[Rd] Custom C finalizers for .Call

[Simon Urbanek]

Jeroen,

I agree that it may be useful to have some kind of "finally"-like infrastructure. However, in the use cases you list there are already ways to do that - the same way that R_alloc uses. First, you don't need to call UNPROTECT - the whole point is that the protection stack is automatically popped in case of an abnormal termination. That is precisely how memory leaks are prevented - as long as you play by the rules it will be released for you. The check for UNPROTECTs at the end of .Call is explicitly there so catch bugs in *normal* termination. So no memory leaks there.

The real case where users may create leaks is if you allocate memory that you don't tell R about. As long as you associate a finalizer with any non-R memory you allocate, there will be no memory leaks -that is how you are supposed to write R packages with external allocations. So the only difference to your example is that you don't register a finalizer with the *function* but rather with the *allocation* you make. That also seems IMHO less error prone.

So to take your example, the way would typically write that code safely is something like

typedef struct {
  xmlNodePtr *node;
 EVP_PKEY_CTX *ctx;
} my_context_t;

// define how to dispose of all things you care about correctly
static void context_fin(SEXP what) {
    my_context_t *c = (my_context_t*) EXTPTR_PTR(what);
    if (!c) return;
    if (c->ctx) EVP_PKEY_CTX_free(c->ctx);
    if (c->node) xmlFreeNode(c->node);
}

[...]
// allocate the context and tell R to manage its protection and finalization
// (you could write a macro to make this one-liner)
my_context_t* c = (my_context_t*) R_Calloc(1, my_context_t);
SEXP res = PROTECT(R_MakeExternalPtr(c, R_NilValue, R_NilValue));
R_RegisterCFinalizer(res, context_fin);

// do all work here ... you safely abort at any point without memory leaks
c->node =  xmlNewNode(...);
c->ctx = EVP_PKEY_CTX_new(...);
[...]

The point of using a finalizer is that no matter what happens the memory is always released. The structure with all allocations is protected until you unprotect it or there is any interrupt/error. Since all regular R rules apply, you can also assign it someplace to make the protection dependent on any other object you care about. This is often useful because you don't need to PROTECT things left and right, but instead you can just have one object that holds references to random things you care about.

Of course, you could write a wrapper for the above with some syntactic sugar to achieve the same - essentially limiting the finalizer to be just a function call on the reference that you create. It may be a bit of overkill since you may end up creating objects for every allocation, but certainly doable. I would argue that in most cases you already tend to have a structure for the things you allocate so the "normal" approach is typically more clear and readable than inlining calls with side-effects, but that may be a matter of taste.

Cheers,
Simon


On Nov 23, 2015, at 6:10 PM, Jeroen Ooms <jeroen.ooms at stat.ucla.edu> wrote:

> WRE explains that R_alloc() can be used to allocate memory which
> automatically gets released by R at the end of a .C, .Call or
> .External, even in the case of an error or interruption. This is a
> really great feature to prevent memory leaks. I was wondering if there
> is a way to extend this mechanism to allow for automatically running
> UNPROTECT and custom finalizers at the end of a .Call as well.
> 
> Currently it is all to easy for package authors to introduce a memory
> leak or stack imbalance by calling Rf_error() or
> R_CheckUserInterrupt() in a way that skips over the usual cleanup
> steps. This holds especially for packages interfacing C libraries
> (libcurl, libxml2, openssl, etc) which require xx_new() and xx_free()
> functions to allocate/free various types of objects, handles and
> contexts. Therefore we cannot use R_alloc() and we need to manually
> clean up when returning, which is tricky for irregular exits.
> 
> Moreover package authors might benefit from an alternative of
> allocVector() which automatically protects the SEXP until the .Call is
> done. Perhaps I don't fully appreciate the complexity of the garbage
> collector, but one could imagine a variant of PROTECT() which
> automatically keeps a counter 'n' for the number of allocated objects
> and makes R run UNPROTECT(n) when .Call exists, along with releasing
> the R_alloc() memory. Yes, there are cases where it is useful to have
> manual control over what can be collected earlier during the .Call
> procedure, but these are rare. A lot of C code in packages might
> become safer and cleaner if authors would have an option to let this
> be automated.
> 
> The most general feature would a hook for adding custom C functions to
> the .Call exit, similar to on.exit() in R:
> 
>  xmlNodePtr *node =  xmlNewNode(...);
>  Rf_on_exit(xmlFreeNode, node);
>  EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(...);
>  Rf_on_exit(EVP_PKEY_CTX_free, ctx);
>  SEXP out = PROTECT(allocVector(...));
>  Rf_on_exit(UNPROTECT, 1);
> 
> I don't know R's internals well enough to estimate if something like
> this would be possible. I did put together a simple C example of a
> linked list with object pointers and their corresponding free
> functions, which can easily be free'd with a single call:
> http://git.io/vBqRA . So basically what is mostly missing at this
> point is a way to trigger this at the end of the .Call in a way that
> works for regular returns, errors and interruptions...
> 
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>