diff options
| author | 2020-03-06 14:46:07 -0800 | |
|---|---|---|
| committer | 2020-03-09 11:47:58 -0700 | |
| commit | a79435bd6f7de397ac7f65f68c8db0f7173eabe5 (patch) | |
| tree | e8101c24f3821ab1be33d3b935152f8b6baac873 /services/surfaceflinger/BufferQueueLayer.cpp | |
| parent | 34560b6d0950b54497d70a319d5496ccc0ffec10 (diff) | |
SurfaceFlinger: Avoid destroying Layer on Binder thread
BufferQueueLayer::onFrameAvailable passes 'this' as an sp<Layer>
to SurfaceInterceptor. This constructs a temporary sp<Layer>. We are
on a binder thread and not holding any locks, so at this point the main
thread could drop it's last references. Then when we destroy our
temporary sp<Layer> it is the last reference and we end up
invoking ~Layer from the Binder thread, an invalid operation
which in this case leads to dead-lock (as we attempt to reacquire
the already acquired BufferQueue mutex from the BufferQueueLayer d'tor)
Bug: 149473038
Test: Existing tests pass
Change-Id: I77a20bedf2db3b974ac03d804f70993514478fb2
Diffstat (limited to 'services/surfaceflinger/BufferQueueLayer.cpp')
| -rw-r--r-- | services/surfaceflinger/BufferQueueLayer.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/services/surfaceflinger/BufferQueueLayer.cpp b/services/surfaceflinger/BufferQueueLayer.cpp index 18f7f44fa5..fac9024121 100644 --- a/services/surfaceflinger/BufferQueueLayer.cpp +++ b/services/surfaceflinger/BufferQueueLayer.cpp @@ -441,7 +441,7 @@ void BufferQueueLayer::onFrameAvailable(const BufferItem& item) { mQueueItemCondition.broadcast(); } - mFlinger->mInterceptor->saveBufferUpdate(this, item.mGraphicBuffer->getWidth(), + mFlinger->mInterceptor->saveBufferUpdate(layerId, item.mGraphicBuffer->getWidth(), item.mGraphicBuffer->getHeight(), item.mFrameNumber); mFlinger->signalLayerUpdate(); |