qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 0/4] Fix memory leaks in QEMU


From: Kirill Batuzov
Subject: Re: [Qemu-devel] [PATCH 0/4] Fix memory leaks in QEMU
Date: Fri, 18 Apr 2014 21:08:02 +0400
User-agent: Roundcube Webmail/0.8.5


Note that generally these "leaks" are not really leaks, because we
set up the board and wire IRQs together once, and they remain
that way for the lifetime of QEMU and are freed automatically
when QEMU exits.


Unfortunately they are really leaks. As I said qemu_allocate_irqs
allocates two chunks of memory, not one. This is what happening.
qemu_allocate_irqs calls qemu_extend_irqs which starts allocating memory:
(old is NULL and n_old is 0 here)

    s = old ? g_renew(qemu_irq, old, n + n_old) : g_new(qemu_irq, n);
    p = old ? g_renew(struct IRQState, s[0], n + n_old) :
                g_new(struct IRQState, n);

We'll call the first chunk S, and the second P. I have capitalized
letters to avoid confusion with variable names. Chunk P indeed will
be wired, but chunk S will be leaked.

What happens next:

    for (i = 0; i < n + n_old; i++) {
        if (i >= n_old) {
            p->handler = handler;
            p->opaque = opaque;
            p->n = i;
        }
        s[i] = p;
        p++;
    }

Now chunk S has pointers to chunk P stored in it.

After that s (a pointer to chunk S) is returned to the caller.

    return s;

Let's have a look at the caller. Suppose it was omap2420_mpu_init.
Here is the code:

    s->wakeup = qemu_allocate_irqs(omap_mpu_wakeup, s, 1)[0];

qemu_allocate_irqs returned pointer to chunk S. It got immediately
dereferenced. Result of this dereference - a pointer to P - is written
to s->wakeup. But all pointers to chunk S are lost. We have a memory leak.

And something like this happens every time qemu_allocate_irqs is called.

--
Kirill



reply via email to

[Prev in Thread] Current Thread [Next in Thread]