Wrong destructor called

Hello !

I have class in my driver:
kd> dt reg_val_query_control!value_modifier_cpp::modifier_with_rules 0xfffff8063b1cc100 +0x000 __VFN_table : 0xfffff8063b1cb3c8
+0x008 rules : win_kernel_lib::avl_list_facility::avl_list<rule_facility::rule,&value_modifier_cpp::modifier_with_rules::alloc,&value_modifier_cpp::modifier_with_rules::free>
+0x070 rules_guard : win_kernel_lib::locks::eresource

Note that rules at offset 8 is list of elements of type rule.

However, wrong destructor called for rules:
kd> uf reg_val_query_control!value_modifier_cpp::modifier_with_rules::~modifier_with_rules
reg_val_query_control!value_modifier_cpp::modifier_with_rules::~modifier_with_rules:
mov qword ptr[rsp + 8], rcx
sub rsp, 28h
mov rax, qword ptr[rsp + 30h]
add rax, 70h
mov rcx, rax
call reg_val_query_control!win_kernel_lib::locks::eresource::~eresource
mov rax, qword ptr[rsp + 30h]
add rax, 8
mov rcx, rax
call reg_val_query_control!win_kernel_lib::avl_list_facility::avl_list<win_kernel_lib::string_facility::string, &rule_facility::rule::alloc_paged, &rule_facility::rule::free>::~avl_list<win_kernel_lib::string_facility::string, &rule_facility::rule::alloc_paged, &rule_facility::rule::free>
mov rcx, qword ptr[rsp + 30h]
call reg_val_query_control!value_modifier::modifier::~modifier
add rsp, 28h
ret

Note that list destructor called for class string. I have list of strings in this driver, but this is not it. Destructor called for correct object( I checked address in rcx) but destructor itself is not for that object.

Do you have any ideas what am I doing wrong ?
I can post link to sources if need be, just not sure that people interested in figuring out over people’s code for free.

If you’re doing a release build, it’s entirely possible that the destructors for the templates are all the same, so it only had to generate one set of code. Do you have evidence that this isn’t working, or are you just second-guessing the optimizer?

> @Tim_Roberts said: > If you’re doing a release build, it’s entirely possible that the destructors for the templates are all the same, so it only had to generate one set of code. Do you have evidence that this isn’t working, or are you just second-guessing the optimizer? Thank you ! This is debug build. I am having a bsod and my guess is that wrong destructor corrupt the data he doesn’t expect

I guess you’ll have to post the source.

I have found the error.
I have avl list of classes that contain avl list of other classes.
class class1
{
avl_list list_of_class2;
};

I initialize temp variable of type class1 on stack and then insert it (copy) to avl list. However list_of_class2(rtl_balanced_links.parent) already initialized and points to the stack.

Destructor called for correct object( I checked address in rcx) but destructor itself is not for that object.
Do you have any ideas what am I doing wrong ?

Does your “correct” class derive from the “wrong” one, and if it does, does it derive from any other classes? C++ allows us to create the class hierarchies that may have a fairly complex relationships between them, so that you may, probably, be just getting the wrong pointer due to the improper typecast from the derived class to the base one…

Anton Bassov

@anton_bassov said:

Destructor called for correct object( I checked address in rcx) but destructor itself is not for that object.
Do you have any ideas what am I doing wrong ?

Does your “correct” class derive from the “wrong” one, and if it does, does it derive from any other classes? C++ allows us to create the class hierarchies that may have a fairly complex relationships between them, so that you may, probably, be just getting the wrong pointer due to the improper typecast from the derived class to the base one…

Anton Bassov

I already found my mistake. Avl list head was pointing to stack