Do not modify vector after getting references
We used to obtain a reference to a specific element inside a vector. We
would then modify the vector, invalidating the reference. But we then
used the reference, and passed it to 'assignPointerIds'.
Refactor the code to modify the collection first, and then to proceed
with modifying / reading the elements.
Bug: 179839665
Test: atest inputflinger_tests (on a hwasan build)
Merged-In: I9204b954884e9c83a50babdad5e08a0f6d18ad78
Change-Id: I9204b954884e9c83a50babdad5e08a0f6d18ad78
(cherry picked from commit 8cf78f9553981600f57e9c829886848172114484)
diff --git a/services/inputflinger/reader/mapper/TouchInputMapper.cpp b/services/inputflinger/reader/mapper/TouchInputMapper.cpp
index 99a572a..decbea4 100644
--- a/services/inputflinger/reader/mapper/TouchInputMapper.cpp
+++ b/services/inputflinger/reader/mapper/TouchInputMapper.cpp
@@ -1413,27 +1413,28 @@
}
void TouchInputMapper::sync(nsecs_t when) {
- const RawState* last =
- mRawStatesPending.empty() ? &mCurrentRawState : &mRawStatesPending.back();
-
// Push a new state.
mRawStatesPending.emplace_back();
- RawState* next = &mRawStatesPending.back();
- next->clear();
- next->when = when;
+ RawState& next = mRawStatesPending.back();
+ next.clear();
+ next.when = when;
// Sync button state.
- next->buttonState =
+ next.buttonState =
mTouchButtonAccumulator.getButtonState() | mCursorButtonAccumulator.getButtonState();
// Sync scroll
- next->rawVScroll = mCursorScrollAccumulator.getRelativeVWheel();
- next->rawHScroll = mCursorScrollAccumulator.getRelativeHWheel();
+ next.rawVScroll = mCursorScrollAccumulator.getRelativeVWheel();
+ next.rawHScroll = mCursorScrollAccumulator.getRelativeHWheel();
mCursorScrollAccumulator.finishSync();
// Sync touch
- syncTouch(when, next);
+ syncTouch(when, &next);
+
+ // The last RawState is the actually second to last, since we just added a new state
+ const RawState& last =
+ mRawStatesPending.size() == 1 ? mCurrentRawState : mRawStatesPending.rbegin()[1];
// Assign pointer ids.
if (!mHavePointerIds) {
@@ -1443,9 +1444,9 @@
#if DEBUG_RAW_EVENTS
ALOGD("syncTouch: pointerCount %d -> %d, touching ids 0x%08x -> 0x%08x, "
"hovering ids 0x%08x -> 0x%08x",
- last->rawPointerData.pointerCount, next->rawPointerData.pointerCount,
- last->rawPointerData.touchingIdBits.value, next->rawPointerData.touchingIdBits.value,
- last->rawPointerData.hoveringIdBits.value, next->rawPointerData.hoveringIdBits.value);
+ last.rawPointerData.pointerCount, next.rawPointerData.pointerCount,
+ last.rawPointerData.touchingIdBits.value, next.rawPointerData.touchingIdBits.value,
+ last.rawPointerData.hoveringIdBits.value, next.rawPointerData.hoveringIdBits.value);
#endif
processRawTouches(false /*timeout*/);
@@ -3679,11 +3680,11 @@
return nullptr;
}
-void TouchInputMapper::assignPointerIds(const RawState* last, RawState* current) {
- uint32_t currentPointerCount = current->rawPointerData.pointerCount;
- uint32_t lastPointerCount = last->rawPointerData.pointerCount;
+void TouchInputMapper::assignPointerIds(const RawState& last, RawState& current) {
+ uint32_t currentPointerCount = current.rawPointerData.pointerCount;
+ uint32_t lastPointerCount = last.rawPointerData.pointerCount;
- current->rawPointerData.clearIdBits();
+ current.rawPointerData.clearIdBits();
if (currentPointerCount == 0) {
// No pointers to assign.
