vst3_base Reference counter race condition

Reference counter race condition

Open jpcima opened this issue 3 years ago • 0 comments

Hi, I believe there may exist a race condition at FObject::release. (as of 3.7.1)

At function's end, the refCount is reloaded a second time, after the atomic decrementation. One could provide a slightly different implementation to prevent this.

	int32 newCount = FUnknownPrivate::atomicAdd (refCount, -1);
	if (newCount == 0)
	{
		refCount = -1000;
		delete this;
		return 0;
	}       
	return newCount;

Taking the original implementation as a reference, I imagine we can met a following problem scenario:

(1)	if (FUnknownPrivate::atomicAdd (refCount, -1) == 0)
	{
		refCount = -1000;
		delete this;
(2)		return 0;
	}
(3)	return refCount;

T1 executes the atomic decrementation at (1)
T2 executes the atomic decrementation at (1), and proceeds to (2), deleting the object
T1 loads at (3) from the deleted object and crashes

Dec 12 '20 04:12 jpcima

vst3_base vst3_base copied to clipboard

Reference counter race condition

vst3_base
vst3_base copied to clipboard