\nOne of the big advantages of managed code is that you don’t have\nto worry about managing object lifetimes. Here’s an example of\nsome unmanaged code that tries to manage reference counts and\ndoesn’t quite get it right.\nEven a seemingly-simple function has a reference-counting bug.\n<\/p>\n
\ntemplate <class T>\nT *SetObject(T **ppt, T *ptNew)\n{\n if (*ppt) (*ppt)->Release(); \/\/ Out with the old\n *ppt = ptNew; \/\/ In with the new\n if (ptNew) (ptNew)->AddRef();\n return ptNew;\n}\n<\/pre>\n\nThe point of this function is to take a (pointer to)\na variable that points to one object and replace it with\na pointer to another object. This is a function that sits\nat the bottom of many “smart pointer” classes. Here’s\nan example use:\n<\/p>\n
\ntemplate <class T>\nclass SmartPointer {\npublic:\n SmartPointer(T* p = NULL)\n : m_p(NULL) { *this = p; }\n ~SmartPointer() { *this = NULL; }\n T* operator=(T* p)\n { return SetObject(&m_p, p); }\n operator T*() { return m_p; }\n T** operator&() { return &m_p; }\nprivate:\n T* m_p;\n};\nvoid Sample(IStream *pstm)\n{\n SmartPointer<IStream> spstm(pstm);\n SmartPointer<IStream> spstmT;\n if (SUCCEEDED(GetBetterStream(&spstmT))) {\n spstm = spstmT;\n }\n ...\n}\n<\/pre>\n\nOh why am I explaining this? You know how smart pointers work.\n<\/p>\n
\nOkay, so the question is, what’s the bug here?\n<\/p>\n
\nStop reading here and don’t read ahead until you’ve figured it out\nor you’re stumped or you’re just too lazy to think about it.\n<\/p>\n
\n\n
\nThe bug is that the old object is Release()d before the new object\nis AddRef()’d. Consider:\n<\/p>\n
\n SmartPointer<IStream> spstm;\n CreateStream(&spstm);\n spstm = spstm;\n<\/pre>\n\nThis assignment statement looks harmless (albeit wasteful).\nBut is it?\n<\/p>\n
\nThe “smart pointer” is constructed with NULL,\nthen the CreateStream creates a stream and assigns it to\nthe “smart pointer”. The stream’s reference count is now one.\nNow the assignment statement is executed, which turns into\n<\/p>\n
\n SetObject(&spstm.m_p, spstm.m_p);\n<\/pre>\n\nInside the SetObject function, ppt points tp spstm.m_p, and\npptNew equals the original value of spstm.m_p.\n<\/p>\n
\nThe first thing that SetObject does is release the old pointer,\nwhich now drops the reference count of the stream to zero.\nThis destroys the stream object<\/strong>.\nThen the ptNew parameter (which now points to a freed object)\nis assigned to spstm.m_p, and finally the ptNew pointer\n(which still points to a freed object) is AddRef()d.\nOops, we’re invoking a method on an object that has been freed;\nno good can come of that.\n<\/p>\n\nIf you’re lucky, the AddRef() call crashes brilliantly so\nyou can debug the crash and see your error.\nIf you’re not lucky (and you’re usually not lucky),\nthe AddRef() call interprets the freed memory as if it were\nstill valid and increments a reference count somewhere inside\nthat block of memory. Congratulations, you’ve now corrupted memory.\nIf that’s not enough to induce a crash (at some unspecified point\nin the future), when the “smart pointer”\ngoes out of scope or otherwise changes its referent, the invalid\nm_p pointer will be Release()d, corrupting memory yet another time.\n<\/p>\n
\nThis is why “smart pointer” assignment functions must AddRef() the\nincoming pointer before Release()ing the old pointer.<\/p>\n
\ntemplate <class T>\nT *SetObject(T **ppt, T *ptNew)\n{\n if (ptNew) (ptNew)->AddRef();\n if (*ppt) (*ppt)->Release();\n *ppt = ptNew;\n return ptNew;\n}\n<\/pre>\n