Comment about lock destruction and unlocking
Add a couple of comments explaining that a mutex can be freed during
the unlock call, immediately after the unlock's atomic exchange call but
before its futex wakeup call.
Bug: http://b/129744706
Test: bionic unit tests
Change-Id: I2d290ebde880f46866098d022720896039e7022e
diff --git a/libc/private/bionic_lock.h b/libc/private/bionic_lock.h
index ec179d1..d70ba6c 100644
--- a/libc/private/bionic_lock.h
+++ b/libc/private/bionic_lock.h
@@ -72,6 +72,12 @@
void unlock() {
bool shared = process_shared; /* cache to local variable */
if (atomic_exchange_explicit(&state, Unlocked, memory_order_release) == LockedWithWaiter) {
+ // The Lock object may have been deallocated between the atomic exchange and the futex wake
+ // call, so avoid accessing any fields of Lock here. In that case, the wake call may target
+ // unmapped memory or trigger a spurious futex wakeup. The same situation happens with
+ // pthread mutexes. References:
+ // - https://lkml.org/lkml/2014/11/27/472
+ // - http://austingroupbugs.net/view.php?id=811#c2267
__futex_wake_ex(&state, shared, 1);
}
}