| Summary: | QMP device-list-properties crashes for CPU devices | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Markus Armbruster <armbru> |
| Component: | qemu-kvm-rhev | Assignee: | Markus Armbruster <armbru> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | armbru, huding, juzhang, knoel, tlavigne, virt-maint, xfu, xwei |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | qemu-kvm-rhev-2.3.0-30.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-12-04 16:58:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Proposed upstream fix https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04799.html Upstream fix is finally converging. Expecting it to land this week. Backport is straightforward. Fix included in qemu-kvm-rhev-2.3.0-30.el7 on qemu-kvm-rhev-2.3.0-28.el7: qemu core dumped as expected.
qemu-kvm -nodefaults -S -display none -qmp stdio -machine accel=tcg
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "host-x86_64-cpu" } }
qemu-kvm: /builddir/build/BUILD/qemu-2.3.0/target-i386/cpu.c:1491: host_x86_cpu_initfn: Assertion `(kvm_allowed)' failed.
Aborted (core dumped)
========================
on qemu-kvm-rhev-2.3.0-30.el7: qemu survive on same qmp cmd
# qemu-kvm -nodefaults -S -display none -qmp stdio -machine accel=tcg
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-30.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "host-x86_64-cpu" } }
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'host-x86_64-cpu'"}}
can not reproduce with valgrind method, with both tcg and kvm.
there's not error raised after step 4(and 5,6, I just repeat same cmd)
logs as below:
# valgrind qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 -machine accel=tcg
==16027== Memcheck, a memory error detector
==16027== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16027== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16027== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 -machine accel=tcg
==16027==
==16027== Syscall param msync(start) points to unaddressable byte(s)
==16027== at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16027== by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16027== by 0xE44FF63: access_mem (Ginit.c:171)
==16027== by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16027== by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16027== by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16027== by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16027== by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16027== by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16027== by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16027== by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16027== by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16027== by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16027== by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16027== by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16027== Address 0xffefff000 is on thread 1's stack
==16027== 296 bytes below stack pointer
==16027==
==16027== Syscall param msync(start) points to uninitialised byte(s)
==16027== at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16027== by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16027== by 0xE44FF63: access_mem (Ginit.c:171)
==16027== by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16027== by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16027== by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16027== by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16027== by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16027== by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16027== by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16027== by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16027== by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16027== by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16027== by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16027== by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16027== Address 0xfff000000 is on thread 1's stack
==16027== in frame #10, created by tcmalloc::CentralFreeList::Populate() (central_freelist.cc:321)
==16027==
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
===============
# valgrind qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16034== Memcheck, a memory error detector
==16034== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16034== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16034== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16034==
==16034== Syscall param msync(start) points to unaddressable byte(s)
==16034== at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16034== by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16034== by 0xE44FF63: access_mem (Ginit.c:171)
==16034== by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16034== by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16034== by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16034== by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16034== by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16034== by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16034== by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16034== by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16034== by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16034== by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16034== by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16034== by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16034== Address 0xffefff000 is on thread 1's stack
==16034== 328 bytes below stack pointer
==16034==
==16034== Syscall param msync(start) points to uninitialised byte(s)
==16034== at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16034== by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16034== by 0xE44FF63: access_mem (Ginit.c:171)
==16034== by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16034== by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16034== by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16034== by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16034== by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16034== by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16034== by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16034== by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16034== by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16034== by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16034== by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16034== by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16034== Address 0xfff000010 is on thread 1's stack
==16034== in frame #10, created by tcmalloc::CentralFreeList::Populate() (central_freelist.cc:321)
==16034==
==16034== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints.
==16034== This could cause spurious value errors to appear.
