al_run_detached_thread: fix segfault on detaching when the thread is already gone

detached_thread_func_trampoline freed the outer thread at its end. If outer->proc
was really fast to finish, _al_thread_detach could get called with &outer->thread
as its argument after outer was already freed.

Usually it would be fast enough to not ever be overwritten after freeing, but tools
like asan explicitly overwrite freed memory, leading to reproducible crash.

Author: dos1

src/threads.c

@@ -92,7 +92,15 @@ static void detached_thread_func_trampoline(_AL_THREAD *inner, void *_outer)
    (void)inner;
 
    ((void *(*)(void *))outer->proc)(outer->arg);
-   al_free(outer);
+
+   _al_mutex_lock(&outer->mutex);
+   if (outer->thread_state == THREAD_STATE_DETACHED) {
+      _al_mutex_destroy(&outer->mutex);
+      al_free(outer);
+   } else {
+      outer->thread_state = THREAD_STATE_DESTROYED;
+      _al_mutex_unlock(&outer->mutex);
+   }
 }
 
 
@@ -147,11 +155,20 @@ ALLEGRO_THREAD *al_create_thread_with_stacksize(
 void al_run_detached_thread(void *(*proc)(void *arg), void *arg)
 {
    ALLEGRO_THREAD *outer = create_thread();
-   outer->thread_state = THREAD_STATE_DETACHED;
+   outer->thread_state = THREAD_STATE_CREATED;
    outer->arg = arg;
    outer->proc = proc;
+   _al_mutex_init(&outer->mutex);
    _al_thread_create(&outer->thread, detached_thread_func_trampoline, outer);
-   _al_thread_detach(&outer->thread);
+   _al_mutex_lock(&outer->mutex);
+   if (outer->thread_state == THREAD_STATE_DESTROYED) {
+      _al_mutex_destroy(&outer->mutex);
+      al_free(outer);
+   } else {
+      _al_thread_detach(&outer->thread);
+      outer->thread_state = THREAD_STATE_DETACHED;
+      _al_mutex_unlock(&outer->mutex);
+   }
 }