I'm looking at the code in mongoose that writes to the configured access log file, (function log_access). In the function, fopen() is invoked to open the file, then flockfile() is used to lock the handle while the log line is written, which happens across several calls to fprintf(), followed by an funlockfile() and fclose().
The man page for flockfile() says that this just locks the file handle to make sure that if multiple threads access the handle, their results do not interleave with each other in the output. It also says that this locking has nothing to do with the file locking done by functions like flock(2) and lockf(3).
This means that in cases where there are multiple threads with their own mg_server instance running, which are configured so that they both share the same access log file name, it's possible that both threads will service a request in such a way that their access file entries will overlap in the file. I wrote a simple example of two threads writing to the same file from different file handles and their results definitely interleave with each other.
In practice I don't know how big a deal that might end up being, so I don't know if it's worth it to implement actual file locking, have the function generate the log to a buffer and then write the buffer, etc. I just thought I'd mention it in case I'm misunderstanding or it's a problem that you're not aware of.
I noticed this while checking to see if the file handle was held open or not to know how easy it would be to implement log rolling at the end of each day.