cef/include/base/cef_weak_ptr.h
Marshall Greenblatt d2c884da86 Prevent UB if a WeakPtr to an already-destroyed object is dereferenced.
If a WeakPtr references an already-destroyed object, operator-> and
operator* end up simply dereferencing nullptr. However, dereferencing
nullptr is undefined behavior and can be optimized in surprising ways
by compilers. To prevent this from happening, add a defence of last
resort and CHECK that the WeakPtr is still valid.

Based on https://crrev.com/bbb64b5c69
2020-11-10 11:51:50 -05:00

386 lines
13 KiB
C++

// Copyright (c) 2014 Marshall A. Greenblatt. Portions copyright (c) 2012
// Google Inc. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the name Chromium Embedded
// Framework nor the names of its contributors may be used to endorse
// or promote products derived from this software without specific prior
// written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Weak pointers are pointers to an object that do not affect its lifetime,
// and which may be invalidated (i.e. reset to NULL) by the object, or its
// owner, at any time, most commonly when the object is about to be deleted.
// Weak pointers are useful when an object needs to be accessed safely by one
// or more objects other than its owner, and those callers can cope with the
// object vanishing and e.g. tasks posted to it being silently dropped.
// Reference-counting such an object would complicate the ownership graph and
// make it harder to reason about the object's lifetime.
// EXAMPLE:
//
// class Controller {
// public:
// Controller() : weak_factory_(this) {}
// void SpawnWorker() { Worker::StartNew(weak_factory_.GetWeakPtr()); }
// void WorkComplete(const Result& result) { ... }
// private:
// // Member variables should appear before the WeakPtrFactory, to ensure
// // that any WeakPtrs to Controller are invalidated before its members
// // variable's destructors are executed, rendering them invalid.
// WeakPtrFactory<Controller> weak_factory_;
// };
//
// class Worker {
// public:
// static void StartNew(const WeakPtr<Controller>& controller) {
// Worker* worker = new Worker(controller);
// // Kick off asynchronous processing...
// }
// private:
// Worker(const WeakPtr<Controller>& controller)
// : controller_(controller) {}
// void DidCompleteAsynchronousProcessing(const Result& result) {
// if (controller_)
// controller_->WorkComplete(result);
// }
// WeakPtr<Controller> controller_;
// };
//
// With this implementation a caller may use SpawnWorker() to dispatch multiple
// Workers and subsequently delete the Controller, without waiting for all
// Workers to have completed.
// ------------------------- IMPORTANT: Thread-safety -------------------------
// Weak pointers may be passed safely between threads, but must always be
// dereferenced and invalidated on the same thread otherwise checking the
// pointer would be racey.
//
// To ensure correct use, the first time a WeakPtr issued by a WeakPtrFactory
// is dereferenced, the factory and its WeakPtrs become bound to the calling
// thread, and cannot be dereferenced or invalidated on any other thread. Bound
// WeakPtrs can still be handed off to other threads, e.g. to use to post tasks
// back to object on the bound thread.
//
// If all WeakPtr objects are destroyed or invalidated then the factory is
// unbound from the SequencedTaskRunner/Thread. The WeakPtrFactory may then be
// destroyed, or new WeakPtr objects may be used, from a different sequence.
//
// Thus, at least one WeakPtr object must exist and have been dereferenced on
// the correct thread to enforce that other WeakPtr objects will enforce they
// are used on the desired thread.
#ifndef CEF_INCLUDE_BASE_CEF_WEAK_PTR_H_
#define CEF_INCLUDE_BASE_CEF_WEAK_PTR_H_
#pragma once
#if defined(BASE_MEMORY_WEAK_PTR_H_)
// Do nothing if the Chromium header has already been included.
// This can happen in cases where Chromium code is used directly by the
// client application. When using Chromium code directly always include
// the Chromium header first to avoid type conflicts.
#elif defined(USING_CHROMIUM_INCLUDES)
// When building CEF include the Chromium header directly.
#include "base/memory/weak_ptr.h"
#else // !USING_CHROMIUM_INCLUDES
// The following is substantially similar to the Chromium implementation.
// If the Chromium implementation diverges the below implementation should be
// updated to match.
