Bug 1151363

Summary:	User interface freezes when entering space character in Xfig
Product:	Red Hat Enterprise Linux 6	Reporter:	Marc-Andre Lureau <marcandre.lureau>
Component:	qemu-kvm	Assignee:	Gerd Hoffmann <kraxel>
Status:	CLOSED ERRATA	QA Contact:	Virtualization Bugs <virt-bugs>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	6.6	CC:	agajania, alexl, alon, cfergeau, chayang, dblechte, extras-qa, hdegoede, jforbes, marcandre.lureau, mazhang, mkenneth, qiguo, qzhang, rbalakri, rpacheco, sandmann, uril, virt-maint
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	qemu-kvm-0.12.1.2-2.454.el6	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:	1151253
Clones:	1151559 (view as bug list)		Environment:
Last Closed:	2015-07-22 06:08:06 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1151559, 1221909

Description Marc-Andre Lureau 2014-10-10 08:46:07 UTC

the bug can be easily reproduced on rhel

+++ This bug was initially created as a clone of Bug #1151253 +++

Description of problem:

We have a CentOS 6.5 VM with xfig-3.2.5-23.a.el6.x86_64 installed.  We have found that if you create a text area in a figure, typing a space character causes the user interface to freeze.

The VM still running.  You can log in with ssh and shut it down.

The cursor can be moved around but it remains an "I-bar" instead of an arrow.

None of the GNOME 2 panel functions can be used and Ctrl-Alt doesn't work.

Sending Ctrl-Alt-F2 from virt-viewer doesn't seem to do anything.

I could not find any other character besides space which causes this problem.


Version-Release number of selected component (if applicable):
spice-server-0.12.5-2.fc20.x86_64
qemu-kvm-1.6.2-9.fc20.x86_64
libvirt-daemon-kvm-1.1.3.6-1.fc20.x86_64
virt-manager-1.0.1-4.fc20.noarch


How reproducible:
Happens every time.


Steps to Reproduce:
1. Create a VM, install CentOS 6.5, run updates, install xfig, and login.
2. Run xfig.
3. Click on the Xfig toolbar button for Text entry.
4. Click on the diagram to place a text field
5. Press the space bar


Actual results:
The cursor in the text field disappears.  The mouse cursor remains an "I-bar" and you can't do anything else.


Expected results:
The space should be entered in the text field and the UI should continue operating normally.


Additional info:
The same problem happens in RHEV 3 when connecting from remote-viewer and spice-html5.

We are using the virtual desktops to run electronics design software and Xfig is the IEEE standard for figures.

Comment 2 Alon Levy 2014-10-10 09:55:46 UTC

looks like the X driver is hung waiting for an interrupt after an update area:

(gdb) bt
#0  0x00007f96baeeecc0 in __nanosleep_nocancel () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f96baf23e54 in usleep (useconds=<value optimized out>) at ../sysdeps/unix/sysv/linux/usleep.c:33
#2  0x00007f96b7387a12 in qxl_wait_for_io_command (qxl=<value optimized out>) at qxl_driver.c:157
#3  0x00007f96b738c329 in download_box (surface=<value optimized out>, x1=361, y1=342, x2=<value optimized out>, 
    y2=<value optimized out>) at qxl_surface.c:958
#4  0x00007f96b738cac0 in qxl_surface_prepare_access (surface=0x126d650, pixmap=0xf790f0, region=0x7fff7d1ca9b0, 
    access=<value optimized out>) at qxl_surface.c:993
#5  0x00007f96b7391163 in uxa_prepare_access (pDrawable=<value optimized out>, region=0x7fff7d1caa80, 
    access=UXA_ACCESS_RW) at uxa.c:172
#6  0x00007f96b739c309 in uxa_check_poly_glyph_blt (pDrawable=0x13eafd0, pGC=0x134db10, x=284, y=195, nglyph=1, 
    ppci=0x7fff7d1caae0, pglyphBase=0x0) at uxa-unaccel.c:359
#7  0x00000000005a2b81 in miPolyText8 (pDraw=0x13eafd0, pGC=0x134db10, x=284, y=195, count=<value optimized out>, 
    chars=<value optimized out>) at mipolytext.c:81
#8  0x000000000053858f in damagePolyText8 (pDrawable=0x13eafd0, pGC=0x134db10, x=284, y=195, 
    count=<value optimized out>, chars=<value optimized out>) at damage.c:1389
#9  0x000000000043acd1 in doPolyText (client=0x1596690, c=0x7fff7d1cb400) at dixfonts.c:1295
#10 0x000000000043af59 in PolyText (client=<value optimized out>, pDraw=<value optimized out>, 
    pGC=<value optimized out>, pElt=<value optimized out>, endReq=<value optimized out>, xorg=<value optimized out>, 
    yorg=195, reqType=74, did=44040764) at dixfonts.c:1368
#11 0x0000000000434cd4 in ProcPolyText (client=0x1596690) at dispatch.c:2223
#12 0x0000000000437ee1 in Dispatch () at dispatch.c:430
#13 0x000000000047d08a in main (argc=11, argv=<value optimized out>, envp=<value optimized out>) at main.c:295

