{"id":108891,"date":"2023-10-13T07:00:00","date_gmt":"2023-10-13T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=108891"},"modified":"2023-10-13T08:29:40","modified_gmt":"2023-10-13T15:29:40","slug":"20231013-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20231013-00\/?p=108891","title":{"rendered":"On detecting improper use of std::enable_shared_from_this<\/CODE>"},"content":{"rendered":"

We saw some time ago that you must publicly derive from std::enable_shared_from_this<\/code><\/a> in order for shared_from_this()<\/code> to work. Can we fix it so that the problem is detected at compile time rather than failing mysteriously at runtime?<\/p>\n

template<class T>\r\nclass enable_shared_from_this\r\n{\r\n    static_assert(                                      <\/span>\r\n        std::is_convertible_v<T*,                       <\/span>\r\n                              enable_shared_from_this*>,<\/span>\r\n        \"You must publicly derive from \"                <\/span>\r\n        \"enable_shared_from_this exactly once\");        <\/span>\r\n\r\npublic:\r\n    using esft_tag = enable_shared_from_this;\r\n\r\n    [[nodiscard]] shared_ptr<T> shared_from_this() {\r\n        return shared_ptr<T>(weak);\r\n    }\r\n\r\n    [[nodiscard]] shared_ptr<T> shared_from_this() const {\r\n        return shared_ptr<const T>(weak);\r\n    }\r\n\r\n    [[nodiscard]] weak_ptr<T> weak_from_this() noexcept {\r\n        return weak;\r\n    }\r\n\r\n    [[nodiscard]] weak_ptr<const T> weak_from_this() const noexcept {\r\n        return weak;\r\n    }\r\n\r\nprotected:\r\n    constexpr enable_shared_from_this() noexcept : weak() {}\r\n\r\n    enable_shared_from_this(const enable_shared_from_this&) noexcept {}\r\n    enable_shared_from_this& operator=(const enable_shared_from_this&) noexcept\r\n    { return *this; }\r\n\r\nprivate:\r\n    template<typename U> friend class shared_ptr;\r\n\r\n    mutable weak_ptr<T> weak;\r\n};\r\n<\/pre>\n
We assert that the class T<\/code> publicly and uniquely derives from enable_shared_from_this<T><\/code>. Unfortunately, this doesn’t work because we are asserting too soon:<\/p>\n
class something : std::enable_shared_from_this<something>\r\n\/\/   instantiated ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\r\n{\r\n    \u27e6 ... \u27e7\r\n};\r\n<\/pre>\n
At the point that enable_shared_from_this<someting><\/code> is instantiated, the class something<\/code> is incomplete.<\/p>\n
We can defer the assertion to the constructor, because the constructor body is instantiated after the completion of the derived class.<\/p>\n
template<class T>\r\nclass enable_shared_from_this\r\n{\r\npublic:\r\n    using esft_tag = enable_shared_from_this;\r\n\r\n    [[nodiscard]] shared_ptr<T> shared_from_this() {\r\n        return shared_ptr<T>(weak);\r\n    }\r\n\r\n    [[nodiscard]] shared_ptr<T> shared_from_this() const {\r\n        return shared_ptr<const T>(weak);\r\n    }\r\n\r\n    [[nodiscard]] weak_ptr<T> weak_from_this() noexcept {\r\n        return weak;\r\n    }\r\n\r\n    [[nodiscard]] weak_ptr<const T> weak_from_this() const noexcept {\r\n        return weak;\r\n    }\r\n\r\nprotected:\r\n    constexpr enable_shared_from_this() noexcept : weak() {\r\n      static_assert(                                      <\/span>\r\n          std::is_convertible_v<T*,                       <\/span>\r\n                                enable_shared_from_this*>,<\/span>\r\n          \"You must publicly derive from \"                <\/span>\r\n          \"enable_shared_from_this exactly once\");        <\/span>\r\n\r\n    }\r\n\r\n    enable_shared_from_this(const enable_shared_from_this&) noexcept {}\r\n    enable_shared_from_this& operator=(const enable_shared_from_this&) noexcept\r\n    { return *this; }\r\n\r\nprivate:\r\n    template<typename U> friend class shared_ptr;\r\n\r\n    mutable weak_ptr<T> weak;\r\n};\r\n<\/pre>\n
But wait, there’s this other mistake: Deriving from two different specializations of enable_shared_from_this<\/code>:<\/p>\n
struct B1 : std::enable_shared_from_this<B1> {};\r\nstruct B2 : std::enable_shared_from_this<B2> {};\r\n\r\nstruct D : B1, B2 {};\r\n\r\n\/\/ No complaint!\r\nauto p = std::make_shared<D>();\r\n\r\n\/\/ This throws bad_weak_ptr\r\nauto b1 = p->B1::shared_from_this();\r\n<\/pre>\n
The make_shared<D>()<\/code> executes just fine, but the resulting object’s std::enable_shared_from_this<B1><\/code> and std::enable_shared_from_this<B2><\/code> objects are nonfunctional because D<\/code> derived multiple times from std::enable_shared_from_this<\/code>. We failed to detect this in our static_assert<\/code> because the static_assert<\/code> checks only that each individual specialization is unique.<\/p>\n
Remember, enable_shared_from_this<\/code> is not referring to “all specializations of this template”. It is referring to the specific specialization being instantiated, since it is the  injected class name<\/a>. In other words, the full version of the static assertion is<\/p>\n
