Bug 1684172
| Field | Value |
|---|---|
| Summary | malloc corruption with virgl/opengl |
| Product | Fedora |
| Component | qemu |
| Version | 30 |
| Status | CLOSED EOL |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Dr. David Alan Gilbert <dgilbert> |
| Assignee | Fedora Virtualization Maintainers <virt-maint> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Docs Contact | |
| CC | amit, berrange, cfergeau, dinechin, dwmw2, fziglio, itamar, lmouillart, pbonzini, rjones, virt-maint |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-05-26 17:53:52 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | 1539793: libvirt xml description for failing VM |
Description
Dr. David Alan Gilbert
2019-02-28 15:50:26 UTC
Created attachment 1539793 [details]
libvirt xml description for failing VM

I would try launching the VM manually without libvirt and compiling QEMU with address sanitizer enabled, so as to catch the corruption when it's happening.

OK, I can reproduce outside of libvirt connecting with:

remote-viewer spice+unix:///tmp/spice.sock

to

LC_ALL=C PATH=/usr/lib64/ccache:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/home/dgilbert/.local/bin:/home/dgilbert/bin HOME=/home/dgilbert USER=dgilbert LOGNAME=dgilbert QEMU_AUDIO_DRV=spice /usr/bin/qemu-kvm -name guest=fedora29,debug-threads=on -S -machine pc-q35-3.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off -cpu Skylake-Client-IBRS,ss=on,vmx=on,hypervisor=on,tsc_adjust=on,clflushopt=on,ssbd=on,xsaves=on,pdpe1gb=on -m 4096 -realtime mlock=off -smp 4,sockets=4,cores=1,threads=1 -uuid d070c898-4323-46f6-b8c2-566061a2f88d -no-user-config -nodefaults -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global ICH9-LPC.disable_s3=1 -global ICH9-LPC.disable_s4=1 -boot strict=on -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 -device pcie-root-port,port=0x14,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4 -device pcie-root-port,port=0x15,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5 -device pcie-root-port,port=0x16,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6 -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.2,addr=0x0 -device virtio-serial-pci,id=virtio-serial0,bus=pci.3,addr=0x0 -drive file=/home/vmimages/fedora29.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 -device virtio-blk-pci,scsi=off,bus=pci.4,addr=0x0,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive if=none,id=drive-sata0-0-0,media=cdrom,readonly=on -device ide-cd,bus=ide.0,drive=drive-sata0-0-0,id=sata0-0-0 -netdev user,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:c3:dc:36,bus=pci.1,addr=0x0 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel1,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 -device usb-tablet,id=input0,bus=usb.0,port=1 -spice unix,addr=/tmp/spice.sock,disable-ticketing,image-compression=off,gl=on,seamless-migration=on -device virtio-vga,id=video0,virgl=on,max_outputs=1,bus=pcie.0,addr=0x1 -device ich9-intel-hda,id=sound0,bus=pcie.0,addr=0x1b -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -chardev spicevmc,id=charredir0,name=usbredir -device usb-redir,chardev=charredir0,id=redir0,bus=usb.0,port=2 -chardev spicevmc,id=charredir1,name=usbredir -device usb-redir,chardev=charredir1,id=redir1,bus=usb.0,port=3 -device virtio-balloon-pci,id=balloon0,bus=pci.5,addr=0x0 -object rng-random,id=objrng0,filename=/dev/urandom -device virtio-rng-pci,rng=objrng0,id=rng0,bus=pci.6,addr=0x0 -sandbox off,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on -monitor stdio

Unfortunately the head build of qemu hangs with this, but if I cut off the usb-redir stuff I get a similar linked list corrupted:

