font: Push the last reference dec into the backend->destroy() callback

In order to close a race between locking the backend and resurrecting a font via the cache, we need to keep the font face alive until after we take the backend lock. Once we have that lock, we can drop our reference and test if that was the last. Otherwise we must abort the destroy(). This fixes the double-free exposed by multithreaded applications trying to create and destroy the same font concurrently. Reported-by: Weeble <clockworksaint@gmail.com> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=69470 Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
author: Chris Wilson <chris@chris-wilson.co.uk> 2013-09-17 16:28:19 +0100
committer: Chris Wilson <chris@chris-wilson.co.uk> 2013-09-17 16:37:47 +0100
commit: 337ab1f8d9e29086bfb4001508b28835b41c6390 (patch)
tree: 7187ccfda4d59b754b1919e97be7811db9f07eb8 /src/cairo-user-font.c
parent: 0ac81988c199df1a6652dc0ea72627122bf95c6c (diff)
download: cairo-337ab1f8d9e29086bfb4001508b28835b41c6390.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/cairo-user-font.c b/src/cairo-user-font.c
index 297f21c91..6d2de2097 100644
--- a/src/cairo-user-font.c
+++ b/src/cairo-user-font.c
@@ -507,7 +507,7 @@ _cairo_user_font_face_scaled_font_create (void                        *abstract_
 const cairo_font_face_backend_t _cairo_user_font_face_backend = {
     CAIRO_FONT_TYPE_USER,
     _cairo_user_font_face_create_for_toy,
-    NULL,	/* destroy */
+    _cairo_font_face_destroy,
     _cairo_user_font_face_scaled_font_create
 };
author	Chris Wilson <chris@chris-wilson.co.uk>	2013-09-17 16:28:19 +0100
committer	Chris Wilson <chris@chris-wilson.co.uk>	2013-09-17 16:37:47 +0100
commit	337ab1f8d9e29086bfb4001508b28835b41c6390 (patch)
tree	7187ccfda4d59b754b1919e97be7811db9f07eb8 /src/cairo-user-font.c
parent	0ac81988c199df1a6652dc0ea72627122bf95c6c (diff)
download	cairo-337ab1f8d9e29086bfb4001508b28835b41c6390.tar.gz