[libcamera-devel] [PATCH 1/4] Documentation: coding_style: Add object ownership rules

Laurent Pinchart laurent.pinchart at ideasonboard.com
Fri Jan 18 00:59:13 CET 2019 

Object ownership is a complex topic that can lead to many issues, from
memory leak to crashes. Document the rules that libcamera enforces to
make object ownership tracking explicit.

This is a first version of the rules and is expected to be expanded as
the library is developed.

Signed-off-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
---
 Documentation/coding-style.rst | 62 ++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/Documentation/coding-style.rst b/Documentation/coding-style.rst
index f8d2fdfeda8e..f77325239bfa 100644
--- a/Documentation/coding-style.rst
+++ b/Documentation/coding-style.rst
@@ -81,6 +81,68 @@ C++-11-specific features:
   overused.
 * Variadic class and function templates
 
+Object Ownership
+~~~~~~~~~~~~~~~~
+
+libcamera creates and destroys many objects at runtime, for both objects
+internal to the library and objects exposed to the user. To guarantee proper
+operation without use after free, double free or memory leaks, knowing who owns
+each object at any time is crucial. The project has enacted a set of rules to
+make object ownership tracking as explicit and fool-proof as possible.
+
+In the context of this section, the terms object and instance are used
+interchangeably and both refer to an instance of a class. The term reference
+refers to both C++ references and C++ pointers in their capacity to refer to an
+object. Passing a reference means offering a way to a callee to obtain a
+reference to an object that the caller has a valid reference to. Borrowing a
+reference means using a reference passed by a caller without ownership transfer
+based on the assumption that the caller guarantees the validate of the
+reference for the duration of the operation that borrows the reference.
+
+#. Single Owner Objects
+
+   * By default an object has a single owner at any time.
+   * References to a single owner object can be borrowed by passing them from
+     the owner to the borrower, providing that
+
+     * the owner guarantees the validity of the reference for the whole duration
+       of borrowing, and
+     * the borrower doesn't access the reference after the end of the borrowing.
+
+     When borrowing from caller to callee for the duration of a function call,
+     this implies that the callee shall not keep any stored reference after it
+     returns. These rules applies to the callee and all the functions it calls,
+     directly or indirectly.
+   * When the object doesn't need to be modified and may not be null, borrowed
+     references are passed as 'const &'.
+   * When the object may be modified or can be null, borrowed references are
+     passed as pointers. Unless otherwise specified, pointers passed to
+     functions are considered as borrowed references valid for the duration of
+     the function only.
+   * Single ownership is emphasized as much as possible by storing the unique
+     reference as a std::unique_ptr<>.
+   * Ownership is transfered by passing the reference as a std::unique_ptr<>.
+
+#. Shared Objects
+
+   * Objects that may have multiple owners at a given time are called shared
+     objects. They are reference-counted and live as long as any references to
+     the object exist.
+   * Shared objects are created with std::make_shared<> or
+     std::allocate_shared<> an stored in an std::shared_ptr<>.
+   * Borrowed references to shared objects are passed with the same rules as for
+     single owner objects.
+   * Ownership is shared by creating and passing copies of any valid
+     std::shared_ptr<> reference. Ownership is released by destroying the
+     corresponding std::shared_ptr<>.
+
+.. attention:: Long term borrowing of single owner objects is allowed. Example
+   use cases are implementation of the singleton pattern (where the singleton
+   guarantees the validity of the reference forever), or returning references
+   to global objects whose lifetime matches the lifetime of the application. As
+   long term borrowing isn't marked through language constructs, it shall be
+   documented explicitly in details in the API.
+
 
 Tools
 -----
-- 
Regards,

Laurent Pinchart

More information about the libcamera-devel mailing list