qobject: Protect against use-after-free in qobject_decref()

Adding an assertion to qobject_decref() will ensure that a programming error causing use-after-free will result in immediate failure (provided no other thread has started using the memory) instead of silently attempting to wrap refcnt around and leaving the problem to potentially bite later at a harder point to diagnose. Suggested-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <1446791754-23823-4-git-send-email-eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com>
author: Eric Blake <eblake@redhat.com> 2015-11-05 23:35:27 -0700
committer: Markus Armbruster <armbru@redhat.com> 2015-11-09 16:45:05 +0100
commit: cc9f60d4a2a4bf2578a9309a18f1c4602c9f5ce7 (patch)
tree: ec55f8cf81cc96079d17d2eeef3c759e51c28bc6 /include/qapi/qmp
parent: bd20588d19e9ff0e94b2d4ca3b5d6b3b3d6a1274 (diff)
download: qemu-cc9f60d4a2a4bf2578a9309a18f1c4602c9f5ce7.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/include/qapi/qmp/qobject.h b/include/qapi/qmp/qobject.h
index c856f553b7..4b96ed5837 100644
--- a/include/qapi/qmp/qobject.h
+++ b/include/qapi/qmp/qobject.h
@@ -90,6 +90,7 @@ static inline void qobject_incref(QObject *obj)
  */
 static inline void qobject_decref(QObject *obj)
 {
+    assert(!obj || obj->refcnt);
     if (obj && --obj->refcnt == 0) {
         assert(obj->type != NULL);
         assert(obj->type->destroy != NULL);
author	Eric Blake <eblake@redhat.com>	2015-11-05 23:35:27 -0700
committer	Markus Armbruster <armbru@redhat.com>	2015-11-09 16:45:05 +0100
commit	cc9f60d4a2a4bf2578a9309a18f1c4602c9f5ce7 (patch)
tree	ec55f8cf81cc96079d17d2eeef3c759e51c28bc6 /include/qapi/qmp
parent	bd20588d19e9ff0e94b2d4ca3b5d6b3b3d6a1274 (diff)
download	qemu-cc9f60d4a2a4bf2578a9309a18f1c4602c9f5ce7.zip