fixing a race condition on MsgTask::destroy() when MsgTask::destroy() happens, msg_q_unblock() triggers the running thread to come out from blocking state. A race condition may happen such that that thread may complete first, causing msgTask obj to be already deleted. A next allocation may change the value at MsgTask::mThread. Then when control comes back to destroy(), it may try to check mThread and call delete on it to crash the program. mThread is a heap obj, so it is possible to delete it after the hosting msgTask obj is deleted. We just have to keep its value on the stack before calling msg_q_unblock(). Change-Id: If15884815eea05fbfa523ec92aa300ed21ef897c CR-Fixed: 1091530

commit: 4eda8e1eabead3a9115bdd9cedd7e336ed431dbe [log] [tgz]
author: Dante Russo <[email protected]> Wed Nov 23 13:57:56 2016 -0800
committer: Alain Vongsouvanh <[email protected]> Tue Jan 03 10:56:19 2017 -0800
tree: f22cd1cc12470731d1fc63c67eb6963b0395a630
parent: 47b626358ac5f0c29465623c255f0aa8c2d11458 [diff] [blame]
diff --git a/msm8909/utils/MsgTask.cpp b/msm8909/utils/MsgTask.cpp
index 6f9d0e9..0e7a3a2 100644
--- a/msm8909/utils/MsgTask.cpp
+++ b/msm8909/utils/MsgTask.cpp

@@ -63,9 +63,9 @@
 }
 
 void MsgTask::destroy() {
+    LocThread* thread = mThread;
     msg_q_unblock((void*)mQ);
-    if (mThread) {
-        LocThread* thread = mThread;
+    if (thread) {
         mThread = NULL;
         delete thread;
     } else {
commit	4eda8e1eabead3a9115bdd9cedd7e336ed431dbe	[log] [tgz]
author	Dante Russo <[email protected]>	Wed Nov 23 13:57:56 2016 -0800
committer	Alain Vongsouvanh <[email protected]>	Tue Jan 03 10:56:19 2017 -0800
tree	f22cd1cc12470731d1fc63c67eb6963b0395a630
parent	47b626358ac5f0c29465623c255f0aa8c2d11458 [diff] [blame]