From 64d949207686a0225a78de572548a5361e340ae3 Mon Sep 17 00:00:00 2001 From: Thiago Macieira Date: Tue, 30 Jul 2019 08:54:30 -0700 Subject: Fix race condition on qt_create_tls() on Windows If this function is called by multiple threads, more than one could reach the mutex locking and call TlsAlloc(), but only the last one would save the data. The others would be leaked and, worse, be used by those other threads. [ChangeLog][QtCore][QObject] Fixed a resource leak caused by a race condition if multiple QObjects were created at the same time, for the first time in an application, from multiple threads (implies threads not started with QThread). Fixes: QTBUG-77238 Change-Id: Ife213d861bb14c1787e1fffd15b63a5818bcc807 Reviewed-by: Marc Mutz Reviewed-by: Olivier Goffart (Woboq GmbH) --- src/corelib/thread/qthread_win.cpp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/corelib') diff --git a/src/corelib/thread/qthread_win.cpp b/src/corelib/thread/qthread_win.cpp index e56fe2c6ae..5c7642c26e 100644 --- a/src/corelib/thread/qthread_win.cpp +++ b/src/corelib/thread/qthread_win.cpp @@ -99,6 +99,8 @@ void qt_create_tls() return; static QBasicMutex mutex; QMutexLocker locker(&mutex); + if (qt_current_thread_data_tls_index != TLS_OUT_OF_INDEXES) + return; qt_current_thread_data_tls_index = TlsAlloc(); } -- cgit v1.2.3 From 787e498487831c55be89979824709622ba29f17c Mon Sep 17 00:00:00 2001 From: Marc Mutz Date: Mon, 24 Jun 2019 09:41:07 +0200 Subject: QMutexPool: fix memory order of atomic operations The array of QAtomicPointer can be initialized using relaxed stores of nullptr, since nullptr is the whole data. But once we store an actual QMutex pointer in the array, we need to publish the indirect data thus created. We did this, with testAndSetRelease(); what was missing was a corresponding acquire fence on load, without which there is no happens-before relationship between the writes performed by the QMutex ctor and the reads performed by a subsequent mutex.lock(), say, on the same data. Fix by adding acquire fences to all loads. That includes the dtor, since mutexes may have been created in different threads, and never been imported into this_thread before the dtor is running. As a drive-by, return a new'ed QMutex that was successfully installed directly to the caller, without again going through a load-acquire. Fixes: QTBUG-59164 Change-Id: Ia25d205b1127c8c4de0979cef997d1a88123c5c3 Reviewed-by: David Faure Reviewed-by: Giuseppe D'Angelo Reviewed-by: Thiago Macieira (cherry picked from commit 65b8f59e045bb41fef99b1a44f462115de65064a) (cherry picked from commit da38f0d691d9d7eacfac5fbcbd47b887bd59bd39) --- src/corelib/thread/qmutexpool.cpp | 9 ++++++--- src/corelib/thread/qmutexpool_p.h | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'src/corelib') diff --git a/src/corelib/thread/qmutexpool.cpp b/src/corelib/thread/qmutexpool.cpp index 3f9e8da942..bb063b8ab6 100644 --- a/src/corelib/thread/qmutexpool.cpp +++ b/src/corelib/thread/qmutexpool.cpp @@ -104,7 +104,7 @@ QMutexPool::QMutexPool(QMutex::RecursionMode recursionMode, int size) QMutexPool::~QMutexPool() { for (int index = 0; index < mutexes.count(); ++index) - delete mutexes[index].load(); + delete mutexes[index].loadAcquire(); } /*! @@ -129,9 +129,12 @@ QMutex *QMutexPool::createMutex(int index) { // mutex not created, create one QMutex *newMutex = new QMutex(recursionMode); - if (!mutexes[index].testAndSetRelease(0, newMutex)) + if (!mutexes[index].testAndSetRelease(nullptr, newMutex)) { delete newMutex; - return mutexes[index].load(); + return mutexes[index].loadAcquire(); + } else { + return newMutex; + } } /*! diff --git a/src/corelib/thread/qmutexpool_p.h b/src/corelib/thread/qmutexpool_p.h index 89d006ac29..00710199b8 100644 --- a/src/corelib/thread/qmutexpool_p.h +++ b/src/corelib/thread/qmutexpool_p.h @@ -68,7 +68,7 @@ public: inline QMutex *get(const void *address) { int index = uint(quintptr(address)) % mutexes.count(); - QMutex *m = mutexes[index].load(); + QMutex *m = mutexes[index].loadAcquire(); if (m) return m; else -- cgit v1.2.3