==16034== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
also tried exactly identical cli from C#0,
and still no
Valgrind reports "Invalid read of size 8" followed by "Invalid write
of size 8" in cpu_exec_init() after step 4
# valgrind qemu-kvm -nodefaults -S -display none -qmp stdio
==16050== Memcheck, a memory error detector
==16050== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16050== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16050== Command: qemu-kvm -nodefaults -S -display none -qmp stdio
==16050==
==16050== Syscall param msync(start) points to unaddressable byte(s)
==16050== at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16050== by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16050== by 0xE44FF63: access_mem (Ginit.c:171)
==16050== by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16050== by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16050== by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16050== by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16050== by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16050== by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16050== by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16050== by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16050== by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16050== by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16050== by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16050== by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16050== Address 0xffefff000 is on thread 1's stack
==16050== 360 bytes below stack pointer
==16050==
==16050== Syscall param msync(start) points to uninitialised byte(s)
==16050== at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16050== by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16050== by 0xE44FF63: access_mem (Ginit.c:171)
==16050== by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16050== by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16050== by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16050== by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16050== by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16050== by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16050== by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16050== by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16050== by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16050== by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16050== by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16050== by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16050== Address 0xfff000030 is on thread 1's stack
==16050== in frame #10, created by tcmalloc::CentralFreeList::Populate() (central_freelist.cc:321)
==16050==
==16050== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints.
==16050== This could cause spurious value errors to appear.
==16050== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "quit"}
{"return": {}}
{"timestamp": {"seconds": 1444722794, "microseconds": 198814}, "event": "SHUTDOWN"}
==16050== Invalid read of size 4
==16050== at 0x5E42E18: pthread_cond_broadcast@@GLIBC_2.3.2 (pthread_cond_broadcast.S:41)
==16050== by 0x408E08: qemu_cond_broadcast (qemu-thread-posix.c:123)
==16050== by 0x1C2E6F: qemu_cpu_kick (cpus.c:1085)
==16050== by 0x1C3606: pause_all_vcpus (cpus.c:1157)
==16050== by 0x19C203: main (vl.c:4396)
==16050== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==16050==
==16050==
==16050== Process terminating with default action of signal 11 (SIGSEGV)
==16050== Access not within mapped region at address 0x0
==16050== at 0x5E42E18: pthread_cond_broadcast@@GLIBC_2.3.2 (pthread_cond_broadcast.S:41)
==16050== by 0x408E08: qemu_cond_broadcast (qemu-thread-posix.c:123)
==16050== by 0x1C2E6F: qemu_cpu_kick (cpus.c:1085)
==16050== by 0x1C3606: pause_all_vcpus (cpus.c:1157)
==16050== by 0x19C203: main (vl.c:4396)
==16050== If you believe this happened as a result of a stack
==16050== overflow in your program's main thread (unlikely but
==16050== possible), you can try to increase the size of the
==16050== main thread stack using the --main-stacksize= flag.
==16050== The main thread stack size used in this run was 8388608.
==16050==
==16050== HEAP SUMMARY:
==16050== in use at exit: 0 bytes in 0 blocks
==16050== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==16050==
==16050== All heap blocks were freed -- no leaks are possible
==16050==
==16050== For counts of detected and suppressed errors, rerun with: -v
==16050== Use --track-origins=yes to see where uninitialised values come from