Maybe changing the revision to 2 would be a workaround until a fix lands. (it would force a different io by the driver that doesn't require waiting for an interrupt).

Comment 3 Marc-Andre Lureau 2014-10-10 12:44:45 UTC

Infinite loop here:

46	    while (!(ram_header->int_pending & QXL_INTERRUPT_IO_CMD))
(gdb) 
47		usleep (1);
(gdb) bt
#0  qxl_wait_for_io_command (qxl=<value optimized out>) at qxl_io.c:47
#1  0x00007f826a49a299 in qxl_download_box (surface=0x221d030, x1=231, y1=259, 
    x2=<value optimized out>, y2=<value optimized out>) at qxl_surface.c:143
#2  0x00007f826a49a400 in qxl_surface_prepare_access (surface=0x221d030, 
    pixmap=0x1bfa9a0, region=0x7fff5cc76b30, access=<value optimized out>)
    at qxl_surface.c:178
#3  0x00007f826a4a8533 in uxa_prepare_access (pDrawable=<value optimized out>, 
    region=0x7fff5cc76c00, access=UXA_ACCESS_RW) at uxa.c:172
#4  0x00007f826a4b3949 in uxa_check_poly_glyph_blt (pDrawable=0x2067480, 
    pGC=0x2048d10, x=119, y=140, nglyph=1, ppci=0x7fff5cc76c60, pglyphBase=0x0)
    at uxa-unaccel.c:359
#5  0x00000000005975b1 in miPolyText8 (pDraw=0x2067480, pGC=0x2048d10, x=119, 
    y=140, count=<value optimized out>, chars=<value optimized out>)
    at mipolytext.c:81
#6  0x0000000000529e0a in damagePolyText8 (pDrawable=0x2067480, pGC=0x2048d10, 
    x=<value optimized out>, y=140, count=1, chars=0x2a6f282 " ")
    at damage.c:1320
#7  0x000000000043bb29 in doPolyText (client=0x1ef04f0, c=0x7fff5cc77580)
    at dixfonts.c:1312
#8  0x000000000043bd69 in PolyText (client=<value optimized out>, 
    pDraw=<value optimized out>, pGC=<value optimized out>, 
    pElt=<value optimized out>, endReq=<value optimized out>, 
    xorg=<value optimized out>, yorg=140, reqType=74, did=77595196)

Comment 4 Marc-Andre Lureau 2014-10-10 13:07:54 UTC

I am reaching qemu condition:
        if (update.left >= update.right || update.top >= update.bottom ||
            update.left < 0 || update.top < 0) {
            qxl_set_guest_bug(d,
                    "QXL_IO_UPDATE_AREA: invalid area (%ux%u)x(%ux%u)\n",
                    update.left, update.top, update.right, update.bottom);
            break;

Comment 5 Alon Levy 2014-10-10 15:38:55 UTC

You can change the qemu condition to be nicer to old drivers, and (to avoid requiring upgrades of qemu) fix the driver not to do an update area in this case.

Comment 6 Marc-Andre Lureau 2014-10-10 17:11:15 UTC

It is a good idea to have a fix in qemu first, since current qxl driver may hang Xserver and it can be avoided with a simple patch: "keep going if reaching guest bug on empty area"

let's duplicate for xorg qxl driver fixes too.

Comment 7 Marc-Andre Lureau 2014-10-10 18:47:36 UTC

proposed patch: http://lists.nongnu.org/archive/html/qemu-devel/2014-10/msg01207.html

Comment 8 Gerd Hoffmann 2014-10-24 06:48:11 UTC

upstream commit 9e5a25f1c209ff51e4b65124a3b76dd3f1b0fb49
rhel6.6 is done though, moving to 6.7.
if a 6.6 fix is needed set zstream flag please.

Comment 9 Gerd Hoffmann 2015-02-18 13:07:19 UTC

patches posted.

