Bug 1048654

Summary: qemu-kvm crashed when using '-spice port=3000,disable-ticketing -device qxl,id=qxl-1'
Product: Red Hat Enterprise Linux 7
Reporter: Xiaoqing Wei <xwei>
Component: qemu-kvm
Assignee: Gerd Hoffmann <kraxel>
Status: CLOSED DUPLICATE
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 7.0
CC: acathrow, hhuang, juzhang, mazhang, michen, shuang, virt-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-15 15:40:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Description / Flags):
core dump - part 1 (none)
core dump - part 2 (none)
thread apply all bt full (none)

Description Xiaoqing Wei 2014-01-06 02:46:27 UTC
Description of problem:

qemu-kvm crashed when using '-spice port=3000,disable-ticketing -device qxl,id=qxl-1'

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-30.el7.x86_64
spice-server-0.12.4-3.el7.x86_64
seabios-bin-1.7.2.2-6.el7.x86_64
seavgabios-bin-1.7.2.2-6.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1./home/staf-kvm-devel/autotest-devel/client/tests/virt/qemu/qemu -monitor stdio -S -name 'virt-tests-vm1' -sandbox off -M pc -nodefaults -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20140103-011103-iBw6vAzE,server,nowait -mon chardev=qmp_id_qmpmonitor1,mode=control -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20140103-011103-iBw6vAzE,server,nowait -device isa-serial,chardev=serial_id_serial0 -chardev socket,id=seabioslog_id_20140103-011103-iBw6vAzE,path=/tmp/seabios-20140103-011103-iBw6vAzE,server,nowait -device isa-debugcon,chardev=seabioslog_id_20140103-011103-iBw6vAzE,iobase=0x402 -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/home/win7-32-virtio.qcow2 -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=04 -device virtio-net-pci,mac=9a:22:23:24:25:26,id=idEAV2Ng,netdev=idX0l904,bus=pci.0,addr=05 -netdev tap,id=idX0l904,vhost=on -m 2048 -smp 2,maxcpus=2,cores=1,threads=1,sockets=2 -cpu 'SandyBridge',hv_relaxed,hv_spinlocks=0x1fff,hv_vapic -drive id=drive_cd1,if=none,snapshot=off,aio=native,media=cdrom,file=/home/staf-kvm-devel/autotest-devel/client/tests/virt/shared/data/isos/windows/winutils.iso -device ide-cd,id=cd1,drive=drive_cd1,bootindex=1,bus=ide.0,unit=0 -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
 -spice port=3000,disable-ticketing -device qxl,id=qxl-1 \
 -rtc base=localtime,clock=host,driftfix=slew -boot order=cdn,once=c,menu=off -enable-kvm
2. enter 'c' to start the vm
3. remote-viewer spice://10.66.9.255:3000


Actual results:
(qemu) c
(qemu) main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 151.121000 ms, bitrate 485883748 bps (463.374851 Mbps)
(/home/staf-kvm-devel/autotest-devel/client/tests/virt/qemu/qemu:31336): Spice-ERROR **: reds.c:1464:reds_send_link_ack: assertion `link->link_mess->channel_type == SPICE_CHANNEL_MAIN' failed
Thread 5 (Thread 0x7f8aa9aa0700 (LWP 31347)):
#0  0x00007f8ab4c47890 in sem_timedwait () from /lib64/libpthread.so.0
#1  0x00007f8ab6f2dec7 in qemu_sem_timedwait (sem=sem@entry=0x7f8ab7f990e8, ms=ms@entry=10000) at util/qemu-thread-posix.c:238
#2  0x00007f8ab6de716c in worker_thread (opaque=0x7f8ab7f99050) at thread-pool.c:96
#3  0x00007f8ab4c41de3 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f8ab195f26d in clone () from /lib64/libc.so.6
Thread 4 (Thread 0x7f8aa909e700 (LWP 31348)):
#0  0x00007f8ab1956357 in ioctl () from /lib64/libc.so.6
#1  0x00007f8ab6e67b65 in kvm_vcpu_ioctl (cpu=cpu@entry=0x7f8ab8104de0, type=type@entry=44672) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1756
#2  0x00007f8ab6e67c9c in kvm_cpu_exec (env=env@entry=0x7f8ab8104ef0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1641
#3  0x00007f8ab6e108f5 in qemu_kvm_cpu_thread_fn (arg=0x7f8ab8104ef0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#4  0x00007f8ab4c41de3 in start_thread () from /lib64/libpthread.so.0
#5  0x00007f8ab195f26d in clone () from /lib64/libc.so.6
Thread 3 (Thread 0x7f8aa889d700 (LWP 31349)):
#0  0x00007f8ab1956357 in ioctl () from /lib64/libc.so.6
#1  0x00007f8ab6e67b65 in kvm_vcpu_ioctl (cpu=cpu@entry=0x7f8ab81340e0, type=type@entry=44672) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1756
#2  0x00007f8ab6e67c9c in kvm_cpu_exec (env=env@entry=0x7f8ab81341f0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1641
#3  0x00007f8ab6e108f5 in qemu_kvm_cpu_thread_fn (arg=0x7f8ab81341f0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#4  0x00007f8ab4c41de3 in start_thread () from /lib64/libpthread.so.0
#5  0x00007f8ab195f26d in clone () from /lib64/libc.so.6
Thread 2 (Thread 0x7f8a135ff700 (LWP 31351)):
#0  0x00007f8ab1954c9d in poll () from /lib64/libc.so.6
#1  0x00007f8ab2632ecf in poll (__timeout=<optimized out>, __nfds=20, __fds=0x7f8a0c0008f8) at /usr/include/bits/poll2.h:46
#2  red_worker_main (arg=<optimized out>) at red_worker.c:12245
#3  0x00007f8ab4c41de3 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f8ab195f26d in clone () from /lib64/libc.so.6
Thread 1 (Thread 0x7f8ab6bb7a00 (LWP 31336)):
#0  0x00007f8ab4c4824d in read () from /lib64/libpthread.so.0
#1  0x00007f8ab264bd71 in read (__nbytes=255, __buf=0x7fffe52a2960, __fd=<optimized out>) at /usr/include/bits/unistd.h:44
#2  spice_backtrace_gstack () at backtrace.c:100
#3  0x00007f8ab264beb9 in spice_backtrace () at backtrace.c:131
#4  0x00007f8ab2653517 in spice_logv (log_domain=0x7f8ab26c91c6 "Spice", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f8ab26d4b53 "reds.c:1464", function=0x7f8ab26d67e0 <__FUNCTION__.30572> "reds_send_link_ack", format=0x7f8ab26c919e "assertion `%s' failed", args=args@entry=0x7fffe52a2af8) at log.c:108
#5  0x00007f8ab2653668 in spice_log (log_domain=log_domain@entry=0x7f8ab26c91c6 "Spice", log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, strloc=strloc@entry=0x7f8ab26d4b53 "reds.c:1464", function=function@entry=0x7f8ab26d67e0 <__FUNCTION__.30572> "reds_send_link_ack", format=format@entry=0x7f8ab26c919e "assertion `%s' failed") at log.c:123
#6  0x00007f8ab263cb97 in reds_send_link_ack (link=0x7f8ab811f640) at reds.c:1464
#7  reds_handle_read_link_done (opaque=0x7f8ab811f640) at reds.c:2726
#8  0x00007f8ab263be36 in spice_server_add_client (s=<optimized out>, socket=socket@entry=31, skip_auth=skip_auth@entry=0) at reds.c:2997
#9  0x00007f8ab263be9a in reds_accept (fd=<optimized out>, event=<optimized out>, data=<optimized out>) at reds.c:2974
#10 0x00007f8ab6d8efae in qemu_iohandler_poll (pollfds=0x7f8ab7f69800, ret=ret@entry=1) at iohandler.c:143
#11 0x00007f8ab6d94688 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:465
#12 0x00007f8ab6c98ae0 in main_loop () at vl.c:1984
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343
2008r2.sh: line 28: 31336 Aborted                 (core dumped) 

echo $?
134

Expected results:
qemu-kvm runs successfully, no core dump

Additional info:

Comment 2 Xiaoqing Wei 2014-01-06 05:01:35 UTC
Change to use

   -spice port=3000,disable-ticketing \
    -vga qxl \


and qemu runs well.

Comment 3 Xiaoqing Wei 2014-01-06 05:17:27 UTC
Created attachment 845910 [details]
core dump - part 1

cat xaa xab > coredump.tar.xz

tar xJf coredump.tar.xz

Comment 4 Xiaoqing Wei 2014-01-06 05:19:31 UTC
Created attachment 845911 [details]
core dump - part 2

Comment 5 Xiaoqing Wei 2014-01-06 05:20:38 UTC
Created attachment 845912 [details]
thread apply all bt full

Comment 6 mazhang 2014-01-08 07:34:38 UTC
Just had a try: "-device qxl" works with "-vga qxl", and core dumps with "-vga cirrus" and "-vga std".

Host:
qemu-kvm-1.5.3-31.el7.x86_64
kernel-3.10.0-66.el7.x86_64

Result:
Starting program: /usr/libexec/qemu-kvm -monitor stdio -qmp tcp:0:6666,server,nowait -boot menu=on -spice port=5900,disable-ticketing -vga cirrus -device qxl,id=qxl0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) [New Thread 0x7fffeabb9700 (LWP 8290)]
[New Thread 0x7fffd3fff700 (LWP 8292)]

(qemu) 
(qemu) 
(qemu) main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 0.553000 ms, bitrate 532916991 bps (508.229247 Mbps)
(/usr/bin/gdb:8284): Spice-ERROR **: reds.c:1464:reds_send_link_ack: assertion `link->link_mess->channel_type == SPICE_CHANNEL_MAIN' failed
Detaching after fork from child process 8293.

Program received signal SIGABRT, Aborted.
0x00007ffff2cb2979 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.27.2-1.el7.x86_64 celt051-0.5.1.3-6.el7.x86_64 cyrus-sasl-lib-2.1.26-13.el7.x86_64 cyrus-sasl-md5-2.1.26-13.el7.x86_64 cyrus-sasl-plain-2.1.26-13.el7.x86_64 cyrus-sasl-scram-2.1.26-13.el7.x86_64 dbus-libs-1.6.12-6.el7.x86_64 flac-libs-1.3.0-2.el7.x86_64 glib2-2.36.3-2.el7.x86_64 glibc-2.17-40.el7.x86_64 glusterfs-api-3.4.0.51rhs-1.el7.x86_64 glusterfs-libs-3.4.0.51rhs-1.el7.x86_64 gmp-5.1.1-3.el7.x86_64 gnutls-3.1.16-1.el7.x86_64 gsm-1.0.13-9.el7.x86_64 json-c-0.11-1.el7.x86_64 keyutils-libs-1.5.8-1.el7.x86_64 krb5-libs-1.11.3-37.el7.x86_64 libICE-1.0.8-5.el7.x86_64 libSM-1.2.1-5.el7.x86_64 libX11-1.6.0-1.el7.x86_64 libXau-1.0.8-1.el7.x86_64 libXext-1.3.2-1.el7.x86_64 libXi-1.7.2-1.el7.x86_64 libXtst-1.2.2-1.el7.x86_64 libaio-0.3.109-10.el7.x86_64 libasyncns-0.8-5.el7.x86_64 libattr-2.4.46-10.el7.x86_64 libcap-2.22-6.el7.x86_64 libcom_err-1.42.8-2.el7.x86_64 libdb-5.3.21-14.el7.x86_64 libgcc-4.8.2-7.el7.x86_64 libgcrypt-1.5.3-1.el7.x86_64 libgpg-error-1.12-1.el7.x86_64 libibverbs-1.1.7-3.el7.x86_64 libiscsi-1.9.0-4.el7.x86_64 libjpeg-turbo-1.2.90-3.el7.x86_64 libogg-1.3.0-5.el7.x86_64 libpng-1.5.13-2.el7.x86_64 librdmacm-1.0.17-1.el7.x86_64 libseccomp-2.1.1-0.el7.x86_64 libselinux-2.2.1-2.el7.x86_64 libsndfile-1.0.25-7.el7.x86_64 libtasn1-3.3-1.el7.x86_64 libusbx-1.0.15-2.el7.x86_64 libuuid-2.23.2-7.el7.x86_64 libvorbis-1.3.3-4.el7.x86_64 libxcb-1.9-3.el7.x86_64 nettle-2.6-3.el7.x86_64 nspr-4.10.2-2.el7.x86_64 nss-3.15.3-2.el7.x86_64 nss-softokn-freebl-3.15.3-1.el7.x86_64 nss-util-3.15.3-1.el7.x86_64 openssl-libs-1.0.1e-25.el7.x86_64 p11-kit-0.18.7-2.el7.x86_64 pcre-8.32-8.el7.x86_64 pixman-0.30.0-1.el7.x86_64 pulseaudio-libs-3.0-11.el7.x86_64 tcp_wrappers-libs-7.6-75.el7.x86_64 usbredir-0.6-5.el7.x86_64 xz-libs-5.1.2-5alpha.el7.x86_64 zlib-1.2.7-10.el7.x86_64
(gdb) bt full
#0  0x00007ffff2cb2979 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff2cb4088 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007ffff3a6751c in spice_logv (log_domain=0x7ffff3add1c6 "Spice", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7ffff3ae8b53 "reds.c:1464", 
    function=0x7ffff3aea7e0 <__FUNCTION__.30572> "reds_send_link_ack", format=0x7ffff3add19e "assertion `%s' failed", args=args@entry=0x7fffffffddb8) at log.c:109
        level = 0x7ffff3aed538 "ERROR"
#3  0x00007ffff3a67668 in spice_log (log_domain=log_domain@entry=0x7ffff3add1c6 "Spice", log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, 
    strloc=strloc@entry=0x7ffff3ae8b53 "reds.c:1464", function=function@entry=0x7ffff3aea7e0 <__FUNCTION__.30572> "reds_send_link_ack", 
    format=format@entry=0x7ffff3add19e "assertion `%s' failed") at log.c:123
        args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffffffde90, reg_save_area = 0x7fffffffddd0}}
#4  0x00007ffff3a50b97 in reds_send_link_ack (link=0x5555565b8260) at reds.c:1464
        ack = {error = 0, 
          pub_key = "\377\177\000\000\000\000\000\000\000\000\000\000[\000\000\000n", '\000' <repeats 19 times>, "w\000\000\000|\000\000\000\377\336\377\377\377\177\000\000\260\265\\VUU\000\000\001\000\000\000\000\000\000\000`\202[VUU\000\000\000hRVUU\000\000\247\352C\362\377\177\000\000\000GKVUU\000\000\260\265\\VUU\000\000\001\000\000\000\000\000\000\000`w\003\363\377\177\000\000\032\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\000hRVUU\000\000 f\217UUU\000\000\000GKVUU", num_common_caps = 3260612608, 
          num_channel_caps = 2147481093, caps_offset = 0}
        channel = 0x0
        ret = 0
        header = {magic = 1363428690, major_version = 2, minor_version = 2, size = 178}
        channel_caps = <optimized out>
        bmBuf = 0x0
        bio = <optimized out>
#5  reds_handle_read_link_done (opaque=0x5555565b8260) at reds.c:2726
        link = 0x5555565b8260
        link_mess = <optimized out>
        obj = 0x5555565b8268
        num_caps = <optimized out>
        caps = <optimized out>
        auth_selection = 1
        __FUNCTION__ = "reds_handle_read_link_done"
#6  0x00007ffff3a4fe36 in spice_server_add_client (s=<optimized out>, socket=socket@entry=23, skip_auth=skip_auth@entry=0) at reds.c:2997
        link = <optimized out>
        stream = <optimized out>
        __FUNCTION__ = "spice_server_add_client"
#7  0x00007ffff3a4fe9a in reds_accept (fd=<optimized out>, event=<optimized out>, data=<optimized out>) at reds.c:2974
        socket = 23
#8  0x00005555556f424e in qemu_iohandler_poll (pollfds=0x555556526800, ret=ret@entry=1) at iohandler.c:143
        revents = 1
        pioh = 0x55555652cf20
        ioh = 0x555556527cf0
#9  0x00005555556f9928 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:465
        ret = 1
        timeout = 1000
#10 0x0000555555601050 in main_loop () at vl.c:1984
        nonblocking = <optimized out>
        last_io = 1

Comment 7 Gerd Hoffmann 2014-01-15 15:40:37 UTC
Mixing qxl and non-qxl devices is not supported atm.

*** This bug has been marked as a duplicate of bug 987312 ***
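A pre-flight check for the combination described in Comment 6 and Comment 7, added here as an example; it is not part of the bug report, of qemu or of spice-server. The helper name check_qxl_mix is assumed, and the rule it enforces (a bare "-device qxl" must be paired with "-vga qxl") is taken only from the working and crashing configurations this report shows, so a launch wrapper can refuse the known-crashing command line instead of losing the guest to the reds.c assertion.

```shell
# Assumed helper (not from qemu or this report): scan a qemu command line
# and return 0 when the VGA/QXL combination is one this report shows working,
# 1 when it is the one that aborts (secondary "-device qxl" without "-vga qxl").
check_qxl_mix() {
    vga=""            # value of -vga; stays empty when absent (e.g. with -nodefaults)
    qxl_secondary=0   # set when a bare "-device qxl" or "-device qxl,..." is present
    while [ $# -gt 0 ]; do
        case "$1" in
            -vga)
                vga="$2"
                if [ $# -gt 1 ]; then shift; fi ;;
            -device)
                case "$2" in
                    qxl|qxl,*) qxl_secondary=1 ;;   # "qxl-vga" is a primary, not matched here
                esac
                if [ $# -gt 1 ]; then shift; fi ;;
        esac
        shift
    done
    if [ "$qxl_secondary" -eq 1 ] && [ "$vga" != "qxl" ]; then
        echo "refusing to launch: '-device qxl' without '-vga qxl' (vga='${vga:-none}') crashes, see bug 1048654" >&2
        return 1
    fi
    return 0
}

# Constructed demo calls mirroring the configurations in the report.
if check_qxl_mix -vga cirrus -device qxl,id=qxl0; then echo "cirrus+qxl: ok"; else echo "cirrus+qxl: refused"; fi
if check_qxl_mix -vga qxl -device qxl,id=qxl0; then echo "qxl+qxl: ok"; else echo "qxl+qxl: refused"; fi
if check_qxl_mix -nodefaults -device qxl,id=qxl-1; then echo "no vga+qxl: ok"; else echo "no vga+qxl: refused"; fi
```

Call it with the full argument list before exec'ing qemu-kvm; it only inspects arguments and never starts the guest.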