==16050== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 1 from 1)
Killed
(In reply to Xiaoqing Wei from comment #9) > {"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, > {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": > "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, > {"name": "model-id", "type": "string"}, {"name": "vendor", "type": > "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": > "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": > "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, > {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, > {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, > {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": > "int"}, {"name": "pmu", "type": "bool"}]} > { "execute": "quit"} > {"return": {}} > {"timestamp": {"seconds": 1444722794, "microseconds": 198814}, "event": > "SHUTDOWN"} > ==16050== Invalid read of size 4 this is the only error catched by valgrind, but no identical to the actual result listed in C#0 could be C#0 used local build and I'm using vanilla from brew. the same test steps on version -30 do no have such invalid read error. but it returning {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} see below: valgrind qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 ==16159== Memcheck, a memory error detector ==16159== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==16159== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info ==16159== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 ==16159== ==16159== Syscall param msync(start) points to unaddressable byte(s) ==16159== at 0x5E458F0: __msync_nocancel (syscall-template.S:81) ==16159== by 0xE44FF63: UnknownInlinedFun (Ginit.c:137) ==16159== by 0xE44FF63: access_mem (Ginit.c:171) ==16159== by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162) ==16159== by 0xE452EAE: apply_reg_state (Gparser.c:800) ==16159== by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884) ==16159== by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34) ==16159== by 0xE450900: _ULx86_64_step (Gstep.c:71) ==16159== by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118) ==16159== by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234) ==16159== by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584) ==16159== by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610) ==16159== by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156) ==16159== by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329) ==16159== by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284) ==16159== Address 0xffefff000 is on thread 1's stack ==16159== 328 bytes below stack pointer ==16159== ==16159== Syscall param msync(start) points to uninitialised byte(s) ==16159== at 0x5E458F0: __msync_nocancel (syscall-template.S:81) ==16159== by 0xE44FF63: UnknownInlinedFun (Ginit.c:137) ==16159== by 0xE44FF63: access_mem (Ginit.c:171) ==16159== by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162) ==16159== by 0xE452EAE: apply_reg_state (Gparser.c:800) ==16159== by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884) ==16159== by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34) ==16159== by 0xE450900: _ULx86_64_step (Gstep.c:71) ==16159== by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118) ==16159== by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234) ==16159== by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584) ==16159== by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610) ==16159== by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156) ==16159== by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329) ==16159== by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284) ==16159== Address 0xfff000010 is on thread 1's stack ==16159== in frame #10, created by tcmalloc::CentralFreeList::Populate() (central_freelist.cc:321) ==16159== ==16159== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints. ==16159== This could cause spurious value errors to appear. ==16159== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper. {"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-30.el7)"}, "capabilities": []}} { "execute": "qmp_capabilities" } {"return": {}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} { "execute": "quit"} {"return": {}} {"timestamp": {"seconds": 1444723493, "microseconds": 271327}, "event": "SHUTDOWN"} ==16159== ==16159== HEAP SUMMARY: ==16159== in use at exit: 0 bytes in 0 blocks ==16159== total heap usage: 0 allocs, 0 frees, 0 bytes allocated ==16159== ==16159== All heap blocks were freed -- no leaks are possible ==16159== ==16159== For counts of detected