Ensure objects remain valid after calling policy am: 7d7ac48 am: 8d8ffe0

Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/native/+/31313194

Change-Id: I62b8288022080f25406e21dc97168e2294ec049a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Author: vishniakou

services/inputflinger/dispatcher/InputDispatcher.cpp

@@ -5745,9 +5745,7 @@ void InputDispatcher::doDispatchCycleFinishedCommand(nsecs_t finishTime,
 
     bool restartEvent;
     if (dispatchEntry->eventEntry->type == EventEntry::Type::KEY) {
-        KeyEntry& keyEntry = static_cast<KeyEntry&>(*(dispatchEntry->eventEntry));
-        restartEvent =
-                afterKeyEventLockedInterruptable(connection, dispatchEntry, keyEntry, handled);
+        restartEvent = afterKeyEventLockedInterruptable(connection, dispatchEntry, handled);
     } else if (dispatchEntry->eventEntry->type == EventEntry::Type::MOTION) {
         MotionEntry& motionEntry = static_cast<MotionEntry&>(*(dispatchEntry->eventEntry));
         restartEvent = afterMotionEventLockedInterruptable(connection, dispatchEntry, motionEntry,
@@ -5975,7 +5973,17 @@ void InputDispatcher::processConnectionResponsiveLocked(const Connection& connec
 
 bool InputDispatcher::afterKeyEventLockedInterruptable(const sp<Connection>& connection,
                                                        DispatchEntry* dispatchEntry,
-                                                       KeyEntry& keyEntry, bool handled) {
+                                                       bool handled) {
+    // The dispatchEntry is currently valid, but it might point to a deleted object after we release
+    // the lock. For simplicity, make copies of the data of interest here and assume that
+    // 'dispatchEntry' is not valid after this section.
+    // Hold a strong reference to the EventEntry to ensure it's valid for the duration of this
+    // function, even if the DispatchEntry gets destroyed and releases its share of the ownership.
+    std::shared_ptr<EventEntry> eventEntry = dispatchEntry->eventEntry;
+    const bool hasForegroundTarget = dispatchEntry->hasForegroundTarget();
+    KeyEntry& keyEntry = static_cast<KeyEntry&>(*(eventEntry));
+    // To prevent misuse, ensure dispatchEntry is no longer valid.
+    dispatchEntry = nullptr;
     if (keyEntry.flags & AKEY_EVENT_FLAG_FALLBACK) {
         if (!handled) {
             // Report the key as unhandled, since the fallback was not handled.
@@ -5992,7 +6000,7 @@ bool InputDispatcher::afterKeyEventLockedInterruptable(const sp<Connection>& con
         connection->inputState.removeFallbackKey(originalKeyCode);
     }
 
-    if (handled || !dispatchEntry->hasForegroundTarget()) {
+    if (handled || !hasForegroundTarget) {
         // If the application handles the original key for which we previously
         // generated a fallback or if the window is not a foreground window,
         // then cancel the associated fallback key, if any.

services/inputflinger/dispatcher/InputDispatcher.h

@@ -666,7 +666,7 @@ class InputDispatcher : public android::InputDispatcherInterface {
     void updateLastAnrStateLocked(const std::string& windowLabel, const std::string& reason)
             REQUIRES(mLock);
     bool afterKeyEventLockedInterruptable(const sp<Connection>& connection,
-                                          DispatchEntry* dispatchEntry, KeyEntry& keyEntry,
+                                          DispatchEntry* dispatchEntry,
                                           bool handled) REQUIRES(mLock);
     bool afterMotionEventLockedInterruptable(const sp<Connection>& connection,
                                              DispatchEntry* dispatchEntry, MotionEntry& motionEntry,