[cairo-bugs] [Bug 90318] TSan data races with freed_pool_t's |top| data member

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Feb 25 08:47:34 UTC 2016


https://bugs.freedesktop.org/show_bug.cgi?id=90318

--- Comment #2 from Dmitry Vyukov <dvyukov at google.com> ---
A data race cannot be intentional (unless your intention is to spread exploits
in software). The C standard is pretty clear that any data race results in
undefined behavior of the program. Even a read or a write of an int variable
can corrupt memory and crash the program. See the following for some examples:
https://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
http://hboehm.info/boehm-hotpar11.pdf
In this case a very real possibility is overflow/underflow of the index. E.g.
the compiler can compile the update of top in _freed_pool_put into an increment,
then you can easily get overflow and corrupt memory. Or the compiler can re-read
top after the if (i < 0) check, then you get underflow and corrupt memory again.
There is already _cairo_atomic_int_get. Please add _cairo_atomic_int_set and
use these for top manipulation.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
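The failure mode described in the comment above, as an added example that is not cairo's code and not part of this thread: a small model of a freed-object pool whose `top` index is first a plain shared `int` (the racy pattern the report objects to) and then an atomic hint that is read exactly once into a local, clamped, and never trusted for slot ownership. The type and function names (`racy_pool_t`, `freed_pool_t`, `freed_pool_get`, `freed_pool_put`, `POOL_SIZE`) are hypothetical and only mirror the report; the implementation uses C11 `<stdatomic.h>` rather than cairo's `_cairo_atomic_*` wrappers.

```c
/* Added example, not cairo's code: a freed-pool index race and one way to
 * remove it.  Names are hypothetical; the layout mirrors the bug report. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define POOL_SIZE 8

/* Racy pattern (for contrast only, do not use): `top` is a plain int that
 * other threads write concurrently.  The compiler may re-read p->top when
 * forming p->pool[i] after the `i < 0` check, so the index can go negative
 * or past the array; it may also turn the store into a plain increment or
 * decrement, so concurrent puts can push `top` beyond POOL_SIZE. */
typedef struct {
    void *pool[POOL_SIZE];
    int   top;
} racy_pool_t;

static void *racy_pool_get (racy_pool_t *p)
{
    int i = p->top - 1;     /* unsynchronized read: may be rematerialized */
    if (i < 0)
        return NULL;
    void *ptr = p->pool[i]; /* index may no longer be the one checked above */
    p->top = i;             /* unsynchronized write: a concurrent put is lost */
    return ptr;
}

/* Hardened model: `top` is only a hint.  Ownership of a slot is transferred
 * by an atomic read-modify-write on the slot itself, so a stale or wild hint
 * costs a scan, never an out-of-bounds access or a double hand-out. */
typedef struct {
    void *_Atomic pool[POOL_SIZE];
    atomic_int     top;   /* hint: index of the next free slot */
} freed_pool_t;

static void freed_pool_init (freed_pool_t *p)
{
    for (int i = 0; i < POOL_SIZE; i++)
        atomic_init (&p->pool[i], NULL);
    atomic_init (&p->top, 0);
}

/* Read the hint once into a local, then clamp it into range.  The single
 * atomic load is what stops the compiler from re-reading `top` after the
 * bounds check that the bug comment describes. */
static int freed_pool_clamp (int i)
{
    if (i < 0)
        return 0;
    if (i >= POOL_SIZE)
        return POOL_SIZE - 1;
    return i;
}

static void *freed_pool_get (freed_pool_t *p)
{
    int i = freed_pool_clamp (atomic_load_explicit (&p->top, memory_order_relaxed) - 1);
    void *ptr = atomic_exchange (&p->pool[i], NULL);
    if (ptr == NULL) {
        /* hint was stale: scan every slot, still with atomic exchanges */
        for (i = POOL_SIZE - 1; i >= 0; i--) {
            ptr = atomic_exchange (&p->pool[i], NULL);
            if (ptr != NULL)
                break;
        }
        if (ptr == NULL)
            return NULL;   /* pool empty: caller must allocate */
    }
    atomic_store_explicit (&p->top, i, memory_order_relaxed);
    return ptr;
}

static bool freed_pool_put (freed_pool_t *p, void *ptr)
{
    int i = freed_pool_clamp (atomic_load_explicit (&p->top, memory_order_relaxed));
    void *expected = NULL;
    if (!atomic_compare_exchange_strong (&p->pool[i], &expected, ptr)) {
        for (i = 0; i < POOL_SIZE; i++) {
            expected = NULL;
            if (atomic_compare_exchange_strong (&p->pool[i], &expected, ptr))
                break;
        }
        if (i == POOL_SIZE)
            return false;  /* pool full: caller must free ptr itself */
    }
    atomic_store_explicit (&p->top, i + 1, memory_order_relaxed);
    return true;
}

int main (void)
{
    racy_pool_t r = { { NULL }, 0 };
    if (racy_pool_get (&r) != NULL)
        return 1;
    freed_pool_t p;
    int obj;
    freed_pool_init (&p);
    if (!freed_pool_put (&p, &obj) || freed_pool_get (&p) != &obj)
        return 1;
    return freed_pool_get (&p) == NULL ? 0 : 1;
}
```

Build with `cc -std=c11 -fsanitize=thread` and call `freed_pool_put`/`freed_pool_get` from two threads to confirm TSan stays silent on the atomic version; the same exercise against `racy_pool_get` is what produces the report quoted in this bug. The design choice worth noting is that making `top` atomic is necessary but not sufficient: the hint can still be stale between the load and the use, so the slot array itself must be the synchronization point.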