(qemu) gl_version 45 - core profile enabled
malloc(): unsorted double linked list corrupted
./z: line 2: 29669 Aborted (core dumped) LC_ALL=C PATH=/usr/lib64/ccache:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/home/dgilbert/.local/bin:/home/dgilbert/bin HOME=/home/dgilbert USER=dgilbert LOGNAME=dgilbert QEMU_AUDIO_DRV=spice $QEMU -name guest=fedora29,debug-threads=on -S -machine pc-q35-3.0,accel=kvm,usb=off,vmport=off,dump-guest-core=off -cpu Skylake-Client-IBRS,ss=on,vmx=on,hypervisor=on,tsc_adjust=on,clflushopt=on,ssbd=on,xsaves=on,pdpe1gb=on -m 4096 -realtime mlock=off -smp 4,sockets=4,cores=1,threads=1 -uuid d070c898-4323-46f6-b8c2-566061a2f88d -no-user-config -nodefaults -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=delay -no-hpet -no-shutdown -global ICH9-LPC.disable_s3=1 -global ICH9-LPC.disable_s4=1 -boot strict=on -device pcie-root-port,port=0x10,chassis=1,id=pci.1,bus=pcie.0,multifunction=on,addr=0x2 -device pcie-root-port,port=0x11,chassis=2,id=pci.2,bus=pcie.0,addr=0x2.0x1 -device pcie-root-port,port=0x12,chassis=3,id=pci.3,bus=pcie.0,addr=0x2.0x2 -device pcie-root-port,port=0x13,chassis=4,id=pci.4,bus=pcie.0,addr=0x2.0x3 -device pcie-root-port,port=0x14,chassis=5,id=pci.5,bus=pcie.0,addr=0x2.0x4 -device pcie-root-port,port=0x15,chassis=6,id=pci.6,bus=pcie.0,addr=0x2.0x5 -device pcie-root-port,port=0x16,chassis=7,id=pci.7,bus=pcie.0,addr=0x2.0x6 -device qemu-xhci,p2=15,p3=15,id=usb,bus=pci.2,addr=0x0 -device virtio-serial-pci,id=virtio-serial0,bus=pci.3,addr=0x0 -drive file=/home/vmimages/fedora29.qcow2,format=qcow2,if=none,id=drive-virtio-disk0 -device virtio-blk-pci,scsi=off,bus=pci.4,addr=0x0,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive if=none,id=drive-sata0-0-0,media=cdrom,readonly=on -device ide-cd,bus=ide.0,drive=drive-sata0-0-0,id=sata0-0-0 -netdev user,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:c3:dc:36,bus=pci.1,addr=0x0 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel1,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 -device usb-tablet,id=input0,bus=usb.0,port=1 -spice unix,addr=/tmp/spice.sock,disable-ticketing,image-compression=off,gl=on,seamless-migration=on -device virtio-vga,id=video0,virgl=on,max_outputs=1,bus=pcie.0,addr=0x1 -device ich9-intel-hda,id=sound0,bus=pcie.0,addr=0x1b -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.5,addr=0x0 -object rng-random,id=objrng0,filename=/dev/urandom -device virtio-rng-pci,rng=objrng0,id=rng0,bus=pci.6,addr=0x0 -sandbox off,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -msg timestamp=on -monitor stdio

This time the backtrace has:

#0  0x00007f715a30353f in raise () at /lib64/libc.so.6
#1  0x00007f715a2ed895 in abort () at /lib64/libc.so.6
#2  0x00007f715a346927 in __libc_message () at /lib64/libc.so.6
#3  0x00007f715a34d25c in () at /lib64/libc.so.6
#4  0x00007f715a34ea6c in _int_free () at /lib64/libc.so.6
#5  0x00007f714e0bf2fb in () at /usr/lib64/dri/i965_dri.so
#6  0x00007f714e2f3242 in () at /usr/lib64/dri/i965_dri.so
#7  0x00007f714e3c74bc in () at /usr/lib64/dri/i965_dri.so
#8  0x00007f714e3c9e55 in () at /usr/lib64/dri/i965_dri.so
#9  0x00007f714e3c2933 in () at /usr/lib64/dri/i965_dri.so
#10 0x00007f714e2f6bfe in () at /usr/lib64/dri/i965_dri.so
#11 0x00007f714e150cc4 in () at /usr/lib64/dri/i965_dri.so
#12 0x00007f715d0a5fcf in vrend_compile_shader (ctx=0x55f436956b90, shader=0x55f436a60fd0) at vrend_renderer.c:585
#13 0x00007f715d0a85b2 in vrend_shader_create (key=..., shader=0x55f436a60fd0, ctx=0x55f436956b90) at vrend_renderer.c:2069
#14 0x00007f715d0a85b2 in vrend_shader_select (ctx=ctx@entry=0x55f436956b90, sel=sel@entry=0x55f436a67eb0, dirty=dirty@entry=0x0) at vrend_renderer.c:2110
#15 0x00007f715d0b252f in vrend_finish_shader (tokens=0x55f436a57040, sel=0x55f436a67eb0, ctx=0x55f436956b90) at vrend_renderer.c:2150
#16 0x00007f715d0b252f in vrend_create_shader (ctx=0x55f436956b90, handle=1250, so_info=so_info@entry=0x7ffc553ba4b0, shd_text=0x55f436a9462c "FRAG\nPROPERTY FS_COLOR0_WRITES_ALL_CBUFS 1\nDCL IN[0].xy, GENERIC[9], PERSPECTIVE\nDCL OUT[0], COLOR\nDCL SAMP[0]\nDCL SVIEW[0], 2D, FLOAT\nDCL CONST[0..2]\nDCL TEMP[0..6], LOCAL\nIMM[0] UINT32 {4294967295, "..., offlen=<optimized out>, offlen@entry=5262, num_tokens=<optimized out>, type=<optimized out>, pkt_length=<optimized out>) at vrend_renderer.c:2260
#17 0x00007f715d0bb060 in vrend_decode_create_shader (ctx=ctx@entry=0x55f4369730d0, handle=handle@entry=1250, length=length@entry=1321) at vrend_decode.c:107
#18 0x00007f715d0bc5a4 in vrend_decode_create_object (length=1321, ctx=0x55f4369730d0) at vrend_decode.c:674
#19 0x00007f715d0bc5a4 in vrend_decode_block (ctx_id=<optimized out>, block=block@entry=0x55f436a94530, ndw=<optimized out>) at vrend_decode.c:1158
#20 0x00007f715d0a5711 in virgl_renderer_submit_cmd (buffer=buffer@entry=0x55f436a94530, ctx_id=<optimized out>, ndw=<optimized out>) at virglrenderer.c:91
#21 0x000055f433f59fd0 in virgl_cmd_submit_3d (cmd=0x55f43751b710, g=0x55f437bc8b00) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:217
#22 0x000055f433f59fd0 in virtio_gpu_virgl_process_cmd (g=g@entry=0x55f437bc8b00, cmd=cmd@entry=0x55f43751b710) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:422
#23 0x000055f433f573f8 in virtio_gpu_process_cmdq (g=g@entry=0x55f437bc8b00) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:938
#24 0x000055f433f58a6a in virtio_gpu_handle_ctrl (vq=0x55f437cef2c0, vdev=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:986
#25 0x000055f433f58a6a in virtio_gpu_ctrl_bh (opaque=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:998
#26 0x000055f434336eee in aio_bh_call (bh=0x55f437d0f320) at /home/dgilbert/git/qemu/util/async.c:118

