From 04d7e60fe1b6c4db2030b4d5613a5f6a27a8a996 Mon Sep 17 00:00:00 2001
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Thu, 14 May 2015 19:20:21 +0300
Subject: [PATCH] Fix race between killing object and drawing object

Previously, it was possible to draw and kill object queue at the same
time, possibly leading to crashes from accessing object state after
destroying it. Fix this.
---
 include/library/framebuffer.hpp | 2 ++
 src/library/framebuffer.cpp     | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/include/library/framebuffer.hpp b/include/library/framebuffer.hpp
index 040a18f2..e04f976d 100644
--- a/include/library/framebuffer.hpp
+++ b/include/library/framebuffer.hpp
@@ -8,6 +8,7 @@
 #include <map>
 #include <set>
 #include "framebuffer-pixfmt.hpp"
+#include "threads.hpp"
 
 namespace framebuffer
 {
@@ -641,6 +642,7 @@ private:
 	struct node* queue_tail;
 	size_t memory_allocated;
 	size_t pages;
+	threads::lock display_mutex; //Synchronize display and kill.
 	std::map<size_t, page> memory;
 };
 
diff --git a/src/library/framebuffer.cpp b/src/library/framebuffer.cpp
index f520cab2..2dbf57d5 100644
--- a/src/library/framebuffer.cpp
+++ b/src/library/framebuffer.cpp
@@ -543,6 +543,8 @@ void queue::copy_from(queue& q) throw(std::bad_alloc)
 
 template<bool X> void queue::run(struct fb<X>& scr) throw()
 {
+	//Take queue lock in order to syncronize this with killing the queue.
+	threads::alock h(display_mutex);
 	struct node* tmp = queue_head;
 	while(tmp) {
 		try {
@@ -583,6 +585,8 @@ void* queue::alloc(size_t block) throw(std::bad_alloc)
 
 void queue::kill_request(void* obj) throw()
 {
+	//Take queue lock in order to syncronize this with drawing.
+	threads::alock h(display_mutex);
 	struct node* tmp = queue_head;
 	while(tmp) {
 		try {
-- 
2.11.4.GIT