@@ -3694,20 +3695,20 @@
// All pointers are new.
for (uint32_t i = 0; i < currentPointerCount; i++) {
uint32_t id = i;
- current->rawPointerData.pointers[i].id = id;
- current->rawPointerData.idToIndex[id] = i;
- current->rawPointerData.markIdBit(id, current->rawPointerData.isHovering(i));
+ current.rawPointerData.pointers[i].id = id;
+ current.rawPointerData.idToIndex[id] = i;
+ current.rawPointerData.markIdBit(id, current.rawPointerData.isHovering(i));
}
return;
}
if (currentPointerCount == 1 && lastPointerCount == 1 &&
- current->rawPointerData.pointers[0].toolType == last->rawPointerData.pointers[0].toolType) {
+ current.rawPointerData.pointers[0].toolType == last.rawPointerData.pointers[0].toolType) {
// Only one pointer and no change in count so it must have the same id as before.
- uint32_t id = last->rawPointerData.pointers[0].id;
- current->rawPointerData.pointers[0].id = id;
- current->rawPointerData.idToIndex[id] = 0;
- current->rawPointerData.markIdBit(id, current->rawPointerData.isHovering(0));
+ uint32_t id = last.rawPointerData.pointers[0].id;
+ current.rawPointerData.pointers[0].id = id;
+ current.rawPointerData.idToIndex[id] = 0;
+ current.rawPointerData.markIdBit(id, current.rawPointerData.isHovering(0));
return;
}
@@ -3725,9 +3726,9 @@
for (uint32_t lastPointerIndex = 0; lastPointerIndex < lastPointerCount;
lastPointerIndex++) {
const RawPointerData::Pointer& currentPointer =
- current->rawPointerData.pointers[currentPointerIndex];
+ current.rawPointerData.pointers[currentPointerIndex];
const RawPointerData::Pointer& lastPointer =
- last->rawPointerData.pointers[lastPointerIndex];
+ last.rawPointerData.pointers[lastPointerIndex];
if (currentPointer.toolType == lastPointer.toolType) {
int64_t deltaX = currentPointer.x - lastPointer.x;
int64_t deltaY = currentPointer.y - lastPointer.y;
@@ -3831,12 +3832,12 @@
matchedCurrentBits.markBit(currentPointerIndex);
matchedLastBits.markBit(lastPointerIndex);
- uint32_t id = last->rawPointerData.pointers[lastPointerIndex].id;
- current->rawPointerData.pointers[currentPointerIndex].id = id;
- current->rawPointerData.idToIndex[id] = currentPointerIndex;
- current->rawPointerData.markIdBit(id,
- current->rawPointerData.isHovering(
- currentPointerIndex));
+ uint32_t id = last.rawPointerData.pointers[lastPointerIndex].id;
+ current.rawPointerData.pointers[currentPointerIndex].id = id;
+ current.rawPointerData.idToIndex[id] = currentPointerIndex;
+ current.rawPointerData.markIdBit(id,
+ current.rawPointerData.isHovering(
+ currentPointerIndex));
usedIdBits.markBit(id);
#if DEBUG_POINTER_ASSIGNMENT
@@ -3853,10 +3854,10 @@
uint32_t currentPointerIndex = matchedCurrentBits.markFirstUnmarkedBit();
uint32_t id = usedIdBits.markFirstUnmarkedBit();
- current->rawPointerData.pointers[currentPointerIndex].id = id;
- current->rawPointerData.idToIndex[id] = currentPointerIndex;
- current->rawPointerData.markIdBit(id,
- current->rawPointerData.isHovering(currentPointerIndex));
+ current.rawPointerData.pointers[currentPointerIndex].id = id;
+ current.rawPointerData.idToIndex[id] = currentPointerIndex;
+ current.rawPointerData.markIdBit(id,
+ current.rawPointerData.isHovering(currentPointerIndex));
#if DEBUG_POINTER_ASSIGNMENT
ALOGD("assignPointerIds - assigned: cur=%" PRIu32 ", id=%" PRIu32, currentPointerIndex, id);
diff --git a/services/inputflinger/reader/mapper/TouchInputMapper.h b/services/inputflinger/reader/mapper/TouchInputMapper.h
index 58bfc5c..1c2cc18 100644
--- a/services/inputflinger/reader/mapper/TouchInputMapper.h
+++ b/services/inputflinger/reader/mapper/TouchInputMapper.h
@@ -758,7 +758,7 @@
bool isPointInsideSurface(int32_t x, int32_t y);
const VirtualKey* findVirtualKeyHit(int32_t x, int32_t y);
- static void assignPointerIds(const RawState* last, RawState* current);
+ static void assignPointerIds(const RawState& last, RawState& current);
const char* modeToString(DeviceMode deviceMode);
void rotateAndScale(float& x, float& y);
