On Tue, 2 Aug 2016 11:41:41 +0800 Fam Zheng <f...@redhat.com> wrote:
> Since 69382d8b (qdev: Fix object reference leak in case device.realize()
> fails), object_property_set_bool could release the object. The error
> path wants the type name, so hold a reference before realizing it.
>
> Cc: Igor Mammedov <imamm...@redhat.com>
> Signed-off-by: Fam Zheng <f...@redhat.com>
> ---
>  hw/core/qdev.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> index ee4a083..5783442 100644
> --- a/hw/core/qdev.c
> +++ b/hw/core/qdev.c
> @@ -354,12 +354,14 @@ void qdev_init_nofail(DeviceState *dev)
>
>      assert(!dev->realized);
>
> +    object_ref(OBJECT(dev));
>      object_property_set_bool(OBJECT(dev), true, "realized", &err);
>      if (err) {
>          error_reportf_err(err, "Initialization of device %s failed: ",
>                            object_get_typename(OBJECT(dev)));
>          exit(1);
>      }
> +    object_unref(OBJECT(dev));
>  }
>
>  void qdev_machine_creation_done(void)

I'm not sure that this is the right fix; commit 69382d8b only affects the
reference created by realize() itself. Probably reference counting is wrong
somewhere else; for a typical device the call sequence is the following:

qdev_create() {
    object_new()          -> ref == 1
    qdev_set_parent_bus() -> ref == 2
    object_unref()        -> ref == 1
} -> ref == 1

do property settings and other stuff
...

qdev_init_nofail() {
    called with ref == 1
    object_property_set_bool(true, "realized")
        if error: ref == 1
        else:     ref == 2 (+1 for implicitly assigned parent)
}
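Review bot: in the qdev_init_nofail() hunk the new object_ref(OBJECT(dev)) is only paired with object_unref(OBJECT(dev)) on the success path; the error branch calls exit(1) right after error_reportf_err(), so the extra reference is never dropped there. That is harmless because the process exits, but a one-line comment saying the unref is deliberately skipped on exit would stop the pair from looking unbalanced to the next reader. The bigger question is whether the ref is needed at all: per the call sequence in the reply, the device enters this function with one reference held by its parent bus, and a failing realize should leave that count at 1, so object_get_typename() stays safe. If the object really is being released here, an added ref would hide an unbalanced unref elsewhere rather than fix it; please either show the refcount trace that reaches 0 or point at the caller whose reference is missing.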
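To make the counts in the reply concrete, here is a toy model of the QOM reference counting the thread is arguing about. It is an added example for this page, not QEMU code and not the patch author's; it reuses the function names from the discussion on a small struct, treats "release" as a flag instead of calling free(), and adds a hypothetical extra_unref knob standing in for the "reference counting wrong somewhere else" that the reply suspects. The device type names are made-up sample strings.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model only (not QEMU): just the arithmetic of the call sequence
 * given in the reply, with the same function names. */
typedef struct Obj {
    int ref;
    bool released;      /* set instead of free() so callers can inspect it */
    const char *type;   /* what object_get_typename() would return */
} Obj;

static Obj *object_new(const char *type) {
    Obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->ref = 1;                 /* creator's reference */
    o->type = type;
    return o;
}

static void object_ref(Obj *o) { o->ref++; }

/* Dropping the last reference releases the object: the type name is gone. */
static void object_unref(Obj *o) {
    if (--o->ref == 0) {
        o->released = true;
        o->type = NULL;
    }
}

/* The parent bus keeps its own reference. */
static void qdev_set_parent_bus(Obj *dev) { object_ref(dev); }

/* qdev_create() as sketched in the reply: ref 1, then 2, then back to 1. */
static Obj *qdev_create(const char *type) {
    Obj *dev = object_new(type);
    qdev_set_parent_bus(dev);
    object_unref(dev);
    return dev;
}

/* Setting "realized": on success the implicitly assigned parent keeps +1;
 * on failure that reference is released again (the behaviour the commit
 * message attributes to 69382d8b). extra_unref is hypothetical: it models
 * an unbalanced unref somewhere else, which the reply suspects. */
static bool object_property_set_realized(Obj *dev, bool fail, int extra_unref) {
    object_ref(dev);
    if (!fail) {
        return true;
    }
    object_unref(dev);
    while (extra_unref-- > 0) {
        object_unref(dev);
    }
    return false;
}

/* The qdev_init_nofail() error path: report the type name after a failed
 * realize. hold_ref selects the patch's object_ref() before the call.
 * Returns the name the error message would print, or NULL if the object
 * was already released (the case the patch is trying to avoid). */
static const char *failed_init_typename(Obj *dev, bool hold_ref, int extra_unref) {
    if (hold_ref) {
        object_ref(dev);
    }
    object_property_set_realized(dev, true, extra_unref);
    /* the real code calls exit(1) here, so a held reference is never dropped */
    return dev->released ? NULL : dev->type;
}

int main(void) {
    Obj *d = qdev_create("sample-dev");
    printf("after qdev_create: ref=%d\n", d->ref);
    object_property_set_realized(d, false, 0);
    printf("after successful realize: ref=%d\n", d->ref);

    Obj *e = qdev_create("sample-dev");
    const char *n = failed_init_typename(e, false, 0);
    printf("failed realize, balanced refs: ref=%d name=%s\n", e->ref, n ? n : "(released)");

    Obj *f = qdev_create("sample-dev");
    n = failed_init_typename(f, false, 1);
    printf("failed realize, one stray unref: ref=%d name=%s\n", f->ref, n ? n : "(released)");

    Obj *g = qdev_create("sample-dev");
    n = failed_init_typename(g, true, 1);
    printf("same, with the patch's object_ref: ref=%d name=%s\n", g->ref, n ? n : "(released)");
    return 0;
}
```

With balanced counts the failing realize leaves ref == 1 and the type name is still readable, which is the reply's point; only when an extra unref is injected does the object get released before error_reportf_err(), and the patch's object_ref() then keeps it alive without removing the stray unref.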