commit 6edf5af578c1ab1fcd44b7c08ca371456e4b7430
author Mathias Agopian <mathias@google.com> Fri Jun 19 17:00:27 2009 -0700
committer Mathias Agopian <mathias@google.com> Fri Jun 19 17:00:27 2009 -0700
tree 28ae8dec57019f5aac653b1a2d4df5cd061ee976
parent c8fb5b1979da4829e1486e6a1008c06c979b94b0

fix a memory corruption where a SF Client could be used after it's been destroyed

libs/surfaceflinger/SurfaceFlinger.h

diff --git a/libs/surfaceflinger/SurfaceFlinger.h b/libs/surfaceflinger/SurfaceFlinger.h
index ac13340..149eef0 100644
--- a/libs/surfaceflinger/SurfaceFlinger.h
+++ b/libs/surfaceflinger/SurfaceFlinger.h
@@ -64,7 +64,7 @@
 
 // ---------------------------------------------------------------------------
 
-class Client
+class Client : public RefBase
 {
 public:
             Client(ClientID cid, const sp<SurfaceFlinger>& flinger);
@@ -188,20 +188,20 @@
             uint32_t flags);
 
     sp<LayerBaseClient> createNormalSurfaceLocked(
-            Client* client, DisplayID display,
+            const sp<Client>& client, DisplayID display,
             int32_t id, uint32_t w, uint32_t h, 
             PixelFormat format, uint32_t flags);
 
     sp<LayerBaseClient> createBlurSurfaceLocked(
-            Client* client, DisplayID display,
+            const sp<Client>& client, DisplayID display,
             int32_t id, uint32_t w, uint32_t h, uint32_t flags);
 
     sp<LayerBaseClient> createDimSurfaceLocked(
-            Client* client, DisplayID display,
+            const sp<Client>& client, DisplayID display,
             int32_t id, uint32_t w, uint32_t h, uint32_t flags);
 
     sp<LayerBaseClient> createPushBuffersSurfaceLocked(
-            Client* client, DisplayID display,
+            const sp<Client>& client, DisplayID display,
             int32_t id, uint32_t w, uint32_t h, uint32_t flags);
 
     status_t removeSurface(SurfaceID surface_id);
@@ -262,7 +262,7 @@
             bool        lockPageFlip(const LayerVector& currentLayers);
             void        unlockPageFlip(const LayerVector& currentLayers);
             void        handleRepaint();
-            void        scheduleBroadcast(Client* client);
+            void        scheduleBroadcast(const sp<Client>& client);
             void        executeScheduledBroadcasts();
             void        postFramebuffer();
             void        composeSurfaces(const Region& dirty);
@@ -312,11 +312,11 @@
                 
                 // protected by mStateLock (but we could use another lock)
                 Tokenizer                               mTokens;
-                DefaultKeyedVector<ClientID, Client*>   mClientsMap;
+                DefaultKeyedVector<ClientID, sp<Client> >   mClientsMap;
                 DefaultKeyedVector<SurfaceID, sp<LayerBaseClient> >   mLayerMap;
                 GraphicPlane                            mGraphicPlanes[1];
                 bool                                    mLayersRemoved;
-                Vector<Client*>                         mDisconnectedClients;
+                Vector< sp<Client> >                    mDisconnectedClients;
 
                 // constant members (no synchronization needed for access)
                 sp<MemoryDealer>            mServerHeap;
@@ -333,8 +333,8 @@
                 Region                      mDirtyRegion;
                 Region                      mInvalidRegion;
                 Region                      mWormholeRegion;
-                Client*                     mLastScheduledBroadcast;
-                SortedVector<Client*>       mScheduledBroadcasts;
+                wp<Client>                  mLastScheduledBroadcast;
+                SortedVector< wp<Client> >  mScheduledBroadcasts;
                 bool                        mVisibleRegionsDirty;
                 bool                        mDeferReleaseConsole;
                 bool                        mFreezeDisplay;