From ee23f61873497efc70045cc4794be9fdf18eed9f Mon Sep 17 00:00:00 2001
From: Seigo Nonaka
Date: Sat, 27 Jan 2018 15:08:25 -0800
Subject: [PATCH] Fix JNI abort due to mismatched critical get/release call.

ReleasePrimitiveArrayCritical need to be called after GetPrimitiveArrayCritical. However doRunAdvance or doOffsetForAdvance may call JNI::DeleteGlobalRef if the SkTypeface is gone due to cache overflow. Thus, use GetArrayElements/ReleaseArrayElements with ScopedCharArrayRO.

Bug: 70660389
Test: Test app attached to the bug.
Change-Id: Ied8e74588783f11b437c3f2c6ea726a9c6d2fc9e
---
 core/jni/android/graphics/Paint.cpp | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/core/jni/android/graphics/Paint.cpp b/core/jni/android/graphics/Paint.cpp
index 49cbb545b0198..115d0d5a608b2 100644
--- a/core/jni/android/graphics/Paint.cpp
+++ b/core/jni/android/graphics/Paint.cpp
@@ -24,6 +24,7 @@
 #include "core_jni_helpers.h"
 #include
 #include
+#include
 #include "SkBlurDrawLooper.h"
 #include "SkColorFilter.h"
@@ -515,11 +516,10 @@ namespace PaintGlue {
 jint start, jint end, jint contextStart, jint contextEnd, jboolean isRtl, jint offset) {
 const Paint* paint = reinterpret_cast(paintHandle);
 const Typeface* typeface = paint->getAndroidTypeface();
- jchar* textArray = (jchar*) env->GetPrimitiveArrayCritical(text, nullptr);
- jfloat result = doRunAdvance(paint, typeface, textArray + contextStart,
+ ScopedCharArrayRO textArray(env, text);
+ jfloat result = doRunAdvance(paint, typeface, textArray.get() + contextStart,
 start - contextStart, end - start, contextEnd - contextStart, isRtl, offset - contextStart);
- env->ReleasePrimitiveArrayCritical(text, textArray, JNI_ABORT);
 return result;
 }
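Review bot: `textArray.get()` is used unchecked in `textArray.get() + contextStart` on the new doRunAdvance line; when GetCharArrayElements fails, ScopedCharArrayRO holds a null pointer with an OutOfMemoryError pending, so the call proceeds on an invalid pointer before that exception can surface. A guard directly after the constructor, `if (textArray.get() == nullptr) return 0;`, returns to Java and lets the pending exception be thrown; the same gap exists in the doOffsetForAdvance hunk below. The range arguments (contextStart, start, end, contextEnd) are likewise forwarded without any comparison against the array length, so correctness here appears to rest on the Java caller validating them — worth confirming against that caller. The enclosing function's signature begins before the hunk.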
@@ -537,11 +537,10 @@ namespace PaintGlue {
 jboolean isRtl, jfloat advance) {
 const Paint* paint = reinterpret_cast(paintHandle);
 const Typeface* typeface = paint->getAndroidTypeface();
- jchar* textArray = (jchar*) env->GetPrimitiveArrayCritical(text, nullptr);
- jint result = doOffsetForAdvance(paint, typeface, textArray + contextStart,
+ ScopedCharArrayRO textArray(env, text);
+ jint result = doOffsetForAdvance(paint, typeface, textArray.get() + contextStart,
 start - contextStart, end - start, contextEnd - contextStart, isRtl, advance);
 result += contextStart;
- env->ReleasePrimitiveArrayCritical(text, textArray, JNI_ABORT);
 return result;
 }
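Review bot: The new `ScopedCharArrayRO textArray(env, text);` line carries no explanation of why the slower non-critical accessor is used, and the reason lives only in the commit message: doOffsetForAdvance may re-enter JNI (DeleteGlobalRef when a typeface is evicted from the cache), which is not permitted inside a Get/ReleasePrimitiveArrayCritical region. A comment above that line such as `// Not GetPrimitiveArrayCritical: doOffsetForAdvance may call back into JNI (e.g. DeleteGlobalRef), which is illegal inside a critical region.` would keep a future maintainer from reverting to the critical accessor for speed; the same comment fits the doRunAdvance hunk above. Note that ScopedCharArrayRO releases its elements with JNI_ABORT, so the old explicit `JNI_ABORT` release mode is preserved rather than dropped. The function's signature starts before the hunk.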