and suppressed errors, rerun with: -v ==16159== Use --track-origins=yes to see where uninitialised values come from ==16159== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 1 from 1) Hello Markus, could you pls have a look from c#6 to c#10, the alternative method in c#0 reproduced and verified as expected. While the another one seems a bit different as your input in c#0, could you comment ? Thanks, Xiaoqing. I experimented with quick local builds under F22 to figure out what's happening here. * I can't reproduce my reproducer when I compile with --enable-tcmalloc. This is how our build compiles. * I can reproduce when I compile with tcmalloc disabled. This is how I compiled when I created the reproducer. My apologies for misleading you. * Searching for a work-around, I found the valgrind user manual suggests --soname-synonyms=somalloc=*tcmalloc*. http://www.valgrind.org/docs/manual/manual-core.html#manual-core.rareopts With "valgrind --soname-synonyms='somalloc=*tcmalloc*' ..." I can reproduce my reproducer again. Conclusions: * tcmalloc appears to blind valgrind. * Valgrind option --soname-synonyms='somalloc=*tcmalloc*' is required to unblind it. Please try to reproduce with that option. (In reply to Markus Armbruster from comment #12) # valgrind --soname-synonyms='somalloc=*tcmalloc*' qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 ==16428== Memcheck, a memory error detector ==16428== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==16428== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info ==16428== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 ==16428== ==16428== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints. ==16428== This could cause spurious value errors to appear. ==16428== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper. {"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}} { "execute": "qmp_capabilities" } {"return": {}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} ==16428== Invalid read of size 8 ==16428== at 0x19FEE0: cpu_exec_init (exec.c:541) ==16428== by 0x248822: x86_cpu_initfn (cpu.c:2927) ==16428== by 0x35E5B8: object_init_with_type (object.c:309) ==16428== by 0x35EA6E: object_initialize_with_type (object.c:343) ==16428== by 0x35EBC0: object_new_with_type (object.c:429) ==16428== by 0x299916: qmp_device_list_properties (qmp.c:531) ==16428== by 0x295E4C: qmp_marshal_input_device_list_properties (qmp-marshal.c:4107) ==16428== by 0x1C6530: qmp_call_cmd (monitor.c:5051) ==16428== by 0x1C6530: handle_qmp_command (monitor.c:5113) ==16428== by 0x4053A1: json_message_process_token (json-streamer.c:87) ==16428== by 0x4177CE: json_lexer_feed_char (json-lexer.c:303) ==16428== by 0x41789D: json_lexer_feed (json-lexer.c:356) ==16428== by 0x1C48CE: monitor_control_read (monitor.c:5134) ==16428== Address 0x14d90910 is 33,232 bytes inside a block of size 75,936 free'd ==16428== at 0x4C2ADAD: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==16428== by 0x64A836E: g_free (gmem.c:190) ==16428== by 0x2999A1: qmp_device_list_properties (qmp.c:565) ==16428== by 0x295E4C: qmp_marshal_input_device_list_properties (qmp-marshal.c:4107) ==16428== by 0x1C6530: qmp_call_cmd (monitor.c:5051) ==16428== by 0x1C6530: handle_qmp_command (monitor.c:5113) ==16428== by 0x4053A1: json_message_process_token (json-streamer.c:87) ==16428== by 0x4177CE: json_lexer_feed_char (json-lexer.c:303) ==16428== by 0x41789D: json_lexer_feed (json-lexer.c:356) ==16428== by 0x1C48CE: monitor_control_read (monitor.c:5134) ==16428== by 0x281BE0: qemu_chr_be_write (qemu-char.c:305) ==16428== by 0x281BE0: fd_chr_read (qemu-char.c:1012) ==16428== by 0x64A2799: g_main_dispatch (gmain.c:3109) ==16428== by 0x64A2799: g_main_context_dispatch (gmain.c:3708) ==16428== by 0x39A137: glib_pollfds_poll (main-loop.c:209) ==16428== by 0x39A137: UnknownInlinedFun (main-loop.c:254) ==16428== by 0x39A137: main_loop_wait (main-loop.c:503) ==16428== ==16428== Invalid write of size 8 ==16428== at 0x19FF7C: cpu_exec_init (exec.c:553) ==16428== by 0x248822: x86_cpu_initfn (cpu.c:2927) ==16428== by 0x35E5B8: object_init_with_type (object.c:309) ==16428== by 0x35EA6E: object_initialize_with_type (object.c:343) ==16428== by 0x35EBC0: object_new_with_type (object.c:429) ==16428== by 0x299916: qmp_device_list_properties (qmp.c:531) ==16428== by 0x295E4C: qmp_marshal_input_device_list_properties (qmp-marshal.c:4107) ==16428== by 0x1C6530: qmp_call_cmd (monitor.c:5051) ==16428== by 0x1C6530: handle_qmp_command (monitor.c:5113) ==16428== by 0x4053A1: json_message_process_token (json-streamer.c:87) ==16428== by 0x4177CE: json_lexer_feed_char (json-lexer.c:303) ==16428== by 