libhwui: RenderThread: fix UAF
Thread::run uses RefBase semantics and may delete the RenderThread out
from under the client.
Bug: 184196278
Test: no longer crashes when enhanced sp<> checks are enabled
Change-Id: I9dc306c14339b7142bae5f801970600d75221eb6
diff --git a/libs/hwui/renderthread/RenderThread.cpp b/libs/hwui/renderthread/RenderThread.cpp
index adf4aee..79b9388 100644
--- a/libs/hwui/renderthread/RenderThread.cpp
+++ b/libs/hwui/renderthread/RenderThread.cpp
@@ -153,10 +153,11 @@
}
RenderThread& RenderThread::getInstance() {
- // This is a pointer because otherwise __cxa_finalize
- // will try to delete it like a Good Citizen but that causes us to crash
- // because we don't want to delete the RenderThread normally.
- static RenderThread* sInstance = new RenderThread();
+ [[clang::no_destroy]] static sp<RenderThread> sInstance = []() {
+ sp<RenderThread> thread = sp<RenderThread>::make();
+ thread->start("RenderThread");
+ return thread;
+ }();
gHasRenderThreadInstance = true;
return *sInstance;
}
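Review bot: The order inside the initializer lambda — `sp<RenderThread>::make()` first, `thread->start("RenderThread")` second — is load-bearing for this UAF fix, since per the commit message Thread::run uses RefBase semantics and the static sp<> must already own the object before the thread's own strong reference is taken and later dropped, yet nothing in the new code says so. The removed comment explaining why the instance must never be destroyed also has no replacement beyond the bare `[[clang::no_destroy]]` attribute, which a later reader may be tempted to drop. Suggest a comment above the static, e.g. `// no_destroy: the RenderThread must outlive static destruction. Create the sp<> before` / `// start(): the static must hold the strong ref, or Thread::run's own ref can delete us.` The constructor hunk below depends on the same ordering — start() is no longer called from the constructor, and reinstating it there would reintroduce the bug — so a one-line note there that getInstance() is responsible for starting the thread would help as well.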
@@ -171,7 +172,6 @@
, mFunctorManager(WebViewFunctorManager::instance())
, mGlobalProfileData(mJankDataMutex) {
Properties::load();
- start("RenderThread");
}
RenderThread::~RenderThread() {