{"id":108831,"date":"2023-09-27T07:00:00","date_gmt":"2023-09-27T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=108831"},"modified":"2023-09-27T06:51:53","modified_gmt":"2023-09-27T13:51:53","slug":"20230927-00-3","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20230927-00\/?p=108831","title":{"rendered":"The dangers of releasing the last strong reference from within its own callback"},"content":{"rendered":"

A common callback pattern is that unregistering a callback will wait until any outstanding callbacks have completed. This avoids the problem of freeing the data out from under a running callback.<\/p>\n\n\n\n\n\n\n\n\n\n\n
Thread 1<\/th>\nThread 2<\/th>\n<\/tr>\n
RegisterCallback(callback, this);<\/code><\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\ncallback<\/code> begins<\/td>\n<\/tr>\n
Destructor begins<\/td>\n\u22ee do stuff with this<\/code><\/td>\n<\/tr>\n
UnregisterCallback(callback)<\/code><\/td>\n\u22ee do stuff with this<\/code><\/td>\n<\/tr>\n
Destructor completes<\/td>\n\u22ee do stuff with this<\/code><\/td>\n<\/tr>\n
\u00a0<\/td>\n\u22ee do stuff with this<\/code><\/td>\n<\/tr>\n
\u00a0<\/td>\ncallback<\/code> returns<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

In the above example, the Unregister\u00adCallback<\/code> doesn’t wait for the outstanding callback to complete, and as a result, the object is destructed while there is code still using it.<\/p>\n

Forcing Unregister\u00adCallback<\/code> to wait for outstanding callbacks to complete avoids this problem:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
Thread 1<\/th>\nThread 2<\/th>\n<\/tr>\n
RegisterCallback(callback, this);<\/code><\/td>\n <\/td>\n<\/tr>\n
\u00a0<\/td>\ncallback<\/code> begins<\/td>\n<\/tr>\n
Destructor begins<\/td>\n\u22ee do stuff with this<\/code><\/td>\n<\/tr>\n
UnregisterCallback(callback)<\/code><\/td>\n\u22ee do stuff with this<\/code><\/td>\n<\/tr>\n
\u22ee waiting for callback to finish<\/td>\n\u22ee do stuff with this<\/code><\/td>\n<\/tr>\n
\u22ee waiting for callback to finish<\/td>\n\u22ee do stuff with this<\/code><\/td>\n<\/tr>\n
\u22ee waiting for callback to finish<\/td>\ncallback<\/code> returns<\/td>\n<\/tr>\n
UnregisterCallback(callback)<\/code> returns<\/td>\n <\/td>\n<\/tr>\n
Destructor completes<\/td>\n <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

This pattern avoids a use-after-free problem, but it creates a new one: Deadlock.<\/p>\n

If your callback takes a strong reference to the containing object, then when that strong reference is destructed at the end of the callback, that may end up destructing the last strong pointer to the object, causing the object itself to destruct from inside the callback. That destructor will wait for the callback to complete, and we have deadlocked.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Thread 1<\/th>\nThread 2<\/th>\nReference count<\/th>\n<\/tr>\n
Constructor<\/td>\n <\/td>\n\u00a0<\/td>\n<\/tr>\n
\u22eeRegisterCallback(callback, this);<\/code><\/td>\n <\/td>\n1<\/td>\n<\/tr>\n
Retain strong reference<\/td>\n <\/td>\n1<\/td>\n<\/tr>\n
\u00a0<\/td>\ncallback<\/code> begins<\/td>\n\u00a0<\/td>\n<\/tr>\n
\u00a0<\/td>\n\u22ee create strong reference to self<\/td>\n2<\/td>\n<\/tr>\n
\u00a0<\/td>\n\u22ee do stuff with this<\/code><\/td>\n\u00a0<\/td>\n<\/tr>\n
Release strong reference<\/td>\n\u22ee do stuff with this<\/code><\/td>\n1<\/td>\n<\/tr>\n
\u00a0<\/td>\n\u22ee do stuff with this<\/code><\/td>\n\u00a0<\/td>\n<\/tr>\n
\u00a0<\/td>\n\u22ee do stuff with this<\/code><\/td>\n\u00a0<\/td>\n<\/tr>\n
\u00a0<\/td>\n\u22ee destruct local strong reference<\/td>\n0<\/td>\n<\/tr>\n
\u00a0<\/td>\n\u22ee\u22eeDestructor runs<\/td>\n\u00a0<\/td>\n<\/tr>\n
\u00a0<\/td>\n\u22ee\u22eeUnregisterCallback(callback)<\/code> hangs<\/td>\n\u00a0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The call to UnregisterCallback<\/code> hangs because it is waiting for the callback to complete, but the callback is itself waiting for the destructor to finish, and the destructor is stuck in the UnregisterCallback<\/code>.<\/p>\n

For thread pool callbacks, we could use Disassociate\u00adCurrent\u00adThread\u00adFrom\u00adCallback<\/code><\/a> to break the deadlock. But other types of callbacks may not have a way to say, “Act as if I returned (even though I haven’t yet).”<\/p>\n

