Two suggestions for safe refcounting

Zach the Mystic via Digitalmars-d digitalmars-d at puremagic.com
Thu Mar 5 23:46:11 PST 2015 

As per deadalnix's request, a summary of my thoughts regarding 
the thread "RCArray is unsafe":

It's rather easy to guarantee memory safety from the safe 
confines of a garbage collected system. Let's take this as a 
given.

It's much harder when you step outside that system and try to 
figure out when it is or isn't safe to delete memory. It 
shouldn't be too surprising, therefore, that there are lots of 
pitfalls. Reference counting is a lonely outpost in the 
wilderness which is otherwise occupied by manual memory 
management. It's the only alternative to chaos.

But the walls protecting this outpost are easily breached by any 
dangling reference which is not accounted for.

We have seen two instances of how this can occur. The first, when 
boiled down to its essence, is that there is no corresponding 
bump in the reference count for a parameter which can alias an 
existing reference:

void fun(ref RCStruct a, ref RCStruct b);
RCStruct c;
fun(c,c); // c aliases itself

void gun(ref RCStruct a);
static RCStruct d;
gun(d); // d aliases global d

Because the workarounds are easy:
{
   RCStruct c;
   auto tmp = c;
   fun(c,tmp);

   auto tmp2 = d;
   gun(tmp2);
}
...it seems okay to mark these rare violations @system.

The second, harder problem, is when you take a reference to a 
subcomponent of an RC'd type, e.g. an individual E of an RCArray 
of E:

struct RCArray(E) {
   E[] array;
   int* count;
   ...
}
auto x =  RCArray([E()]);
E* t = &x[0];

Here's the problem. If x is assigned to a different RCArray, the 
one t points to will be deleted. On the other hand, if some 
special logic allows the definition of t to increment the 
reference count, then you have a memory leak, because t is not 
designed to keep track of x's original counter.

I don't know if we can get out of this mess. My suggestion 
represents a best-effort attempt. The only way I can see out of 
this problem is to redesign RCArray.

The problem with RCArray is that it "owns" the data it 
references. If a type different from RCArray, i.e. an individual 
E* into the array of E[], tries to reference the data, it's 
stuck, because it's not an RCArray!E. Therefore, you need to 
separate out the core data from the different types that can 
point to it. The natural place would be right next to its 
reference counter, in a separate struct:

struct RCData {
   int count = 0;
   void[] chunk;

   this(size_t size) {
     chunk = new void[size];
   }
   void addRef() {
     ++count;
   }
   void decRef() {
     if (--count == 0)
       delete chunk;
   }
}

Now RCArray can be redesigned to point to an RCData type. All new 
RC types will also contain a pointer to an RCData instance:

struct RCArray(E) {
   E[] array;
   private RCData* data;

   this(E[] a) {
     data = new RCData(a * sizeof(a));
     data.chunk = cast(void[]) a;
     array = a;
   }

   this(this) {
     data.addRef();
   }

   ~this() {
     data.decRef();
   }

   ref RCElement!E opIndex(size_t i) return {
     return RCElement!E(array[i], data);
   }
   ...
}

Note how the last member, opIndex, doesn't return a raw E*, but 
only an E* which is paired with a pointer to the same RCData 
instance as the RCArray is:

struct RCElement(E) {
   E* element;
   private RCData* data;

   this(this) {
     data.addRef();
   }
   ~this() {
     data.decRef();
   }
}

This is the best I could do.

More information about the Digitalmars-d mailing list