Bug 679006

Summary: QEMU/spice server crashes when saving to a file due to no client migrate info
Product: Red Hat Enterprise Linux 6 Reporter: Johnny Liu <jialiu>
Component: spice-serverAssignee: Uri Lublin <uril>
Status: CLOSED DUPLICATE QA Contact: Desktop QE <desktop-qa-list>
Severity: high Docs Contact:
Priority: high    
Version: 6.1CC: berrange, dblechte, dyuan, eblake, jyang, llim, mkenneth, xen-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-23 23:23:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
libvirtd log none

Description Johnny Liu 2011-02-21 09:26:45 UTC 
Description of problem:
Create a domain with spice graphics:
<graphics type='spice' autoport='yes' listen='0'/>

When save this domain, it failed.
# virsh save rhel55 /tmp/rhel55.save
error: Failed to save domain rhel55 to /tmp/rhel55.save
error: cannot send monitor command '{"execute":"query-migrate"}': Connection reset by peer


Version-Release number of selected component (if applicable):
libvirt-0.8.7-7.el6.x86_64
kernel-2.6.32-113.el6.x86_64
qemu-kvm-0.12.1.2-2.147.el6.x86_64
spice-server-0.7.2-4.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create a domain with spice graphics.
2. Save the domain
3.
  
Actual results:
Save operation failed.

log:
2011-02-21 12:17:35.271: starting up
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -S -M rhel6.0.0 -enable-kvm -m 1024 -smp 1,sockets=1,cores=1,threads=1 -name rhel55 -uuid 2814d348-ee12-9dd3-2373-99bb9301e8a7 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/rhel55.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -boot c -drive file=/var/lib/libvirt/images/rhel55.img,if=none,id=drive-ide0-0-0,format=raw,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -netdev tap,fd=22,id=hostnet0 -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:8e:71:23,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -usb -spice port=5900,addr=0,disable-ticketing -vga cirrus -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4
char device redirected to /dev/pts/1
do_spice_init: starting 0.7.2
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
Using CPU model "cpu64-rhel6"
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
handle_dev_input: start
handle_dev_input: stop
0+0 records in
0+0 records out
0 bytes (0 B) copied, 6.375e-06 s, 0.0 kB/s
0+684 records in
0+684 records out
39426630 bytes (39 MB) copied, 1.13367 s, 34.8 MB/s
reds_mig_switch:
2011-02-21 12:17:52.312: shutting down


Expected results:
Save should be work fine.

Additional info:
When modify spice graphics to vnc, save operation works fine.
Comment 2 Daniel Berrangé 2011-02-21 12:10:14 UTC 
"Connection reset by peer" is an indication the QEMU exited unexpectedly, most likely a crash. We need to capture a little more logging to libvirt so we can see what we're telling qemu todo

Can you enable logging in libvirtd.conf

  log_filters="1:qemu 1:util 1:security 1:libvirt"
  log_outputs="1:file:/var/log/libvirt/libvirtd.log"

And restart libvirtd, and then reproduce the crash & attach the libvirtd.log file
Comment 3 Johnny Liu 2011-02-22 02:21:49 UTC 
Yes, indeed. I can see qemu-kvm segfault in /var/log/messages.
...
Feb 22 05:18:07 dhcp-93-91 kernel: qemu-kvm[14747]: segfault at b8 ip 000000361b2165d6 sp 00007fff42af2f90 error 4 in libspice-server.so.1.0.2[361b200000+dd000]
...

libvirtd log have been attached.
Comment 4 Johnny Liu 2011-02-22 02:23:01 UTC 
Created attachment 480036 [details]
libvirtd log
Comment 5 Daniel Berrangé 2011-02-22 10:45:35 UTC 
I can't reproduce the crash myself. Can you try capture a stack trace of QEMU crashing 

 1. virsh start $GUEST
 2. gdb /usr/libexec/qemu-kvm $GUEST_PID
 3. virsh save $GUEST /tmp/$GUEST.save

And then 'thread apply all bt' when QEMU crashes.
Comment 6 Johnny Liu 2011-02-23 06:37:03 UTC 
(In reply to comment #5)
> I can't reproduce the crash myself. Can you try capture a stack trace of QEMU
> crashing 
> 
>  1. virsh start $GUEST
>  2. gdb /usr/libexec/qemu-kvm $GUEST_PID
>  3. virsh save $GUEST /tmp/$GUEST.save
> 
> And then 'thread apply all bt' when QEMU crashes.

I follow your steps, the gdb info is as following:
(gdb) c
Continuing.
[Thread 0x7fc38a3fc710 (LWP 14409) exited]
[New Thread 0x7fc38a3fc710 (LWP 14417)]
[Thread 0x7fc38a3fc710 (LWP 14417) exited]
[New Thread 0x7fc38a3fc710 (LWP 14424)]
[Thread 0x7fc38a3fc710 (LWP 14424) exited]
Detaching after fork from child process 14426.

Program received signal SIGSEGV, Segmentation fault.
reds_mig_switch (s=<value optimized out>) at reds.c:3379
3379	    migrate.port = s->port;
(gdb) thread apply all bt

Thread 4 (Thread 0x7fc3d27c3710 (LWP 14364)):
#0  0x0000003245a33a9d in sigtimedwait () from /lib64/libc.so.6
#1  0x000000000042db3f in kvm_main_loop_wait (env=0x1229a00, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1791
#2  0x000000000042e0e5 in kvm_main_loop_cpu (_env=0x1229a00) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1935
#3  ap_main_loop (_env=0x1229a00) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1982
#4  0x00000032462077e1 in start_thread () from /lib64/libpthread.so.0
#5  0x0000003245ae153d in clone () from /lib64/libc.so.6

Thread 3 (Thread 0x7fc38adfd710 (LWP 14365)):
#0  0x0000003245ae1b33 in epoll_wait () from /lib64/libc.so.6
#1  0x000000361b22c0c2 in red_worker_main (arg=<value optimized out>) at red_worker.c:10271
#2  0x00000032462077e1 in start_thread () from /lib64/libpthread.so.0
#3  0x0000003245ae153d in clone () from /lib64/libc.so.6

Thread 1 (Thread 0x7fc3d29f3940 (LWP 14341)):
#0  reds_mig_switch (s=<value optimized out>) at reds.c:3379
#1  spice_server_migrate_switch (s=<value optimized out>) at reds.c:4184
#2  0x00000000004df239 in notifier_list_notify (list=<value optimized out>) at notify.c:37
#3  0x000000000040baa0 in qemu_run_timers (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:1217
#4  main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4458
#5  0x000000000042b2fa in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2165
#6  0x000000000040ef0f in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4634
#7  main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6848
(gdb) 



I am not sure if it is what you wanted, if not, please tell me.
Comment 7 Daniel Berrangé 2011-02-23 10:33:00 UTC 
This is perfect, it shows a bug in spice-server.

The 'reds_mig_switch' function is called unconditionally, whether libvirt has provided any client migrate info or not.  In save-to-disk, we obviously don't provide any migrate info. So 'reds->mig_spice' is NULL, but this is never checked, so 's->port' gets a NULL pointer crash


static void reds_mig_switch(void)
{
    RedsMigSpice *s = reds->mig_spice;
    SpiceMsgMainMigrationSwitchHost migrate;
    RedsOutItem *item;

    red_printf("");
    item = new_out_item(SPICE_MSG_MAIN_MIGRATE_SWITCH_HOST);

    migrate.port = s->port;
Comment 8 Uri Lublin 2011-02-23 23:23:08 UTC 

*** This bug has been marked as a duplicate of bug 674451 ***