Re: [Xen-devel] A question about SHARE_PFN_WITH_DOMAIN

On 13 Jan 2006, at 07:10, Tian, Kevin wrote:

Secondly, there is the subtle and thorny issue of domain destruction.
Xen assume that any domain that has a non-zero reference count has a
valid shared_info, for example.

Could you please point out where I can find such assumption in the code?

Sure. For example, event channel bindings are torn down only when the domain refcnt falls to zero. If we freed the shared_info page when dom0 kills the domain, the refcnt may remain non-zero for some time after that (because of mappings of network/block ring pages for example). If dom0 tries to notify via an event channel, the evtchn code in Xen will happily dereference the dying domU's shared_info pointer which would no longer be valid.

So we cannot free shared_info until domain_destruct(), and if Xen held a reference on shared_info then domain_destruct() would never be called.

 -- Keir

