Fix race resulting in UAF in class-define-pausing
When we pause class redefinition we use a barrier to make sure that
all threads properly exit the ClassDefinitionPauser code so we can
destroy it without causing UAF. To do this we need to know how many
threads are in ClassDefinitionPauser code. We previously incorrectly
only counted threads after they had already suspended and acquired a
mutex owned by the Pauser. This means that if the transformation
thread managed to finish all work before the loading thread had made
it past the mutex, the thread would not be counted. This can easily
lead to a UAF. To fix this we just need to move the count to before
the thread-suspend and perform the release code with all threads
suspended. This will ensure that all threads are counted.
Bug: 147880227
Test: ./test.py --host
Test: ./test/run-test --create-runner --host --prebuild --compact-dex-level fast --optimizing --no-relocate --runtime-option -Xcheck:jni --64 2001-virtual-structural-multithread
tools/parallel_run.py
Change-Id: I3e76ca29a504259270f8cec5574f5c07b27ed02f
1 file changed