Bug 91431

Summary: AddressSanitizer: heap-use-after-free: attaching concurrently many snapshots to a surface
Product: cairo Reporter: Massimo <sixtysix>
Component: generalAssignee: Chris Wilson <chris>
Status: RESOLVED MOVED QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: AddressSanitizer report

Description Massimo 2015-07-22 17:40:36 UTC
Created attachment 117300 [details]
AddressSanitizer report

Running few times (in a bash loop)

> (cd test; CAIRO_TEST_TARGET_FORMAT=rgba CAIRO_TEST_TARGET=recording ./cairo-test-suite -f pthread-same-source )

on a multi core machine AddressSanitizer once in a while reports:

> ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000fa98 at pc 0x7f638c08d2ef bp 0x7ffeeba49f70 sp 0x7ffeeba49f60

The problem is that when multiple threads attach concurrently a snapshot
to the same surface as test/pthread-same-source.c does, the list of
snapshots attached to the surface possibly becomes corrupt and when
the surface is destroyed not all snapshots are notified to copy on write
their snapshot, one of them keeps a pointer to the surface destroyed,
when later that snapshot is used it accesses the freed data.

Basically cairo_list_t is not thread safe.

Building without optimizations 

export CFLAGS=-g
./autogen.sh ...

running the same test sometimes instead triggers the assertion: 

> lt-cairo-test-suite: cairo-surface.c:371: _cairo_surface_attach_snapshot: Assertion `_cairo_surface_has_snapshot (surface, snapshot->backend) == snapshot' failed.
Comment 1 GitLab Migration User 2018-08-25 13:53:18 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/249.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.