[cairo] Toy font face race condition / heap corruption?
Chris Wilson
chris at chris-wilson.co.uk
Mon Jan 26 02:52:24 PST 2009
On Mon, 2009-01-26 at 08:32 +0000, Paul Messmer wrote:

> If I add the line "if (CAIRO_REFERENCE_COUNT_HAS_REFERENCE
> (&font_face->base.ref_count)) return;" after the hash table unlock but
> before _cairo_toy_font_face_fini in _cairo_toy_font_face_destroy my
> heap problem seems to go away.

As I read it, the check on the reference count needs to be performed
before we remove the entry from the hash table - but otherwise the
analysis is spot on.

> Does anyone have a feel for whether Cairo is well tested in
> multi-threaded environments? Or is it just more likely that the toy
> text API isn't used with any seriousness?

It's a bit of both. I'd only expect a "serious" application to be
multi-threaded and those applications are unlikely to be using the toy
API. However, _cairo_ft_unscaled_font_destroy() has exactly the same bug
as well...

So we've exposed a limitation in our testing. I guess it's time to take
another look at helgrind and drd.

-ickle
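The interleaving discussed in this thread, replayed as an added example that is not cairo's code: a one-slot stand-in for the font face hash table, a lookup that takes a reference under the table lock, and a destroy path that either re-checks the reference count under the lock before removing the entry (the placement Chris describes) or does not. The names toy_face, face_lookup, face_destroy_tail and replay_race are invented for this example.

```c
/* Added example, not cairo's code: model of the destroy/lookup race.
 * The "hash table" is a single cached slot guarded by a mutex, and the
 * cross-thread interleaving is replayed step by step from one thread. */
#include <pthread.h>
#include <stddef.h>

typedef struct { int ref_count; int finalized; } toy_face;

static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static toy_face *table_entry;          /* cached face, NULL when absent */

/* Lookup side: find the cached face and reference it while locked. */
static toy_face *face_lookup(void)
{
    pthread_mutex_lock(&table_lock);
    toy_face *f = table_entry;
    if (f) f->ref_count++;
    pthread_mutex_unlock(&table_lock);
    return f;
}

/* Destroy side, after the caller's decrement already reached zero.
 * 'fixed' enables the re-check under the lock, before the removal. */
static void face_destroy_tail(toy_face *f, int fixed)
{
    pthread_mutex_lock(&table_lock);
    if (fixed && f->ref_count > 0) {   /* resurrected by a lookup: keep it */
        pthread_mutex_unlock(&table_lock);
        return;
    }
    if (table_entry == f) table_entry = NULL;
    pthread_mutex_unlock(&table_lock);
    f->finalized = 1;                  /* stands in for _cairo_toy_font_face_fini */
}

/* Replay: thread A drops the last reference, thread B looks the face up
 * before A has taken the table lock, then A continues.  Returns 1 when
 * the face B now holds has been finalized under it; *still_cached tells
 * whether the entry survived in the table. */
static int replay_race(int fixed, int *still_cached)
{
    toy_face face = { .ref_count = 1, .finalized = 0 };
    table_entry = &face;
    int ruined = 0;
    if (--face.ref_count == 0) {         /* A: last reference gone, lock not held */
        toy_face *b = face_lookup();     /* B: finds the entry, ref_count is 1 again */
        face_destroy_tail(&face, fixed); /* A: continues */
        ruined = (b != NULL && b->finalized);
    }
    *still_cached = (table_entry == &face);
    table_entry = NULL;
    return ruined;
}
```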