Commit 93320661 authored by Ryan Mitchell

Fix potential double destroy of AssetManager

Assume there is an XmlBlock [X] created by an AssetManager [A]
([A] will have mNumRefs = 2). After [A].close is called
(mNumRefs = 1) and then both [X] and [A] are going to be GCed,
if [A].finalize is called first (nativeDestroy), the later
[X].finalize will invoke [A].xmlBlockGone that triggers the
second nativeDestroy of [A] and leads to a crash.

By clearing the mObject in AssetManager.finalize, the
decRefsLocked from other paths won't call nativeDestroy again.

Bug: 144028297
Test: atest android.security.cts.AssetManagerTest

Change-Id: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
Merged-In: Ia938502d2443f5a6de6a3cabdb7ce1d41d3ff6d1
parent 5e0b0698
+39 −32
@@ -588,7 +588,13 @@ public final class AssetManager implements AutoCloseable {
                    }
                }
            }

            synchronized (this) {
                if (mObject != 0) {
                    destroy();
                    mObject = 0;
                }
            }
        } finally {
            super.finalize();
        }
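Review bot: In the synchronized (this) block in finalize, mObject is cleared only after destroy() returns, so if destroy() throws, mObject stays non-zero and a later decrement that reaches zero would call destroy() again, which is the double destroy this change is meant to prevent. Consider zeroing mObject before the call or clearing it in a finally. A short comment stating that mObject == 0 now means "native object already released" would also help, since this path leaves mNumRefs untouched.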
@@ -907,8 +913,9 @@ public final class AssetManager implements AutoCloseable {
        mNumRefs--;
        //System.out.println("Dec streams: mNumRefs=" + mNumRefs
        //                   + " mReleased=" + mReleased);
        if (mNumRefs == 0) {
        if (mNumRefs == 0 && mObject != 0) {
            destroy();
            mObject = 0;
        }
    }
}
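Review bot: The new condition "if (mNumRefs == 0 && mObject != 0)" has no comment explaining why a zero reference count can coincide with mObject == 0; a one-line note that finalize() may already have destroyed the native object would keep a later cleanup from dropping the check. The guard is also only sound if every caller of this decrement holds the same monitor that finalize takes with synchronized (this), which is not visible in this hunk and is worth confirming. The commented-out System.out.println lines could be removed while this block is being touched.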