commit 5f6b5390aeb51297e4dcb995c8fbbdc46559b8b7
author Riddle Hsu <riddlehsu@google.com> Thu Jul 04 16:10:08 2019 +0800
committer android-build-team Robot <android-build-team-robot@google.com> Tue Feb 11 19:07:06 2020 +0000
tree 6b31d92ed0d2b84dd30a1aa52e31ac2d8d6ec6cc
parent 40dd65db3996399530cf549b3afe0c3a5f884b78

Fix potential double destroy of AssetManager

Assume there is a XmlBlock [X] created by a AssetManager [A]
([A] will have mNumRefs = 2). After [A].close is called
(mNumRefs = 1) and then both [X] and [A] are going to be GCed,
if [A].finalize is called first (nativeDestroy), the later
[X].finalize will invoke [A].xmlBlockGone that triggers the
second nativeDestroy of [A] and leads to crash.

By clearing the mObject in AssetManager.finalize, the
decRefsLocked from other paths won't call nativeDestroy again.

Bug: 136721562
Bug: 144028297
Test: atest AssetManagerTest
Test: Build and install CorePerfTests
      adb shell am instrument -w -r --no-hidden-api-checks -e class \
      android.app.ResourcesPerfTest#getLayoutAndTravese,android.graphics.perftests.RenderNodePerfTest \
      com.android.perftests.core/androidx.test.runner.AndroidJUnitRunner

Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
(cherry picked from commit 0a8a1e9d40a3cdff06150c43c623fa4c415226b6)

core/java/android/content/res/AssetManager.java

diff --git a/core/java/android/content/res/AssetManager.java b/core/java/android/content/res/AssetManager.java
index e5ef67b..2420a61 100644
--- a/core/java/android/content/res/AssetManager.java
+++ b/core/java/android/content/res/AssetManager.java
@@ -1157,8 +1157,11 @@
             }
         }
 
-        if (mObject != 0) {
-            nativeDestroy(mObject);
+        synchronized (this) {
+            if (mObject != 0) {
+                nativeDestroy(mObject);
+                mObject = 0;
+            }
         }
     }