which looks much more fun.

I rebuilt with asan; it of course didn't crash. Just gave a horribly corrupted display.

The actual backtraces are mostly non-repeatable; I'm setting M_PERTURB, which is tending to change them a bit, but

(gdb) where
#0  0x00007f1d0f02689c in vrend_fb_bind_texture (res=0x5581f3bd4a00, idx=0, level=0, layer=0) at vrend_renderer.c:1342
#1  0x00007f1d0f02c762 in vrend_set_framebuffer_state (ctx=0x5581f48de890, nr_cbufs=1, surf_handle=surf_handle@entry=0x7ffdae9069f0, zsurf_handle=<optimized out>) at vrend_renderer.c:1527
#2  0x00007f1d0f039d49 in vrend_decode_set_framebuffer_state (length=3, ctx=0x5581f3c357f0) at vrend_decode.c:145
#3  0x00007f1d0f039d49 in vrend_decode_block (ctx_id=<optimized out>, block=block@entry=0x5581f3e7f280, ndw=<optimized out>) at vrend_decode.c:1173
#4  0x00007f1d0f023711 in virgl_renderer_submit_cmd (buffer=buffer@entry=0x5581f3e7f280, ctx_id=<optimized out>, ndw=<optimized out>) at virglrenderer.c:91
#5  0x00005581f1d850b0 in virgl_cmd_submit_3d (cmd=0x5581f3bcd190, g=0x5581f4dd2900) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:217
#6  0x00005581f1d850b0 in virtio_gpu_virgl_process_cmd (g=g@entry=0x5581f4dd2900, cmd=cmd@entry=0x5581f3bcd190) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:422
#7  0x00005581f1d824d8 in virtio_gpu_process_cmdq (g=g@entry=0x5581f4dd2900) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:938
#8  0x00005581f1d83b4a in virtio_gpu_handle_ctrl (vq=0x5581f4ef9920, vdev=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:986
#9  0x00005581f1d83b4a in virtio_gpu_ctrl_bh (opaque=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:998
#10 0x00005581f215f94e in aio_bh_call (bh=0x5581f4f19980) at /home/dgilbert/git/qemu/util/async.c:118
#11 0x00005581f215f94e in aio_bh_poll (ctx=ctx@entry=0x5581f3273780) at /home/dgilbert/git/qemu/util/async.c:118
#12 0x00005581f2162f00 in aio_dispatch (ctx=0x5581f3273780) at /home/dgilbert/git/qemu/util/aio-posix.c:460
#13 0x00005581f215f82e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at /home/dgilbert/git/qemu/util/async.c:261
#14 0x00007f1d0eed406d in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#15 0x00005581f2162118 in glib_pollfds_poll () at /home/dgilbert/git/qemu/util/main-loop.c:215
#16 0x00005581f2162118 in os_host_main_loop_wait (timeout=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:238
#17 0x00005581f2162118 in main_loop_wait (nonblocking=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:514
#18 0x00005581f1e60209 in main_loop () at /home/dgilbert/git/qemu/vl.c:1923
#19 0x00005581f1ce49ef in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/dgilbert/git/qemu/vl.c:4578

and:

Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
vrend_get_iovec_size (iov=0x55df2b448ff8, iov@entry=0x55df29727508, iovlen=<optimized out>, iovlen@entry=1392850536) at iov.c:48
48	iov.c: No such file or directory.
(gdb) where
#0  0x00007f98fda48dd0 in vrend_get_iovec_size (iov=0x55df2b448ff8, iov@entry=0x55df29727508, iovlen=<optimized out>, iovlen@entry=1392850536) at iov.c:48
#1  0x00007f98fda31f22 in check_iov_bounds (info=info@entry=0x7ffc237546e0, iov=iov@entry=0x55df29727508, num_iovs=num_iovs@entry=1392850536, res=<optimized out>, res=<optimized out>) at vrend_renderer.c:4517
#2  0x00007f98fda3ba57 in vrend_renderer_transfer_iov (info=info@entry=0x7ffc237546e0, transfer_mode=transfer_mode@entry=1) at vrend_renderer.c:5050
#3  0x00007f98fda3077a in virgl_renderer_transfer_write_iov (handle=handle@entry=71, ctx_id=<optimized out>, level=<optimized out>, stride=<optimized out>, layer_stride=<optimized out>, box=box@entry=0x7ffc237547c8, offset=0, iovec=0x0, iovec_cnt=0) at virglrenderer.c:116
#4  0x000055df26ee2c71 in virgl_cmd_transfer_to_host_3d (g=0x55df2a86cc40, cmd=0x55df2a377260, cmd=0x55df2a377260) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:256
#5  0x000055df26ee2c71 in virtio_gpu_virgl_process_cmd (g=g@entry=0x55df2a86cc40, cmd=cmd@entry=0x55df2a377260) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:428
#6  0x000055df26ee04d8 in virtio_gpu_process_cmdq (g=g@entry=0x55df2a86cc40) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:938
#7  0x000055df26ee1b4a in virtio_gpu_handle_ctrl (vq=0x55df2a993300, vdev=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:986
#8  0x000055df26ee1b4a in virtio_gpu_ctrl_bh (opaque=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:998
#9  0x000055df272bd94e in aio_bh_call (bh=0x55df2a9b3360) at /home/dgilbert/git/qemu/util/async.c:118
#10 0x000055df272bd94e in aio_bh_poll (ctx=ctx@entry=0x55df28d0d780) at /home/dgilbert/git/qemu/util/async.c:118
#11 0x000055df272c0f00 in aio_dispatch (ctx=0x55df28d0d780) at /home/dgilbert/git/qemu/util/aio-posix.c:460
#12 0x000055df272bd82e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at /home/dgilbert/git/qemu/util/async.c:261
#13 0x00007f98fd8e106d in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#14 0x000055df272c0118 in glib_pollfds_poll () at /home/dgilbert/git/qemu/util/main-loop.c:215
#15 0x000055df272c0118 in os_host_main_loop_wait (timeout=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:238
#16 0x000055df272c0118 in main_loop_wait (nonblocking=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:514
#17 0x000055df26fbe209 in main_loop () at /home/dgilbert/git/qemu/vl.c:1923
#18 0x000055df26e429ef in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/dgilbert/git/qemu/vl.c:4578
(gdb) q

are just two very different backtraces.

Testing with current head virgl-renderer (why is the f29 version so old?):

Standard build behaves the same.

Debug build fails with:

vrend_formats.c:545:vrend_renderer_query_multisample_caps: Assertion `epoxy_glGetError() == 0 && "Stale error state detected, please check for failures in initialization"' failed.
(gdb) where
#0  0x00007f319dfa3f66 in _debug_assert_fail (expr=expr@entry=0x7f319dfb03c8 "epoxy_glGetError() == 0 && \"Stale error state detected, please check for failures in initialization\"", file=file@entry=0x7f319dfb042d "vrend_formats.c", line=line@entry=545, function=function@entry=0x7f319dfb0440 <__func__.36408> "vrend_renderer_query_multisample_caps") at util/u_debug.c:308
#1  0x00007f319df929b7 in vrend_renderer_query_multisample_caps (max_samples=16, caps=caps@entry=0x558fe0a10fb8) at vrend_formats.c:579
#2  0x00007f319df7220e in vrend_renderer_fill_caps_v2 (caps=0x558fe0a10fb8, gles_ver=0, gl_ver=45) at vrend_renderer.c:8522
#3  0x00007f319df7220e in vrend_renderer_fill_caps (set=<optimized out>, version=<optimized out>, caps=caps@entry=0x558fe0a10fb8) at vrend_renderer.c:8676
#4  0x00007f319df61705 in virgl_renderer_fill_caps (set=<optimized out>, version=<optimized out>, caps=caps@entry=0x558fe0a10fb8) at virglrenderer.c:93
#5  0x0000558fdc414196 in virgl_cmd_get_capset (cmd=0x558fdeffb570, g=0x558fe0651640) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:395
#6  0x0000558fdc414196 in virtio_gpu_virgl_process_cmd (g=g@entry=0x558fe0651640, cmd=cmd@entry=0x558fdeffb570) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:460
#7  0x0000558fdc4114d8 in virtio_gpu_process_cmdq (g=g@entry=0x558fe0651640) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:938
#8  0x0000558fdc412b4a in virtio_gpu_handle_ctrl (vq=0x558fe0777e10, vdev=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:986
#9  0x0000558fdc412b4a in virtio_gpu_ctrl_bh (opaque=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:998
#10 0x0000558fdc7ee94e in aio_bh_call (bh=0x558fe0797e70) at /home/dgilbert/git/qemu/util/async.c:118
#11 0x0000558fdc7ee94e in aio_bh_poll (ctx=ctx@entry=0x558fdeaf3780) at /home/dgilbert/git/qemu/util/async.c:118
#12 0x0000558fdc7f1f00 in aio_dispatch (ctx=0x558fdeaf3780) at /home/dgilbert/git/qemu/util/aio-posix.c:460
#13 0x0000558fdc7ee82e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at /home/dgilbert/git/qemu/util/async.c:261
#14 0x00007f319dded06d in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#15 0x0000558fdc7f1118 in glib_pollfds_poll () at /home/dgilbert/git/qemu/util/main-loop.c:215
#16 0x0000558fdc7f1118 in os_host_main_loop_wait (timeout=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:238
#17 0x0000558fdc7f1118 in main_loop_wait (nonblocking=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:514
#18 0x0000558fdc4ef209 in main_loop () at /home/dgilbert/git/qemu/vl.c:1923
#19 0x0000558fdc3739ef in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/dgilbert/git/qemu/vl.c:4578

very early on.

I've tried to reproduce in a variety of ways. I essentially took your exact XML and ran it either from user or system sessions. So far, everything seems to behave quite normally.

I've only extensively tested on a ThinkPad with Intel HD graphics, but unfortunately, that's i915 and not i965. That may be making a difference. The chipset driver may be playing a role, because it shows up in the stack trace in comment #3. Also, the other crash cases all point to relatively early init where a lot of setup is being done (e.g. one stack trace shows compilation of shaders). However, the connexion is not solid, because at least one person reported being unable to reproduce despite also having an i965 chipset.

So far, the tests I'm aware of are:

- Reliable crash on UHD Graphics 620. That's i965; i965 shows in at least one stack trace (dgilbert)
- No crash on P530, also i965 (eskultet)
- No crash on "Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09)" (i915) (cdupontd)
- No crash on Intel Corporation HD Graphics 630 (rev 04) (i915) (cdupontd)
- No crash on "NVIDIA Corporation GM206GL [Quadro M2000] (rev a1)" (cdupontd)
- Host graphics lost on "NVIDIA Corporation GF110 [GeForce GTX 580]", so not tested yet

So at this point, it looks like we have only one known machine that reliably reproduces the problem.

It might be that it's i965 specific, but it also could be image specific with my guest xfce setup.

(In reply to Dr. David Alan Gilbert from comment #9)
> It might be that it's i965 specific, but it also could be image specific with my guest xfce setup.

That's possible. Here is a new tidbit. I just noticed that on the HD630, glxgears reliably displays a black screen. So something in GL is broken. I did not see that on other machines. I'm going to try and install Tao3D to see if I can investigate more about this GL issue. Unclear if it is at all related to yours. I'll leave it running just in case it trips the malloc issue over time.

FYI: Still does it on f30-beta host using head of tree upstream qemu.

The backtraces still vary wildly; here are a couple that look almost sane:

