Bug 2664

Summary: Connection Handler Reference Counting
Product: TAO
Reporter: Iliyan Jeliazkov <jeliazkov_i>
Component: ORB
Assignee: DOC Center Support List (internal) <tao-support>
Status: NEW
Resolution: ---
Severity: minor
Priority: P4
Version: 1.5.2
Hardware: All
OS: All

Description Iliyan Jeliazkov 2006-09-29 09:28:55 CDT
This was born out of a regression on the test for bug 2074, caused by the fact
that the recent addition of a call to reset_state () does not account for a
corner case where the CH's reference count may be 1.

In the code below, when the connection handler's reference count gets
to 1, close() will cause "delete this" and reset_state() will write to
deallocated memory (line 343, IIOP_Connection_Handler.cpp, TAO 1.5.2-HEAD):

 335 int
 336 TAO_IIOP_Connection_Handler::handle_timeout (const ACE_Time_Value &,
 337                                              const void *)
 338 {
 339   // We don't use this upcall for I/O.  This is only used by the
 340   // Connector to indicate that the connection timedout.  Therefore,
 341   // we should call close().
 342   int const ret = this->close ();
 343   this->reset_state (TAO_LF_Event::LFS_TIMEOUT);
 344   return ret;
 345 }

Perhaps this hints at a problem with the CH's reference counting, which is
perhaps more general than this. There are many places where the reference
count is manipulated up or down without using the
resource-acquisition-is-initialization idiom (aka "smart pointer"
...). This can often lead to serious trouble down the road and perhaps
is causing this regression. Thus defined, however, the problem is
bigger than my understanding of how this stuff works...
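The hazard the report describes, reduced to a self-contained C++ model (added here for illustration; this is not TAO's code and the class, function and enum names below are assumptions). A handler carries an intrusive reference count and close() drops the one reference the reactor held, so when the count is already 1, close() ends in "delete this". The unguarded upcall then touches the freed object, exactly as handle_timeout() does at line 343 above. The guarded variant shows the RAII fix the report hints at: hold one extra reference for the duration of the upcall so the object cannot die until the guard goes out of scope. To keep the demonstration well-defined, reset_state() is written as a static function that first consults a registry of live handler addresses (a stand-in for what AddressSanitizer would flag) and reports failure instead of dereferencing a dangling pointer.

```cpp
#include <cstdint>
#include <iostream>
#include <set>

// Hypothetical leader/follower event states, modeled on TAO_LF_Event::LFS_*.
enum LF_State { LFS_IDLE, LFS_TIMEOUT, LFS_CLOSED };

// Addresses of handlers that have been constructed and not yet deleted.
// Stands in for a sanitizer's view of the heap; not a real-world mechanism.
static std::set<std::uintptr_t> g_live_handlers;

class Handler {
public:
    Handler() : refcount_(1), state_(LFS_IDLE) { g_live_handlers.insert(addr()); }
    ~Handler() { g_live_handlers.erase(addr()); }

    void add_reference() { ++refcount_; }
    // Drops one reference; the last one deletes the object ("delete this").
    void remove_reference() { if (--refcount_ == 0) delete this; }
    long refcount() const { return refcount_; }

    // Mirrors the report: close() releases the reactor's reference, so with
    // refcount 1 the object is gone when close() returns.
    int close() { state_ = LFS_CLOSED; remove_reference(); return 0; }

    // Liveness-checked reset_state(): returns false instead of writing to a
    // freed object, so the use-after-free becomes an observable result.
    static bool reset_state(Handler* h, LF_State s) {
        if (g_live_handlers.count(reinterpret_cast<std::uintptr_t>(h)) == 0)
            return false;   // h was deleted: this is the bug from the report
        h->state_ = s;
        return true;
    }

private:
    std::uintptr_t addr() const { return reinterpret_cast<std::uintptr_t>(this); }
    long refcount_;
    LF_State state_;
};

// RAII guard: pins the handler for the enclosing scope. Copying is disabled
// so the reference it holds is released exactly once.
class Ref_Guard {
public:
    explicit Ref_Guard(Handler* h) : h_(h) { h_->add_reference(); }
    ~Ref_Guard() { h_->remove_reference(); }
    Ref_Guard(const Ref_Guard&) = delete;
    Ref_Guard& operator=(const Ref_Guard&) = delete;
private:
    Handler* h_;
};

// The pattern at line 343: close() first, then reset_state() on the same
// object. Works only while someone else still holds a reference.
bool handle_timeout_unguarded(Handler* h) {
    h->close();                                // may run "delete this"
    return Handler::reset_state(h, LFS_TIMEOUT); // false if h was freed
}

// The fix: keep one reference alive across the whole upcall. The guard's
// destructor performs the final release after the last use of h.
bool handle_timeout_guarded(Handler* h) {
    Ref_Guard keep_alive(h);                   // refcount 1 -> 2
    h->close();                                // 2 -> 1, object survives
    bool ok = Handler::reset_state(h, LFS_TIMEOUT); // still live: true
    return ok;                                 // guard: 1 -> 0, delete here
}

std::size_t live_handlers() { return g_live_handlers.size(); }

int main() {
    Handler* a = new Handler();
    std::cout << "unguarded, refcount 1: "
              << (handle_timeout_unguarded(a) ? "ok" : "use-after-free") << '\n';
    Handler* b = new Handler();
    std::cout << "guarded, refcount 1: "
              << (handle_timeout_guarded(b) ? "ok" : "use-after-free") << '\n';
    return 0;
}
```

The third scenario in the test below is the reason the defect only shows up as a corner case: when another holder still owns a reference, the unguarded order is harmless, so a test suite that never lets the count reach 1 on the timeout path will not notice the problem.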