Bug 797082

Created attachment 565526 [details]
This is the output in terminal when I use --debug option

Created attachment 565527 [details]
This is debuginfo of virt-viewer

Created attachment 565528 [details]
This is libvirtd.log

(In reply to comment #0)
> Description of problem:
>   virt-viewer crashed when try reconnect to a guest after restart the guest.
> 
> Version-Release number of selected component (if applicable):
> spice-gtk-tools-0.9-1.el6.x86_64
> spice-glib-0.9-1.el6.x86_64
> spice-gtk-0.9-1.el6.x86_64
> spice-gtk-python-0.9-1.el6.x86_64
> virt-viewer-0.5.1-1.el6.x86_64
> libvirt-0.9.10-1.el6.x86_64
> Linux-2.6.32-220.el6.x86_64
> 
> How reproducible:
> 100%
> 
> Steps to Reproduce:
> 
> 1. Make sure virt-viewer-0.5.1-1.el6.x86_64 installed.
> 
> 2. Make sure you have a guest with spice graphic is running.
> 
> 3. Make sure your guest DOES NOT have spicevmc channel device, or you will hit
> another problem.
> 
> 4. Run #virt-viewer --reconnect <guest name>.
> 
> 5. Shutdown the guest then start it.
> 
> Actual results:
> 
> 1. After step 5, virt-viewer crashed.
> 
> Expected results:
> 
> 1. virt-viewer could reconnect the guest successfully after it restart.
> 
> Additional info:
> 
> 1. This issue cannot be reproduced on the following build combination.
> spice-glib-0.6-2.el6.x86_64
> spice-gtk-0.6-2.el6.x86_64
> spice-gtk-python-0.6-2.el6.x86_64
> virt-viewer-0.4.1-7.el6.x86_64
> libvirt-0.9.10-1.el6.x86_64
> Linux-2.6.32-220.el6.x86_64
> 
> 2. Because there is nothing in virt-manager.log, so I didn't attach it.

The "another problem" mentioned in step3, you can refer to bug 797089

Valgrind shows this is where things start to go crash-happy

(virt-viewer:15894): GSpice-WARNING **: (spice-session.c:1546):spice_session_channel_destroy: code should not be reached
==15894== Invalid read of size 8
==15894==    at 0x3690434121: g_type_instance_get_private (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x4E73697: spice_channel_disconnect (spice-channel.c:2423)
==15894==    by 0x4E7386F: spice_channel_dispose (spice-channel.c:144)
==15894==    by 0x36904113DA: g_object_unref (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x4157CC: virt_viewer_session_spice_channel_new (virt-viewer-session-spice.c:393)
==15894==    by 0x369040EA23: g_closure_invoke (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x3690420D16: ??? (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x369042A140: g_signal_emit_valist (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x369042A2E1: g_signal_emit (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x4E7326F: spice_channel_constructed (spice-channel.c:127)
==15894==    by 0x3690414F02: g_object_newv (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x36904157E5: g_object_new_valist (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==  Address 0xdd8b8d0 is 0 bytes inside a block of size 2,992 free'd
==15894==    at 0x4A0662E: free (vg_replace_malloc.c:366)
==15894==    by 0x368E84B7E2: g_free (in /lib64/libglib-2.0.so.0.3000.2)
==15894==    by 0x368E8606BE: g_slice_free1 (in /lib64/libglib-2.0.so.0.3000.2)
==15894==    by 0x36904318B3: g_type_free_instance (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x3690435A92: g_value_unset (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x369042A173: g_signal_emit_valist (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x369042A2E1: g_signal_emit (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x4E73862: spice_channel_dispose (spice-channel.c:142)
==15894==    by 0x36904113DA: g_object_unref (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x4157CC: virt_viewer_session_spice_channel_new (virt-viewer-session-spice.c:393)
==15894==    by 0x369040EA23: g_closure_invoke (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==    by 0x3690420D16: ??? (in /lib64/libgobject-2.0.so.0.3000.2)
==15894==

The crash is happening in

virt_viewer_session_spice_channel_new(SpiceSession *s,
                                      SpiceChannel *channel,
                                      VirtViewerSession *session)
{

....

    if (SPICE_IS_MAIN_CHANNEL(channel)) {
        if (self->priv->main_channel != NULL) {
            /* FIXME: use telepathy-glib g_signal_connect_object to automatically disconnect.. */
            g_signal_handlers_disconnect_by_func(self->priv->main_channel,
                                                 virt_viewer_session_spice_main_channel_event, self);
            g_object_unref(self->priv->main_channel);
        }

        g_signal_connect(channel, "channel-event",
                         G_CALLBACK(virt_viewer_session_spice_main_channel_event), self);
        self->priv->main_channel = g_object_ref(channel);
    }


This code looks fine to me, but it is obviously making spice-gtk unhappy in some way

bug fixed in virt-viewer upstream, should be part of upcoming 0.5.2 release

I can reproduce this issue with:
virt-viewer-0.5.1-1.el6

verified with :
virt-viewer-0.5.2-1.el6
spick-gtk-0.11-1.el6.x86_64
libvirt-0.9.10-4.el6.x86_64

step:
 1:create spice guest without spicevmc channel device
 2:Run #virt-viewer --reconnect <guest name>
 3:Shutdown the guest and restart it.
  virt-viewer reconnect the guest successfully after it restart.

verification passed.

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0772.html