0x41789D: json_lexer_feed (json-lexer.c:356) ==16428== by 0x1C48CE: monitor_control_read (monitor.c:5134) ==16428== Address 0x14d90910 is 33,232 bytes inside a block of size 75,936 free'd ==16428== at 0x4C2ADAD: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==16428== by 0x64A836E: g_free (gmem.c:190) ==16428== by 0x2999A1: qmp_device_list_properties (qmp.c:565) ==16428== by 0x295E4C: qmp_marshal_input_device_list_properties (qmp-marshal.c:4107) ==16428== by 0x1C6530: qmp_call_cmd (monitor.c:5051) ==16428== by 0x1C6530: handle_qmp_command (monitor.c:5113) ==16428== by 0x4053A1: json_message_process_token (json-streamer.c:87) ==16428== by 0x4177CE: json_lexer_feed_char (json-lexer.c:303) ==16428== by 0x41789D: json_lexer_feed (json-lexer.c:356) ==16428== by 0x1C48CE: monitor_control_read (monitor.c:5134) ==16428== by 0x281BE0: qemu_chr_be_write (qemu-char.c:305) ==16428== by 0x281BE0: fd_chr_read (qemu-char.c:1012) ==16428== by 0x64A2799: g_main_dispatch (gmain.c:3109) ==16428== by 0x64A2799: g_main_context_dispatch (gmain.c:3708) ==16428== by 0x39A137: glib_pollfds_poll (main-loop.c:209) ==16428== by 0x39A137: UnknownInlinedFun (main-loop.c:254) ==16428== by 0x39A137: main_loop_wait (main-loop.c:503) ==16428== {"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]} ================ # valgrind --soname-synonyms='somalloc=*tcmalloc*' qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 ==16364== Memcheck, a memory error detector ==16364== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==16364== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info ==16364== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 ==16364== ==16364== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints. ==16364== This could cause spurious value errors to appear. ==16364== See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper. {"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-30.el7)"}, "capabilities": []}} { "execute": "qmp_capabilities" } {"return": {}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} { "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }} {"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}} Based on above, this bug has been fixed correctly, on version: qemu-kvm-rhev-2.3.0-30.el7 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2546.html |
Description of problem: QMP command device-list-properties leaves a dangling pointer behind for CPU devices, to the usual catastrophic effect. For host CPU devices, it fails an assertion when KVM is off. Version-Release number of selected component (if applicable): Reproduced with a local build of qemu-kvm-rhev-2.3.0-23.el7. Probably broken as far back as qemu-kvm-rhev-2.1.*. How reproducible: 100% Steps to Reproduce: 1. Start qemu-kvm under valgrind with QMP on stdin/stdout, e.g. $ valgrind qemu-kvm -nodefaults -S -display none -qmp stdio 2. Run qmp_capabilities to enter command mode { "execute": "qmp_capabilities" } 3. Run device-list-properties for a CPU device { "execute": "device-list-properties", "arguments": { "typename": T } } where T is the name of a CPU device such as "qemu64-x86_64-cpu". 4. Run device-list-properties for a CPU device again Same command as step 3 is fine. Alternate steps: 1. Start qemu-kvm with KVM off and QMP on stdin/stdout, e.g. $ qemu-kvm -nodefaults -S -display none -qmp stdio -machine accel=tcg 2. Run qmp_capabilities to enter command mode { "execute": "qmp_capabilities" } 3. Run device-list-properties for CPU device "host-x86_64-cpu" { "execute": "device-list-properties", "arguments": { "typename": "host-x86_64-cpu" } } Actual results: After step 1, valgrind reports "Syscall param ioctl(generic) points to uninitialised byte(s)" in ioctl() if KVM is enabled, and "Conditional jump or move depends on uninitialised value(s)" in tcg_target_init() if KVM is disabled. These are false positives. Valgrind reports "Invalid read of size 8" followed by "Invalid write of size 8" in cpu_exec_init() after step 4. This is a use-after-free flaw. Alternate actual results: Step 3 crashes with .../target-i386/cpu.c:1491: host_x86_cpu_initfn: Assertion `(kvm_allowed)' failed. Expected results: Valgrind does not report such flaws. Alternate expected results: Step 3 does not crash. Additional info: Still broken upstream. In addition to CPUs, the following devices are affected there: * ARM: "versatile_pci", "realview_pci", "pxa2xx-pcmcia", , "allwinner-a10", "digic", "fsl,imx25", "fsl,imx31", "xlnx,zynqmp" * S/390: "s390-sclp-event-facility", "sclp" RHEL-7 qemu-kvm fails device-list-properties cleanly, which is good enough. RHEL-6 qemu-kvm doesn't suport device-list-properties.