summaryrefslogtreecommitdiff
path: root/core/fxcrt
diff options
context:
space:
mode:
authorTom Sepez <tsepez@chromium.org>2017-05-26 11:11:15 -0700
committerChromium commit bot <commit-bot@chromium.org>2017-05-26 18:38:56 +0000
commitf677e18c985646c4ae1c5ec36445cdbf6bf78a6a (patch)
tree8faf58842229a4f42a0734f95cedef2c431d7f68 /core/fxcrt
parent741c362fb75fd8acd2ed2059c6e3e716a63a7ac8 (diff)
downloadpdfium-f677e18c985646c4ae1c5ec36445cdbf6bf78a6a.tar.xz
Rename Probe() to ProbeForLowSeverityLifetimeIssue().
Use name that clues in bug triage folks as I'm writing Probe -> severity low in each new bug report. Also add comment from the unlanded chromium-side CL. No functional change. Change-Id: I49399e8450eaecd1369a85ea0212bdd69b1d0824 Reviewed-on: https://pdfium-review.googlesource.com/6070 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fxcrt')
-rw-r--r--core/fxcrt/cfx_unowned_ptr.h34
1 files changed, 29 insertions, 5 deletions
diff --git a/core/fxcrt/cfx_unowned_ptr.h b/core/fxcrt/cfx_unowned_ptr.h
index da1875c7ab..5376781d6a 100644
--- a/core/fxcrt/cfx_unowned_ptr.h
+++ b/core/fxcrt/cfx_unowned_ptr.h
@@ -10,6 +10,30 @@
#include <type_traits>
#include <utility>
+// CFX_UnownedPtr is a smart pointer class that behaves very much like a
+// standard C-style pointer. The advantages of using it over raw
+// pointers are:
+//
+// 1. It documents the nature of the pointer with no need to add a comment
+// explaining that is it // Not owned. Additionally, an attempt to delete
+// an unowned ptr will fail to compile rather than silently succeeding,
+// since it is a class and not a raw pointer.
+//
+// 2. When built for a memory tool like ASAN, the class provides a destructor
+// which checks that the object being pointed to is still alive.
+//
+// Hence, when using UnownedPtr, no dangling pointers are ever permitted,
+// even if they are not de-referenced after becoming dangling. The style of
+// programming required is that the lifetime an object containing an
+// UnownedPtr must be strictly less than the object to which it points.
+//
+// The same checks are also performed at assignment time to prove that the
+// old value was not a dangling pointer, either.
+//
+// The array indexing operation [] is not supported on an unowned ptr,
+// because an unowned ptr expresses a one to one relationship with some
+// other heap object.
+
template <class T>
class CFX_UnownedPtr {
public:
@@ -23,16 +47,16 @@ class CFX_UnownedPtr {
// NOLINTNEXTLINE(runtime/explicit)
CFX_UnownedPtr(std::nullptr_t ptr) {}
- ~CFX_UnownedPtr() { Probe(); }
+ ~CFX_UnownedPtr() { ProbeForLowSeverityLifetimeIssue(); }
CFX_UnownedPtr& operator=(T* that) {
- Probe();
+ ProbeForLowSeverityLifetimeIssue();
m_pObj = that;
return *this;
}
CFX_UnownedPtr& operator=(const CFX_UnownedPtr& that) {
- Probe();
+ ProbeForLowSeverityLifetimeIssue();
if (*this != that)
m_pObj = that.Get();
return *this;
@@ -59,7 +83,7 @@ class CFX_UnownedPtr {
T* Get() const { return m_pObj; }
T* Release() {
- Probe();
+ ProbeForLowSeverityLifetimeIssue();
T* pTemp = nullptr;
std::swap(pTemp, m_pObj);
return pTemp;
@@ -70,7 +94,7 @@ class CFX_UnownedPtr {
T* operator->() const { return m_pObj; }
private:
- inline void Probe() {
+ inline void ProbeForLowSeverityLifetimeIssue() {
#if defined(MEMORY_TOOL_REPLACES_ALLOCATOR)
if (m_pObj)
reinterpret_cast<const volatile uint8_t*>(m_pObj)[0];