#include "include/base/cef_basictypes.h"
#include "include/base/cef_logging.h"
#include "include/base/cef_ref_counted.h"
#include "include/base/cef_template_util.h"
#include "include/base/cef_thread_checker.h"
namespace base {
template <typename T>
class SupportsWeakPtr;
template <typename T>
class WeakPtr;
namespace cef_internal {
// These classes are part of the WeakPtr implementation.
// DO NOT USE THESE CLASSES DIRECTLY YOURSELF.
class WeakReference {
public:
// Although Flag is bound to a specific thread, it may be deleted from another
// via base::WeakPtr::~WeakPtr().
class Flag : public RefCountedThreadSafe<Flag> {
public:
Flag();
void Invalidate();
bool IsValid() const;
private:
friend class base::RefCountedThreadSafe<Flag>;
~Flag();
// The current Chromium implementation uses SequenceChecker instead of
// ThreadChecker to support SequencedWorkerPools. CEF does not yet expose
// the concept of SequencedWorkerPools.
ThreadChecker thread_checker_;
bool is_valid_;
};
WeakReference();
explicit WeakReference(const Flag* flag);
~WeakReference();
bool is_valid() const;
private:
scoped_refptr<const Flag> flag_;
};
class WeakReferenceOwner {
public:
WeakReferenceOwner();
~WeakReferenceOwner();
WeakReference GetRef() const;
bool HasRefs() const { return flag_.get() && !flag_->HasOneRef(); }
void Invalidate();
private:
mutable scoped_refptr<WeakReference::Flag> flag_;
};
// This class simplifies the implementation of WeakPtr's type conversion
// constructor by avoiding the need for a public accessor for ref_. A
// WeakPtr<T> cannot access the private members of WeakPtr<U>, so this
// base class gives us a way to access ref_ in a protected fashion.
class WeakPtrBase {
public:
WeakPtrBase();
~WeakPtrBase();
protected:
explicit WeakPtrBase(const WeakReference& ref);
WeakReference ref_;
};
// This class provides a common implementation of common functions that would
// otherwise get instantiated separately for each distinct instantiation of
// SupportsWeakPtr<>.
class SupportsWeakPtrBase {
public:
// A safe static downcast of a WeakPtr<Base> to WeakPtr<Derived>. This
// conversion will only compile if there is exists a Base which inherits
// from SupportsWeakPtr<Base>. See base::AsWeakPtr() below for a helper
// function that makes calling this easier.
template <typename Derived>
static WeakPtr<Derived> StaticAsWeakPtr(Derived* t) {
typedef is_convertible<Derived, cef_internal::SupportsWeakPtrBase&>
convertible;
COMPILE_ASSERT(convertible::value,
AsWeakPtr_argument_inherits_from_SupportsWeakPtr);
return AsWeakPtrImpl<Derived>(t, *t);
}
private:
// This template function uses type inference to find a Base of Derived
// which is an instance of SupportsWeakPtr<Base>. We can then safely
// static_cast the Base* to a Derived*.
template <typename Derived, typename Base>
static WeakPtr<Derived> AsWeakPtrImpl(Derived* t,
const SupportsWeakPtr<Base>&) {
WeakPtr<Base> ptr = t->Base::AsWeakPtr();
return WeakPtr<Derived>(ptr.ref_, static_cast<Derived*>(ptr.ptr_));
}
};
} // namespace cef_internal
template <typename T>
class WeakPtrFactory;
// The WeakPtr class holds a weak reference to |T*|.
//
// This class is designed to be used like a normal pointer. You should always
// null-test an object of this class before using it or invoking a method that
// may result in the underlying object being destroyed.
//
// EXAMPLE:
//
// class Foo { ... };
// WeakPtr<Foo> foo;
// if (foo)
// foo->method();
//
template <typename T>
class WeakPtr : public cef_internal::WeakPtrBase {
public:
WeakPtr() : ptr_(NULL) {}
// Allow conversion from U to T provided U "is a" T. Note that this
// is separate from the (implicit) copy constructor.
template <typename U>
WeakPtr(const WeakPtr<U>& other) : WeakPtrBase(other), ptr_(other.ptr_) {}
T* get() const { return ref_.is_valid() ? ptr_ : NULL; }
T& operator*() const {
CHECK(ref_.is_valid());
return *get();
}
T* operator->() const {
CHECK(ref_.is_valid());
return get();
}
// Allow WeakPtr<element_type> to be used in boolean expressions, but not
// implicitly convertible to a real bool (which is dangerous).
