[cairo-bugs] [Bug 69470] Race in _cairo_toy_font_face_destroy
bugzilla-daemon at freedesktop.org
Tue Sep 17 08:53:11 PDT 2013
https://bugs.freedesktop.org/show_bug.cgi?id=69470
Chris Wilson <chris at chris-wilson.co.uk> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Chris Wilson <chris at chris-wilson.co.uk> ---
commit 337ab1f8d9e29086bfb4001508b28835b41c6390
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Tue Sep 17 16:28:19 2013 +0100

    font: Push the last reference dec into the backend->destroy() callback

    In order to close a race between locking the backend and resurrecting a
    font via the cache, we need to keep the font face alive until after we
    take the backend lock. Once we have that lock, we can drop our reference
    and test if that was the last. Otherwise we must abort the destroy().

    This fixes the double-free exposed by multithreaded applications trying
    to create and destroy the same font concurrently.

    Reported-by: Weeble <clockworksaint at gmail.com>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=69470
    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
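
The ordering problem described in the commit message above, as an added example that is not cairo's code: a single-threaded C model in which a hook (`race_window`) plays the second thread at the point where it could run. All names (`face_t`, `cache_slot`, `destroy_racy`, `destroy_fixed`) are hypothetical, and a free is counted rather than performed so that the double free is observable.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
/* Hypothetical model: one cached face; the cache holds no reference itself. */
typedef struct { atomic_int refs; int frees; } face_t;
static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;
static face_t *cache_slot;
static void (*race_window)(void);      /* stands in for a second thread */
static void (*destroy_fn)(face_t *);   /* destroy variant that thread uses */
static face_t *face_lookup(void) {     /* cache hit hands out a new reference */
    pthread_mutex_lock(&cache_lock);
    face_t *f = cache_slot;
    if (f) atomic_fetch_add(&f->refs, 1);
    pthread_mutex_unlock(&cache_lock);
    return f;
}
static void evict_locked(face_t *f) {  /* counts frees instead of freeing */
    if (cache_slot == f) cache_slot = NULL;
    f->frees++;
}
static void destroy_racy(face_t *f) {  /* count reaches zero before the lock */
    if (atomic_fetch_sub(&f->refs, 1) != 1) return;
    if (race_window) race_window();    /* 0 refs, yet still findable in cache */
    pthread_mutex_lock(&cache_lock);
    evict_locked(f);                   /* may already have been freed */
    pthread_mutex_unlock(&cache_lock);
}
static void destroy_fixed(face_t *f) { /* lock first, then drop and test */
    if (race_window) race_window();    /* our reference still keeps f alive */
    pthread_mutex_lock(&cache_lock);
    if (atomic_fetch_sub(&f->refs, 1) == 1) evict_locked(f);
    pthread_mutex_unlock(&cache_lock); /* not the last reference: abort */
}
static void other_thread(void) {       /* constructed interleaving, fires once */
    race_window = NULL;
    face_t *g = face_lookup();
    if (g) destroy_fn(g);
}
/* Times the face is freed under that interleaving; 1 is the correct count. */
int frees_under_interleaving(void (*destroy)(face_t *)) {
    face_t f; atomic_init(&f.refs, 1); f.frees = 0;
    cache_slot = &f; destroy_fn = destroy; race_window = other_thread;
    destroy(&f);
    return f.frees;
}
int main(void) {
    printf("racy=%d fixed=%d\n", frees_under_interleaving(destroy_racy),
           frees_under_interleaving(destroy_fixed));
    return 0;
}
```

For brevity this model takes the lock on every destroy; it shows only the ordering of the lock and the final decrement.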