(gdb) where
#0  0x00007fa9c8ab7eb5 in raise () at /lib64/libc.so.6
#1  0x00007fa9c8aa2895 in abort () at /lib64/libc.so.6
#2  0x00007fa9c8afaee7 in __libc_message () at /lib64/libc.so.6
#3  0x00007fa9c8b017bc in () at /lib64/libc.so.6
#4  0x00007fa9c8b0467c in _int_malloc () at /lib64/libc.so.6
#5  0x00007fa9c8b069d6 in calloc () at /lib64/libc.so.6
#6  0x00007fa9b7796086 in _mesa_new_framebuffer (ctx=<optimized out>, name=331) at ../src/mesa/main/framebuffer.c:112
#7  0x00007fa9b778e149 in bind_framebuffer (target=<optimized out>, framebuffer=331) at ../src/mesa/main/fbobject.c:2845
#8  0x00007fa9cb3a2c55 in vrend_transfer_send_readpixels (info=0x7ffc8f9e2820, num_iovs=1, iov=0x55afb3ab36d0, res=0x55afb3bde7c0, ctx=<optimized out>) at vrend_renderer.c:6432
#9  0x00007fa9cb3a2c55 in vrend_renderer_transfer_send_iov (info=0x7ffc8f9e2820, num_iovs=1, iov=0x55afb3ab36d0, res=0x55afb3bde7c0, ctx=<optimized out>) at vrend_renderer.c:6600
#10 0x00007fa9cb3a2c55 in vrend_renderer_transfer_iov (info=info@entry=0x7ffc8f9e2820, transfer_mode=transfer_mode@entry=2) at vrend_renderer.c:6666
#11 0x00007fa9cb393dca in virgl_renderer_transfer_read_iov (handle=handle@entry=78, ctx_id=<optimized out>, level=<optimized out>, stride=<optimized out>, layer_stride=<optimized out>, box=box@entry=0x7ffc8f9e2908, offset=0, iovec=0x0, iovec_cnt=0) at virglrenderer.c:147
#12 0x000055afb1c84ff4 in virgl_cmd_transfer_from_host_3d (g=<optimized out>, cmd=<optimized out>, cmd=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:274
#13 0x000055afb1c84ff4 in virtio_gpu_virgl_process_cmd (g=g@entry=0x55afb4e2b0a0, cmd=cmd@entry=0x55afb394c590) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:431
#14 0x000055afb1c82bc3 in virtio_gpu_process_cmdq (g=g@entry=0x55afb4e2b0a0) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:938
#15 0x000055afb1c842aa in virtio_gpu_handle_ctrl (vq=0x55afb4f52fb0, vdev=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:986
#16 0x000055afb1c842aa in virtio_gpu_ctrl_bh (opaque=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:998
#17 0x000055afb206857c in aio_bh_call (bh=0x55afb4f0e7e0) at /home/dgilbert/git/qemu/util/async.c:118
#18 0x000055afb206857c in aio_bh_poll (ctx=ctx@entry=0x55afb32d9260) at /home/dgilbert/git/qemu/util/async.c:118
#19 0x000055afb206bbc0 in aio_dispatch (ctx=0x55afb32d9260) at /home/dgilbert/git/qemu/util/aio-posix.c:460
#20 0x000055afb206844e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at /home/dgilbert/git/qemu/util/async.c:261
#21 0x00007fa9cb238fa0 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#22 0x000055afb206ada8 in glib_pollfds_poll () at /home/dgilbert/git/qemu/util/main-loop.c:213
#23 0x000055afb206ada8 in os_host_main_loop_wait (timeout=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:236
#24 0x000055afb206ada8 in main_loop_wait (nonblocking=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:512
#25 0x000055afb1d72239 in main_loop () at /home/dgilbert/git/qemu/vl.c:1970
#26 0x000055afb1bdff95 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/dgilbert/git/qemu/vl.c:4604