//
// Note that this trick is only safe when the == and != operators
// are declared explicitly, as otherwise "weak_ptr1 == weak_ptr2"
// will compile but do the wrong thing (i.e., convert to Testable
// and then do the comparison).
private:
typedef T* WeakPtr::*Testable;
public:
operator Testable() const { return get() ? &WeakPtr::ptr_ : NULL; }
void reset() {
ref_ = cef_internal::WeakReference();
ptr_ = NULL;
}
private:
// Explicitly declare comparison operators as required by the bool
// trick, but keep them private.
template <class U>
bool operator==(WeakPtr<U> const&) const;
template <class U>
bool operator!=(WeakPtr<U> const&) const;
friend class cef_internal::SupportsWeakPtrBase;
template <typename U>
friend class WeakPtr;
friend class SupportsWeakPtr<T>;
friend class WeakPtrFactory<T>;
WeakPtr(const cef_internal::WeakReference& ref, T* ptr)
: WeakPtrBase(ref), ptr_(ptr) {}
// This pointer is only valid when ref_.is_valid() is true. Otherwise, its
// value is undefined (as opposed to NULL).
T* ptr_;
};
// A class may be composed of a WeakPtrFactory and thereby
// control how it exposes weak pointers to itself. This is helpful if you only
// need weak pointers within the implementation of a class. This class is also
// useful when working with primitive types. For example, you could have a
// WeakPtrFactory<bool> that is used to pass around a weak reference to a bool.
template <class T>
class WeakPtrFactory {
public:
explicit WeakPtrFactory(T* ptr) : ptr_(ptr) {}
~WeakPtrFactory() { ptr_ = NULL; }
WeakPtr<T> GetWeakPtr() {
DCHECK(ptr_);
return WeakPtr<T>(weak_reference_owner_.GetRef(), ptr_);
}
// Call this method to invalidate all existing weak pointers.
void InvalidateWeakPtrs() {
DCHECK(ptr_);
weak_reference_owner_.Invalidate();
}
// Call this method to determine if any weak pointers exist.
bool HasWeakPtrs() const {
DCHECK(ptr_);
return weak_reference_owner_.HasRefs();
}
private:
cef_internal::WeakReferenceOwner weak_reference_owner_;
T* ptr_;
DISALLOW_IMPLICIT_CONSTRUCTORS(WeakPtrFactory);
};
// A class may extend from SupportsWeakPtr to let others take weak pointers to
// it. This avoids the class itself implementing boilerplate to dispense weak
// pointers. However, since SupportsWeakPtr's destructor won't invalidate
// weak pointers to the class until after the derived class' members have been
// destroyed, its use can lead to subtle use-after-destroy issues.
template <class T>
class SupportsWeakPtr : public cef_internal::SupportsWeakPtrBase {
public:
SupportsWeakPtr() {}
WeakPtr<T> AsWeakPtr() {
return WeakPtr<T>(weak_reference_owner_.GetRef(), static_cast<T*>(this));
}
protected:
~SupportsWeakPtr() {}
private:
cef_internal::WeakReferenceOwner weak_reference_owner_;
DISALLOW_COPY_AND_ASSIGN(SupportsWeakPtr);
};
// Helper function that uses type deduction to safely return a WeakPtr<Derived>
// when Derived doesn't directly extend SupportsWeakPtr<Derived>, instead it
// extends a Base that extends SupportsWeakPtr<Base>.
//
// EXAMPLE:
// class Base : public base::SupportsWeakPtr<Producer> {};
// class Derived : public Base {};
//
// Derived derived;
// base::WeakPtr<Derived> ptr = base::AsWeakPtr(&derived);
//
// Note that the following doesn't work (invalid type conversion) since
// Derived::AsWeakPtr() is WeakPtr<Base> SupportsWeakPtr<Base>::AsWeakPtr(),
// and there's no way to safely cast WeakPtr<Base> to WeakPtr<Derived> at
// the caller.
//
// base::WeakPtr<Derived> ptr = derived.AsWeakPtr(); // Fails.
template <typename Derived>
WeakPtr<Derived> AsWeakPtr(Derived* t) {
return cef_internal::SupportsWeakPtrBase::StaticAsWeakPtr<Derived>(t);
}
} // namespace base
#endif // !USING_CHROMIUM_INCLUDES
#endif // CEF_INCLUDE_BASE_CEF_WEAK_PTR_H_