From: Wen Congyang
Date: Thu, 03 Mar 2011 09:37:33 +0800
Subject: Re: [Qemu-devel] Re: [PATCH RESEND 2/2] vnc: Fix heap corruption
To: Stefan Weil
Cc: Peter Maydell, Anthony Liguori, qemu-devel, Corentin Chary
Message-ID: <4D6EF0DD.1010405@cn.fujitsu.com>
In-Reply-To: <4D6EC463.50807@mail.berlios.de>
References: <4D6DBDA4.3050909@cn.fujitsu.com> <4D6DC06B.6070308@cn.fujitsu.com> <4D6E8E3A.50106@mail.berlios.de> <4D6EBE4B.8070705@mail.berlios.de> <4D6EC463.50807@mail.berlios.de>

At 03/03/2011 06:27 AM, Stefan Weil wrote:
> On 02.03.2011 23:01, Stefan Weil wrote:
>> On 02.03.2011 19:47, Peter Maydell wrote:
>>> On 2 March 2011 18:36, Stefan Weil wrote:
>>>> No. I don't think that the third parameter of bitmap_clear is
>>>> ok like that. See my patch for the correct value.
>>>
>>> Wen's patch:
>>>
>>> + const size_t width = ds_get_width(vd->ds) / 16;
>>> [...]
>>> - bitmap_set(width_mask, 0, (ds_get_width(vd->ds) / 16));
>>> - bitmap_clear(width_mask, (ds_get_width(vd->ds) / 16),
>>> - VNC_DIRTY_WORDS * BITS_PER_LONG);
>>> + bitmap_set(width_mask, 0, width);
>>> + bitmap_clear(width_mask, width, VNC_DIRTY_WORDS * BITS_PER_LONG
>>> - width);
>>>
>>> Your patch:
>>>
>>> bitmap_clear(width_mask, (ds_get_width(vd->ds) / 16),
>>> - VNC_DIRTY_WORDS * BITS_PER_LONG);
>>> + (VNC_MAX_WIDTH - ds_get_width(vd->ds)) / 16);
>>>
>>> Since ui/vnc.h has:
>>>
>>> #define VNC_DIRTY_WORDS (VNC_MAX_WIDTH / (16 * BITS_PER_LONG))
>>>
>>> the third parameter to bitmap_clear is the same value in
>>> both cases, isn't it? Or is this a rounding bug?
>>>
>>> -- PMM
>>
>> Because of rounding effects, both values can be different.
>>
>> The part missing in my patch is correct handling of another
>> rounding effect:
>>
>> VNC_DIRTY_WORDS is exact for 32 bit long values (and the
>> "old" code which used uint32_t until some weeks ago), where
>> VNC_DIRTY_WORDS = 2560/16/32 = 5.
>>
>> For 64 bit values, VNC_DIRTY_WORDS = 2560/16/64 = 2 (rounded)!
>>
>> Stefan W.
>
>
> Is bitmap_clear() really needed here? Meanwhile I think it is not,
> so this might be a new patch variant...

I do not know why we call bitmap_clear() here. I only know it is the same as the old code:

-static inline void vnc_set_bits(uint32_t *d, int n, int nb_words)
-{
- int j;
-
- j = 0;
- while (n >= 32) {
- d[j++] = -1;
- n -= 32;
- }
- if (n > 0)
- d[j++] = (1 << n) - 1;
- while (j < nb_words) <=== bitmap_clear()
- d[j++] = 0;
-}
- vnc_set_bits(width_mask, (ds_get_width(vd->ds) / 16), VNC_DIRTY_WORDS);
+ bitmap_set(width_mask, 0, (ds_get_width(vd->ds) / 16));
+ bitmap_clear(width_mask, (ds_get_width(vd->ds) / 16),
+ VNC_DIRTY_WORDS * BITS_PER_LONG);
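Review bot: in the replacement of vnc_set_bits(), the third argument to bitmap_clear() is a count of bits, not an end position, so `bitmap_clear(width_mask, (ds_get_width(vd->ds) / 16), VNC_DIRTY_WORDS * BITS_PER_LONG)` starts at bit width/16 and clears a full mask length beyond it, writing width/16 bits past the end of width_mask; the removed loop `while (j < nb_words) d[j++] = 0;` stopped at the array end because nb_words was an end index. That mismatch is the heap corruption named in the subject line, and the count should be the remaining length, `VNC_DIRTY_WORDS * BITS_PER_LONG - width`, as in Wen's version quoted above. Two follow-ups from the same lines: first, because `#define VNC_DIRTY_WORDS (VNC_MAX_WIDTH / (16 * BITS_PER_LONG))` truncates, a 64-bit build gets 2 words (128 bits) for 2560/16 = 160 columns, so for widths above 2048 pixels `width` already exceeds the mask and `VNC_DIRTY_WORDS * BITS_PER_LONG - width` (width is size_t) wraps to a huge count; rounding VNC_DIRTY_WORDS up rather than down would remove both problems. Second, whether the clear is needed at all depends on whether width_mask is zero-initialised before this call, which the hunk does not show; if it is, bitmap_set() alone suffices.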
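A small C model, added here and not code from QEMU or from anyone in the thread, of the two points argued above: bitmap_clear()'s third argument is a bit count, and VNC_DIRTY_WORDS truncates when BITS_PER_LONG is 64. The functions are hypothetical; BITS_PER_LONG is passed as a parameter so both word sizes can be evaluated on one host, and VNC_MAX_WIDTH = 2560 is taken from Stefan's arithmetic.

```c
#include <stddef.h>

/* Maximum width used in the thread's arithmetic (ui/vnc.h). */
#define VNC_MAX_WIDTH 2560

/* VNC_DIRTY_WORDS for a given long size. Integer division truncates:
 * 2560/16/32 = 5 exactly, but 2560/16/64 = 2.5 -> 2 (Stefan's rounding point). */
static size_t vnc_dirty_words(size_t bits_per_long)
{
    return VNC_MAX_WIDTH / (16 * bits_per_long);
}

/* Bits actually held by a width_mask of VNC_DIRTY_WORDS longs. */
static size_t mask_bits(size_t bits_per_long)
{
    return vnc_dirty_words(bits_per_long) * bits_per_long;
}

/* One mask bit per 16-pixel column: can the mask hold width_px / 16 columns? */
static int mask_fits(size_t bits_per_long, unsigned width_px)
{
    return width_px / 16 <= mask_bits(bits_per_long);
}

/* Model of bitmap_clear(map, start, nr): it clears nr bits from bit 'start'.
 * Returns how many of those bits lie past a mask of 'capacity' bits; in the
 * real code each such bit is a write beyond width_mask (the heap corruption). */
static size_t clear_overrun(size_t capacity, size_t start, size_t nr)
{
    return start + nr > capacity ? start + nr - capacity : 0;
}

/* Original conversion: passes the whole mask length as the count. */
static size_t old_overrun(size_t bits_per_long, unsigned width_px)
{
    size_t total = mask_bits(bits_per_long);
    return clear_overrun(total, width_px / 16, total);
}

/* Wen's fix: passes the remaining length after 'width' (assumes width <= total). */
static size_t fixed_overrun(size_t bits_per_long, unsigned width_px)
{
    size_t total = mask_bits(bits_per_long), width = width_px / 16;
    return clear_overrun(total, width, total - width);
}
```

With a 1024-pixel display the original call overruns by 64 bits on both word sizes while the fixed call stays in bounds; with a 2560-pixel display the 64-bit mask (128 bits) cannot hold the 160 columns at all.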