{"id":109276,"date":"2024-01-17T07:00:00","date_gmt":"2024-01-17T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=109276"},"modified":"2024-01-16T21:15:19","modified_gmt":"2024-01-17T05:15:19","slug":"20240117-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20240117-00\/?p=109276","title":{"rendered":"Getting a strong reference from the this<\/CODE> pointer too soon"},"content":{"rendered":"

A bunch of us were investigating a crash that appeared to be due to the premature destruction of an object while they were still active COM references to it. After some investigation, we tracked it down: An object handed out a COM reference to itself in its constructor, even though it couldn’t fulfill all the requirements of COM strong references.<\/p>\n

Here’s a simplified version of the mistake:<\/p>\n

\/\/ C++\/WinRT - this code is wrong\r\nnamespace winrt::Contoso::implementation\r\n{\r\n    struct MyPage : MyPageT<MyPage>\r\n    {\r\n        MyPage()\r\n        {\r\n            Application::LoadComponent(*this, blah, blah);\r\n            something_that_might_throw();\r\n        }\r\n\r\n        \u27e6 ... \u27e7\r\n    };\r\n}\r\n\r\n\/\/ C++\/WRL - this code is wrong\r\nstruct MyPage : RuntimeClass<IPage>\r\n{\r\n    MyPage()\r\n    {\r\n        Application::LoadComponent(this, blah, blah);\r\n        something_that_might_throw();\r\n    }\r\n\r\n    \u27e6 ... \u27e7\r\n};\r\n\r\n\/\/ Manually implemented - this code is wrong\r\nstruct MyPage : IPage\r\n{\r\n    MyPage() : m_refCount(1)\r\n    {\r\n        Application::LoadComponent(this, blah, blah);\r\n        something_that_might_throw();\r\n    }\r\n\r\n    LONG m_refCount;\r\n    \u27e6 ... \u27e7\r\n};\r\n\r\nCComPtr<IPage> page;\r\npage.Attach(new MyPage());\r\n<\/pre>\n
The C++\/WinRT library convention for producing a COM reference to the current object is to use the *<\/code> operator, so the line<\/p>\n
\/\/ C++\/WinRT\r\nApplication::LoadComponent(*this, blah, blah);\r\n<\/pre>\n
creates an IInspectable<\/code> that refers to the current object and passes it to LoadComponent<\/code>. If you use WRL or some other library that operates at the ABI level, then you just pass this<\/code>, and the compiler will automatically convert it to a pointer to the IInspectable<\/code> base class.<\/p>\n
No matter how you slice it, what happens is that you passed a COM pointer to Application::LoadComponent<\/code>, and therefore LoadComponent<\/code> is within its rights to call AddRef<\/code> on that COM pointer to extend the pointer’s lifetime, and retain the pointer for later use.<\/p>\n
When Application::LoadComponent<\/code> returns, the object’s reference count has been incremented to 2.<\/p>\n
Unfortunately, what might happen next is that an exception or other error is encountered in the next part of the constructor. An exception in the constructor forces the object to destruct, and that means that the MyPage<\/code> destructs without regard for its reference count.\u00b9<\/p>\n
Later, some other code tries to use the COM pointer that Application::LoadComponent<\/code> saved, and it crashes because it now points to freed memory.<\/p>\n
Your code made a promise it couldn’t keep. It told Application::LoadComponent<\/code>, “Here’s a COM pointer,” and one of the things that COM pointers can do is extend their lifetime with the AddRef<\/code> method. But this particular COM pointer doesn’t honor that AddRef<\/code> if an exception occurs.<\/p>\n
The traditional solution to this problem is to have a rule (enforced by code review) that constructors may not throw exceptions if they also hand out COM references to themselves.<\/p>\n
If you do hand out COM references, and you want to do things that might throw exceptions, then use two-phase construction, where all of the potentially-throwing operations are put in the second phase. WRL implements two-phase construction with the Runtime\u00adClass\u00adInitialize()<\/code> method,\u00b2 and starting in C++\/WinRT version 2.0.220331.4,  C++\/WinRT uses the name Initialize\u00adComponent()<\/code> for the second phase<\/a>.<\/p>\n