static_assert(\r\n    std::is_convertible_v<T*,\r\n                          enable_shared_from_this<T><\/span>*>,\r\n    \"You must publicly derive from \"\r\n    \"enable_shared_from_this exactly once\");\r\n<\/pre>\n
But we want to check all<\/i> specializations, not just the one being instantiated. How can we do that?<\/p>\n
We can take advantage of the esft_tag<\/code> that is used by make_shared()<\/code> to locate the enable_shared_from_this()<\/code> base class.<\/p>\n
static_assert(\r\n    std::is_convertible_v<T*,\r\n                          typename T::esft_tag<\/span>*>,\r\n    \"You must publicly derive from \"\r\n    \"enable_shared_from_this exactly once\");\r\n<\/pre>\n
If T<\/code> has multiple base classes which are specializations of enable_shared_from_this<T><\/code>, there are two cases:<\/p>\n
    \n
  • All of the base classes are the same enable_shared_from_this<T><\/code>. In this case, the conversion from T*<\/code> to enable_shared_from_this<T>*<\/code> is ambiguous, and is_convertible_v<\/code> returns false<\/code>.<\/li>\n
  • There are two base classes which are different specializations, say enable_shared_from_this<B1><\/code> and enable_shared_from_this<B2><\/code> (where B1<\/code> \u2260 B2<\/code>). In this case, tthe nested type T::esft_tag<\/code> will have conflicting definitions, and you get an ambiguous type error.<\/li>\n<\/ul>\n
    The standard enable_shared_from_this<T><\/code> doesn’t do this extra enforcement because you are allowed to specialize enable_shared_from_this<T><\/code> with an incomplete type!<\/p>\n
    struct D;\r\n\r\nstruct B : std::enable_shared_from_this<D>\r\n{\r\n};\r\n\r\nstruct D : B\r\n{\r\n};\r\n\r\nauto p = std::make_shared<D>();\r\nauto q = p->shared_from_this();\r\n<\/pre>\n
    We made B<\/code> derive from std::enable_shared_from_this<D><\/code> even though we don’t know what D<\/code> is yet. This is legal. It just means that if you ever decide to put B<\/code> inside a shared_ptr<\/code>, it had better be a base class of a larger D<\/code> object.<\/p>\n
    So let’s just declare that case as out of scope for our “strict enable_shared_from_this<\/code>“.<\/p>\n
    Can we augment the standard enable_shared_from_this<\/code> to add this sort of safety checking? Let’s try it:<\/p>\n
    template<typename T>\r\nstruct strict_enable_shared_from_this\r\n    : std::enable_shared_from_this<T>\r\n{\r\n    using esft_tag = std::enable_shared_from_this<T>;\r\n};\r\n\r\ntemplate<typename T, typename... Args>\r\nstd::shared_ptr<T>\r\nstrict_make_shared(Args&&... args)\r\n{\r\n    static_assert(\r\n        std::is_convertible_v<T*,\r\n                              typename T::esft_tag*>,\r\n        \"You must publicly derive from \"\r\n        \"strict_enable_shared_from_this exactly once\");\r\n    return std::make_shared<T>(std::forward<Args>(args)...);\r\n}\r\n<\/pre>\n
    If we can be sure that everybody uses strict_enable_shared_from_this<\/code>, then strict_make_shared<\/code> can verify that the resulting shared_ptr<\/code> owns an object which indeed holds a weak pointer to itself. On the other hand, if somebody sneaks in and uses a standard enable_shared_from_this<\/code>, then they can avoid the detection.<\/p>\n
    struct B1 : strict_enable_shared_from_this<D> {};\r\nstruct B2 : std::enable_shared_from_this<D> {};\r\nstruct D: B1, B2 {};\r\n\r\n\/\/ No complaint, but the shared_from_this method fails.\r\nauto p = strict_make_shared<D>();\r\n<\/pre>\n
    It would be nice if the C++ standard library had a type trait<\/p>\n
    template<typename T>\r\nstruct can_enable_shared_from_this;\r\n\r\ntemplate<typename T>\r\ninline constexpr bool can_enable_shared_from_this_v =\r\n    can_enable_shared_from_this<T>::value;\r\n<\/pre>\n
    Then we can we can define our own (or maybe the C++ standard libray can also provide)<\/p>\n
    template<typename T, typename... Args>\r\nstd::shared_ptr<T>\r\nmake_shared_with_weak_ptr(Args&&... args)\r\n{\r\n    static_assert(\r\n        std::can_enable_shared_from_this_v<T>);\r\n    return std::make_shared<T>(std::forward<Args>(args)...);\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
    Playing around with the standard library.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-108891","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
    Playing around with the standard library.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/108891","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=108891"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/108891\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=108891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=108891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=108891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}