Comment 10 Jeff Nelson 2015-02-24 21:33:57 UTC

Fix included in qemu-kvm-0.12.1.2-2.454.el6

Comment 12 Qian Guo 2015-02-26 09:22:26 UTC

Reproduced this with qemu-kvm-0.12.1.2-2.453.el6.x86_64

Steps:
1.Boot RHEL6.5GA guest with qxl, and with xfig-3.2.5-23.a.el6.x86_64 installed:
# /usr/libexec/qemu-kvm -cpu Opteron_G1 -m 4G -smp 4 -M pc -enable-kvm -name rhel6u4 -nodefaults -nodefconfig -monitor stdio -drive file=/home/rhel6.5GAcp1.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,werror=stop,rerror=stop,aio=native,cache=none -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-disk0 -spice disable-ticketing,port=5900 -vga qxl -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-netpci0,mac=54:52:1b:36:1a:02 -qmp unix:/tmp/q1,server,nowait

2.Start the xfig UI

3.Type "space" in the text field

Result, the guest GUI hangs

And from the ssh session, get the x11 log from type "space":
(EE) [mi] EQ overflow continuing.  1000 events have been dropped.
(EE) [mi] No further overflow reports will be reported until the clog is cleared.
(EE) 
(EE) Backtrace:
(EE) 0: /usr/bin/Xorg (xorg_backtrace+0x36) [0x46d196]
(EE) 1: /usr/bin/Xorg (QueuePointerEvents+0x4e) [0x44fa7e]
(EE) 2: /usr/bin/Xorg (xf86PostMotionEvent+0xce) [0x49b3de]
(EE) 3: /usr/lib64/xorg/modules/input/vmmouse_drv.so (0x7fd03c7e0000+0x1a77) [0x7fd03c7e1a77]
(EE) 4: /usr/lib64/xorg/modules/input/vmmouse_drv.so (0x7fd03c7e0000+0x1cc2) [0x7fd03c7e1cc2]
(EE) 5: /usr/lib64/xorg/modules/input/vmmouse_drv.so (0x7fd03c7e0000+0x1d75) [0x7fd03c7e1d75]
(EE) 6: /usr/bin/Xorg (0x400000+0x8ba57) [0x48ba57]
(EE) 7: /usr/bin/Xorg (0x400000+0xb710b) [0x4b710b]
(EE) 8: /lib64/libpthread.so.0 (0x7fd04b92d000+0xf710) [0x7fd04b93c710]
(EE) 9: /lib64/libc.so.6 (nanosleep+0x10) [0x7fd04a0bbcc0]
(EE) 10: /lib64/libc.so.6 (usleep+0x34) [0x7fd04a0f0e54]
(EE) 11: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x4a12) [0x7fd046554a12]
(EE) 12: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x9329) [0x7fd046559329]
(EE) 13: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x9ac0) [0x7fd046559ac0]
(EE) 14: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0xe163) [0x7fd04655e163]
(EE) 15: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x19309) [0x7fd046569309]
(EE) 16: /usr/bin/Xorg (miPolyText8+0x91) [0x5a2b81]
(EE) 17: /usr/bin/Xorg (0x400000+0x13858f) [0x53858f]
(EE) 18: /usr/bin/Xorg (doPolyText+0x411) [0x43acd1]
(EE) 19: /usr/bin/Xorg (PolyText+0x49) [0x43af59]
(EE) 20: /usr/bin/Xorg (0x400000+0x34cd4) [0x434cd4]
(EE) 21: /usr/bin/Xorg (0x400000+0x37ee1) [0x437ee1]
(EE) 22: /usr/bin/Xorg (0x400000+0x7d08a) [0x47d08a]
(EE) 23: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x7fd04a02dd1d]
(EE) 24: /usr/bin/Xorg (0x400000+0x26189) [0x426189]
(EE) 



So this bug is reproduced

Verify this bug with 
qemu-kvm-0.12.1.2-2.454.el6.x86_64

Steps as above, guest GUI works well, and test not only "space", I have test all the ASSCII codes.

During type the charactors, only find the logs:
...
[   102.195] AUDIT: Thu Feb 26 04:15:14 2015: 1898: client 26 disconnected
[   187.682] AUDIT: Thu Feb 26 04:16:40 2015: 1898: client 26 connected from local host ( uid=0 gid=0 pid=2210 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 274
[   187.685] AUDIT: Thu Feb 26 04:16:40 2015: 1898: client 26 disconnected
...

So the bug is fixed according to above.

Comment 14 errata-xmlrpc 2015-07-22 06:08:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1275.html