Details
- Bug
- Resolution: Fixed
- P2: Important
- 6.7.0 Beta1
- None
- 763ab0e62 (dev), 946f39b47 (6.7)
Description
A use after free occurs on futex-less (`!futexAvailable()`) platforms, within these screenshotted code-blocks, because somebody thought they were being cute by improperly implementing lock-less wake paths to mitigate a thundering herd around lock-heavy condvar sleeps. However, this code doesn't account for spurious wakes of `std::condition_variable` (or similar), or OS sync primitives that will spin for a while. As soon as `d->avail += n` occurs under lock, the acquire is free to run off and destroy the semaphore, all the while a waking thread is releasing its `qt_scoped_lock` followed by an invalid reference to cond wake[_all]. This is dumb, and not how you should implement barrier primitives; semaphores are not barriers.
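The ordering problem the report describes, as an added example in plain C++ (this is not Qt's code; `CondvarSemaphore`, `releaseNotifyAfterUnlock` and `runHandoffRounds` are names chosen here, and the class stands in for a mutex-plus-condvar semaphore on a platform without futexes). The two release paths sit side by side: the one that drops the lock before notifying, which the acquirer can race to destruction, and the one that notifies while the lock is still held so the last touch of the object is the unlock itself. The racy path is compiled but never called, since executing it is undefined behaviour that a test cannot reproduce on demand.

```cpp
#include <condition_variable>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>

// Mutex + condition_variable semaphore (example code, not Qt's; a stand-in
// for the !futexAvailable() path). Both release orderings are shown.
class CondvarSemaphore {
public:
    explicit CondvarSemaphore(int n = 0) : avail_(n) {}

    void acquire(int n = 1) {
        std::unique_lock<std::mutex> lk(m_);
        // The predicate loop makes spurious wakes harmless for the waiter.
        // It also means the waiter can return without ever being notified,
        // which is exactly what the releaser below fails to account for.
        cond_.wait(lk, [&] { return avail_ >= n; });
        avail_ -= n;
    }

    // The pattern from the report: bump the count under the lock, drop the
    // lock so woken waiters do not pile onto the mutex, then notify. Once
    // the lock is dropped, a waiter that wakes spuriously (or is spinning in
    // its wait) can re-check avail_, return from acquire(), and destroy this
    // object; notify_all() then runs on freed memory. Never called here.
    void releaseNotifyAfterUnlock(int n = 1) {
        {
            std::lock_guard<std::mutex> lk(m_);
            avail_ += n;
        }
        cond_.notify_all();  // *this may already be gone
    }

    // Safe ordering: notify while still holding the lock. No waiter can
    // re-check avail_ until we unlock, so none can return from acquire()
    // and destroy us before notify_all() has completed. The unlock in
    // ~lock_guard is the final access, and an unlocked mutex may be
    // destroyed immediately afterwards.
    void release(int n = 1) {
        std::lock_guard<std::mutex> lk(m_);
        avail_ += n;
        cond_.notify_all();
    }

    int available() {
        std::lock_guard<std::mutex> lk(m_);
        return avail_;
    }

private:
    std::mutex m_;
    std::condition_variable cond_;
    int avail_;
};

// The ownership handoff from the report: the owner blocks in acquire(), a
// second thread releases, and the owner frees the semaphore the moment
// acquire() returns, while the releaser may still be inside release().
// Returns the number of rounds completed.
int runHandoffRounds(int rounds) {
    int completed = 0;
    for (int i = 0; i < rounds; ++i) {
        std::unique_ptr<CondvarSemaphore> sem(new CondvarSemaphore(0));
        CondvarSemaphore* raw = sem.get();  // releaser never touches the unique_ptr
        std::thread releaser([raw] { raw->release(1); });
        sem->acquire(1);
        sem.reset();  // destroyed right after acquire(), as in the report
        releaser.join();
        ++completed;
    }
    return completed;
}

int main() {
    std::printf("completed %d handoff rounds\n", runHandoffRounds(200));
    return 0;
}
```

The price of the safe ordering is the contention the original code was trying to avoid: every notified waiter wakes and immediately blocks on the mutex the releaser still holds. Any optimisation that skips the wake when nobody is waiting must make that decision under the lock and must not dereference the semaphore after the final unlock; an acquirer is entitled to destroy the object the instant `acquire()` returns.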