Re: [sigc] Strange crashes in sigc::trackable on Mac OS X

From: Michael Ekstrand <mekstran scl ameslab gov>
To: "Murray Cumming" <murrayc murrayc com>
Cc: libsigc-list gnome org
Subject: Re: [sigc] Strange crashes in sigc::trackable on Mac OS X
Date: Fri, 21 Jul 2006 09:04:31 -0500

On Jul 21, 2006, at 1:11 AM, Murray Cumming wrote:

[snip]

What was happening:  a slot was being destroyed twice.
slot_rep::disconnect() was being invoked on an already-deallocated
slot object.

[snip]

This suggests that one of your own objects (which owned a slot) isbeing

destroyed twice. Again, valgrind can help with this kind of thing.

OK, I'll give Valgrind a shot sometime here (or at least look in todmalloc's facilities for investigating such problems). I've runValgrind on it before, but haven't been able to make much sense ofthe output. Didn't look at it for very long though. So far dmallocseems to make much more sense to me than valgrind.

However, in my previous e-mail, I did lay out what it seemed to mewas happening in the code from my investigation with dmalloc and GDB- a signal being destroyed during a nofity callback of one of itsslots. And if one of my own objects was being destroyed twice,dmalloc should have made it blow up earlier than this.

I since have done a more thorough investigation of (and more thinkingon) the code paths involved, including digging around in the libsigc++ sources for a while this morning, and suspicions seem to beconfirmed (and clarified - I had some details wrong) - it does infact seem that the slot is being disconnected from both ends in aproblematic manner. In slot_rep::notify, the following sequencehappens:


 * Clear call (invalidate slot)
 * Destroy slot
 * Disconnect slot (noted that it might lead to the deletion of self_)

Now, the destroy call, it seems, destroys the functor. In this case,the functor is a sigc::bind instance maintaining a reference - thelast reference - to the object containing the signal to which thisslot is connected. So destroying the functor releases thereferences, which deletes the object, which deletes signal, and thesignal deletes its list of slots. Our slot is in that list, and thusgets deleted. The signal is thus already deleted before it gets tothe disconnect() call. So in slot_rep::disconnect(), we see data,but the object has been deleted (a fact made evident by dmalloc'sfree blanking).

My previous email said the slot was being destroyed twice - I nowbelieve that is incorrect; it is merely being deleted in the destroy() call in slot_rep::notify, and notify doesn't expect this.

I've tried to duplicate this scenario in a simple test case, but thusfar to no avail.

The question in my mind, though: Is it a problem in my applicationthat I'm even allowing such a scenario to exist (where the signal isdeleted during the slot's destroy() call), or should libsigc++ dealgracefully with this and my problem is therefore a bug in libsigc++?


- Michael

Follow-Ups:
- Re: [sigc] Strange crashes in sigc::trackable on Mac OS X
  - From: Michael Ekstrand

References:
- Re: [sigc] Strange crashes in sigc::trackable on Mac OS X
  - From: Michael Ekstrand
- Re: [sigc] Strange crashes in sigc::trackable on Mac OS X
  - From: Michael Ekstrand
- Re: [sigc] Strange crashes in sigc::trackable on Mac OS X
  - From: Murray Cumming

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]