From 1938e34e42969053f1b553779fa21257a28d708d Mon Sep 17 00:00:00 2001
From: Suprabh Shukla
Date: Mon, 14 May 2018 14:22:11 -0700
Subject: Mitigating cache corruption in ArrayMap

Before calling freeArrays, storing the array reference into a temporary pointer so that the main pointer doesn't end up corrupting the static pool of arrays on concurrent access. An earlier change missed a rare case when removeAt was called for the last element in the map.
Test: atest android.util.ArrayMapTest atest android.util.cts.ArrayMapTest
Bug: 78898947
Change-Id: I454c5b1600eb0a6c690e746df10f6a0ebcd8aa1d
---
 core/java/android/util/ArrayMap.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'core/java/android/util/ArrayMap.java')
diff --git a/core/java/android/util/ArrayMap.java b/core/java/android/util/ArrayMap.java
index d51a13f3d119..f1e937e83dc1 100644
--- a/core/java/android/util/ArrayMap.java
+++ b/core/java/android/util/ArrayMap.java
@@ -644,9 +644,11 @@ public final class ArrayMap implements Map {
 if (osize <= 1) {
 // Now empty.
 if (DEBUG) Log.d(TAG, "remove: shrink from " + mHashes.length + " to 0");
- freeArrays(mHashes, mArray, osize);
+ final int[] ohashes = mHashes;
+ final Object[] oarray = mArray;
 mHashes = EmptyArray.INT;
 mArray = EmptyArray.OBJECT;
+ freeArrays(ohashes, oarray, osize);
 nsize = 0;
 } else {
 nsize = osize - 1;
-- 
cgit v1.2.3
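Review bot: The new ordering around `freeArrays(ohashes, oarray, osize)` carries no comment saying why the two `final` locals exist, so a later cleanup could fold it back into `freeArrays(mHashes, mArray, osize)` and reintroduce the pool corruption the commit message describes. I would add above `final int[] ohashes = mHashes;` a line such as `// Detach the arrays from this map before handing them to the static pool, so a racing caller cannot reach pooled arrays through mHashes/mArray.` This also only narrows the window: a thread that read `mArray` before the reset can presumably still write into the array after it has been cached, and because the pool is static that would affect other maps in the process, so the comment should say this is a mitigation and that callers still need external synchronization. The enclosing method starts and ends outside the hunk, so whether its other shrink path already follows the same order cannot be confirmed from here.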