<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - AddressSanitizer: heap-use-after-free: attaching concurrently many snapshots to a surface" href="https://bugs.freedesktop.org/show_bug.cgi?id=91431">91431</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>AddressSanitizer: heap-use-after-free: attaching concurrently many snapshots to a surface
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>sixtysix@inwind.it
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=117300" name="attach_117300" title="AddressSanitizer report">attachment 117300</a> <a href="attachment.cgi?id=117300&action=edit" title="AddressSanitizer report">[details]</a></span>
AddressSanitizer report

Running a few times (in a bash loop)

<span class="quote">> (cd test; CAIRO_TEST_TARGET_FORMAT=rgba CAIRO_TEST_TARGET=recording ./cairo-test-suite -f pthread-same-source )</span>

on a multi core machine AddressSanitizer once in a while reports:

<span class="quote">> ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000fa98 at pc 0x7f638c08d2ef bp 0x7ffeeba49f70 sp 0x7ffeeba49f60</span>

The problem is that when multiple threads concurrently attach a snapshot
to the same surface, as test/pthread-same-source.c does, the list of
snapshots attached to the surface can become corrupt, and when
the surface is destroyed not all snapshots are notified to copy-on-write
their snapshot; one of them keeps a pointer to the destroyed surface, and
when that snapshot is later used it accesses the freed data.

Basically cairo_list_t is not thread safe.

Building without optimizations

export CFLAGS=-g
./autogen.sh ...

running the same test sometimes instead triggers the assertion:

<span class="quote">> lt-cairo-test-suite: cairo-surface.c:371: _cairo_surface_attach_snapshot: Assertion `_cairo_surface_has_snapshot (surface, snapshot->backend) == snapshot' failed.</span></pre>
        </div>
      </p>
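<p>A thread-safe model of the attach/destroy path the report describes, added here as an illustrative example and not cairo's own code: the surface and snapshot types, has_snapshot_locked, surface_attach_snapshot, surface_finish and the driver are hypothetical names. The membership check and the list insert share one lock, and finishing the surface clears every attached snapshot's pointer, so a driver modelled on pthread-same-source (several threads attaching to one shared surface) ends with no dangling references.</p>

```c
#include <pthread.h>
#include <stddef.h>
enum { NUM_THREADS = 8, SNAPS_PER_THREAD = 64 };
/* Intrusive list node, like cairo_list_t; target is NULL once copied on write. */
typedef struct snapshot { struct snapshot *prev, *next; struct surface *target; } snapshot_t;
/* One mutex guards the snapshot list and every attached snapshot's target. */
typedef struct surface { snapshot_t snapshots; pthread_mutex_t lock; } surface_t;
/* Caller holds s->lock: the membership check and the insert must not interleave. */
static int has_snapshot_locked(surface_t *s, snapshot_t *snap) {
    for (snapshot_t *n = s->snapshots.next; n != &s->snapshots; n = n->next)
        if (n == snap) return 1;
    return 0;
}
void surface_attach_snapshot(surface_t *s, snapshot_t *snap) {
    pthread_mutex_lock(&s->lock);
    if (!has_snapshot_locked(s, snap)) {   /* re-attaching the same snapshot is a no-op */
        snap->target = s;
        snap->next = s->snapshots.next; snap->prev = &s->snapshots;
        s->snapshots.next->prev = snap; s->snapshots.next = snap;
    }
    pthread_mutex_unlock(&s->lock);
}
/* Finishing must reach every snapshot so none keeps a dangling pointer; returns the count. */
int surface_finish(surface_t *s) {
    int notified = 0;
    pthread_mutex_lock(&s->lock);
    while (s->snapshots.next != &s->snapshots) {
        snapshot_t *n = s->snapshots.next;
        s->snapshots.next = n->next; n->next->prev = &s->snapshots;
        n->target = NULL; n->prev = n->next = n; notified++;   /* copy-on-write notification */
    }
    pthread_mutex_unlock(&s->lock);
    return notified;
}
/* Hypothetical driver modelled on pthread-same-source: each thread attaches its own
 * snapshots (twice, to exercise the duplicate check) to the one shared surface. */
static surface_t shared = { .lock = PTHREAD_MUTEX_INITIALIZER };
static snapshot_t snaps[NUM_THREADS][SNAPS_PER_THREAD];
static void *attacher(void *arg) {
    for (snapshot_t *p = arg; p < (snapshot_t *)arg + SNAPS_PER_THREAD; p++)
        for (int twice = 0; twice < 2; twice++) surface_attach_snapshot(&shared, p);
    return NULL;
}
int run_concurrent_attach(void) {   /* returns how many snapshots finish notified */
    pthread_t tids[NUM_THREADS];
    shared.snapshots.prev = shared.snapshots.next = &shared.snapshots;
    for (int t = 0; t < NUM_THREADS; t++) pthread_create(&tids[t], NULL, attacher, snaps[t]);
    for (int t = 0; t < NUM_THREADS; t++) pthread_join(tids[t], NULL);
    return surface_finish(&shared);
}
```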
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>