Gitiles
Code Review Sign In
gerrit.omnirom.org / android_frameworks_av / 9fabbf8a8ae755c3c07637f8ca7677c63a1607bb^! / . / services / audioflinger / Threads.cpp
commit9fabbf8a8ae755c3c07637f8ca7677c63a1607bb[log] [tgz]
authorPhil Burk <philburk@google.com>Thu Aug 03 12:02:00 2017 -0700
committerPhil Burk <philburk@google.com>Thu Aug 03 15:27:38 2017 -0700
tree9f3be1ca67e5ea192cdd9b2c289c9ebe6095218d
parent909f4a6cada3d5fb7594da7d1809ba62d1b47340 [diff] [blame]
audioflinger: prevent crash in MmapThreadHandle destructor

The mThread smart pointer was getting cleared while the
thread was still in use.

Bug: 64316921
Test: use input_monitor.cpp, see bug for repro steps
Change-Id: I46095b4e67648208a2fb979696fc2d655432448b

diff --git a/services/audioflinger/Threads.cpp b/services/audioflinger/Threads.cpp
index 459e4fb..8c4531a 100644
--- a/services/audioflinger/Threads.cpp
+++ b/services/audioflinger/Threads.cpp

@@ -7503,34 +7503,22 @@
 AudioFlinger::MmapThreadHandle::MmapThreadHandle(const sp<MmapThread>& thread)
     : mThread(thread)
 {
+    assert(thread != 0); // thread must start non-null and stay non-null
 }
 
 AudioFlinger::MmapThreadHandle::~MmapThreadHandle()
 {
-    MmapThread *thread = mThread.get();
-    // clear our strong reference before disconnecting the thread: the last strong reference
-    // will be removed when closeInput/closeOutput is executed upon call from audio policy manager
-    // and the thread removed from mMMapThreads list causing the thread destruction.
-    mThread.clear();
-    if (thread != nullptr) {
-        thread->disconnect();
-    }
+    mThread->disconnect();
 }
 
 status_t AudioFlinger::MmapThreadHandle::createMmapBuffer(int32_t minSizeFrames,
                                   struct audio_mmap_buffer_info *info)
 {
-    if (mThread == 0) {
-        return NO_INIT;
-    }
     return mThread->createMmapBuffer(minSizeFrames, info);
 }
 
 status_t AudioFlinger::MmapThreadHandle::getMmapPosition(struct audio_mmap_position *position)
 {
-    if (mThread == 0) {
-        return NO_INIT;
-    }
     return mThread->getMmapPosition(position);
 }
 
@@ -7538,25 +7526,16 @@
         audio_port_handle_t *handle)
 
 {
-    if (mThread == 0) {
-        return NO_INIT;
-    }
     return mThread->start(client, handle);
 }
 
 status_t AudioFlinger::MmapThreadHandle::stop(audio_port_handle_t handle)
 {
-    if (mThread == 0) {
-        return NO_INIT;
-    }
     return mThread->stop(handle);
 }
 
 status_t AudioFlinger::MmapThreadHandle::standby()
 {
-    if (mThread == 0) {
-        return NO_INIT;
-    }
     return mThread->standby();
 }
 
@@ -7588,7 +7567,7 @@
     for (const sp<MmapTrack> &t : mActiveTracks) {
         stop(t->portId());
     }
-    // this will cause the destruction of this thread.
+    // This will decrement references and may cause the destruction of this thread.
     if (isOutput()) {
         AudioSystem::releaseOutput(mId, streamType(), mSessionId);
     } else {