[cairo] Toy font face race condition / heap corruption?

Chris Wilson chris at chris-wilson.co.uk
Mon Jan 26 11:13:10 PST 2009


On Mon, 2009-01-26 at 18:26 +0000, Paul Messmer wrote:
> 
> > From: chris at chris-wilson.co.uk
> > 
> > As I read it, the check on the reference count needs to be performed
> > before we remove the entry from the hash table - but otherwise the
> > analysis is spot on.
> 
> As long as the check on the reference count is performed AFTER the
> hash table is locked and before the entry is removed, then it seems
> good (and this is almost certainly what you meant, but I wanted to
> clarify) and won't leave any orphaned objects like my suggestion.  In
> the existing code there's already a check (in the calling function)
> before the entry is removed and before the table is locked, yet
> there's a race because reaching a reference count of 0 isn't
> atomic with entry removal.

Yes, this is the patch I had in mind. At the moment it's held up in a
queue pending resolution of a few issues (in the current tree) found by
memfault.

-ickle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001--font-face-Close-a-race-when-resurrecting-fonts.patch
Type: text/x-patch
Size: 0 bytes
Desc: 
Url : http://lists.cairographics.org/archives/cairo/attachments/20090126/d29ad1e4/attachment.bin 
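The race the exchange above settles on, as an added illustration rather than cairo's own code: a reference-counted face held weakly by a cache, a destroy path whose decrement to zero is not atomic with removing the cache entry, and the fixed shape in which the reference count is checked after the table lock is taken and before the entry is removed. The cache here is a linked list standing in for the hash table, a torn-down face is flagged rather than free()d so the dangling handle can be inspected, and `race_window_hook`, `face_create`, `racy_destroy`, `fixed_destroy`, `run_scenario` and the family name "Sans" are all assumptions of this example, not cairo identifiers.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative cache, not cairo's code: a list stands in for the hash table,
 * a torn-down face is flagged rather than free()d so a dangling handle can be
 * inspected, and race_window_hook is a test seam that runs "the other thread". */
typedef struct face {
    char family[32];
    atomic_int ref_count;              /* user references; the cache holds none */
    int freed;                         /* set where a real cache would free() */
    struct face *next;
} face_t;

static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;
static face_t *cache_head;             /* cached faces, weakly held */
static void (*race_window_hook)(void); /* test seam, NULL in real use */

static face_t *cache_lookup_locked(const char *family)
{
    for (face_t *f = cache_head; f; f = f->next)
        if (strcmp(f->family, family) == 0) return f;
    return NULL;
}

static void cache_remove_locked(face_t *f)
{
    for (face_t **p = &cache_head; *p; p = &(*p)->next)
        if (*p == f) { *p = f->next; return; }
}

/* Lookup-or-create under the lock. Finding an entry whose count is already 0
 * "resurrects" it: a destroyer dropped the last reference but has not removed it. */
face_t *face_create(const char *family)
{
    pthread_mutex_lock(&cache_lock);
    face_t *f = cache_lookup_locked(family);
    if (f) {
        atomic_fetch_add(&f->ref_count, 1);
    } else {
        f = calloc(1, sizeof *f);
        snprintf(f->family, sizeof f->family, "%s", family);
        atomic_store(&f->ref_count, 1);
        f->next = cache_head;
        cache_head = f;
    }
    pthread_mutex_unlock(&cache_lock);
    return f;
}

/* Racy shape: the count reaches 0 outside the lock and the entry is removed
 * later without re-checking. Returns 1 if the face was torn down. */
int racy_destroy(face_t *f)
{
    if (atomic_fetch_sub(&f->ref_count, 1) != 1) return 0;
    if (race_window_hook) race_window_hook();      /* another thread runs here */
    pthread_mutex_lock(&cache_lock);
    cache_remove_locked(f);
    pthread_mutex_unlock(&cache_lock);
    f->freed = 1;
    return 1;
}

/* Fixed shape: the decrement that may reach 0 and the removal happen under the
 * lock the lookup takes, so a lookup gets a live reference or no entry at all. */
int fixed_destroy(face_t *f)
{
    int old = atomic_load(&f->ref_count);
    while (old > 1)                                /* not the last ref: no lock */
        if (atomic_compare_exchange_weak(&f->ref_count, &old, old - 1)) return 0;
    if (race_window_hook) race_window_hook();
    pthread_mutex_lock(&cache_lock);
    if (atomic_fetch_sub(&f->ref_count, 1) != 1) { /* resurrected while we waited */
        pthread_mutex_unlock(&cache_lock);
        return 0;
    }
    cache_remove_locked(f);
    pthread_mutex_unlock(&cache_lock);
    f->freed = 1;
    return 1;
}

/* Interleaving: thread A drops its last reference to "Sans"; thread B's lookup
 * lands in the window before A takes the lock. Returns 1 if B is left holding
 * a torn-down face (use-after-free), 0 if B's face is live. */
static face_t *b_handle;
static void b_lookup(void) { b_handle = face_create("Sans"); }

int run_scenario(int use_fix)
{
    face_t *a_handle = face_create("Sans");
    race_window_hook = b_lookup;
    if (use_fix) fixed_destroy(a_handle); else racy_destroy(a_handle);
    race_window_hook = NULL;
    int dangling = b_handle->freed;
    if (!dangling) fixed_destroy(b_handle);        /* B releases its live reference */
    return dangling;                               /* each run leaves the cache empty */
}
```

`run_scenario(0)` reproduces the problem: A's count hits zero, B's lookup resurrects the entry and walks away with a pointer, and A then removes and tears the face down underneath it. `run_scenario(1)` shows the fix: because the last decrement is redone under the cache lock, A sees B's new reference and backs off, and the face is only torn down when B later drops it. The test seam is a hook rather than real threads so the interleaving is deterministic; in production code the hook is simply absent.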

