QCamera2/HAL3: Avoid double free when handling out of sequence

When a frame drop is detected and cancel buffer is called,
ensure that outOfOrderList is updated in all cases so that
double free is avoided

BUG=31004909

Change-Id: I895fab805b88b08ce886823611d72a0232060138
diff --git a/QCamera2/HAL3/QCamera3Channel.cpp b/QCamera2/HAL3/QCamera3Channel.cpp
index ed8df5d..3b8c2f5 100644
--- a/QCamera2/HAL3/QCamera3Channel.cpp
+++ b/QCamera2/HAL3/QCamera3Channel.cpp
@@ -882,13 +882,15 @@
        if (mOutOfSequenceBuffers.empty()) {
           break;
        } else {
-          for (auto itr = mOutOfSequenceBuffers.begin();
-                  itr != mOutOfSequenceBuffers.end(); itr++) {
-             super_frame = *itr;
-             frameIndex = super_frame->bufs[0]->buf_idx;
-             resultFrameNumber = mMemory.getFrameNumber(frameIndex);
-             lowestFrameNumber = mMemory.getOldestFrameNumber(oldestBufIndex);
-             if ((lowestFrameNumber != -1 ) && (lowestFrameNumber < resultFrameNumber)) {
+            auto itr = mOutOfSequenceBuffers.begin();
+            super_frame = *itr;
+            frameIndex = super_frame->bufs[0]->buf_idx;
+            resultFrameNumber = mMemory.getFrameNumber(frameIndex);
+            lowestFrameNumber = mMemory.getOldestFrameNumber(oldestBufIndex);
+            LOGE("Attempting to recover next frame: result Frame#: %d, resultIdx: %d, "
+                    "Lowest Frame#: %d, oldestBufIndex: %d",
+                    resultFrameNumber, frameIndex, lowestFrameNumber, oldestBufIndex);
+            if ((lowestFrameNumber != -1) && (lowestFrameNumber < resultFrameNumber)) {
                 LOGE("Multiple frame dropped requesting cancel for frame %d, idx:%d",
                         lowestFrameNumber, oldestBufIndex);
                 stream->cancelBuffer(oldestBufIndex);
@@ -896,13 +898,11 @@
              } else if (lowestFrameNumber == resultFrameNumber) {
                 LOGE("Time to flush out head of list continue loop with this new super frame");
                 itr = mOutOfSequenceBuffers.erase(itr);
-                break;
              } else {
                 LOGE("Unexpected condition head of list is not the lowest frame number");
-                assert(0);
+                itr = mOutOfSequenceBuffers.erase(itr);
              }
           }
-       }
     } while (1);
     return;
 }
@@ -1042,12 +1042,18 @@
                 return DEAD_OBJECT;
             }
         }
+        rc = mMemory.markFrameNumber(index, frameNumber);
+        if(rc != NO_ERROR) {
+            LOGE("Error marking frame number:%d for index %d", frameNumber,
+                index);
+            return rc;
+        }
         rc = mStreams[0]->bufDone(index);
         if(rc != NO_ERROR) {
             LOGE("Failed to Q new buffer to stream");
+            mMemory.markFrameNumber(index, -1);
             return rc;
         }
-        rc = mMemory.markFrameNumber(index, frameNumber);
         indexUsed = index;
     }
     return rc;
@@ -1969,14 +1975,19 @@
         }
     }
 
+    rc = mMemory.markFrameNumber((uint32_t)index, frameNumber);
+    if(rc != NO_ERROR) {
+        LOGE("Failed to mark FrameNumber:%d,idx:%d",frameNumber,index);
+        return rc;
+    }
     rc = mStreams[0]->bufDone((uint32_t)index);
     if(rc != NO_ERROR) {
         LOGE("Failed to Q new buffer to stream");
+        mMemory.markFrameNumber(index, -1);
         return rc;
     }
 
     indexUsed = index;
-    rc = mMemory.markFrameNumber((uint32_t)index, frameNumber);
     return rc;
 }
 
@@ -3012,8 +3023,8 @@
                      bufferIndex, resultFrameNumber);
             return BAD_VALUE;
         }
-        mFreeHeapBufferList.push_back(bufferIndex);
         mMemory.markFrameNumber(bufferIndex, -1);
+        mFreeHeapBufferList.push_back(bufferIndex);
         //Move heap buffer into free pool and invalidate the frame number
         ppInfo = mOfflinePpInfoList.erase(ppInfo);
 
@@ -4627,12 +4638,17 @@
                 return DEAD_OBJECT;
             }
         }
+        rc = mGrallocMemory.markFrameNumber(index, frame->frameNumber);
+        if(rc != NO_ERROR) {
+            LOGE("Failed to mark frame#:%d, index:%d",frame->frameNumber,index);
+            return rc;
+        }
         rc = pStream->bufDone(index);
         if(rc != NO_ERROR) {
             LOGE("Failed to Q new buffer to stream");
+            mGrallocMemory.markFrameNumber(index, -1);
             return rc;
         }
-        rc = mGrallocMemory.markFrameNumber(index, frame->frameNumber);
 
     } else if (mReprocessType == REPROCESS_TYPE_JPEG) {
         Mutex::Autolock lock(mFreeBuffersLock);
diff --git a/QCamera2/HAL3/QCamera3Mem.cpp b/QCamera2/HAL3/QCamera3Mem.cpp
index 100d7a2..6f0bd8b 100644
--- a/QCamera2/HAL3/QCamera3Mem.cpp
+++ b/QCamera2/HAL3/QCamera3Mem.cpp
@@ -488,7 +488,8 @@
     for (uint32_t index = 0;
             index < mBufferCount; index++) {
         if (mMemInfo[index].handle) {
-            if ((empty) || (!empty && oldest > mCurrentFrameNumbers[index])) {
+            if ((empty) || (!empty && oldest > mCurrentFrameNumbers[index]
+                && mCurrentFrameNumbers[index] != -1)) {
                 oldest = mCurrentFrameNumbers[index];
                 bufIndex = index;
             }
@@ -1049,7 +1050,9 @@
     for (uint32_t index = mStartIdx;
             index < MM_CAMERA_MAX_NUM_FRAMES; index++) {
         if (mMemInfo[index].handle) {
-            if ((empty) || (!empty && oldest > mCurrentFrameNumbers[index])) {
+            if ((empty) ||
+                (!empty && oldest > mCurrentFrameNumbers[index]
+                && mCurrentFrameNumbers[index] != -1)) {
                 oldest = mCurrentFrameNumbers[index];
                 bufIndex = index;
             }