surfaceflinger: IBinder leak

TransactionCompletedThread never deleted its Listener sp<IBinder>
tokens from its pending thread which can lead to SurfaceFlinger
crashes. This patch adds the support for removing the sp<IBinder>
tokens when SurfaceFlinger is done with them.

Test: TransactionTest
Bug: 130430082

Change-Id: Icd773fc18f1a0440857bc65111c51c890746a42b
diff --git a/services/surfaceflinger/TransactionCompletedThread.cpp b/services/surfaceflinger/TransactionCompletedThread.cpp
index 6b2b583..34df606 100644
--- a/services/surfaceflinger/TransactionCompletedThread.cpp
+++ b/services/surfaceflinger/TransactionCompletedThread.cpp
@@ -144,6 +144,9 @@
         } else {
             ALOGW("cannot find listener in mPendingTransactions");
         }
+        if (listener->second.size() == 0) {
+            mPendingTransactions.erase(listener);
+        }
 
         status_t err = addCallbackHandle(handle);
         if (err != NO_ERROR) {
@@ -231,7 +234,9 @@
 
                 // If we are still waiting on the callback handles for this transaction, stop
                 // here because all transaction callbacks for the same listener must come in order
-                if (mPendingTransactions[listener].count(transactionStats.callbackIds) != 0) {
+                auto pendingTransactions = mPendingTransactions.find(listener);
+                if (pendingTransactions != mPendingTransactions.end() &&
+                    pendingTransactions->second.count(transactionStats.callbackIds) != 0) {
                     break;
                 }