The OutputStream race-condition bug; discovered but not yet solved

I think I was incorrect in my analysis of the problem (as I said, multithreaded programming is not something I have lots of experience with). The problem _may be_ that multiple threads can have an OutputStream*, but not all threads have necessarily wrapped that OutputStream* in a ref-counted OutputStreamPtr.

Using the sample program that I provided, I put a breakpoint in device.cpp, at the entry point to the AbstractDevice::fireStopEvent function. This function's signature is:

void AbstractDevice::fireStopEvent(OutputStream* stream, StopEvent::Reason reason);

After I call OutputStream::stop() on my OutputStream in my program, this breakpoint gets hit twice for the same OutputStream. It gets hit once in the main thread, as a direct result of the call to OutputStream::stop(). The callstack is:

>    audiere.dll!audiere::AbstractDevice::fireStopEvent(audiere::OutputStream * stream=0x01337f38, audiere::StopEvent::Reason reason=STOP_CALLED)  Line 81    C++
     audiere.dll!audiere::DSOutputBuffer::stop ()  Line 69    C++
     audieretest.exe!main(int argc=1, char * * argv=0x00b137d8)  Line 18 + 0x22    C++
     audieretest.exe!mainCRTStartup()  Line 259 + 0x19    C


 It happens again (for the same OutputStream) in a separate audiere-spawned thread. The callstack is:

     >    audiere.dll!audiere::AbstractDevice::fireStopEvent(audiere::OutputStream * stream=0x01337f38, audiere::StopEvent::Reason reason=STREAM_ENDED)  Line 81    C++
     audiere.dll!audiere::DSOutputBuffer::update ()  Line 175    C++
     audiere.dll!audiere::DSAudioDevice::update()  Line 172    C++
     audiere.dll!audiere::ThreadedDevice::run()  Line 332 + 0x25    C++
     audiere.dll!audiere::ThreadedDevice::threadRoutine (void * arg=0x00b061f0)  Line 347    C++
     audiere.dll!audiere::InternalThreadRoutine(void * opaque=0x00b063f8)  Line 76 + 0xe    C++
     audiere.dll!_threadstartex(void * ptd=0x00b06568)  Line 241 + 0xd    C

(Notice that the address of the OutputStream* is the same for both calls).

In the main thread, I unref the OutputStream immediately after calling stop by assigning a new value to its OutputStreamPtr (for reference, here's the code again):

if(NULL != outputStream)
 {
     outputStream->stop();
}
outputStream = audiere::OpenSound(device, kSoundName);

So, immediately after calling stop(), fireStopEvent() is called on the main thread. Some time later, the following two things happen: the OutputStream is unref()'d in the main thread, and fireStopEvent() is called in another thread. When the OutputStream is unref()'d in the main thread, its refcount is decremented from 1 to 0, and it is therefore disposed of. This can occur before fireStopEvent() is called in the other thread, and thus cause crashes.

This other thread is iterating a list of DSOutputBuffer*'s (DSOutputBuffer is a particular implementation OutputStream, and happens to be the implementation that is created by my test program via audiere::OpenSound() -- presumably because my sounds are being buffered to memory instead of streamed from disk) called m_open_buffers (from device_ds.cpp):

BufferList::iterator j = m_open_buffers.begin();
      while (j != m_open_buffers.end()) {
        DSOutputBuffer* b = *j++;
        b->update();
}

The DSOutputBuffer*'s in m_open_buffers aren't ref()'d -- as far as I can tell -- when they are originally inserted into the list. So when the audiere thread is iterating the m_open_buffers, it may be iterating buffers that are in the process of being disposed after having their refcounts reduced to 0 (though it appears that the buffers can't be completely disposed while they're being iterated, because DSOutputBuffer's destructor removes itself from the m_open_buffers list, and the removeBuffer() function is synchronized).