[cairo-bugs] [Bug 90318] TSan data races with freed_pool_t's |top| data member

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Feb 25 08:47:34 UTC 2016


--- Comment #2 from Dmitry Vyukov <dvyukov at google.com> ---
A data race cannot be intentional (unless you intention is to spread exploits
in software). The C standard is pretty clear that any data race results in
undefined behavior of the program. Even a read or a write of an int variable
can corrupt memory and crash the program. See the following for some examples:
In this case a very real possibility is overflow/underflow of the index. E.g.
compiler can compile update of top in increment in _freed_pool_put, then you
can easily get overflow and corrupt memory. Or compiler can re-read top after
the if (i < 0) check, then you get underflow and corrupt memory again.
There is already _cairo_atomic_int_get. Please add _cairo_atomic_int_set and
use these for top manipulation.

You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo-bugs/attachments/20160225/94362209/attachment.html>

More information about the cairo-bugs mailing list