Details
- Type: Bug
- Resolution: Fixed
- Priority: P2: Important
- 6.7.0 Beta1
- None
- Commits: 763ab0e62 (dev), 946f39b47 (6.7)
Description
A use after free occurs on futex-less (!futexAvailable()) platforms, within these screenshotted code-blocks, because somebody thought they were being cute by improperly implementing lock-less wake paths to mitigate a thundering herd around lock-heavy condvar sleeps. However, this code doesn't account for spurious wakes of std::condition_variable (or similar), or OS sync primitives that will spin for a while. As soon as `d->avail += n` occurs under lock, the acquire is free to run off and destroy the semaphore, all the while a waking thread is releasing its `qt_scoped_lock` followed by an invalid reference to cond wake[_all]. This is dumb, and not how you should implement barrier primitives; semaphores are not barriers.
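The interleaving the report describes can be reproduced deterministically without relying on a real spurious wake. The following is an added example written for this page; it is not Qt's QSemaphore code and not the reporter's. `ToySemaphore`, `Lifetime`, `release_one` and `run_scenario` are hypothetical names. A 1 ms timed wait stands in for a spurious wakeup (the waiter re-checks `avail` on every timeout, exactly as it would after a spurious return), and a `Lifetime` flag kept outside the semaphore records destruction so the "unlocked notify" path can detect that it is about to touch a dead object instead of actually dereferencing freed memory.

```cpp
// Added example: models the QSemaphore::release ordering race on futex-less
// platforms. Not Qt code; all names are hypothetical.
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <cstdio>
#include <mutex>
#include <thread>

// Lives outside the semaphore so the releaser can check, without touching
// freed memory, whether the object it is about to notify still exists.
struct Lifetime {
    std::atomic<bool> alive{true};
};

struct ToySemaphore {
    explicit ToySemaphore(Lifetime* lt) : life(lt) {}
    ~ToySemaphore() { life->alive = false; }   // "free" of the semaphore

    Lifetime* life;
    std::mutex mtx;
    std::condition_variable cond;
    int avail = 0;

    // Waiter: the timed wait returns periodically without a notify, which is
    // indistinguishable from a spurious wake. Once avail > 0 it consumes and
    // returns, and nothing stops the caller from destroying the semaphore.
    void acquire() {
        std::unique_lock<std::mutex> lk(mtx);
        while (avail <= 0)
            cond.wait_for(lk, std::chrono::milliseconds(1));
        --avail;
    }
};

// Releases one unit. With notify_under_lock == false this is the "optimized"
// path: bump avail, drop the lock, then notify. Returns true if the notify
// would have been issued on an already-destroyed semaphore.
bool release_one(ToySemaphore* s, Lifetime* life,
                 std::atomic<bool>* acquirer_done, bool notify_under_lock) {
    {
        std::lock_guard<std::mutex> lk(s->mtx);
        s->avail += 1;
        if (notify_under_lock) {
            // Waiter cannot return from acquire() until we release mtx,
            // so this notify always precedes any possible destruction.
            s->cond.notify_all();
            return false;
        }
    }
    // Lock is gone. Force the losing interleaving: let the acquirer wake,
    // consume the unit and delete the semaphore before we get to notify.
    while (!acquirer_done->load())
        std::this_thread::yield();
    if (!life->alive)
        return true;          // real code would call s->cond.notify_all() here: UAF
    s->cond.notify_all();
    return false;
}

// Runs one acquirer that owns the semaphore's lifetime against one releaser.
// Returns true if the release path touched the semaphore after destruction.
bool run_scenario(bool notify_under_lock) {
    Lifetime life;
    std::atomic<bool> acquirer_done{false};
    auto* sem = new ToySemaphore(&life);

    std::thread acquirer([&] {
        sem->acquire();
        delete sem;               // last user tears the semaphore down
        acquirer_done = true;
    });

    bool uaf = release_one(sem, &life, &acquirer_done, notify_under_lock);
    acquirer.join();
    return uaf;
}

int main() {
    std::printf("notify after unlock: use-after-free = %s\n",
                run_scenario(false) ? "yes" : "no");
    std::printf("notify under lock:   use-after-free = %s\n",
                run_scenario(true) ? "yes" : "no");
    return 0;
}
```

Build with `-pthread -fsanitize=address` if you replace the `life->alive` check with an unconditional `notify_all()`; ASan then reports the heap-use-after-free on the condition variable in the unlocked variant, while the under-lock variant stays clean because the waiter's return from `acquire()` is ordered after the notify by the mutex.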
Attachments
For Gerrit Dashboard: QTBUG-120762

| Change | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 529892,3 | QSemaphore::release: Revert "Optimize cond var notification" | dev | qt/qtbase | MERGED | +2 | 0 |
| 530326,2 | QSemaphore::release: Revert "Optimize cond var notification" | 6.7 | qt/qtbase | MERGED | +2 | 0 |
| 530432,1 | QSemaphore::release: Revert "Optimize cond var notification" | 6.6 | qt/qtbase | ABANDONED | 0 | 0 |