From a820af964671ff076cf1007097e284c1375393b9 Mon Sep 17 00:00:00 2001
From: Adithya Srinivasan
Date: Fri, 1 Nov 2019 13:55:17 -0700
Subject: Fix the call the onFrameDequeued inside dequeueBuffer

Having a separate mutex lock for calling onFrameDequeued at the end of the dequeueBuffer function seems to be problematic since there is a chance that the buffer can be acquired before obtaining this lock resulting in a null pointer dereference. Moving the call inside the existing auto-lock scoped blocks in this CL.
Test: CtsCameraTestCases:MultiViewTest#testSharedSurfaceYUVImageReaderSwitch on blueline and crosshatch
Bug: 143542027
Change-Id: If9e4b36ca2c54337eb0e5a6647773db20e43a6a3
---
 libs/gui/BufferQueueProducer.cpp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index 09c74deee4..a307d04a16 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp
@@ -512,6 +512,12 @@ status_t BufferQueueProducer::dequeueBuffer(int* outSlot, sp* ou
 mCore->mSharedBufferSlot = found;
 mSlots[found].mBufferState.mShared = true;
 }
+
+ if (!(returnFlags & BUFFER_NEEDS_REALLOCATION)) {
+ if (mCore->mConsumerListener != nullptr) {
+ mCore->mConsumerListener->onFrameDequeued(mSlots[*outSlot].mGraphicBuffer->getId());
+ }
+ }
 } // Autolock scope
 if (returnFlags & BUFFER_NEEDS_REALLOCATION) {
@@ -528,6 +534,10 @@ status_t BufferQueueProducer::dequeueBuffer(int* outSlot, sp* ou
 if (error == NO_ERROR && !mCore->mIsAbandoned) {
 graphicBuffer->setGenerationNumber(mCore->mGenerationNumber);
 mSlots[*outSlot].mGraphicBuffer = graphicBuffer;
+ if (mCore->mConsumerListener != nullptr) {
+ mCore->mConsumerListener->onFrameDequeued(
+ mSlots[*outSlot].mGraphicBuffer->getId());
+ }
 }
 mCore->mIsAllocating = false;
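Review bot: In the first hunk (`@@ -512,6 +512,12 @@`) the added block null-checks `mCore->mConsumerListener` but still dereferences `mSlots[*outSlot].mGraphicBuffer` without a check. That is only safe if a clear BUFFER_NEEDS_REALLOCATION flag guarantees the slot already holds a buffer, and that guarantee is established earlier in dequeueBuffer, outside this hunk. A comment stating the invariant would help, e.g. `// No reallocation needed, so the slot already holds a buffer; notify while mCore->mMutex is still held.` The callback also continues to run with mCore->mMutex held, so it is worth documenting that onFrameDequeued implementations must not call back into the queue.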
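Review bot: The second hunk (`@@ -528,6 +534,10 @@`) repeats the listener null check and call from the first hunk, and re-reads `mSlots[*outSlot].mGraphicBuffer` on the line right after it was assigned from `graphicBuffer`. Passing the local is shorter and avoids the second slot lookup: `mCore->mConsumerListener->onFrameDequeued(graphicBuffer->getId());`. A small private helper that takes the buffer id would keep the two call sites in step. When allocation fails or the queue is abandoned, no onFrameDequeued is sent for this slot; that looks intended but deserves a one-line comment. The enclosing block continues outside the hunk.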
@@ -580,11 +590,6 @@ status_t BufferQueueProducer::dequeueBuffer(int* outSlot, sp* ou
 }
 addAndGetFrameTimestamps(nullptr, outTimestamps);
- { // Autolock scope
- std::lock_guard lock(mCore->mMutex);
- mCore->mConsumerListener->onFrameDequeued(mSlots[*outSlot].mGraphicBuffer->getId());
- }
-
 return returnFlags;
 }
--
cgit v1.2.3-59-g8ed1b