From 526721a6ad2c6c24619e35d805ea047b37e224d3 Mon Sep 17 00:00:00 2001
From: Jan Midtgaard <mail@janmidtgaard.dk>
Date: Tue, 24 Oct 2023 10:35:59 +0200
Subject: [PATCH 1/2] Read asserted values only once to avoid a race condition

---
 runtime/domain.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/runtime/domain.c b/runtime/domain.c
index 530387261d24..d6ddd104ae21 100644
--- a/runtime/domain.c
+++ b/runtime/domain.c
@@ -1042,14 +1042,17 @@ static void install_backup_thread (dom_internal* di)
 #endif
 
   if (di->backup_thread_running == 0) {
-    CAMLassert (di->backup_thread_msg == BT_INIT || /* Using fresh domain */
-            di->backup_thread_msg == BT_TERMINATE); /* Reusing domain */
+    uintnat msg;
+    msg = atomic_load_acquire(&di->backup_thread_msg);
+    CAMLassert (msg == BT_INIT || /* Using fresh domain */
+                msg == BT_TERMINATE); /* Reusing domain */
 
-    while (atomic_load_acquire(&di->backup_thread_msg) != BT_INIT) {
+    while (msg != BT_INIT) {
       /* Give a chance for backup thread on this domain to terminate */
       caml_plat_unlock (&di->domain_lock);
       cpu_relax ();
       caml_plat_lock (&di->domain_lock);
+      msg = atomic_load_acquire(&di->backup_thread_msg);
     }
 
 #ifndef _WIN32

From 2ed291fb68447301290c7adb83e8e1bce0bb791d Mon Sep 17 00:00:00 2001
From: Jan Midtgaard <mail@janmidtgaard.dk>
Date: Tue, 31 Oct 2023 15:24:58 +0100
Subject: [PATCH 2/2] Add a Changes entry for #12707

---
 Changes | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Changes b/Changes
index 5a85179984c4..dddbd4e067b2 100644
--- a/Changes
+++ b/Changes
@@ -436,6 +436,9 @@ Working version
 
 ### Bug fixes:
 
+- #11800, #12707: fix an assertion race condition in `install_backup_thread`
+  (Jan Midtgaard, review by Gabriel Scherer)
+
 - #12590, #12595: fix a race in `caml_collect_gc_stats_sample`
   (B. Szilvasy, review by Gabriel Scherer)