SurfaceFlinger: Avoid destroying Layer on Binder thread BufferQueueLayer::onFrameAvailable passes 'this' as an sp<Layer> to SurfaceInterceptor. This constructs a temporary sp<Layer>. We are on a binder thread and not holding any locks, so at this point the main thread could drop it's last references. Then when we destroy our temporary sp<Layer> it is the last reference and we end up invoking ~Layer from the Binder thread, an invalid operation which in this case leads to dead-lock (as we attempt to reacquire the already acquired BufferQueue mutex from the BufferQueueLayer d'tor) Bug: 149473038 Test: Existing tests pass Change-Id: I77a20bedf2db3b974ac03d804f70993514478fb2

commit: a79435bd6f7de397ac7f65f68c8db0f7173eabe5 [log] [tgz]
author: Rob Carr <racarr@google.com> Fri Mar 06 14:46:07 2020 -0800
committer: Rob Carr <racarr@google.com> Mon Mar 09 11:47:58 2020 -0700
tree: e8101c24f3821ab1be33d3b935152f8b6baac873
parent: 34560b6d0950b54497d70a319d5496ccc0ffec10 [diff] [blame]
diff --git a/services/surfaceflinger/BufferQueueLayer.cpp b/services/surfaceflinger/BufferQueueLayer.cpp
index 18f7f44..fac9024 100644
--- a/services/surfaceflinger/BufferQueueLayer.cpp
+++ b/services/surfaceflinger/BufferQueueLayer.cpp

@@ -441,7 +441,7 @@
         mQueueItemCondition.broadcast();
     }
 
-    mFlinger->mInterceptor->saveBufferUpdate(this, item.mGraphicBuffer->getWidth(),
+    mFlinger->mInterceptor->saveBufferUpdate(layerId, item.mGraphicBuffer->getWidth(),
                                              item.mGraphicBuffer->getHeight(), item.mFrameNumber);
 
     mFlinger->signalLayerUpdate();
commit	a79435bd6f7de397ac7f65f68c8db0f7173eabe5	[log] [tgz]
author	Rob Carr <racarr@google.com>	Fri Mar 06 14:46:07 2020 -0800
committer	Rob Carr <racarr@google.com>	Mon Mar 09 11:47:58 2020 -0700
tree	e8101c24f3821ab1be33d3b935152f8b6baac873
parent	34560b6d0950b54497d70a319d5496ccc0ffec10 [diff] [blame]