<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - TSan data races with freed_pool_t's |top| data member"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90318">90318</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>TSan data races with freed_pool_t's |top| data member
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>froydnj@gmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=115548" name="attach_115548" title="data races detected by TSan in Firefox">attachment 115548</a></span>
data races detected by TSan in Firefox

The attached log file shows two different data races coming from freed_pool_t
during a Firefox test run.  (The stacks are from Firefox's in-tree cairo,
which, while old, is not significantly different from upstream in this
particular case.)

While freed_pool_t is careful to use atomic operations for accessing the pool's
list of free things, no such caution is taken with the pointer for the next
free thing in the pool, |top|.  |top| can be accessed by multiple threads
without any synchronization.

Normally I'd suggest fixing this via mutexes, but it appears cairo doesn't
support dynamically allocated mutexes (?).  Atomic accesses to |top| are also a
possibility, though I'm not entirely convinced that |top| and |pool| couldn't
get out-of-sync somehow.</pre>
        </div>
      </p>
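      <p>Added example, not part of the original report and not cairo's source: a simplified C11 model of a freed-object pool in which slot ownership is decided only by atomic exchange and compare-and-swap on the slots, and |top| is a relaxed atomic hint, so a |top| that is out of sync with the slots costs a scan rather than a lost or double-issued pointer. The names model_pool_t, POOL_SIZE, slot_take, slot_give, clamp_hint, model_pool_get and model_pool_put are hypothetical.</p>

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#define POOL_SIZE 4 /* assumed size for this model */

/* Simplified model of a freed-object pool; not cairo's freed_pool_t. */
typedef struct {
    _Atomic(void *) slot[POOL_SIZE]; /* ownership is decided here, atomically */
    atomic_int top;                  /* hint only: index of the next free slot */
} model_pool_t;

/* Claim slot i: returns its pointer, or NULL if empty or another thread won. */
static void *slot_take(model_pool_t *p, int i) {
    return atomic_exchange_explicit(&p->slot[i], NULL, memory_order_acquire);
}

/* Publish ptr in slot i only if the slot is currently empty. */
static bool slot_give(model_pool_t *p, int i, void *ptr) {
    void *expected = NULL;
    return atomic_compare_exchange_strong_explicit(
        &p->slot[i], &expected, ptr, memory_order_release, memory_order_relaxed);
}

/* A stale or out-of-range hint is clamped instead of trusted. */
static int clamp_hint(int h) { return (h < 0 || h >= POOL_SIZE) ? 0 : h; }

void *model_pool_get(model_pool_t *p) {
    int hint = clamp_hint(atomic_load_explicit(&p->top, memory_order_relaxed) - 1);
    for (int n = 0; n < POOL_SIZE; n++) {
        int i = (hint - n + POOL_SIZE) % POOL_SIZE; /* hinted slot, then scan */
        void *ptr = slot_take(p, i);
        if (ptr != NULL) {
            atomic_store_explicit(&p->top, i, memory_order_relaxed);
            return ptr;
        }
    }
    return NULL; /* pool empty: caller allocates a fresh object */
}

bool model_pool_put(model_pool_t *p, void *ptr) {
    int hint = clamp_hint(atomic_load_explicit(&p->top, memory_order_relaxed));
    for (int n = 0; n < POOL_SIZE; n++) {
        int i = (hint + n) % POOL_SIZE;             /* hinted slot, then scan */
        if (slot_give(p, i, ptr)) {
            atomic_store_explicit(&p->top, i + 1, memory_order_relaxed);
            return true;
        }
    }
    return false; /* pool full: caller frees ptr itself */
}
```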
    </body>
</html>