diff options
author | Keun young Park <keunyoung@google.com> | 2012-03-28 14:13:09 -0700 |
---|---|---|
committer | Keun young Park <keunyoung@google.com> | 2012-03-28 14:13:09 -0700 |
commit | d8973a71a3d1dd670e5dcdf6e94ec0cd45444eec (patch) | |
tree | 5499bb2d33aa98100c1fdb4cef50a715f3d95f66 /services/camera/libcameraservice/CameraService.h | |
parent | 559bf2836f5da25b75bfb229fec0d20d540ee426 (diff) | |
download | frameworks_av-d8973a71a3d1dd670e5dcdf6e94ec0cd45444eec.zip frameworks_av-d8973a71a3d1dd670e5dcdf6e94ec0cd45444eec.tar.gz frameworks_av-d8973a71a3d1dd670e5dcdf6e94ec0cd45444eec.tar.bz2 |
Fix deadlock in camera destruction after client app's crash
* why deadlock happened: when an app (CTS camera test) crashes while using
camera, its binder is closed and reference counter is decreased. If camera
is inside callback, sp<Client> inside callback will hold the Client instance,
and Client instance is destroyed when the callback ends as sp<Client> to hold
it no longer exists. The destructor of Client instance tries to clean up
camera H/W which tries to stop threads created by camera HAL including the
thread context where the callback is running. This causes deadlock where the
callback thread itself is waiting for itself to terminate.
Note that the deadlock will not happen if camera callback is not active. In
that case, closing of binder will force the destruction of Client instance,
and the destruction happens in binder thread.
* Fix: Forces Client descruction in binder thread
- remove sp<Client> from callbacks to prevent destruction in callback context
- add client lock to allow callback to use raw pointer safely. This prevents
the destructor from deleting the instance while callback is using it.
- add status change inside destructor with client lock to safely destroy Client
Bug: 6214383
Change-Id: Ic6d6396d4d95ce9e72a16ec2480ae65c100fe806
Diffstat (limited to 'services/camera/libcameraservice/CameraService.h')
-rw-r--r-- | services/camera/libcameraservice/CameraService.h | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/services/camera/libcameraservice/CameraService.h b/services/camera/libcameraservice/CameraService.h index 457c79b..7972201 100644 --- a/services/camera/libcameraservice/CameraService.h +++ b/services/camera/libcameraservice/CameraService.h @@ -49,7 +49,10 @@ public: virtual sp<ICamera> connect(const sp<ICameraClient>& cameraClient, int cameraId, bool force, bool keep); virtual void removeClient(const sp<ICameraClient>& cameraClient); - virtual sp<Client> getClientById(int cameraId); + // returns plain pointer of client. Note that mClientLock should be acquired to + // prevent the client from destruction. The result can be NULL. + virtual Client* getClientByIdUnsafe(int cameraId); + virtual Mutex* getClientLockById(int cameraId); virtual status_t dump(int fd, const Vector<String16>& args); virtual status_t onTransact(uint32_t code, const Parcel& data, @@ -69,6 +72,7 @@ public: private: Mutex mServiceLock; wp<Client> mClient[MAX_CAMERAS]; // protected by mServiceLock + Mutex mClientLock[MAX_CAMERAS]; // prevent Client destruction inside callbacks int mNumberOfCameras; // atomics to record whether the hardware is allocated to some client. @@ -147,8 +151,9 @@ private: static void dataCallback(int32_t msgType, const sp<IMemory>& dataPtr, camera_frame_metadata_t *metadata, void* user); static void dataCallbackTimestamp(nsecs_t timestamp, int32_t msgType, const sp<IMemory>& dataPtr, void* user); - // convert client from cookie - static sp<Client> getClientFromCookie(void* user); + static Mutex* getClientLockFromCookie(void* user); + // convert client from cookie. Client lock should be acquired before getting Client. + static Client* getClientFromCookie(void* user); // handlers for messages void handleShutter(void); void handlePreviewData(int32_t msgType, const sp<IMemory>& mem, @@ -204,6 +209,11 @@ private: // of the original one), we allocate mPreviewBuffer and reuse it if possible. sp<MemoryHeapBase> mPreviewBuffer; + // the instance is in the middle of destruction. When this is set, + // the instance should not be accessed from callback. + // CameraService's mClientLock should be acquired to access this. + bool mDestructionStarted; + // We need to avoid the deadlock when the incoming command thread and // the CameraHardwareInterface callback thread both want to grab mLock. // An extra flag is used to tell the callback thread that it should stop |