Fix use of invalid iterator. The code grabbed an iterator to a slot, but eventually does an erase of the iterator. Unfortunately, the code then attempts to use this invalid iterator which can introduce subtle crashes by putting a garbage value on the free buffer list. Bug: 28351886 Change-Id: I42a4431b182cee4de829f15fa4ddc175a3d141f7

commit: 87e94cd1d16281051d5241a25035aa1db0b073d8 [log] [tgz]
author: Christopher Ferris <cferris@google.com> Tue Apr 26 11:29:08 2016 -0700
committer: Christopher Ferris <cferris@google.com> Wed Apr 27 11:02:21 2016 -0700
tree: 6bdf3d639b443d390562a0853a9848d7c4bc3ca6
parent: 2ee735c97c760cec76c1385f1896b822ff45cba5 [diff] [blame]
diff --git a/libs/gui/BufferQueueProducer.cpp b/libs/gui/BufferQueueProducer.cpp
index 0b7ce17..73f61c5 100644
--- a/libs/gui/BufferQueueProducer.cpp
+++ b/libs/gui/BufferQueueProducer.cpp

@@ -1280,11 +1280,14 @@
 
                 // freeBufferLocked puts this slot on the free slots list. Since
                 // we then attached a buffer, move the slot to free buffer list.
-                mCore->mFreeSlots.erase(slot);
                 mCore->mFreeBuffers.push_front(*slot);
 
                 BQ_LOGV("allocateBuffers: allocated a new buffer in slot %d",
                         *slot);
+
+                // Make sure the erase is done after all uses of the slot
+                // iterator since it will be invalid after this point.
+                mCore->mFreeSlots.erase(slot);
             }
 
             mCore->mIsAllocating = false;
commit	87e94cd1d16281051d5241a25035aa1db0b073d8	[log] [tgz]
author	Christopher Ferris <cferris@google.com>	Tue Apr 26 11:29:08 2016 -0700
committer	Christopher Ferris <cferris@google.com>	Wed Apr 27 11:02:21 2016 -0700
tree	6bdf3d639b443d390562a0853a9848d7c4bc3ca6
parent	2ee735c97c760cec76c1385f1896b822ff45cba5 [diff] [blame]