SF: Register layers on first strong reference
In ag/9549429, LayerHistory stores a wp<Layer> on Layer construction, at
which point RefBase::mStrong is not yet 1. Since wp<T>::promote succeeds
in that case, LayerHistory may concurrently create a sp<Layer> with sole
ownership on the main thread while checking for expired weak references,
resulting in premature layer destruction.
Bug: 144218964
Test: None (sporadic crash)
Change-Id: Ia7c89a090920588b216b719fce36c9f64a126e81
diff --git a/services/surfaceflinger/Layer.cpp b/services/surfaceflinger/Layer.cpp
index 215e240..93c0b52 100644
--- a/services/surfaceflinger/Layer.cpp
+++ b/services/surfaceflinger/Layer.cpp
@@ -120,7 +120,10 @@
mCallingPid = args.callingPid;
mCallingUid = args.callingUid;
- mFlinger->onLayerCreated(this);
+}
+
+void Layer::onFirstRef() {
+ mFlinger->onLayerFirstRef(this);
}
Layer::~Layer() {
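Review bot: Moving registration into `Layer::onFirstRef()` leaves it unpaired with teardown if a Layer is ever destroyed without a strong reference having been taken. In that case `onLayerFirstRef` never runs, while `~Layer()` (its body is outside this hunk) presumably still calls `onLayerDestroyed`. If that path decrements `mNumLayers` or unregisters from the scheduler, the bookkeeping drifts, so it is worth confirming that every creation path wraps the object in an `sp<>` immediately. The new override would also benefit from a comment recording why it exists, e.g. `// Register here, not in the constructor: a wp<Layer> promoted before the first strong reference exists can take sole ownership and destroy the layer early.`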
diff --git a/services/surfaceflinger/Layer.h b/services/surfaceflinger/Layer.h
index cdd8d3f..8ad0116 100644
--- a/services/surfaceflinger/Layer.h
+++ b/services/surfaceflinger/Layer.h
@@ -221,6 +221,8 @@
explicit Layer(const LayerCreationArgs& args);
virtual ~Layer();
+ void onFirstRef() override;
+
int getWindowType() const { return mWindowType; }
void setPrimaryDisplayOnly() { mPrimaryDisplayOnly = true; }
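Review bot: `void onFirstRef() override;` is declared directly after the constructor and destructor, which suggests it lands in a public section, whereas `RefBase::onFirstRef` is protected. If so, any holder of a `Layer*` could call it directly and register the layer a second time, bumping `mNumLayers` twice; declaring it under `protected:` keeps it a RefBase-only hook. Any subclass that already overrides `onFirstRef` (none are visible in this diff) would also need to chain to `Layer::onFirstRef()`, otherwise it would skip registration.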
diff --git a/services/surfaceflinger/SurfaceFlinger.cpp b/services/surfaceflinger/SurfaceFlinger.cpp
index 96c17a1..a908780 100644
--- a/services/surfaceflinger/SurfaceFlinger.cpp
+++ b/services/surfaceflinger/SurfaceFlinger.cpp
@@ -5508,7 +5508,7 @@
return nullptr;
}
-void SurfaceFlinger::onLayerCreated(Layer* layer) {
+void SurfaceFlinger::onLayerFirstRef(Layer* layer) {
mNumLayers++;
mScheduler->registerLayer(layer);
}
diff --git a/services/surfaceflinger/SurfaceFlinger.h b/services/surfaceflinger/SurfaceFlinger.h
index e7ad295..e6ebb35 100644
--- a/services/surfaceflinger/SurfaceFlinger.h
+++ b/services/surfaceflinger/SurfaceFlinger.h
@@ -310,7 +310,7 @@
bool authenticateSurfaceTextureLocked(
const sp<IGraphicBufferProducer>& bufferProducer) const;
- void onLayerCreated(Layer*);
+ void onLayerFirstRef(Layer*);
void onLayerDestroyed(Layer*);
TransactionCompletedThread& getTransactionCompletedThread() {