Self destructing object instance

-
Using reference counting classes always requires some caution. You have to pay attention to reference cycles, using interface reference for referencing such object instances, not calling FreeAndNil and more... it is quite a list...

But every once in a while, new ways of shooting yourself in the foot keep popping up... So here goes the story...

I have two reference counted classes that hold reference to each other instances. One of those references is marked as [weak] to prevent creating strong reference cycle.


type
      TFoo = class(TInterfacedObject)
      private
        [weak]
        FRef: IInterface;
      public
        constructor Create(const ARef: IInterface);
      end;
    
      TBar = class(TInterfacedObject)
      private
        FFoo: IInterface;
      public
        constructor Create; virtual;
        destructor Destroy; override;
        procedure AfterConstruction; override;
      end;
    
    constructor TFoo.Create(const ARef: IInterface);
    begin
      inherited Create;
      FRef := ARef;
    end;
    
    constructor TBar.Create;
    begin
      inherited;
    end;
    
    destructor TBar.Destroy;
    begin
      inherited;
    end;
    
    procedure TBar.AfterConstruction;
    begin
      inherited;
      FFoo := TFoo.Create(Self);
    end;
    
    procedure Test;
    var
      Intf: IInterface;
    begin
      Intf := TBar.Create;
      writeln(Assigned(Intf)); // TRUE as expected
    end; // AV here
But I cannot successfully finish construction of TBar object instance and exiting Test procedure triggers Access Violation exception at _IntfClear.
Exception class $C0000005 with message 'access violation at 0x0040e398: read of address 0x00000009'.
Stepping through debugger shows that TBar.Destroy is called before code reaches writeln(Assigned(Intf)) line and there is no exception during construction process.

Why is destructor called during construction of an object here and why there is no exception?

Reference counting overview

To understand what is happening here we need short overview of how Delphi ARC works on reference counted object instances (ones implementing some interface) under classic compiler.
Reference counting basically counts strong references to an object instance and when last strong reference to an object goes out of scope, reference count will drop to 0 and instance will be destroyed.

Strong references here represent interface references (object references and pointers don't trigger reference counting mechanism) and compiler inserts calls to _AddRef and _Release methods at appropriate places for incrementing and decrementing reference count. For instance, when assigning to interface _AddRef is called, and when that reference goes out of scope _Release.

Simplified those methods generally look like:

function TInterfacedObject._AddRef: Integer;
    begin
      Result := AtomicIncrement(FRefCount);
    end;
    
    function TInterfacedObject._Release: Integer;
    begin
      Result := AtomicDecrement(FRefCount);
      if Result = 0 then
        Destroy;
    end;
Construction of reference counted object instance looks like:
  1. construction - TInterfacedObject.Create -> RefCount = 0
  • executing NewInstance
  • executing chain of constructors
  • executing AfterConstruction chain
  1. assigning to initial strong reference Intf := ...
  • _AddRef -> RefCount = 1
To understand actual problem we need to dig deeper in construction sequence, particularly NewInstance and AfterConstruction methods

class function TInterfacedObject.NewInstance: TObject;
    begin
      Result := inherited NewInstance;
      TInterfacedObject(Result).FRefCount := 1;
    end;

    procedure TInterfacedObject.AfterConstruction;
    begin
      AtomicDecrement(FRefCount);
    end;

Why is initial reference count in NewInstance set to 1 and not to 0?

Initial reference count must be set to 1 because code in constructors can be complex and can trigger transient reference counting which could automatically destroy the object during the construction process before it has chance to be assigned to the initial strong reference that will keep it alive.

That initial reference count is then decreased in AfterConstruction and object instance reference count is properly set for further reference counting.

Problem

Real problem in this questions code is in fact that it triggers transient reference counting in AfterConstruction method after call to inherited which decreases initial object reference count back to 0. Because of that, object will have its count increased, then decreased to 0 and it will self destruct calling Destroy.

While object instance is protected from self destruction inside constructor chain, for a brief moment it will be in fragile state inside AfterConstruction method and we need to make sure that there is no code there that can trigger reference counting mechanism during that time.

Actual code that triggers reference counting in this case is hidden in rather unexpected place and it comes in form of [weak] attribute. So, the very thing that should prevent instance from participating in reference counting mechanism actually triggers it - this is a flaw in [weak] attribute design reported as RSP-20406.

Solution(s)

  • If possible, move code that can trigger reference counting from AfterConstruction to constructor
  • Call inherited at the end of AfterConstruction method instead of the beginning.
  • Perform some explicit reference counting on your own by calling AtomicIncrement(FRefCount) at the beginning and AtomicDecrement(FRefCount) at the end of AfterConstruction (you cannot use _Release because it will destroy the object)
  • Replace [weak] attribute with [unsafe] (this can only be done if TFoo instance lifetime will never exceed TBar instance lifetime

Comments

Post a Comment

Popular posts from this blog

Catch Me If You Can - Part II

-
It has been quite some time since I wrote the Catch Me If You Can post about the inability of LLVM-backed compilers to catch non-call hardware exceptions. In other words, hardware exceptions raised by code written in the same block as the try...except exception handler. Since then, more LLVM-backed compilers have been added to Delphi, and with those, more reasons to change common coding practices... but still, very few developers know about the issue. The original article covered only try...except exception handlers, and exploring what exactly happens with implicit and explicit try...finally handlers was left as an exercise to the readers and to some future, now long overdue, post. And Now: All Hell Breaks Loose When you read about non-call hardware exceptions not being caught by an immediate try...except block, the implications might not look too serious. After all, while plenty of code can raise exceptions, try...except handlers are not that frequently used in places, as mo
Read more

Delphi 12.1 & New Quality Portal Released

-
Image
The Delphi 12.1 update has been released. Besides a number of bug fixes, this release also has a few new features. The most notable ones are the new Split Editor, which allows having multiple files opened side by side; and support for Android API 34. You can find more information about what is new in this update at https://docwiki.embarcadero.com/RADStudio/Athens/en/12_Athens_-_Release_1 However, the greatest change for all Delphi developers is a new bug tracking portal that replaces the old one, still available in read-only mode at https://quality.embarcadero.com/ . The new portal is hosted in Atlassian Cloud https://embt.atlassian.net/servicedesk/customer/portals  or through a redirect https://qp.embarcadero.com and is based on Jira Service Management (JSM), while the internal bug tracking system, which was also migrated to the cloud, was not changed and is running on Jira. This move to the cloud was inevitable, because Atlassian retired their Server line of products. JSM is a
Read more

Coming in Delphi 12: Disabled Floating-Point Exceptions

-
Delphi 12 is in the works. One of its small features that will have a huge impact is a change in the default handling of floating-point exceptions, which will now be masked on all platforms. Previously, floating-point exception handling was different across platforms, and most notably on the Windows platform: In VCL and console applications, floating-point exceptions were not masked and would raise an exception. On the other hand, FireMonkey applications had all floating-exceptions masked by default, regardless of which platform they were running on. Basically if you haven't explicitly changed the exception mask in your code to some value other than the default, and you had code that attempted to divide some number with zero, you would get an EZeroDivide exception in previous Delphi versions on the Windows VCL application. In Delphi 12, there is no exception, and the result of such a division will be +INF . So the following code will no longer raise an exception. If you were r
Read more