurfaceFlinger.cpp:1461
0000000000003405 main+933 frameworks/native/services/surfaceflinger/main_surfaceflinger.cpp:134
0000000000087da5 __libc_init+101 bionic/libc/bionic/libc_init_dynamic.cpp:136
From our analysis, `srb` is NULL, which causes the crash at `srb->Buffer = swImage->ImageSlices[zOffset];` in `update_wrapper()`. As we understand it, `srb` is the renderbuffer that the application provides. Is the root cause of this issue that the application provided a NULL renderbuffer? If so, can we add a NULL check on `srb` before the line below to avoid the crash? `srb->Buffer = swImage->ImageSlices[zOffset];`