From 00b5915828f89daaefd9e8fb215658360f76762c Mon Sep 17 00:00:00 2001
From: Mathieu Chartier
Date: Fri, 25 Jul 2014 10:13:51 -0700
Subject: [PATCH] Fix dangling pointer bug when transitioning to background.

Dangling pointer left behind from the old rosalloc / dlmalloc spaces. We now avoid using this pointer by using main_space_ and non_moving_space_ as well as clear the pointer when we remove the space.

Bug: 16567203
Change-Id: Ida9ff30783e89cd4a4d86a4d0e912701692101f1
---
 runtime/gc/heap.cc | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/runtime/gc/heap.cc b/runtime/gc/heap.cc
index d6cf52fcc..33ff3bb1f 100644
--- a/runtime/gc/heap.cc
+++ b/runtime/gc/heap.cc
@@ -669,18 +669,11 @@ void Heap::VisitObjects(ObjectCallback callback, void* arg) {
 }
 
 void Heap::MarkAllocStackAsLive(accounting::ObjectStack* stack) {
-  space::ContinuousSpace* space1 = rosalloc_space_ != nullptr ? rosalloc_space_ : non_moving_space_;
-  space::ContinuousSpace* space2 = dlmalloc_space_ != nullptr ? dlmalloc_space_ : non_moving_space_;
-  // This is just logic to handle a case of either not having a rosalloc or dlmalloc space.
+  space::ContinuousSpace* space1 = main_space_ != nullptr ? main_space_ : non_moving_space_;
+  space::ContinuousSpace* space2 = non_moving_space_;
   // TODO: Generalize this to n bitmaps?
-  if (space1 == nullptr) {
-    DCHECK(space2 != nullptr);
-    space1 = space2;
-  }
-  if (space2 == nullptr) {
-    DCHECK(space1 != nullptr);
-    space2 = space1;
-  }
+  CHECK(space1 != nullptr);
+  CHECK(space2 != nullptr);
   MarkAllocStack(space1->GetLiveBitmap(), space2->GetLiveBitmap(), large_object_space_->GetLiveBitmap(), stack);
 }
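Review bot: The first `CHECK(space1 != nullptr)` cannot fire independently of the second: `space1` is `main_space_` when that is non-null and `non_moving_space_` otherwise, so it is null only when `non_moving_space_` (and therefore `space2`) is null, which the next line already checks. Stating the invariant once before the two assignments, `DCHECK(non_moving_space_ != nullptr);`, would make that clearer than two CHECKs that overlap. When `main_space_` is null both `space1` and `space2` are the same space and `MarkAllocStack` receives the same live bitmap twice; the old fallback had the same property so the callee presumably tolerates it, but a one-line comment saying so at the `space2` assignment would save the next reader a trip. `large_object_space_` is still dereferenced on the final call line without any check; whether that asymmetry is intentional cannot be told from this hunk.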
@@ -1605,6 +1598,12 @@ void Heap::TransitionCollector(CollectorType collector_type) {
       // Remove the main space so that we don't try to trim it, this doens't work for debug
       // builds since RosAlloc attempts to read the magic number from a protected page.
       RemoveSpace(main_space_);
+      // Unset the pointers just in case.
+      if (dlmalloc_space_ == main_space_) {
+        dlmalloc_space_ = nullptr;
+      } else if (rosalloc_space_ == main_space_) {
+        rosalloc_space_ = nullptr;
+      }
       RemoveRememberedSet(main_space_);
       RemoveRememberedSet(main_space_backup_.get());
       main_space_backup_.reset(nullptr);
-- 
2.11.0
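Review bot: The comment `// Unset the pointers just in case.` undersells why the new block exists: `dlmalloc_space_` and `rosalloc_space_` alias `main_space_`, and leaving the alias set after `RemoveSpace(main_space_)` is exactly the dangling pointer the commit title describes. Suggest `// main_space_ aliases dlmalloc_space_ or rosalloc_space_; clear the alias so nothing dereferences the removed space.` in its place. The visible lines do not clear `main_space_` itself; TransitionCollector continues past the hunk, so if that reset happens further down it would read better placed here next to the alias clearing, and if it does not happen at all then `MarkAllocStackAsLive` can still select the removed space through `main_space_`. Moving the alias clearing into `RemoveSpace` would give any other caller that removes the main space the same protection, though that is only a suggestion since RemoveSpace's body is not visible here.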