---

#0  0x00007fb955864eb5 in raise () at /lib64/libc.so.6
#1  0x00007fb95584f895 in abort () at /lib64/libc.so.6
#2  0x00007fb9558a7ee7 in __libc_message () at /lib64/libc.so.6
#3  0x00007fb9558ae7bc in () at /lib64/libc.so.6
#4  0x00007fb9558b167c in _int_malloc () at /lib64/libc.so.6
#5  0x00007fb9558b39d6 in calloc () at /lib64/libc.so.6
#6  0x00007fb9485a928b in make_surface (brw=brw@entry=0x556e6086fe30, target=target@entry=3553, format=format@entry=MESA_FORMAT_R8G8B8A8_UNORM, first_level=first_level@entry=0, last_level=last_level@entry=0, width0=width0@entry=24, height0=24, depth0=1, num_samples=1, tiling_flags=1, isl_usage_flags=9, alloc_flags=0, row_pitch_B=96, bo=0x556e60b9a610) at ../src/mesa/drivers/dri/i965/intel_mipmap_tree.c:556
#7  0x00007fb9485a9d00 in intel_miptree_create_for_bo (brw=brw@entry=0x556e6086fe30, bo=bo@entry=0x556e60b9a610, format=format@entry=MESA_FORMAT_R8G8B8A8_UNORM, offset=0, width=width@entry=24, height=height@entry=24, depth=1, pitch=96, tiling=ISL_TILING_LINEAR, flags=MIPTREE_CREATE_DEFAULT) at ../src/mesa/drivers/dri/i965/intel_mipmap_tree.c:828
#8  0x00007fb9485747db in brw_blorp_upload_miptree (brw=brw@entry=0x556e6086fe30, dst_mt=0x556e609fd750, dst_format=MESA_FORMAT_R8G8B8A8_UNORM, level=level@entry=0, x=x@entry=0, y=y@entry=0, z=0, width=24, height=24, depth=1, target=3553, format=6408, type=5121, pixels=0x7fb8f8a3e000, packing=0x556e60879838) at ../src/mesa/drivers/dri/i965/brw_blorp.c:1004
#9  0x00007fb9485b366f in intel_texsubimage_blorp (dims=2, packing=0x556e60879838, pixels=0x7fb8f8a3e000, type=5121, format=6408, depth=1, height=24, width=24, z=0, y=0, x=0, tex_image=0x556e60a72840, brw=0x556e6086fe30) at ../src/mesa/drivers/dri/i965/intel_tex_image.c:146
#10 0x00007fb9485b366f in intel_upload_tex (ctx=0x556e6086fe30, dims=2, texImage=0x556e60a72840, xoffset=0, yoffset=0, zoffset=0, width=24, height=24, depth=1, format=6408, type=5121, pixels=0x7fb8f8a3e000, packing=0x556e60879838) at ../src/mesa/drivers/dri/i965/intel_tex_image.c:331
#11 0x00007fb9486cf8b7 in texture_sub_image (ctx=0x556e6086fe30, dims=2, texObj=0x556e60c1afe0, texImage=0x556e60a72840, target=3553, level=0, xoffset=<optimized out>, yoffset=0, zoffset=0, width=24, height=24, depth=1, format=6408, type=5121, pixels=0x7fb8f8a3e000) at ../src/mesa/main/teximage.c:3333
#12 0x00007fb9486d2249 in texsubimage_err (callerName=0x7fb948c2a458 "glTexSubImage2D", pixels=0x7fb8f8a3e000, type=5121, format=6408, depth=1, height=24, width=24, zoffset=0, yoffset=0, xoffset=0, level=0, target=3553, dims=2, ctx=0x556e6086fe30) at ../src/mesa/main/teximage.c:3391
#13 0x00007fb9486d2249 in texsubimage_err (ctx=0x556e6086fe30, dims=2, target=3553, level=0, xoffset=0, yoffset=0, zoffset=0, width=24, height=24, depth=1, format=6408, type=5121, pixels=0x7fb8f8a3e000, callerName=0x7fb948c2a458 "glTexSubImage2D") at ../src/mesa/main/teximage.c:3353
#14 0x00007fb9486d5859 in _mesa_TexSubImage2D (target=<optimized out>, level=<optimized out>, xoffset=<optimized out>, yoffset=<optimized out>, width=<optimized out>, height=<optimized out>, format=6408, type=5121, pixels=0x7fb8f8a3e000) at ../src/mesa/main/teximage.c:3609
#15 0x00007fb95814769e in vrend_renderer_transfer_write_iov (ctx=ctx@entry=0x556e60704610, res=res@entry=0x556e60d7b490, iov=iov@entry=0x556e60baefa0, num_iovs=num_iovs@entry=1, info=info@entry=0x7fff9f9ef860) at vrend_renderer.c:6260
#16 0x00007fb95814fa1c in vrend_renderer_transfer_iov (info=info@entry=0x7fff9f9ef860, transfer_mode=transfer_mode@entry=1) at vrend_renderer.c:6663
#17 0x00007fb958140d4a in virgl_renderer_transfer_write_iov (handle=handle@entry=79, ctx_id=<optimized out>, level=<optimized out>, stride=<optimized out>, layer_stride=<optimized out>, box=box@entry=0x7fff9f9ef948, offset=0, iovec=0x0, iovec_cnt=0) at virglrenderer.c:125
#18 0x0000556e5d654f5d in virgl_cmd_transfer_to_host_3d (g=<optimized out>, cmd=<optimized out>, cmd=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:256
#19 0x0000556e5d654f5d in virtio_gpu_virgl_process_cmd (g=g@entry=0x556e61e8f0a0, cmd=cmd@entry=0x556e60cde020) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:428
#20 0x0000556e5d652bc3 in virtio_gpu_process_cmdq (g=g@entry=0x556e61e8f0a0) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:938
#21 0x0000556e5d6542aa in virtio_gpu_handle_ctrl (vq=0x556e61fb6fb0, vdev=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:986
#22 0x0000556e5d6542aa in virtio_gpu_ctrl_bh (opaque=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:998
#23 0x0000556e5da3857c in aio_bh_call (bh=0x556e61f727e0) at /home/dgilbert/git/qemu/util/async.c:118
#24 0x0000556e5da3857c in aio_bh_poll (ctx=ctx@entry=0x556e6033d260) at /home/dgilbert/git/qemu/util/async.c:118
#25 0x0000556e5da3bbc0 in aio_dispatch (ctx=0x556e6033d260) at /home/dgilbert/git/qemu/util/aio-posix.c:460
#26 0x0000556e5da3844e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at /home/dgilbert/git/qemu/util/async.c:261
#27 0x00007fb957fe5fa0 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#28 0x0000556e5da3ada8 in glib_pollfds_poll () at /home/dgilbert/git/qemu/util/main-loop.c:213
#29 0x0000556e5da3ada8 in os_host_main_loop_wait (timeout=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:236
#30 0x0000556e5da3ada8 in main_loop_wait (nonblocking=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:512
#31 0x0000556e5d742239 in main_loop () at /home/dgilbert/git/qemu/vl.c:1970
#32 0x0000556e5d5aff95 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/dgilbert/git/qemu/vl.c:4604

