Re: QEMU device refcounting when device creates a container MR

[Peter Maydell]

On Thu, 10 Mar 2022 at 16:30, Igor Mammedov <imammedo@redhat.com> wrote:
>
> Do On Thu, 10 Mar 2022 16:05:24 +0000
> Peter Maydell <peter.maydell@linaro.org> wrote:
>
> > On Thu, 10 Mar 2022 at 15:36, Igor Mammedov <imammedo@redhat.com> wrote:
> > >
> > > On Wed, 9 Mar 2022 16:56:21 +0000
> > > Peter Maydell <peter.maydell@linaro.org> wrote:
> > > > ...also, in the device-introspect-test where I see this problem,
> > > > unrealize is never going to be called anyway, because the device
> > > > is only put through "instance_init" and then dereffed (which
> > > > does not result in instance_finalize being called, because the
> > > > refcount is still non-zero).
> > >
> > > question is why introspected device is deferred instead of being
> > > destroyed if it's no longer needed?
> >
> > ...because the reference count is not zero.
> >
> > What is supposed to happen is:
> >  * device is created (inited), and has refcount of 1
> >  * introspection code does its thing
> >  * introspection code derefs the device, and it gets deinited
> >
> > This bug means that when the device is inited it has a refcount
> > that is too high, and so despite the code that creates it
> > correctly dereffing it, it's still lying around.
>
> looks like ref count leak somewhere, instance_finalize() take care
> of cleaning up instance_init() actions.

If you read the rest of the thread, we know why the refcount
is too high. And instance_finalize *is never called*, so it
cannot clean up what instance_init has done.

> Do you have an example/reproducer?

Yes, see the thread -- device-introspect-test shows it.
(You can put printfs in ehci_sysbus_init and ehci_sysbus_finalize
and see that for some devices we don't ever call finalize.)

-- PMM