One solution is to forbid taking a strong reference to the containing object from the callback.<\/p>\n

void MyObject::callback(CallbackData* data, void* context)\r\n{\r\n    auto self = reinterpret_cast<MyObject*>(context);\r\n\r\n    \/\/ Calling self->get_strong() or self->shared_from_this()\r\n    \/\/ is forbidden! Or in fact anything else that might result in\r\n    \/\/ a strong reference to MyObject.\r\n    \/\/\r\n    \/\/ Also, cannot access any members that are initialized after\r\n    \/\/ the RegisterCallback call or cleaned up before the\r\n    \/\/ UnregisterCallback call.\r\n\r\n    \u27e6 do stuff with \"self\" \u27e7\r\n}\r\n<\/pre>\n
In addition to forbidding strong references, we must also make sure not to access any members which are initialized in the constructor after the call to Register\u00adCallback<\/code> or cleaned up in the destructor prior to the Unregister\u00adCallback<\/code> call. In the common case that the callback is managed by an RAII type, this means that you cannot access any members which are declared after the RAII type or manually initialized in the constructor body; nor can you access any members which are cleaned up explicitly in the destructor, or declared after the RAII type. (The “declared after the RAII type” restriction comes from the rule that C++ members are initialized in order of declaration in the class definition, and destructed in reverse order.)<\/p>\n
For example, suppose callback_holder<\/code> is an RAII type that calls Unregister\u00adCallback<\/code> at destruction.<\/p>\n
struct MyObject \r\n{\r\n    std::string m_value1;\r\n    Widget m_widget;\r\n    callback_holder m_callback(&MyObject::callback, this);\r\n    std::string m_value2;\r\n\r\n    MyObject()\r\n    {\r\n        m_widget.prime();\r\n    }\r\n\r\n    ~MyObject()\r\n    {\r\n        m_widget.disable();\r\n    }\r\n\r\n    static void callback(CallbackData* data, void* context);\r\n};\r\n<\/pre>\n
Given the above class, the callback<\/code> cannot access m_value2<\/code>, since it is constructed after m_callback<\/code> and destructed before it. It also has to be prepared for running before m_widget<\/code> has been primed or running after m_widget<\/code> has been disabled.<\/p>\n
The fact that the callback is still potentially active before the constructor finishes and after the destructor starts means that the usual rule of thumb that “there won’t be any conflicting threads during construction or destruction” does not apply, since there may be an active callback that is racing the constructor or destructor.<\/p>\n
You can simplify the rules by explicitly registering the callback at the end of the constructor and unregistering it at the start of the destructor:<\/p>\n
    MyObject()\r\n    {\r\n        m_widget.prime();\r\n        \/\/ Do this last: Don't register for callbacks  <\/span>\r\n        \/\/ until all members are ready.                <\/span>\r\n        m_callback.register(&MyObject::callback, this);<\/span>\r\n    }\r\n\r\n    ~MyObject()\r\n    {\r\n        \/\/ Do this first: Ensure all outstanding<\/span>\r\n        \/\/ callbacks have completed.            <\/span>\r\n        m_callback.reset();                     <\/span>\r\n        m_widget.disable();\r\n    }\r\n<\/pre>\n
Now, that’s a lot of rules to remember in the callback. Furthermore, enforcing these rules may be difficult if the “do stuff with self<\/code>” is complex and calls other methods: Those other methods now need to know the rules about forbidden strong references and unsafe member variables, and these are the sorts of rules that are easy to break by accident and hard to detect via static analysis.<\/p>\n
Another option is to queue further work and return from the callback immediately. Give that future work a weak<\/i> reference, with the promise not to resolve the weak reference to a strong reference until after you have arrived on the other thread.<\/p>\n
void MyObject::Callback(CallbackData* data, void* context)\r\n{\r\n    auto self = reinterpret_cast<MyObject*>(context);\r\n\r\n    [](auto weak, auto important) -> fire_and_forget {\r\n        co_await resume_background();\r\n        if (auto strong = weak.get()) {\r\n            \u27e6 do stuff with \"strong\" \u27e7\r\n        }\r\n    }(get_weak(), data->important);\r\n}\r\n<\/pre>\n
The data we carry to the background thread are a weak<\/i> reference to ourselves, as well as any event payload that we need. (We probably can’t capture the raw pointer data<\/code> since that would result in using the data<\/code> pointer after the callback returns.) Only after safely arriving on the background thread do we try to promote the weak reference to a strong reference, and we bail out if the object has already begun destruction.<\/p>\n
Another solution is to break the deadlock by forcing the destructor to run outside of the callback: In C++\/WinRT, you can  declare your class with a final_release<\/code><\/a> and move the destruction to another thread.<\/p>\n
struct MyObject : implements<MyObject, IInspectable>\r\n{\r\n    static fire_and_forget final_release(std::unique_ptr<MyObject> ptr)\r\n    {\r\n        \/\/ Queue continuation on a background thread\r\n        co_await resume_background();\r\n\r\n        \/\/ allow ptr to destruct on a background thread\r\n    }\r\n};\r\n<\/pre>\n
This is probably the simplest solution, assuming you have it available as an option, since it allows the rest of the class to write code “naturally” and not have to worry about all the weird rules.<\/p>\n","protected":false},"excerpt":{"rendered":"
Deadlocking with yourself.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-108831","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Deadlocking with yourself.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/108831","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=108831"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/108831\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=108831"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=108831"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=108831"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}