libhwui: RenderThread: fix UAF

Thread::run uses RefBase semantics and may delete the RenderThread out
from under the client.

Bug: 184196278
Test: no longer crashes when enhanced sp<> checks are enabled
Change-Id: I9dc306c14339b7142bae5f801970600d75221eb6

1 files changed, 5 insertions, 5 deletions

diff --git a/libs/hwui/renderthread/RenderThread.cpp b/libs/hwui/renderthread/RenderThread.cpp
index adf4aee8b931..79b938841bc2 100644
--- a/libs/hwui/renderthread/RenderThread.cpp
+++ b/libs/hwui/renderthread/RenderThread.cpp
@@ -153,10 +153,11 @@ JVMAttachHook RenderThread::getOnStartHook() {
 }
 
 RenderThread& RenderThread::getInstance() {
-    // This is a pointer because otherwise __cxa_finalize
-    // will try to delete it like a Good Citizen but that causes us to crash
-    // because we don't want to delete the RenderThread normally.
-    static RenderThread* sInstance = new RenderThread();
+    [[clang::no_destroy]] static sp<RenderThread> sInstance = []() {
+        sp<RenderThread> thread = sp<RenderThread>::make();
+        thread->start("RenderThread");
+        return thread;
+    }();
     gHasRenderThreadInstance = true;
     return *sInstance;
 }
@@ -171,7 +172,6 @@ RenderThread::RenderThread()
         , mFunctorManager(WebViewFunctorManager::instance())
         , mGlobalProfileData(mJankDataMutex) {
     Properties::load();
-    start("RenderThread");
 }
 
 RenderThread::~RenderThread() {