[Qemu-commits] [qemu/qemu] 3a81a1: monitor: Plug memory leak on QMP erro

qemu-commits
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] 3a81a1: monitor: Plug memory leak on QMP erro

From:	GitHub
Subject:	[Qemu-commits] [qemu/qemu] 3a81a1: monitor: Plug memory leak on QMP error
Date:	Thu, 26 Nov 2015 09:00:04 -0800
  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 3a81a10179b702e031d8f84438193d83a64b4122
      
https://github.com/qemu/qemu/commit/3a81a10179b702e031d8f84438193d83a64b4122
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M monitor.c

  Log Message:
  -----------
  monitor: Plug memory leak on QMP error

Leak introduced in commit 8a4f501..710aec9, v2.4.0.

Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Luiz Capitulino <address@hidden>


  Commit: 4f2d31fbc0bfdf41feea7d1be49f4f7ffa005534
      
https://github.com/qemu/qemu/commit/4f2d31fbc0bfdf41feea7d1be49f4f7ffa005534
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M qobject/json-streamer.c

  Log Message:
  -----------
  qjson: Apply nesting limit more sanely

The nesting limit from commit 29c75dd "json-streamer: limit the
maximum recursion depth and maximum token count" applies separately to
braces and brackets.  This makes no sense.  Apply it to their sum,
because that's actually a measure of recursion depth.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>


  Commit: 0753113a26bb8c77f951b1ea91fd4f36d099c37a
      
https://github.com/qemu/qemu/commit/0753113a26bb8c77f951b1ea91fd4f36d099c37a
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M qobject/json-streamer.c

  Log Message:
  -----------
  qjson: Don't crash when input exceeds nesting limit

We limit nesting depth and input size to defend against input
triggering excessive heap or stack memory use (commit 29c75dd
json-streamer: limit the maximum recursion depth and maximum token
count).  However, when the nesting limit is exceeded,
parser_context_peek_token()'s assertion fails.

Broken in commit 65c0f1e "json-parser: don't replicate tokens at each
level of recursion".

To reproduce stuff 1025 open braces or brackets into QMP.

Fix by taking the error exit instead of the normal one.

Reported-by: Eric Blake <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>


  Commit: f0ae0304c7a41a42b7d4a6cde450da938d3c2cc7
      
https://github.com/qemu/qemu/commit/f0ae0304c7a41a42b7d4a6cde450da938d3c2cc7
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M tests/check-qjson.c

  Log Message:
  -----------
  check-qjson: Add test for JSON nesting depth limit

This would have prevented the regression mentioned in the previous
commit.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>


  Commit: b8d3b1da3cdbb02e180618d6be346c564723015d
      
https://github.com/qemu/qemu/commit/b8d3b1da3cdbb02e180618d6be346c564723015d
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M include/qapi/qmp/json-lexer.h
    M qobject/json-lexer.c

  Log Message:
  -----------
  qjson: Spell out some silent assumptions

Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: c54616608af442edf4cfb7397a1909c2653efba0
      
https://github.com/qemu/qemu/commit/c54616608af442edf4cfb7397a1909c2653efba0
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M include/qapi/qmp/json-lexer.h
    M qobject/json-lexer.c
    M qobject/json-parser.c
    M qobject/json-streamer.c

  Log Message:
  -----------
  qjson: Give each of the six structural chars its own token type

Simplifies things, because we always check for a specific one.

Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: 50e2a467f5315fa36c547fb6330659ba45f6bb83
      
https://github.com/qemu/qemu/commit/50e2a467f5315fa36c547fb6330659ba45f6bb83
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M qobject/json-parser.c

  Log Message:
  -----------
  qjson: Inline token_is_keyword() and simplify

Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: 6b9606f68ec589def27bd2a9cea97ec63cffd581
      
https://github.com/qemu/qemu/commit/6b9606f68ec589def27bd2a9cea97ec63cffd581
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M qobject/json-parser.c

  Log Message:
  -----------
  qjson: Inline token_is_escape() and simplify

Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: d2ca7c0b0d876cf0e219ae7a92252626b0913a28
      
https://github.com/qemu/qemu/commit/d2ca7c0b0d876cf0e219ae7a92252626b0913a28
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M include/qapi/qmp/json-lexer.h
    M include/qapi/qmp/json-streamer.h
    M qobject/json-lexer.c
    M qobject/json-streamer.c

  Log Message:
  -----------
  qjson: replace QString in JSONLexer with GString

JSONLexer only needs a simple resizable buffer.  json-streamer.c
can allocate memory for each token instead of relying on reference
counting of QStrings.

Signed-off-by: Paolo Bonzini <address@hidden>
Message-Id: <address@hidden>
[Straightforwardly rebased on my patches, checkpatch made happy]
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: d538b25543f4db026bb435066e2403a542522c40
      
https://github.com/qemu/qemu/commit/d538b25543f4db026bb435066e2403a542522c40
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M qobject/json-parser.c

  Log Message:
  -----------
  qjson: Convert to parser to recursive descent

We backtrack in parse_value(), even though JSON is LL(1) and thus can
be parsed by straightforward recursive descent.  Do exactly that.