If the second phase of two-phase construction fails, then the caller is told that the object failed to construct, but if there are any outstanding COM references to the object, the object won’t destruct until those outstanding references are released. You do have to be careful to leave your object in a harmless state after the exception is thrown, because those components which still have COM references will try to use them, and they should get some sort of reasonable behavior out of the zombie object. (What counts as “reasonable” is a domain-specific decision.)<\/p>\n
In the above cases, we would do something like this:<\/p>\n
\/\/ C++\/WinRT, non-XAML class\r\nnamespace winrt::Contoso::implementation\r\n{\r\n    struct MyPage : MyPageT<MyPage>\r\n    {\r\n        void InitializeComponent()<\/span>\r\n        {\r\n            Application::LoadComponent(*this, blah, blah);\r\n            something_that_might_throw();\r\n        }\r\n\r\n        \u27e6 ... \u27e7\r\n    };\r\n}\r\n\r\n\/\/ C++\/WinRT, XAML class\r\nnamespace winrt::Contoso::implementation\r\n{\r\n    struct MyPage : MyPageT<MyPage>\r\n    {\r\n        void InitializeComponent()\r\n        {\r\n            MyPageT::InitializeComponent();<\/span> \/\/ let base class initialize\r\n            Application::LoadComponent(*this, blah, blah);\r\n            something_that_might_throw();\r\n        }\r\n\r\n        \u27e6 ... \u27e7\r\n    };\r\n}\r\n\r\n\/\/ C++\/WRL\r\nstruct MyPage : RuntimeClass<IPage>\r\n{\r\n    HRESULT RuntimeClassInitialize()<\/span> try\r\n    {\r\n        Application::LoadComponent(this, blah, blah);\r\n        something_that_might_throw();\r\n        return S_OK;\r\n    }\r\n    CATCH_RETURN();\r\n\r\n    \u27e6 ... \u27e7\r\n};\r\n\r\n\/\/ Manually implemented\r\nstruct MyPage : IPage\r\n{\r\n    MyPage() : m_refCount(1)\r\n    {\r\n    }\r\n\r\n    \/\/ You can call this method anything you want.\r\n    void Phase2Initialize()<\/span>\r\n    {\r\n        Application::LoadComponent(this, blah, blah);\r\n        something_that_might_throw();\r\n    }\r\n\r\n    LONG m_refCount;\r\n    \u27e6 ... \u27e7\r\n};\r\n\r\nCComPtr<IPage> page;\r\npage.Attach(new MyPage());\r\npage->Phase2Initialize();\r\n<\/pre>\n
“What about ATL?”<\/p>\n
Yeah, what about ATL?<\/p>\n
ATL gets its own discussion next time.<\/p>\n
Bonus chatter<\/b>: This problem doesn’t exist for C++ standard library shared_ptr<\/code> because you cannot obtain a shared_ptr<\/code> to yourself from your constructor. If you call shared_from_this()<\/code> from the constructor, you will get a std::bad_weak_ptr<\/code> exception. That’s because,  as we saw some time ago<\/a>, the weak pointer hiding inside enable_shared_from_this<\/code> is not initialized until after the object is constructed.<\/p>\n
\u00b9 This is basically a variant of  getting a strong reference from the this pointer too late<\/a>: We are destructing an object before its reference count goes to zero.<\/p>\n
\u00b2 WRL much prefers that you report failure to initialize the class by returning a failure HRESULT<\/code> from Runtime\u00adClass\u00adInitialize()<\/code> rather than throwing an exception. WRL does nothing to translate the exception, and if the Make\u00adAnd\u00adInitialize()<\/code> call came from Dll\u00adGet\u00adActivation\u00adFactory<\/code> or from the autogenerated implementation of IActivation\u00adFactory::Create\u00adInstance()<\/code>, the exception will go uncaught and escape the ABI boundary.<\/p>\n
WRL does catch exceptions that come from the constructor, but it blindly translates all such exceptions into E_OUT\u00adOF\u00adMEMORY<\/code>, even if the exception was not std::bad_alloc<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"
Giving out strong references to an object before you can guarantee that it will work.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-109276","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
Giving out strong references to an object before you can guarantee that it will work.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/109276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=109276"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/109276\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=109276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=109276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=109276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}