RCArray is unsafe
Ivan Timokhin via Digitalmars-d
digitalmars-d at puremagic.com
Wed Mar 4 00:55:20 PST 2015
Excuse me if I miss something obvious, but:
void main()
{
auto arr = RCArray!int([0]);
foo(arr, arr[0]);
}
void foo(ref RCArray!int arr, ref int val)
{
{
auto copy = arr; //arr's (and copy's) reference counts are both 2
arr = RCArray!int([]); // There is another owner, so arr
// forgets about the old payload
} // Last owner of the array ('copy') gets destroyed and happily
// frees the payload.
val = 3; // Oops.
}
On Mon, Mar 02, 2015 at 03:22:52PM -0800, Andrei Alexandrescu wrote:
> On 3/2/15 2:57 PM, Walter Bright wrote:
> > His insight was that the deletion of the payload occurred before the end
> > of the lifetime of the RC object, and that this was the source of the
> > problem. If the deletion of the payload occurs during the destructor
> > call, rather than the postblit, then although the ref count of the
> > payload goes to zero, it doesn't actually get deleted.
> >
> > I.e. the postblit manipulates the ref count, but does NOT do payload
> > deletions. The destructor checks the ref count, if it is zero, THEN it
> > does the payload deletion.
> >
> > Pretty dazz idea, dontcha think? And DIP25 still stands unscathed :-)
> >
> > Unless, of course, we missed something obvious.
>
> And since an RCArray may undergo several assignments during its lifetime
> (thus potentially needing to free several chunks of memory), the arrays
> to be destroyed will be kept in a freelist-style structure. Destructor
> walks the freelist and frees the chunks.
>
> Andrei
More information about the Digitalmars-d
mailing list