Re: [PATCH] qom: assert integer does not overflow

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] qom: assert integer does not overflow

From:	Michael S. Tsirkin
Subject:	Re: [PATCH] qom: assert integer does not overflow
Date:	Mon, 28 Feb 2022 08:51:45 -0500

On Mon, Feb 28, 2022 at 07:16:56AM -0500, Michael S. Tsirkin wrote:
> On Fri, Feb 25, 2022 at 02:35:36PM +0000, Daniel P. Berrangé wrote:
> > On Fri, Feb 25, 2022 at 09:10:44AM -0500, Michael S. Tsirkin wrote:
> > > QOM reference counting is not designed with an infinite amount of
> > > references in mind, trying to take a reference in a loop will overflow
> > > the integer. We will then eventually assert when dereferencing, but the
> > > real problem is in object_ref so let's assert there to make such issues
> > > cleaner and easier to debug.
> > 
> > What is the actual bug / scenario that led you to hit this problem ?
> 
> E.g. if during code development I call object_ref but not object_unref,
> the counter eventually overflows. If this triggers in an error flow
> and not a good path this kind of bug might thinkably make it through QE
> into release code.
> 
> > I'm surprised you saw an assert in object_unref, as that would
> > imply you had exactly  UINT32_MAX calls to object_ref and then
> > one to object_unref.
> 
> Any imbalance with # of unrefs > # refs
> will trigger an existing assert in unref.
> 
> However, an imbalance with # of refs > # unrefs does not trigger an
> assert at the moment.
> 

A vsock patch Stefano just posted would be one example where this can happen.

> > > Some micro-benchmarking shows using fetch and add this is essentially
> > > free on x86.
> > > 
> > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> > > ---
> > >  qom/object.c | 6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/qom/object.c b/qom/object.c
> > > index 4f0677cca9..5db3974f04 100644
> > > --- a/qom/object.c
> > > +++ b/qom/object.c
> > > @@ -1167,10 +1167,14 @@ GSList *object_class_get_list_sorted(const char 
> > > *implements_type,
> > >  Object *object_ref(void *objptr)
> > >  {
> > >      Object *obj = OBJECT(objptr);
> > > +    uint32_t ref;
> > > +
> > >      if (!obj) {
> > >          return NULL;
> > >      }
> > > -    qatomic_inc(&obj->ref);
> > > +    ref = qatomic_fetch_inc(&obj->ref);
> > > +    /* Assert waaay before the integer overflows */
> > > +    g_assert(ref < INT_MAX);
> > 
> > Not that I expect this to hit, but why choose this lower
> > bound instead of g_assert(ref > 0) which is the actual
> > failure scenario, matching the existing object_unref
> > assert.
> 
> The earlier we catch it the better, if we overflowed to 0 some other
> thread might already be confused.
> 
> 
> > Regards,
> > Daniel
> > -- 
> > |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange 
> > :|
> > |: https://libvirt.org         -o-            https://fstop138.berrange.com 
> > :|
> > |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange 
> > :|

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] qom: assert integer does not overflow, Michael S. Tsirkin, 2022/02/25
- Re: [PATCH] qom: assert integer does not overflow, Daniel P . Berrangé, 2022/02/25
  - Re: [PATCH] qom: assert integer does not overflow, Michael S. Tsirkin, 2022/02/28
    - Re: [PATCH] qom: assert integer does not overflow, Michael S. Tsirkin <=

Prev by Date: Re: [PATCH v9 11/11] 9p: darwin: meson: Allow VirtFS on Darwin
Next by Date: Re: [PATCH] ppc/pnv: fix default PHB4 QOM hierarchy
Previous by thread: Re: [PATCH] qom: assert integer does not overflow
Next by thread: Re: [PATCH v3 08/18] ppc/psi: Add support for StoreEOI and 64k ESB pages (POWER10)
Index(es):
- Date
- Thread