From the virgl_cmd_transfer_to_host_3d frame:

(gdb) p t3d
$7 = {hdr = {type = 517, flags = 1, fence_id = 6964, ctx_id = 1, padding = 0}, box = {x = 0, y = 0, z = 0, w = 24, h = 24, d = 1}, offset = 0, resource_id = 79, level = 0, stride = 0, layer_stride = 0}

---

#0  0x00007fe1c6a89eb5 in raise () at /lib64/libc.so.6
#1  0x00007fe1c6a74895 in abort () at /lib64/libc.so.6
#2  0x00007fe1c6accee7 in __libc_message () at /lib64/libc.so.6
#3  0x00007fe1c6ad37bc in () at /lib64/libc.so.6
#4  0x00007fe1c6ad51cc in _int_free () at /lib64/libc.so.6
#5  0x00007fe1c9371a7f in vrend_resource_reference (tex=0x0, ptr=0x55c21eb51398) at vrend_renderer.h:356
#6  0x00007fe1c9371a7f in vrend_destroy_surface (surf=0x55c21eb51380) at vrend_renderer.c:741
#7  0x00007fe1c9371bf1 in vrend_surface_reference (surf=0x55c21ef38cc0, ptr=<optimized out>) at vrend_renderer.c:751
#8  0x00007fe1c9371bf1 in vrend_set_framebuffer_state (ctx=0x55c21e9c8c00, nr_cbufs=1, surf_handle=surf_handle@entry=0x7ffc3fee5b90, zsurf_handle=<optimized out>) at vrend_renderer.c:2058
#9  0x00007fe1c938c84f in vrend_decode_set_framebuffer_state (length=3, ctx=0x55c21e4c2aa0) at vrend_decode.c:156
#10 0x00007fe1c938c84f in vrend_decode_block (ctx_id=<optimized out>, block=block@entry=0x55c21eb50790, ndw=<optimized out>) at vrend_decode.c:1377
#11 0x00007fe1c9365ce1 in virgl_renderer_submit_cmd (buffer=buffer@entry=0x55c21eb50790, ctx_id=<optimized out>, ndw=<optimized out>) at virglrenderer.c:100
#12 0x000055c21d7006a2 in virgl_cmd_submit_3d (cmd=0x55c21edd0ba0, g=0x55c220173100) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:217
#13 0x000055c21d7006a2 in virtio_gpu_virgl_process_cmd (g=g@entry=0x55c220173100, cmd=cmd@entry=0x55c21edd0ba0) at /home/dgilbert/git/qemu/hw/display/virtio-gpu-3d.c:422
#14 0x000055c21d6fdbc3 in virtio_gpu_process_cmdq (g=g@entry=0x55c220173100) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:938
#15 0x000055c21d6ff2aa in virtio_gpu_handle_ctrl (vq=0x55c22029ae60, vdev=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:986
#16 0x000055c21d6ff2aa in virtio_gpu_ctrl_bh (opaque=<optimized out>) at /home/dgilbert/git/qemu/hw/display/virtio-gpu.c:998
#17 0x000055c21dae357c in aio_bh_call (bh=0x55c220256690) at /home/dgilbert/git/qemu/util/async.c:118
#18 0x000055c21dae357c in aio_bh_poll (ctx=ctx@entry=0x55c21e622260) at /home/dgilbert/git/qemu/util/async.c:118
#19 0x000055c21dae6bc0 in aio_dispatch (ctx=0x55c21e622260) at /home/dgilbert/git/qemu/util/aio-posix.c:460
#20 0x000055c21dae344e in aio_ctx_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>) at /home/dgilbert/git/qemu/util/async.c:261
#21 0x00007fe1c920afa0 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#22 0x000055c21dae5da8 in glib_pollfds_poll () at /home/dgilbert/git/qemu/util/main-loop.c:213
#23 0x000055c21dae5da8 in os_host_main_loop_wait (timeout=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:236
#24 0x000055c21dae5da8 in main_loop_wait (nonblocking=<optimized out>) at /home/dgilbert/git/qemu/util/main-loop.c:512
#25 0x000055c21d7ed239 in main_loop () at /home/dgilbert/git/qemu/vl.c:1970
#26 0x000055c21d65af95 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/dgilbert/git/qemu/vl.c:4604

They all happen just as the guest increases its desktop size after I log in, but before it's drawn anything.

This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

This message is a reminder that Fedora 30 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 30 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release.

If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.
