diff options
| -rw-r--r-- | core/jni/android_util_Binder.cpp | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/core/jni/android_util_Binder.cpp b/core/jni/android_util_Binder.cpp index ae109c6566cb..abc6c4b5e7cc 100644 --- a/core/jni/android_util_Binder.cpp +++ b/core/jni/android_util_Binder.cpp @@ -556,7 +556,7 @@ jobject javaObjectForIBinder(JNIEnv* env, const sp<IBinder>& val) } // For the rest of the function we will hold this lock, to serialize - // looking/creation of Java proxies for native Binder proxies. + // looking/creation/destruction of Java proxies for native Binder proxies. AutoMutex _l(mProxyLock); // Someone else's... do we know about it? @@ -1225,16 +1225,21 @@ static jboolean android_os_BinderProxy_unlinkToDeath(JNIEnv* env, jobject obj, static void android_os_BinderProxy_destroy(JNIEnv* env, jobject obj) { + // Don't race with construction/initialization + AutoMutex _l(mProxyLock); + IBinder* b = (IBinder*) env->GetLongField(obj, gBinderProxyOffsets.mObject); DeathRecipientList* drl = (DeathRecipientList*) env->GetLongField(obj, gBinderProxyOffsets.mOrgue); LOGDEATH("Destroying BinderProxy %p: binder=%p drl=%p\n", obj, b, drl); - env->SetLongField(obj, gBinderProxyOffsets.mObject, 0); - env->SetLongField(obj, gBinderProxyOffsets.mOrgue, 0); - drl->decStrong((void*)javaObjectForIBinder); - b->decStrong((void*)javaObjectForIBinder); + if (b != nullptr) { + env->SetLongField(obj, gBinderProxyOffsets.mObject, 0); + env->SetLongField(obj, gBinderProxyOffsets.mOrgue, 0); + drl->decStrong((void*)javaObjectForIBinder); + b->decStrong((void*)javaObjectForIBinder); + } IPCThreadState::self()->flushCommands(); } |