<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - Race in _cairo_toy_font_face_destroy"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=69470">69470</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Race in _cairo_toy_font_face_destroy
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>clockworksaint@gmail.com
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>1.12.14
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr></table>
      <p>
        <div>
        <pre>When creating and destroying toy font faces concurrently on multiple threads,
sometimes an assertion is raised:

/build/buildd/cairo-1.12.14/src/cairo-hash.c:506:
_cairo_hash_table_lookup_exact_key: Assertion `!"reached"' failed.

I first observed this in Mono:

<a href="https://bugzilla.xamarin.com/show_bug.cgi?id=2426">https://bugzilla.xamarin.com/show_bug.cgi?id=2426</a>


I asked about it on the mailing list and someone confirmed that it occurs even
in a trivial C program:

<a href="http://lists.cairographics.org/archives/cairo/2013-September/024667.html">http://lists.cairographics.org/archives/cairo/2013-September/024667.html</a>


I think this is the sequence of events:

Thread A runs cairo_toy_font_face_create to create a font. It completes
normally and is added to cairo_toy_font_face_hash_table.

Thread A decrefs the font face. Its refcount drops to 0, and
_cairo_toy_font_face_destroy will run, except--

Thread B runs cairo_toy_font_face_create to create the same font. It is found
in the hash table, a reference is added, and it is returned.

Thread B decrefs the font face. Its refcount drops to 0.

Thread B runs _cairo_toy_font_face_destroy.

Thread B acquires the lock on the hash table, confirms that the refcount is
still 0, then removes the hash table entry, releases the lock and goes on to
deallocate the font.

Thread A wakes up and continues running _cairo_toy_font_face_destroy. It
acquires the lock on the hash table, and - uh-oh! - it confirms that the
refcount is still 0. It is! (I think this was potentially an access-after-free,
too.) Thread A tries to remove the font from the hash table, and asserts.</pre>
        </div>
      </p>
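<p>Added illustration (not cairo's code and not part of the original report): a single-slot C model of the refcount-plus-cache pattern the reporter describes. <code>replay_buggy()</code> walks the interleaving above step by step and returns -1 at the point where cairo would hit the "reached" assertion, while <code>safe_unref()</code> shows the shape that closes the window by taking the table lock before the refcount is decremented. All names are hypothetical, and free() is modelled by a flag so the replay stays well-defined.</p>

```c
#include <assert.h>
#include <stdlib.h>
/* Single-slot stand-in for cairo_toy_font_face_hash_table and its mutex.
 * free() is modelled by a flag so the replay itself stays well-defined. */
typedef struct { int refcount; int freed; } face_t;
static face_t *slot;   /* the cached face, NULL when the table is empty */
static int locked;     /* the table lock: one "thread" inside at a time */
static void lock(void)   { assert(!locked); locked = 1; }
static void unlock(void) { assert(locked);  locked = 0; }
/* Shared by both versions: lookup and ref happen under the lock. */
static face_t *create(void) {
    lock();
    face_t *f = slot;
    if (f) f->refcount++;
    else { f = calloc(1, sizeof *f); f->refcount = 1; slot = f; }
    unlock();
    return f;
}
/* Buggy shape from the report: the refcount reaches 0 outside the lock;
 * only then does destroy take the lock, re-check and remove. */
static int buggy_decref(face_t *f) { return --f->refcount == 0; }
static int buggy_destroy(face_t *f) {  /* 1 resurrected, 0 freed, -1 assert */
    lock();
    if (f->refcount != 0) { unlock(); return 1; }  /* may read freed memory */
    if (slot != f) { unlock(); return -1; }  /* entry already gone: "reached" */
    slot = NULL; unlock(); f->freed = 1;
    return 0;
}
/* Fixed shape: decrement, check and removal form one critical section, so
 * no create() can find the face between refcount 0 and its removal. */
static int safe_unref(face_t *f) {
    lock();
    if (--f->refcount > 0) { unlock(); return 1; }
    assert(slot == f);  /* removal only happens here, under the lock */
    slot = NULL; unlock(); f->freed = 1;
    return 0;
}

/* The report's interleaving: A decrefs to 0, B finds the same face and
 * destroys it, A resumes. Returns A's result (-1 = the assertion). */
int replay_buggy(void) {
    face_t *a = create();
    buggy_decref(a);               /* A: refcount 0, then preempted */
    face_t *b = create();          /* B: finds a, refcount 0 -> 1 */
    buggy_decref(b);               /* B: refcount 0 */
    int b_rc = buggy_destroy(b);   /* B removes the entry and "frees" */
    int uaf = a->freed, a_rc = buggy_destroy(a);  /* A: stale read, double remove */
    free(a);
    return (b_rc == 0 && uaf) ? a_rc : 99;
}
```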
    </body>
</html>