All of lore.kernel.org
 help / color / mirror / Atom feed
From: Kevin Wolf <kwolf@redhat.com>
To: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Cc: qemu-devel@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
	"Daniel P. Berrangé" <berrange@redhat.com>,
	"Manos Pitsidianakis" <manos.pitsidianakis@linaro.org>,
	qemu-rust@nongnu.org, "Peter Xu" <peterx@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@mailo.com>,
	"Alberto Garcia" <berto@igalia.com>,
	"Hanna Reitz" <hreitz@redhat.com>,
	qemu-block@nongnu.org
Subject: Re: [PATCH 1/2] qom: Reject temporary object resurrection
Date: Mon, 15 Jun 2026 10:34:03 +0200	[thread overview]
Message-ID: <ai-4-0UkH0uCZwYS@redhat.com> (raw)
In-Reply-To: <20260615-embedded-v1-1-bb0c65bf126c@rsg.ci.i.u-tokyo.ac.jp>

Am 15.06.2026 um 06:11 hat Akihiko Odaki geschrieben:
> If object_ref() is called during finalization, it will temporarily
> "resurrect" the object. Although object_finalize() asserts that no
> resurrecting reference remains before freeing the object, the assertion
> cannot catch the case where the resurrecting reference is dropped before
> freeing the object.

Ok, and why is that a problem?

In the cover letter, you referred to an earlier patch you had posted:

    The temporary object resurrection patch originated from:
    https://lore.kernel.org/qemu-devel/20250906-mr-v2-1-2820f5a3d282@rsg.ci.i.u-tokyo.ac.jp/
    ("[PATCH v2 1/3] qom: Do not finalize twice")

From that patch, it's clear that one problem is that .finalize() can be
called multiple times, which you probably don't want. But what is the
reason for switching from just ignoring the second .finalize() like in
the old patch to completely forbidding a temporary refcount increase?

> One way to catch this would be to add a check in object_ref() to reject
> resurrecting references before they are created. However, object_ref()
> is frequently called so it is better to minimize the overhead.

We're talking about a single comparison with zero here. So if that's the
worse alternative, the other one can't have any drawbacks.

> To avoid adding the overhead, change how the reference count is
> represented and let an existing assertion detect resurrection. More
> concretely, obj->ref now stores the current reference count minus 1. The
> stored count is therefore 0 after object_initialize(), and the final
> object_unref() decrements it from 0 to UINT32_MAX and starts
> finalization. A resurrecting object_ref() will then trip the existing
> obj->ref < INT_MAX assertion.

A refcount field where 0 means that a last reference is still remaining
is highly confusing. If we do want to forbid taking a temporary new
reference in .finalize() for some reason, the explicit check in
object_ref() sounds much better to me.

> Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
> ---
>  include/qom/object.h            |  4 ++--
>  block/throttle-groups.c         |  2 +-
>  qom/object.c                    | 15 ++++++---------
>  tests/unit/check-qom-proplist.c |  8 ++++----
>  4 files changed, 13 insertions(+), 16 deletions(-)

Kevin



  parent reply	other threads:[~2026-06-15  8:34 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-15  4:11 [PATCH 0/2] qom: Tighten object lifetime handling Akihiko Odaki
2026-06-15  4:11 ` [PATCH 1/2] qom: Reject temporary object resurrection Akihiko Odaki
2026-06-15  8:14   ` Daniel P. Berrangé
2026-06-15  8:34   ` Kevin Wolf [this message]
2026-06-15  8:50     ` Akihiko Odaki
2026-06-15  4:11 ` [PATCH 2/2] qom: Manage references to embedded child objects Akihiko Odaki
2026-06-15  8:12   ` Daniel P. Berrangé
2026-06-15  8:31     ` Peter Maydell
2026-06-15  8:34       ` Daniel P. Berrangé
2026-06-15  9:28         ` Peter Maydell
2026-06-15 13:42           ` Mark Cave-Ayland
2026-06-15 13:55             ` Akihiko Odaki
2026-06-15 14:01             ` Daniel P. Berrangé
2026-06-15 20:09             ` BALATON Zoltan
2026-06-15 13:29     ` Mark Cave-Ayland
2026-06-15 10:59   ` Daniel P. Berrangé
2026-06-15 12:02     ` Akihiko Odaki

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ai-4-0UkH0uCZwYS@redhat.com \
    --to=kwolf@redhat.com \
    --cc=berrange@redhat.com \
    --cc=berto@igalia.com \
    --cc=hreitz@redhat.com \
    --cc=manos.pitsidianakis@linaro.org \
    --cc=odaki@rsg.ci.i.u-tokyo.ac.jp \
    --cc=pbonzini@redhat.com \
    --cc=peterx@redhat.com \
    --cc=philmd@mailo.com \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-rust@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.