When `owner` == `mr`, `object_unparent` will crash:

object_unparent(mr)
-> object_property_del_child(mr, mr)
-> object_finalize_child_property(mr, name, mr)
-> object_unref(mr)
-> object_finalize(mr)
-> object_property_del_all(mr)
-> object_finalize_child_property(mr, name, mr)
-> object_unref(mr)
-> fail on g_assert(obj->ref > 0)
However, passing a different `owner` to `memory_region_init` is not enough. `memory_region_ref` has an optimization where it takes a ref only on the owner. It specifically warns against calling unparent on the memory region. So we initialize the memory region first and then patch in the owner with itself. Signed-off-by: Joelle van Dyne <[email protected]> --- hw/display/virtio-gpu-virgl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c index 18404be5892..70e0aff0ca3 100644 --- a/hw/display/virtio-gpu-virgl.c +++ b/hw/display/virtio-gpu-virgl.c @@ -123,7 +123,8 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g, vmr->g = g; mr = &vmr->mr; - memory_region_init_ram_ptr(mr, OBJECT(mr), "blob", size, data); + memory_region_init_ram_ptr(mr, OBJECT(g), "blob", size, data); + mr->owner = OBJECT(mr); memory_region_add_subregion(&b->hostmem, offset, mr); memory_region_set_enabled(mr, true); -- 2.50.1 (Apple Git-155)
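Review bot: the added line `mr->owner = OBJECT(mr);` in virtio_gpu_virgl_map_resource_blob overwrites a field that memory_region_init_ram_ptr has just set to `OBJECT(g)`, and nothing in the code explains why; the rationale (the owner-only ref optimization in memory_region_ref and the self-unparent crash) lives only in the commit message, so please add a comment above that line so the next reader does not "fix" it back. Because the region now owns itself, every memory_region_ref(mr) pins `mr` rather than `g`, and the child property that the init call registered under `g` is the only thing holding the region in the object tree; the unmap/teardown side of this resource (not in this hunk) should be checked to confirm that its memory_region_del_subregion and unparent calls still balance against that, since the commit message itself notes that unparenting a self-owned region is exactly the path that asserts.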
