Bug 1253276
| Field | Value |
|---|---|
| Summary | [abrt] qemu-kvm: SLL_Next(): qemu-kvm killed by SIGSEGV |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | David Jaša <djasa> |
| Component | qemu-kvm |
| Assignee | Gerd Hoffmann <kraxel> |
| Status | CLOSED DUPLICATE |
| QA Contact | Virtualization Bugs <virt-bugs> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.2 |
| CC | areis, armbru, djasa, fziglio, huding, juzhang, knoel, kraxel, mazhang, rbalakri, rh-spice-bugs, thuth, virt-maint, xfu |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:e4fb695c975c5f0f5eb875ec6c00894a2efba238 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2016-04-12 15:01:02 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
David Jaša
2015-08-13 11:47:39 UTC
Created attachment 1062496: backtrace
Created attachment 1062497: cgroup
Created attachment 1062498: core_backtrace
Created attachment 1062499: dso_list
Created attachment 1062500: environ
Created attachment 1062501: limits
Created attachment 1062502: machineid
Created attachment 1062503: maps
Created attachment 1062504: open_fds
Created attachment 1062505: proc_pid_status
Created attachment 1062506: var_log_messages
Created attachment 1062507: binary
Abrt has eaten my comment so here it goes: I hit the bug when trying to reproduce some other bug. This involved

* Windows 7 64b VM
* with 4 large monitors (2560x1600) arranged to a matrix
* with firefox playing youtube/flash video at the center of virtual screen (parts of video were on every monitor)
* at some point, I resized the firefox window. Then the VM crashed

Hmm, it's g_malloc() crashing. So most likely we have a bug (buffer overflow, use-after-free, ...) somewhere which corrupts malloc's data structures. Given the circumstances I'd suspect it is somewhere in spice-server. Any chance you can retry with a malloc debugger active, so we find the place where the corruption happens? I'd suggest ElectricFence ...

what are suitable arguments to valgrind?

OK, I found ElectricFence and how to use it. So far, I got one crash without suitable dump, I'll try tomorrow again.

Created attachment 1068672: backtrace: crash during VM shutdown

after several tries to reproduce, I got the crash while I was shutting down the VM.
Hmm, crashes within efence library, not very helpful. Also might be some different bug. Can you try playing with efence settings to see whether you get better results then? I'd suggest EF_PROTECT_FREE=1 first (to catch use-after-free). Eventually also EF_PROTECT_BELOW=1. If that doesn't help you can try valgrind (start without special parameters), although valgrind is slooooow so it might not work that well either, especially with a performance-sensitive workload such as video playback. But worth a try nevertheless. Oh, and does it happen on qemu-kvm only or does it reproduce with qemu-kvm-rhev too?

Suggest to try with valgrind --soname-synonyms='somalloc=*tcmalloc*'. See also bug 1271754.

I tried unsuccessfully with various tools:

* electric fence always stopped qemu as it couldn't allocate enough memory
* valgrind/memcheck eventually ran qemu but couldn't see anything
* injecting mcheck to qemu main couldn't start the VM (probably threading issue, mcheck is marked as thread-unsafe)
* Address Sanitizer looked most promising but qemu couldn't ultimately finish its rebuild (in "make check" stage), most probably because of lack of coroutine support in asan

What's left is: running qemu without any tool with G_SLICE=always-malloc (as opposed to debug-blocks of the original report) and trying some thread safety tool.

Did you reproduce the crash under valgrind?

(In reply to Markus Armbruster from comment #24)
> Did you reproduce the crash under valgrind?

No. I'll attach the valgrind logs nevertheless as they show some definite leaks.

Created attachment 1091714: valgrind log 1

Created attachment 1091715: valgrind log 2

The valgrind logs also show other things, which may or may not be false positives. I asked whether you reproduced the crash because "valgrind couldn't see anything" is an inconclusive result unless you did.

*** This bug has been marked as a duplicate of bug 1253375 ***
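The thread above turns on one diagnostic point: a SIGSEGV inside g_malloc() is usually the symptom, not the bug, because an earlier overflow or use-after-free has already corrupted the allocator's bookkeeping, and only a malloc debugger that checks each block can attribute the damage to the block that was actually overrun. As an added illustration (example code written for this page, not code from qemu, spice-server, glib, ElectricFence or valgrind), the C program below implements the guard-byte ("redzone") scheme that debug allocators such as glibc's mcheck rely on: every block is surrounded by bytes of a known pattern, and the pattern is verified when the block is freed, so an off-by-one write is reported against the offending block rather than surfacing later as an unrelated crash. ElectricFence's EF_PROTECT_BELOW and EF_PROTECT_FREE settings apply the same idea with inaccessible guard pages so the fault occurs at the moment of the bad write. The names dbg_malloc, dbg_check, dbg_free, the 16-byte redzone and the 0xA5 fill pattern are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Redzone size and fill pattern: constructed values for this example. */
#define REDZONE       16
#define REDZONE_BYTE  0xA5
#define HDR_MAGIC     0xDEADBEEFu

/* Header stored in front of every block so the checker can find the
 * requested size without a global table.  sizeof == 16 on LP64, which
 * keeps the user pointer 16-byte aligned after the front redzone. */
struct dbg_hdr {
    size_t   size;   /* bytes the caller asked for */
    uint32_t magic;  /* detects a smashed header */
    uint32_t pad;
};

/* Layout of one allocation: [hdr][front redzone][user bytes][back redzone] */
void *dbg_malloc(size_t size)
{
    unsigned char *raw = malloc(sizeof(struct dbg_hdr) + 2 * REDZONE + size);
    if (!raw)
        return NULL;
    struct dbg_hdr *h = (struct dbg_hdr *)raw;
    h->size = size;
    h->magic = HDR_MAGIC;
    unsigned char *front = raw + sizeof(struct dbg_hdr);
    unsigned char *user = front + REDZONE;
    memset(front, REDZONE_BYTE, REDZONE);      /* guard below the block */
    memset(user + size, REDZONE_BYTE, REDZONE); /* guard above the block */
    return user;
}

/* Verify the guards of a block returned by dbg_malloc().
 * Returns 0 when intact, otherwise a bitmask:
 *   1 = bytes below the block were written (underflow)
 *   2 = bytes past the end were written (overflow)
 *   4 = header magic destroyed (heavy underflow or wild write) */
int dbg_check(const void *p)
{
    const unsigned char *user = p;
    const unsigned char *front = user - REDZONE;
    const struct dbg_hdr *h =
        (const struct dbg_hdr *)(front - sizeof(struct dbg_hdr));
    if (h->magic != HDR_MAGIC)
        return 4;
    int flags = 0;
    for (size_t i = 0; i < REDZONE; i++) {
        if (front[i] != REDZONE_BYTE)
            flags |= 1;
        if (user[h->size + i] != REDZONE_BYTE)
            flags |= 2;
    }
    return flags;
}

/* Check the guards, release the block, report what was found.  A real
 * debug allocator would abort here so the backtrace points at the
 * culprit instead of at whatever later call trips over the damage. */
int dbg_free(void *p)
{
    int flags = dbg_check(p);
    free((unsigned char *)p - REDZONE - sizeof(struct dbg_hdr));
    return flags;
}

/* Correct use: 8 bytes requested, 8 bytes written. */
int demo_clean(void)
{
    char *buf = dbg_malloc(8);
    memcpy(buf, "12345678", 8);
    return dbg_free(buf);           /* expected 0 */
}

/* Classic off-by-one: a 9-byte string (8 chars + NUL) into an 8-byte block.
 * The NUL lands in the back redzone; the write itself is silent, just as
 * it would be on a production heap, but the guard check catches it. */
int demo_overflow(void)
{
    char *buf = dbg_malloc(8);
    memcpy(buf, "abcdefgh", 9);
    return dbg_free(buf);           /* expected 2 */
}

/* Negative index write, the kind EF_PROTECT_BELOW=1 exists to trap. */
int demo_underflow(void)
{
    unsigned char *buf = dbg_malloc(8);
    buf[-1] = 0;
    return dbg_free(buf);           /* expected 1 */
}

int main(void)
{
    printf("clean=%d overflow=%d underflow=%d\n",
           demo_clean(), demo_overflow(), demo_underflow());
    return 0;
}
```

The overflowing writes land inside padding the example allocated for itself, so the demo is deterministic and does not itself corrupt the real heap; the point is that the check at dbg_free() names the guilty block, whereas without redzones the same write would only show up as an arbitrary later SIGSEGV in malloc, which is the situation the report describes.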