[cairo-bugs] [Bug 98883] New: BadAccess errors in ShmAttach due to thread races with XNextRequest() usage in cairo-xlib-surface-shm.c
bugzilla-daemon at freedesktop.org
Mon Nov 28 02:03:49 UTC 2016
https://bugs.freedesktop.org/show_bug.cgi?id=98883
Bug ID: 98883
Summary: BadAccess errors in ShmAttach due to thread races with
XNextRequest() usage in cairo-xlib-surface-shm.c
Product: cairo
Version: 1.12.16
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: xlib backend
Assignee: chris at chris-wilson.co.uk
Reporter: bugs.freedesktop at karlt.net
QA Contact: cairo-bugs at cairographics.org

_cairo_xlib_display_fini_shm sets pool->attached to XNextRequest() assuming
the approaching XShmAttach() will be the next request.
https://cgit.freedesktop.org/cairo/tree/src/cairo-xlib-surface-shm.c?id=3f1a6f7225e31057a8af9313f051a1d311df0c69#n602

This assumption can be invalid when another request is performed on another
thread before the XShmAttach() reads |request| from the display.

An |attached| sequence number that is too old means that
_cairo_xlib_shm_pool_cleanup() can call _cairo_xlib_display_shm_pool_destroy()
and so shmdt() before the server processes the ShmAttach request, resulting in
BadAccess errors.

Similarly _cairo_xlib_shm_surface_mark_active() is called and uses
XNextRequest() before the corresponding request, leading to similar races
affecting _cairo_xlib_shm_surface_flush() and get_compositor() and
_cairo_xlib_shm_info_cleanup(). I assume _cairo_xlib_shm_surface_get_obdata()
has similar issues.
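
The race described in the report, as an added example that is not part of the original bug report or of cairo's code: a toy C model (no Xlib calls) of a sequence number recorded before the request is sent, and of the cleanup check that then fires too early. All names (`toy_display`, `attach_predicted`, `attach_atomic`, `cleanup_may_detach`) are hypothetical, and treating the prediction and the send as one critical section is an assumption, not a fix stated in the report.

```c
#include <stdbool.h>

/* Toy model (constructed, not Xlib): each request sent consumes the next
 * sequence number; the server processes requests in order. */
typedef struct {
    unsigned long sent;       /* sequence number of the last request sent */
    unsigned long processed;  /* last sequence number the server handled */
} toy_display;

/* Stand-in for XNextRequest(): the number the next request would get. */
static unsigned long toy_next_request(const toy_display *d) { return d->sent + 1; }

/* Stand-in for sending any request; returns the number it actually got. */
static unsigned long toy_send(toy_display *d) { return ++d->sent; }

/* Pattern from the report: record the predicted number, then send the attach.
 * `interleaved` models requests other threads send in the gap. */
static unsigned long attach_predicted(toy_display *d, unsigned interleaved,
                                      unsigned long *actual)
{
    unsigned long recorded = toy_next_request(d);
    while (interleaved--)
        toy_send(d);            /* another thread gets in first */
    *actual = toy_send(d);      /* the attach request itself */
    return recorded;
}

/* Assumed alternative: prediction and send form one critical section, so the
 * other threads' requests can only go out afterwards. */
static unsigned long attach_atomic(toy_display *d, unsigned interleaved,
                                   unsigned long *actual)
{
    unsigned long recorded = toy_next_request(d);
    *actual = toy_send(d);
    while (interleaved--)
        toy_send(d);            /* other threads run after the section */
    return recorded;
}

/* Cleanup gate modelled on the report: detaching is allowed once the server
 * has processed the recorded `attached` number. */
static bool cleanup_may_detach(const toy_display *d, unsigned long attached)
{
    return d->processed >= attached;
}

/* True when cleanup would detach before the server has seen the attach. */
static bool detaches_too_early(const toy_display *d, unsigned long attached,
                               unsigned long actual)
{
    return cleanup_may_detach(d, attached) && d->processed < actual;
}
```

With two interleaved requests the recorded number is two behind the one the attach actually received, which is the window in which the model's cleanup gate opens before the attach has been processed.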