On 25.02.2013, at 12:10, Christian Borntraeger wrote:

> On 25/02/13 11:44, Paolo Bonzini wrote:
>> Il 25/02/2013 09:09, Christian Borntraeger ha scritto:
>>> Hmm, the old sequence was 
>>> 
>>>     object_unparent(OBJECT(dev));
>>>     qdev_free(dev) ---+
>>>                       |
>>>                       V
>>> ...
>>>          object_unparent(OBJECT(dev));  now the last reference is gone, 
>>> object is freed
>>>          object_unref(OBJECT(dev));     now the reference of a deleted 
>>> object becomes -1
>>> ...
>>> 
>>> Isn't that a problem in itself that we modify a reference counter in a 
>>> deleted object?
>> 
>> The second object_unparent should do nothing.  So before you had:
>> 
>>      object_unparent(OBJECT(dev));       leaves refcount=1
>>      qdev_free(dev) ---+
>>                        |
>>                        V
>>           object_unparent(OBJECT(dev));  do nothing
>>           object_unref(OBJECT(dev));     refcount=0, object freed
>> 
>> After the object_unref was removed you had:
>> 
>>      object_unparent(OBJECT(dev));       refcount=0, object freed
>>      qdev_free(dev) ---+
>>                        |
>>                        V
>>           object_unparent(OBJECT(dev));  dangling pointer!
>> 
> 
> 
> Got it. Thanks
So is the patch valid?


Alex
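A toy model of the two sequences Paolo lays out above, added here as an illustration and not QEMU's own code: Obj, obj_unref, obj_unparent and the two qdev_free variants are assumed names, and the starting refcount of 2 (creator plus parent) versus 1 (parent only) mirrors the refcount=1 / refcount=0 that the first object_unparent leaves in the old and new cases. Instead of really freeing, the model marks the object freed and counts later accesses, which is what an ASan run would flag as a use-after-free.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model (constructed for this example): a refcounted object that may
 * be held by a parent; the parent's hold counts as one reference. */
typedef struct Obj {
    int refcount;            /* live references */
    bool has_parent;         /* parent currently holds one reference */
    bool freed;              /* set when refcount reaches zero */
    int touched_after_free;  /* accesses to an already-freed object */
} Obj;

static void obj_unref(Obj *o) {
    if (o->freed) { o->touched_after_free++; return; }  /* dangling access */
    if (--o->refcount == 0) o->freed = true;            /* "object freed" */
}

static void obj_unparent(Obj *o) {
    if (o->freed) { o->touched_after_free++; return; }  /* dangling access */
    if (!o->has_parent) return;      /* second unparent on a live object: no-op */
    o->has_parent = false;
    obj_unref(o);                    /* drop the parent's reference */
}

/* qdev_free before the change: unparent, then drop the creator's reference. */
static void qdev_free_old(Obj *o) { obj_unparent(o); obj_unref(o); }

/* qdev_free after the object_unref was removed: unparent only. */
static void qdev_free_new(Obj *o) { obj_unparent(o); }

/* The caller's sequence from the thread: object_unparent, then qdev_free. */
static Obj run_sequence(void (*qdev_free)(Obj *), int initial_refcount) {
    Obj dev = { initial_refcount, true, false, 0 };
    obj_unparent(&dev);
    qdev_free(&dev);
    return dev;
}

static int touched_after(void (*qdev_free)(Obj *), int rc) { return run_sequence(qdev_free, rc).touched_after_free; }
static int was_freed(void (*qdev_free)(Obj *), int rc) { return run_sequence(qdev_free, rc).freed; }

int main(void) {
    printf("old qdev_free, refcount 2: freed=%d touched=%d\n", was_freed(qdev_free_old, 2), touched_after(qdev_free_old, 2));
    printf("new qdev_free, refcount 1: freed=%d touched=%d\n", was_freed(qdev_free_new, 1), touched_after(qdev_free_new, 1));
    return 0;
}
```

The first sequence frees exactly once with no stray access; the second frees at the caller's unparent and then touches the dead object inside qdev_free.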
