On Tue, Sep 03, 2013 at 02:32:51PM +0200, Paolo Bonzini wrote:
> QOM splits the destruction of a device in two phases:
>
> - unrealize, also known as "exit" from qdev times, should isolate
>   the device from the guest.  After unrealize returns, the guest
>   should not be able to issue new requests.
>
> - instance_finalize will reclaim the memory.  This is only called
>   after all requests terminate and drop the references on the
>   device.
>
> Though overlooked, this is important even now: QEMU's little secret is
> that devices already do access memory out of the iothread mutex (with
> address_space_map/unmap and AIO), and this can be MMIO memory too
> through a bounce buffer.  This series prepares things so that, once
> we'll put the memory_region_ref/unref infrastructure to complete use,
> things will just work.
>
> Of course this split will be particularly important for devices that
> will be able to do unlocked MMIO.
>
> This series changes all PCI devices (the sole to support hotplug _and_
> use MemoryRegions) to do memory_region_del_subregion at unrealize time,
> and memory_region_destroy at instance_finalize time.  As it is mostly
> a PCI patch, it should go through mst's tree.
>
> Paolo
OK so this is the problem.  Memory region reference counting actually
does not have a reference count per MR.  Instead it takes a reference
to the device:

    void memory_region_ref(MemoryRegion *mr)
    {
        if (mr && mr->owner) {
            object_ref(mr->owner);
        }
    }

    void memory_region_unref(MemoryRegion *mr)
    {
        if (mr && mr->owner) {
            object_unref(mr->owner);
        }
    }

Now object_ref only delays finalize.  Ergo, to make sure a referenced MR
does not get destroyed, we must make sure only finalize calls
memory_region_destroy.

So I think this patchset should do exactly that, not try to move out
more stuff to finalize.

-- 
MST
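To make the ordering argument concrete, here is an added toy model of the ownership-based reference counting MST describes. It is not QEMU code and not code from either poster: only the shape of memory_region_ref/unref (no per-MR count, the reference is taken on the owner) is copied from the reply; the Object, MemoryRegion and ScenarioResult structs, instance_finalize, unrealize and run_scenario are constructed assumptions. It runs the same hot-unplug sequence twice, with memory_region_destroy placed at unrealize time and at instance_finalize time, while a request still holds a reference obtained through memory_region_ref, and reports whether that request ends up touching a destroyed region.

```c
#include <stdio.h>

/*
 * Added toy model, not QEMU code.  It reproduces the shape of
 * memory_region_ref/unref quoted in the thread (no per-MR count, the
 * reference goes to the owner) and compares the two placements discussed:
 * memory_region_destroy at unrealize vs. at instance_finalize.
 * Everything except the ref/unref shape is a constructed assumption.
 */

typedef struct Object Object;

typedef struct {
    Object *owner;
    int mapped;     /* 1 while the region is a subregion visible to the guest */
    int destroyed;  /* 1 after memory_region_destroy has run */
} MemoryRegion;

struct Object {
    int refcount;
    int finalized;
    int destroy_in_finalize;  /* policy under test */
    MemoryRegion mr;          /* the device's single owned region */
};

typedef struct {
    int request_saw_destroyed;        /* in-flight request touched a dead MR */
    int finalized_before_last_unref;  /* finalize ran while a ref was held */
    int finalized_at_end;             /* memory was eventually reclaimed */
} ScenarioResult;

static void memory_region_destroy(MemoryRegion *mr) { mr->destroyed = 1; }

static void instance_finalize(Object *obj) {
    if (obj->destroy_in_finalize) {
        memory_region_destroy(&obj->mr);  /* placement MST argues for */
    }
    obj->finalized = 1;
}

static void object_ref(Object *obj) { obj->refcount++; }

static void object_unref(Object *obj) {
    if (--obj->refcount == 0) {
        instance_finalize(obj);   /* only the last unref reclaims */
    }
}

/* Same shape as the helpers quoted in the reply: forward to the owner. */
static void memory_region_ref(MemoryRegion *mr) {
    if (mr && mr->owner) {
        object_ref(mr->owner);
    }
}

static void memory_region_unref(MemoryRegion *mr) {
    if (mr && mr->owner) {
        object_unref(mr->owner);
    }
}

static void unrealize(Object *obj) {
    obj->mr.mapped = 0;  /* del_subregion: guest can issue no new requests */
    if (!obj->destroy_in_finalize) {
        memory_region_destroy(&obj->mr);  /* destroys while refs may remain */
    }
}

/* Hot-unplug while one request (address_space_map or AIO) holds the MR. */
ScenarioResult run_scenario(int destroy_in_finalize) {
    ScenarioResult r = {0, 0, 0};
    Object dev;
    dev.refcount = 1;               /* the parent's owning reference */
    dev.finalized = 0;
    dev.destroy_in_finalize = destroy_in_finalize;
    dev.mr.owner = &dev;
    dev.mr.mapped = 1;
    dev.mr.destroyed = 0;

    /* The request pins the region: the reference lands on dev, not on mr. */
    memory_region_ref(&dev.mr);

    /* Unplug: unrealize, then the parent drops its reference. */
    unrealize(&dev);
    object_unref(&dev);             /* 2 -> 1: finalize is delayed */
    r.finalized_before_last_unref = dev.finalized;

    /* The request completes and uses the region it still holds. */
    r.request_saw_destroyed = dev.mr.destroyed;
    memory_region_unref(&dev.mr);   /* 1 -> 0: finalize runs now */
    r.finalized_at_end = dev.finalized;
    return r;
}

int main(void) {
    ScenarioResult early = run_scenario(0), late = run_scenario(1);
    printf("destroy at unrealize: request saw destroyed MR = %d\n",
           early.request_saw_destroyed);
    printf("destroy at finalize:  request saw destroyed MR = %d, finalized = %d\n",
           late.request_saw_destroyed, late.finalized_at_end);
    return 0;
}
```

With destroy_in_finalize set, the held reference keeps the owner alive, so the region is destroyed only after the request's unref, which is exactly the "only finalize calls memory_region_destroy" rule; with it clear, unrealize tears the region down underneath the still-pinned request.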