Fix potential double destroy of AssetManager
Assume there is a XmlBlock [X] created by a AssetManager [A]
([A] will have mNumRefs = 2). After [A].close is called
(mNumRefs = 1) and then both [X] and [A] are going to be GCed,
if [A].finalize is called first (nativeDestroy), the later
[X].finalize will invoke [A].xmlBlockGone that triggers the
second nativeDestroy of [A] and leads to crash.
By clearing the mObject in AssetManager.finalize, the
decRefsLocked from other paths won't call nativeDestroy again.
Bug: 136721562
Bug: 144028297
Test: atest AssetManagerTest
Test: Build and install CorePerfTests
adb shell am instrument -w -r --no-hidden-api-checks -e class \
android.app.ResourcesPerfTest#getLayoutAndTravese,android.graphics.perftests.RenderNodePerfTest \
com.android.perftests.core/androidx.test.runner.AndroidJUnitRunner
Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
(cherry picked from commit 0a8a1e9d40a3cdff06150c43c623fa4c415226b6)
diff --git a/core/java/android/content/res/AssetManager.java b/core/java/android/content/res/AssetManager.java
index e5ef67b..2420a61 100644
--- a/core/java/android/content/res/AssetManager.java
+++ b/core/java/android/content/res/AssetManager.java
@@ -1157,8 +1157,11 @@
}
}
- if (mObject != 0) {
- nativeDestroy(mObject);
+ synchronized (this) {
+ if (mObject != 0) {
+ nativeDestroy(mObject);
+ mObject = 0;
+ }
}
}