From 76ec382218da25fb87cab979f676d2b2cda96ee2 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Fri, 2 Apr 2021 16:26:03 +0000
Subject: libhwui: RenderThread: fix UAF

Thread::run uses RefBase semantics and may delete the RenderThread out from under the client.

Bug: 184196278
Test: no longer crashes when enhanced sp<> checks are enabled
Change-Id: I9dc306c14339b7142bae5f801970600d75221eb6
---
 libs/hwui/renderthread/RenderThread.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'libs/hwui/renderthread/RenderThread.cpp')

diff --git a/libs/hwui/renderthread/RenderThread.cpp b/libs/hwui/renderthread/RenderThread.cpp
index adf4aee8b931..79b938841bc2 100644
--- a/libs/hwui/renderthread/RenderThread.cpp
+++ b/libs/hwui/renderthread/RenderThread.cpp
@@ -153,10 +153,11 @@ JVMAttachHook RenderThread::getOnStartHook() {
 }
 
 RenderThread& RenderThread::getInstance() {
- // This is a pointer because otherwise __cxa_finalize
- // will try to delete it like a Good Citizen but that causes us to crash
- // because we don't want to delete the RenderThread normally.
- static RenderThread* sInstance = new RenderThread();
+ [[clang::no_destroy]] static sp sInstance = []() {
+ sp thread = sp::make();
+ thread->start("RenderThread");
+ return thread;
+ }();
 gHasRenderThreadInstance = true;
 return *sInstance;
 }
@@ -171,7 +172,6 @@ RenderThread::RenderThread()
 , mFunctorManager(WebViewFunctorManager::instance())
 , mGlobalProfileData(mJankDataMutex) {
 Properties::load();
- start("RenderThread");
 }
 
 RenderThread::~RenderThread() {
-- 
cgit v1.2.3
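Review bot: The rationale the removed comment carried — that the singleton is deliberately never torn down — now lives only in `[[clang::no_destroy]]`, and the new reason for holding the instance through an `sp` (Thread::run keeps its own strong reference and would free the object when the thread exits, per the commit message) is not stated anywhere in the code; a comment above the static in getInstance would help, e.g. `// Held by a strong reference for the life of the process: Thread::run() takes its own sp<> and would otherwise delete the RenderThread when the thread exits; no_destroy because tearing the RenderThread down at exit is not supported.`. Moving `start("RenderThread")` out of the constructor into the lambda is also the safer ordering, since the thread now starts only once the object is fully constructed and already owned by an sp; the constructor hunk below is the other half of that move. `[[clang::no_destroy]]` is a clang-only attribute, which is fine for this tree but worth a note if the file is ever built with another compiler. The `sp` template arguments appear to have been stripped in this rendering, presumably `sp<RenderThread>`.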