Based on an almost-correct patch from Paolo Bonzini.

Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: 95385fe9ace7db156b924da6b6f5c9082b68ba68
      
https://github.com/qemu/qemu/commit/95385fe9ace7db156b924da6b6f5c9082b68ba68
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M include/qapi/qmp/json-parser.h
    M include/qapi/qmp/json-streamer.h
    M monitor.c
    M qga/main.c
    M qobject/json-parser.c
    M qobject/json-streamer.c
    M qobject/qjson.c
    M tests/libqtest.c

  Log Message:
  -----------
  qjson: store tokens in a GQueue

Even though we still have the "streamer" concept, the tokens can now
be deleted as they are read.  While doing so convert from QList to
GQueue, since the next step will make tokens not a QObject and we
will have to do the conversion anyway.

Signed-off-by: Paolo Bonzini <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: 9bada8971173345ceb37ed1a47b00a01a4dd48cf
      
https://github.com/qemu/qemu/commit/9bada8971173345ceb37ed1a47b00a01a4dd48cf
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M include/qapi/qmp/json-streamer.h
    M qobject/json-parser.c
    M qobject/json-streamer.c

  Log Message:
  -----------
  qjson: surprise, allocating 6 QObjects per token is expensive

Replace the contents of the tokens GQueue with a simple struct.  This cuts
the amount of memory allocated by tests/check-qjson from ~500MB to ~20MB,
and the execution time from 600ms to 80ms on my laptop.  Still a lot (some
could be saved by using an intrusive list, such as QSIMPLEQ, instead of
the GQueue), but the savings are already massive and the right thing to
do would probably be to get rid of json-streamer completely.

Signed-off-by: Paolo Bonzini <address@hidden>
Message-Id: <address@hidden>
[Straightforwardly rebased on my patches]
Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: df649835fe48f635a93316fdefe96ced7189316e
      
https://github.com/qemu/qemu/commit/df649835fe48f635a93316fdefe96ced7189316e
  Author: Markus Armbruster <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M qobject/json-streamer.c

  Log Message:
  -----------
  qjson: Limit number of tokens in addition to total size

Commit 29c75dd "json-streamer: limit the maximum recursion depth and
maximum token count" attempts to guard against excessive heap usage by
limiting total token size (it says "token count", but that's a lie).

Total token size is a rather imprecise predictor of heap usage: many
small tokens use more space than few large tokens with the same input
size, because there's a constant per-token overhead: 37 bytes on my
system.

Tighten this up: limit the token count to 2Mi.  Chosen to roughly
match the 64MiB total token size limit.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>


  Commit: a5df35070a4c7fa8e2d9c6bd7175ee8e3e0f7641
      
https://github.com/qemu/qemu/commit/a5df35070a4c7fa8e2d9c6bd7175ee8e3e0f7641
  Author: Peter Maydell <address@hidden>
  Date:   2015-11-26 (Thu, 26 Nov 2015)

  Changed paths:
    M include/qapi/qmp/json-lexer.h
    M include/qapi/qmp/json-parser.h
    M include/qapi/qmp/json-streamer.h
    M monitor.c
    M qga/main.c
    M qobject/json-lexer.c
    M qobject/json-parser.c
    M qobject/json-streamer.c
    M qobject/qjson.c
    M tests/check-qjson.c
    M tests/libqtest.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/armbru/tags/pull-monitor-2015-11-26' 
into staging

QMP and QObject patches

# gpg: Signature made Thu 26 Nov 2015 09:07:18 GMT using RSA key ID EB918653
# gpg: Good signature from "Markus Armbruster <address@hidden>"
# gpg:                 aka "Markus Armbruster <address@hidden>"

* remotes/armbru/tags/pull-monitor-2015-11-26:
  qjson: Limit number of tokens in addition to total size
  qjson: surprise, allocating 6 QObjects per token is expensive
  qjson: store tokens in a GQueue
  qjson: Convert to parser to recursive descent
  qjson: replace QString in JSONLexer with GString
  qjson: Inline token_is_escape() and simplify
  qjson: Inline token_is_keyword() and simplify
  qjson: Give each of the six structural chars its own token type
  qjson: Spell out some silent assumptions
  check-qjson: Add test for JSON nesting depth limit
  qjson: Don't crash when input exceeds nesting limit
  qjson: Apply nesting limit more sanely
  monitor: Plug memory leak on QMP error

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/317e4db6e904...a5df35070a4c
[Prev in Thread]
Current Thread
[Next in Thread]
[Qemu-commits] [qemu/qemu] 3a81a1: monitor: Plug memory leak on QMP error, GitHub <=
Prev by Date: [Qemu-commits] [qemu/qemu] 2b1641: MAINTAINERS: Update TCG CPU cores section
Next by Date: [Qemu-commits] [qemu/qemu] fac862: osdep: Change default value of qemu_hw_version() t...
Previous by thread: [Qemu-commits] [qemu/qemu] 2b1641: MAINTAINERS: Update TCG CPU cores section
Next by thread: [Qemu-commits] [qemu/qemu] fac862: osdep: Change default value of qemu_hw_version() t...
Index(es):
- Date
- Thread