[cairo-bugs] [Bug 90318] New: TSan data races with freed_pool_t's |top| data member

[bugzilla-daemon at freedesktop.org]

https://bugs.freedesktop.org/show_bug.cgi?id=90318

            Bug ID: 90318
           Summary: TSan data races with freed_pool_t's |top| data member
           Product: cairo
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: chris at chris-wilson.co.uk
          Reporter: froydnj at gmail.com
        QA Contact: cairo-bugs at cairographics.org

Created attachment 115548
  --> https://bugs.freedesktop.org/attachment.cgi?id=115548&action=edit
data races detected by TSan in Firefox

The attached log file shows two different data races coming from freed_pool_t
during a Firefox test run.  (The stacks are from Firefox's in-tree cairo,
which, while old, is not significantly different from upstream in this
particular case.)

While freed_pool_t is careful to use atomic operations for accessing the pool's
list of free things, no such caution is taking with the pointer for the next
free thing in the pool, |top|.  |top| can be accessed by multiple threads
without any synchronization.

Normally I'd suggest fixing this via mutexes, but it appears cairo doesn't
support dynamically allocated mutexes (?).  Atomic accesses to |top| are also a
possibility, though I'm not entirely convinced that |top| and |pool| couldn't
get out-of-sync somehow.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cairographics.org/archives/cairo-bugs/attachments/20150505/e7254fd4/attachment.html>