From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-devel@nongnu.org, armbru@redhat.com
Subject: Re: [PATCH] qobject: make refcount atomic
Date: Wed, 8 Oct 2025 17:16:25 +0100 [thread overview]
Message-ID: <aOaOWbrE443LpqPX@redhat.com> (raw)
In-Reply-To: <20251008152701.411964-1-pbonzini@redhat.com>
On Wed, Oct 08, 2025 at 05:27:01PM +0200, Paolo Bonzini wrote:
> The Rust bindings for QObject will only operate on complete objects,
> treating them as immutable as long as the Rust QObject is live.
>
> With that constraint, it is trivial for Rust code to treat QObjects as
> thread-safe; all that's needed is to make reference count operations
> atomic. Do the same when the C code adds or removes references, since
> we don't really know what the Rust code is up to; of course C code will
> have to agree with not making changes to the QObjects after they've
> been passed to Rust code.
I wonder whether that latter constraint on the C code will hold
true in practice ? Particularly thinking about scenarios where
we add/remove link properties to QObject's, potentially at any
time during life of QEMU via QMP/HMP commands ?
>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> include/qobject/qobject.h | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/include/qobject/qobject.h b/include/qobject/qobject.h
> index a6244d0ce00..02f4c6a6eb2 100644
> --- a/include/qobject/qobject.h
> +++ b/include/qobject/qobject.h
> @@ -32,6 +32,7 @@
> #ifndef QOBJECT_H
> #define QOBJECT_H
>
> +#include "qemu/atomic.h"
> #include "qapi/qapi-builtin-types.h"
>
> /* Not for use outside include/qobject/ */
> @@ -73,7 +74,7 @@ QEMU_BUILD_BUG_MSG(QTYPE__MAX != 7,
> static inline void qobject_ref_impl(QObject *obj)
> {
> if (obj) {
> - obj->base.refcnt++;
> + qatomic_inc(&obj->base.refcnt);
> }
> }
>
> @@ -95,7 +96,7 @@ void qobject_destroy(QObject *obj);
> static inline void qobject_unref_impl(QObject *obj)
> {
> assert(!obj || obj->base.refcnt);
> - if (obj && --obj->base.refcnt == 0) {
> + if (obj && qatomic_fetch_dec(&obj->base.refcnt) == 1) {
> qobject_destroy(obj);
> }
> }
With this unref method being void, how does the Rust code
know when a QObject is no longer alive after it has called
unref ? Does it need to know this to provide any safety
guarantees ?
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2025-10-08 16:18 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-08 15:27 [PATCH] qobject: make refcount atomic Paolo Bonzini
2025-10-08 16:06 ` Richard Henderson
2025-10-08 16:14 ` Paolo Bonzini
2025-10-08 16:53 ` Richard Henderson
2025-10-08 17:04 ` Paolo Bonzini
2025-10-08 16:16 ` Daniel P. Berrangé [this message]
2025-10-08 17:00 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aOaOWbrE443LpqPX@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.