From afee6786959b0f104b0068f2ab7269dbf9bbd115 Mon Sep 17 00:00:00 2001 From: Alex Ionescu Date: Wed, 14 Jun 2006 04:02:02 +0000 Subject: [PATCH] - Fix some referencing/bugs in Ob functions that I wrote which were known fixmes. - Remove every instance of ObDereferenceObject after an ObInsertObject that I could find. This temporarily will make the object leaks even worse, but it's better to increase leaks and then fix the ref bug, then to decrease references while missing spots that forgot to reference them (you'd end up with hard to debug randomly dying objects). svn path=/trunk/; revision=22345 --- reactos/ntoskrnl/cm/ntfunc.c | 2 +- reactos/ntoskrnl/ex/event.c | 1 - reactos/ntoskrnl/ex/evtpair.c | 1 - reactos/ntoskrnl/ex/mutant.c | 1 - reactos/ntoskrnl/ex/sem.c | 1 - reactos/ntoskrnl/io/device.c | 1 - reactos/ntoskrnl/io/iocomp.c | 1 - reactos/ntoskrnl/lpc/connect.c | 2 +- reactos/ntoskrnl/lpc/create.c | 2 -- reactos/ntoskrnl/mm/section.c | 1 - reactos/ntoskrnl/ob/obdir.c | 3 --- reactos/ntoskrnl/ob/obhandle.c | 36 ++++------------------------------ reactos/ntoskrnl/ob/obname.c | 13 +++++++++--- reactos/ntoskrnl/ob/obref.c | 15 +++++--------- reactos/ntoskrnl/ob/symlink.c | 3 --- reactos/ntoskrnl/ps/thread.c | 1 - reactos/ntoskrnl/se/token.c | 5 ----- 17 files changed, 21 insertions(+), 68 deletions(-) diff --git a/reactos/ntoskrnl/cm/ntfunc.c b/reactos/ntoskrnl/cm/ntfunc.c index d100328bd1a..1e40c645277 100644 --- a/reactos/ntoskrnl/cm/ntfunc.c +++ b/reactos/ntoskrnl/cm/ntfunc.c @@ -573,7 +573,7 @@ Cleanup: } if (ObjectName.Buffer) ObpReleaseCapturedName(&ObjectName); if (FreeRemainingPath) RtlFreeUnicodeString(&RemainingPath); - if (Object != NULL) ObDereferenceObject(Object); + //if (Object != NULL) ObDereferenceObject(Object); return Status; } diff --git a/reactos/ntoskrnl/ex/event.c b/reactos/ntoskrnl/ex/event.c index dffb13fc045..9c423ea493d 100644 --- a/reactos/ntoskrnl/ex/event.c +++ b/reactos/ntoskrnl/ex/event.c 
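Review bot: The commented-out `//if (Object != NULL) ObDereferenceObject(Object);` under `Cleanup:` in cm/ntfunc.c is left as dead code with no explanation. A cleanup label like this is normally shared by the error exits, so a reference held on `Object` when a failure jumps here is presumably no longer released. If the line is kept as a marker for the pending reference fix, replace it with a comment such as `/* FIXME: dereference disabled until ObInsertObject reference accounting is fixed */`; otherwise delete it. The same applies to `//ObDereferenceObject(OurPort);` in the lpc/connect.c hunk. The function body starts outside the hunk, so which exits reach `Cleanup:` with a live reference has to be checked against the full file.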
@@ -151,7 +151,6 @@ NtCreateEvent(OUT PHANDLE EventHandle, 0, NULL, &hEvent); - ObDereferenceObject(Event); /* Check for success */ if(NT_SUCCESS(Status)) diff --git a/reactos/ntoskrnl/ex/evtpair.c b/reactos/ntoskrnl/ex/evtpair.c index ddffa8ec4df..b7dab929c56 100644 --- a/reactos/ntoskrnl/ex/evtpair.c +++ b/reactos/ntoskrnl/ex/evtpair.c @@ -110,7 +110,6 @@ NtCreateEventPair(OUT PHANDLE EventPairHandle, 0, NULL, &hEventPair); - ObDereferenceObject(EventPair); /* Check for success and return handle */ if(NT_SUCCESS(Status)) diff --git a/reactos/ntoskrnl/ex/mutant.c b/reactos/ntoskrnl/ex/mutant.c index ceb2cfc2d56..13fc099cab6 100644 --- a/reactos/ntoskrnl/ex/mutant.c +++ b/reactos/ntoskrnl/ex/mutant.c @@ -133,7 +133,6 @@ NtCreateMutant(OUT PHANDLE MutantHandle, 0, NULL, &hMutant); - ObDereferenceObject(Mutant); /* Check for success */ if(NT_SUCCESS(Status)) diff --git a/reactos/ntoskrnl/ex/sem.c b/reactos/ntoskrnl/ex/sem.c index 0719c255a8e..295fed18663 100644 --- a/reactos/ntoskrnl/ex/sem.c +++ b/reactos/ntoskrnl/ex/sem.c @@ -129,7 +129,6 @@ NtCreateSemaphore(OUT PHANDLE SemaphoreHandle, 0, NULL, &hSemaphore); - ObDereferenceObject(Semaphore); /* Check for success */ if(NT_SUCCESS(Status)) diff --git a/reactos/ntoskrnl/io/device.c b/reactos/ntoskrnl/io/device.c index 6de7723a6fc..5574c063180 100644 --- a/reactos/ntoskrnl/io/device.c +++ b/reactos/ntoskrnl/io/device.c @@ -583,7 +583,6 @@ IoCreateDevice(PDRIVER_OBJECT DriverObject, CreatedDeviceObject->DriverObject = DriverObject; CreatedDeviceObject->NextDevice = DriverObject->DeviceObject; DriverObject->DeviceObject = CreatedDeviceObject; - NtClose(TempHandle); /* Return to caller */ diff --git a/reactos/ntoskrnl/io/iocomp.c b/reactos/ntoskrnl/io/iocomp.c index e069c21bb9a..446ba0b7fea 100644 --- a/reactos/ntoskrnl/io/iocomp.c +++ b/reactos/ntoskrnl/io/iocomp.c 
@@ -273,7 +273,6 @@ NtCreateIoCompletion(OUT PHANDLE IoCompletionHandle, 0, NULL, &hIoCompletionHandle); - ObDereferenceObject(Queue); if (NT_SUCCESS(Status)) { diff --git a/reactos/ntoskrnl/lpc/connect.c b/reactos/ntoskrnl/lpc/connect.c index 2b828077bdc..3b5c9c3b42c 100644 --- a/reactos/ntoskrnl/lpc/connect.c +++ b/reactos/ntoskrnl/lpc/connect.c @@ -878,7 +878,7 @@ NtAcceptConnectPort (PHANDLE ServerPortHandle, ExFreePool(ConnectionRequest); ExFreePool(CReply); - ObDereferenceObject(OurPort); + //ObDereferenceObject(OurPort); ObDereferenceObject(NamedPort); return (STATUS_SUCCESS); diff --git a/reactos/ntoskrnl/lpc/create.c b/reactos/ntoskrnl/lpc/create.c index 55c8645f979..190693197b1 100644 --- a/reactos/ntoskrnl/lpc/create.c +++ b/reactos/ntoskrnl/lpc/create.c @@ -132,8 +132,6 @@ NtCreatePort (PHANDLE PortHandle, Port->MaxDataLength = LPC_MAX_MESSAGE_LENGTH; Port->MaxPoolUsage = MaxPoolUsage; - ObDereferenceObject (Port); - return (Status); } diff --git a/reactos/ntoskrnl/mm/section.c b/reactos/ntoskrnl/mm/section.c index 6a2bf11e73a..7d75f5c1474 100644 --- a/reactos/ntoskrnl/mm/section.c +++ b/reactos/ntoskrnl/mm/section.c @@ -3408,7 +3408,6 @@ NtCreateSection (OUT PHANDLE SectionHandle, 0, NULL, SectionHandle); - ObDereferenceObject(SectionObject); } return Status; diff --git a/reactos/ntoskrnl/ob/obdir.c b/reactos/ntoskrnl/ob/obdir.c index 0612874567f..6e394c4e436 100644 --- a/reactos/ntoskrnl/ob/obdir.c +++ b/reactos/ntoskrnl/ob/obdir.c @@ -553,9 +553,6 @@ NtCreateDirectoryObject(OUT PHANDLE DirectoryHandle, } _SEH_END; } - - /* ReactOS HACK: ObInsertObject double-references */ - ObDereferenceObject(Directory); } /* Return status to caller */ diff --git a/reactos/ntoskrnl/ob/obhandle.c b/reactos/ntoskrnl/ob/obhandle.c index e9aff3f7c91..9f3d334675c 100644 --- a/reactos/ntoskrnl/ob/obhandle.c +++ b/reactos/ntoskrnl/ob/obhandle.c 
@@ -345,19 +345,7 @@ ObpIncrementHandleCount(IN PVOID Object, } /* Increase the handle count */ - if(InterlockedIncrement(&ObjectHeader->HandleCount) == 1) - { - /* - * FIXME: Is really needed? Perhaps we should instead take - * advantage of the AddtionalReferences parameter to add the - * bias when required. This might be the source of the mysterious - * ReactOS bug where ObInsertObject *requires* an immediate dereference - * even in a success case. - * Will have to think more about this when doing the Increment/Create - * split later. - */ - ObReferenceObject(Object); - } + InterlockedIncrement(&ObjectHeader->HandleCount); /* FIXME: Use the Handle Database */ ProcessHandleCount = 0; @@ -457,19 +445,7 @@ ObpIncrementUnnamedHandleCount(IN PVOID Object, } /* Increase the handle count */ - if(InterlockedIncrement(&ObjectHeader->HandleCount) == 1) - { - /* - * FIXME: Is really needed? Perhaps we should instead take - * advantage of the AddtionalReferences parameter to add the - * bias when required. This might be the source of the mysterious - * ReactOS bug where ObInsertObject *requires* an immediate dereference - * even in a success case. - * Will have to think more about this when doing the Increment/Create - * split later. - */ - ObReferenceObject(Object); - } + InterlockedIncrement(&ObjectHeader->HandleCount); /* FIXME: Use the Handle Database */ ProcessHandleCount = 0; @@ -1531,11 +1507,9 @@ ObOpenObjectByName(IN POBJECT_ATTRIBUTES ObjectAttributes, AccessMode, NULL, Handle); + if (!NT_SUCCESS(Status)) ObDereferenceObject(Object); Cleanup: - /* Dereference the object */ - if (Object) ObDereferenceObject(Object); - /* Delete the access state */ if (PassedAccessState == &AccessState) { @@ -1635,6 +1609,7 @@ ObOpenObjectByPointer(IN PVOID Object, AccessMode, NULL, Handle); + if (!NT_SUCCESS(Status)) ObDereferenceObject(Object); /* Delete the access state */ if (PassedAccessState == &AccessState) 
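Review bot: With the first-handle `ObReferenceObject(Object)` removed from ObpIncrementHandleCount (and identically from ObpIncrementUnnamedHandleCount in the next hunk), a handle no longer carries its own pointer reference. The matching handle-close path must therefore stop releasing one, or the object can be freed while pointers to it are still in use. That decrement code is not part of this diff, so please confirm it was updated together with this change. If the intended rule is that the handle lives on its creator's reference, record it at the increment, e.g. `/* No pointer reference is taken here; the handle relies on the reference held by its creator */`.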
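Review bot: In ObOpenObjectByName the dereference now runs only when handle creation fails, and the guarded `if (Object) ObDereferenceObject(Object);` under `Cleanup:` is gone, so any earlier `goto Cleanup` taken after the lookup has returned a referenced object would never release it. Those jumps are outside the hunk and need checking against the full function. One way to keep a single release point is `if (NT_SUCCESS(Status)) Object = NULL;` after the handle is created, with the original guarded dereference left under `Cleanup:`. The one-line `if` added to ObOpenObjectByPointer has the same shape and is balanced only if that function takes its own reference before creating the handle, which the hunk does not show.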
@@ -1642,9 +1617,6 @@ ObOpenObjectByPointer(IN PVOID Object, SeDeleteAccessState(PassedAccessState); } - /* ROS Hack: Dereference the object and return */ - ObDereferenceObject(Object); - /* Return */ OBTRACE(OB_HANDLE_DEBUG, "%s - returning Object with PC S: %lx %lx\n", diff --git a/reactos/ntoskrnl/ob/obname.c b/reactos/ntoskrnl/ob/obname.c index d8afeccfd32..59c3c93636e 100644 --- a/reactos/ntoskrnl/ob/obname.c +++ b/reactos/ntoskrnl/ob/obname.c @@ -45,6 +45,7 @@ ObpDeleteNameCheck(IN PVOID Object) OBP_LOOKUP_CONTEXT Context; POBJECT_HEADER_NAME_INFO ObjectNameInfo; POBJECT_TYPE ObjectType; + PVOID Directory = NULL; /* Get object structures */ ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object); @@ -68,7 +69,7 @@ ObpDeleteNameCheck(IN PVOID Object) 0, FALSE, &Context); - if (Object) + if ((Object) && !(ObjectHeader->HandleCount)) { /* First delete it from the directory */ ObpDeleteEntryDirectory(&Context); @@ -94,10 +95,16 @@ ObpDeleteNameCheck(IN PVOID Object) RtlInitEmptyUnicodeString(&ObjectNameInfo->Name, NULL, 0); /* Clear the current directory and de-reference it */ - ObDereferenceObject(ObjectNameInfo->Directory); - ObDereferenceObject(Object); + Directory = ObjectNameInfo->Directory; ObjectNameInfo->Directory = NULL; } + + /* Check if we were inserted in a directory */ + if (Directory) + { + ObDereferenceObject(Directory); + ObDereferenceObject(Object); + } } } diff --git a/reactos/ntoskrnl/ob/obref.c b/reactos/ntoskrnl/ob/obref.c index 1589c14d24c..0621ea2e57d 100644 --- a/reactos/ntoskrnl/ob/obref.c +++ b/reactos/ntoskrnl/ob/obref.c @@ -113,6 +113,7 @@ ObfDereferenceObject(IN PVOID Object) Header->NextToFree); /* Queue the work item */ + KeBugCheck(0); ExQueueWorkItem(&ObpReaperWorkItem, DelayedWorkQueue); } } @@ -193,6 +194,7 @@ ObReferenceObjectByName(PUNICODE_STRING ObjectPath, } /* Find the object */ + *ObjectPtr = NULL; Status = ObFindObject(NULL, &ObjectName, Attributes, 
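Review bot: The new `!(ObjectHeader->HandleCount)` test in ObpDeleteNameCheck is a plain read made just before `ObpDeleteEntryDirectory(&Context)`, and nothing visible in the hunk holds a lock across the two, while the obhandle.c hunks raise the same counter with `InterlockedIncrement`. If a handle can be opened in between, the name is removed from under an object that is in use again. The function continues outside the hunk, so a directory lock may already cover this. If it does, say so next to the check, e.g. `/* HandleCount cannot change here: directory lock held */`; if not, the check and the delete need to happen under one lock.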
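Review bot: `KeBugCheck(0);` placed in front of `ExQueueWorkItem(&ObpReaperWorkItem, DelayedWorkQueue);` halts the whole system the first time ObfDereferenceObject takes the deferred-deletion path, and the queueing call after it can never run. It looks like a debugging trap that was committed by accident, and bug check code 0 tells whoever reads the crash nothing. Either drop the line or, if this path is meant to be unsupported for now, make that explicit with `ASSERT(FALSE); /* deferred delete not expected until reference counting is fixed */`. The enclosing function starts outside the hunk, so the condition that leads here is not visible.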
@@ -204,19 +206,12 @@ ObReferenceObjectByName(PUNICODE_STRING ObjectPath, NULL, ParseContext, NULL); - if (!NT_SUCCESS(Status)) goto Quickie; - - /* ROS Hack */ - if (Object == NULL) + if (NT_SUCCESS(Status)) { - *ObjectPtr = NULL; - Status = STATUS_OBJECT_NAME_NOT_FOUND; - goto Quickie; + /* Return the object */ + *ObjectPtr = Object; } - /* Return the object */ - *ObjectPtr = Object; - /* Free the access state */ if (PassedAccessState == &AccessState) { diff --git a/reactos/ntoskrnl/ob/symlink.c b/reactos/ntoskrnl/ob/symlink.c index f4a0c5257e9..1b2d48d555a 100644 --- a/reactos/ntoskrnl/ob/symlink.c +++ b/reactos/ntoskrnl/ob/symlink.c @@ -359,9 +359,6 @@ NtCreateSymbolicLinkObject(OUT PHANDLE LinkHandle, } _SEH_END; } - - /* ReactOS Hack: Our ObInsertObject references an object twice */ - ObDereferenceObject(SymbolicLink); } /* Return status to caller */ diff --git a/reactos/ntoskrnl/ps/thread.c b/reactos/ntoskrnl/ps/thread.c index c96bb95235d..4c4028949ba 100644 --- a/reactos/ntoskrnl/ps/thread.c +++ b/reactos/ntoskrnl/ps/thread.c @@ -313,7 +313,6 @@ PspCreateThread(OUT PHANDLE ThreadHandle, DPRINT("About to dispatch the thread: %x!\n", &Thread->Tcb); OldIrql = KeAcquireDispatcherDatabaseLock (); KiUnblockThread(&Thread->Tcb, NULL, 0); - ObDereferenceObject(Thread); KeReleaseDispatcherDatabaseLock(OldIrql); /* Return */ diff --git a/reactos/ntoskrnl/se/token.c b/reactos/ntoskrnl/se/token.c index 7192f501daf..dc042b93e5d 100644 --- a/reactos/ntoskrnl/se/token.c +++ b/reactos/ntoskrnl/se/token.c @@ -1507,8 +1507,6 @@ NtDuplicateToken(IN HANDLE ExistingTokenHandle, NULL, &hToken); - ObDereferenceObject(NewToken); - if (NT_SUCCESS(Status)) { _SEH_TRY @@ -2263,8 +2261,6 @@ NtCreateToken(OUT PHANDLE TokenHandle, DPRINT1("ObInsertObject() failed (Status %lx)\n", Status); } - ObDereferenceObject(AccessToken); - if (NT_SUCCESS(Status)) { _SEH_TRY 
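Review bot: ObReferenceObjectByName can now return a success status with `*ObjectPtr` set to NULL, because the removed `Object == NULL` branch was the only place that turned a successful lookup with no object into `STATUS_OBJECT_NAME_NOT_FOUND`. Callers that test only the status would then dereference a null pointer in kernel mode. Whether ObFindObject can still succeed without an object is not visible in this diff. Unless it is guaranteed not to, keep the guard ahead of the new block: `if (NT_SUCCESS(Status) && !Object) Status = STATUS_OBJECT_NAME_NOT_FOUND;`. The function body starts and ends outside the hunk.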
@@ -2513,7 +2509,6 @@ NtOpenThreadTokenEx(IN HANDLE ThreadHandle, Status = ObInsertObject(NewToken, NULL, DesiredAccess, 0, NULL, &hToken); - ObfDereferenceObject(NewToken); } else {