From fbcbb4c0258b0e05b310e35d76310480e4933d63 Mon Sep 17 00:00:00 2001 From: Robert Carr Date: Mon, 2 Nov 2020 14:14:34 -0800 Subject: BLASTBufferQueue: Hold sp in transactionCallbackThunk When expecting a callback we perform an incStrong on the BBQ in order to ensure the lifetime extends at least as long as the callback. We remove this reference in BBQ::transactionCallback. The current implementation however has a bug, notice the scope of the lock around mMutex in transactionCallback extends to the whole function. This means after calling decStrong, we may then attempt to unlock the mutex when exiting the function, but we've already destroyed the object. We could move the decStrong to transactionCallbackThunk but the most clear/least brittle fix seems to simply be to hold a sp from transactionCallbackThunk and prevent the object from being destroyed while in a member method. Bug: 168506246 Test: Existing tests pass Change-Id: I905469f58dc7a2e2831b3b29726a42abd394f819 --- libs/gui/BLASTBufferQueue.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'libs/gui/BLASTBufferQueue.cpp') diff --git a/libs/gui/BLASTBufferQueue.cpp b/libs/gui/BLASTBufferQueue.cpp index ff64d65312..678613b1ff 100644 --- a/libs/gui/BLASTBufferQueue.cpp +++ b/libs/gui/BLASTBufferQueue.cpp @@ -159,7 +159,7 @@ static void transactionCallbackThunk(void* context, nsecs_t latchTime, if (context == nullptr) { return; } - BLASTBufferQueue* bq = static_cast(context); + sp bq = static_cast(context); bq->transactionCallback(latchTime, presentFence, stats); } -- cgit v1.2.3-59-g8ed1b
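Review bot: The new `sp bq` line in transactionCallbackThunk has no comment saying why a strong pointer is taken there, and nothing in the code ties it to the decStrong in BBQ::transactionCallback that the commit message describes. As written it reads like a style change, so a later cleanup could turn it back into a raw pointer and reintroduce the unlock of mMutex on an already destroyed object. Suggest a short comment above that line stating that the sp keeps the BLASTBufferQueue alive until transactionCallback has returned and released mMutex, and that the decStrong inside transactionCallback pairs with the incStrong performed when a callback is expected. The Test: line lists only existing tests; a test that drops the last external reference while a callback is still pending would exercise this path directly.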