From 1a37b731c88f79f81c4add642b2a06b06d38ea2d Mon Sep 17 00:00:00 2001
From: Patrick Williams <pdwilliams@google.com>
Date: Thu, 22 Aug 2024 15:00:50 -0500
Subject: Fix transactionCallbackThunk lifetime issue

TestBLASTBufferQueue overrides transactionCallback but BLASTBufferQueue::transactionCallback can trigger the destruction of BLASTBufferQueue, causing native crashes. This CL fixes the issue by moving the decStrong call after transactionCallback has completed.

Bug: 294133380
Flag: EXEMPT bugfix
Test: BLASTBufferQueueTest
Change-Id: Ia2344ed6d14e89026f464b32c95c76b3a96a19d0
---
 libs/gui/BLASTBufferQueue.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'libs/gui/BLASTBufferQueue.cpp')

diff --git a/libs/gui/BLASTBufferQueue.cpp b/libs/gui/BLASTBufferQueue.cpp
index f065ffa611..1fb59fd8e0 100644
--- a/libs/gui/BLASTBufferQueue.cpp
+++ b/libs/gui/BLASTBufferQueue.cpp
@@ -356,8 +356,9 @@ static void transactionCallbackThunk(void* context, nsecs_t latchTime,
     if (context == nullptr) {
         return;
     }
-    sp<BLASTBufferQueue> bq = static_cast<BLASTBufferQueue*>(context);
+    auto bq = static_cast<BLASTBufferQueue*>(context);
     bq->transactionCallback(latchTime, presentFence, stats);
+    bq->decStrong((void*)transactionCallbackThunk);
 }
 
 void BLASTBufferQueue::transactionCallback(nsecs_t /*latchTime*/, const sp<Fence>& /*presentFence*/,
@@ -413,8 +414,6 @@ void BLASTBufferQueue::transactionCallback(nsecs_t /*latchTime*/, const sp<Fence
             BQA_LOGE("No matching SurfaceControls found: mSurfaceControlsWithPendingCallback was "
                      "empty.");
         }
-
-        decStrong((void*)transactionCallbackThunk);
     }
 }
 
-- 
cgit v1.2.3-59-g8ed1b