Bug 821235

Summary: various spice crashes using Visio on Windows XP
Product: Red Hat Enterprise Linux 6
Reporter: Alon Levy <alevy>
Component: spice-server
Assignee: Uri Lublin <uril>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: high
Priority: high
Version: 6.3
CC: acathrow, alevy, alexl, cfergeau, dblechte, dyasny, hdegoede, jforbes, jlmagee, kraxel, marcandre.lureau, mkenneth, mkrcmari, syeghiay, yhalperi
Target Milestone: rc
Hardware: x86_64
OS: Linux
Fixed In Version: spice-server-0.10.1-9.el6
Doc Type: Bug Fix
Doc Text: No documentation needed
Clone Of: 808936
Last Closed: 2012-06-20 12:17:29 UTC
Bug Depends On: 808936

Description Alon Levy 2012-05-13 11:55:40 UTC
This bug should be the same in RHEL 6.3 and has a patch upstream; I want to propose it as a blocker to get into RHEL 6.3.

http://lists.freedesktop.org/archives/spice-devel/2012-May/009129.html

+++ This bug was initially created as a clone of Bug #808936 +++

Description of problem:
Various operations on the guest in Visio 2007 and 2010 crash qemu-kvm in various manners.

Version-Release number of selected component (if applicable):
Host: F16 x86_64 all updates including updates-testing and virt-preview; also fails on F17 Beta RC2
Guest: fully updated Win XP SP3 32-bit with latest virtio, qxl, and vdagent/vdservice drivers.

How reproducible:
scroll around a Visio diagram for a while.

Steps to Reproduce:
1. Open Visio in guest
2. scroll diagram various ways
Actual results: 
qemu-kvm crashes 

Expected results:
no crash

Additional info:
I've had similar issues with various levels of the related software

--- Additional comment from jlmagee on 2012-04-01 21:51:48 EDT ---

Created attachment 574392 [details]
abrt directory, qemu log, spice logs, guest vd* logs

--- Additional comment from alevy on 2012-04-05 11:22:58 EDT ---

Hi John,

Thanks for reporting. Unfortunately I haven't managed to get a stack trace yet, I am running F17 which makes this a bit of a problem to do fast (AFAICT I need to downgrade to the F16 version and install its debug symbols). If you could reproduce with the F17, or maybe there is a free version of Visio I could download to run, it would help.

The F17 latest version of qemu-kvm I have right now is:
Name        : qemu-kvm
Epoch       : 2
Version     : 1.0
Release     : 10.fc17

Thanks,
Alon

--- Additional comment from jlmagee on 2012-04-05 13:03:35 EDT ---

Alon- I got the same failures on F17 Beta RC2. It was just easier to report from my F16 system. Are there debuginfo packages for F17? Let me know exactly what you'd like. Perhaps I could send you a vm image for testing. It would be 7 or 8 GB probably.

--- Additional comment from alevy on 2012-04-06 02:34:06 EDT ---

OK. A VM could be nice, but seems a bit overkill - but if you can put it somewhere and give me a url it would be good. Actually I'm mostly interested in the stacktrace of the faulting qemu process (all threads), so you could just post that here if possible. The 200-300 MB abrt package is also easier/faster to download, and this time I could look at it in a timely manner, since it will be for F17, which I'm running on here.

Thanks.
Alon

--- Additional comment from jlmagee on 2012-04-07 12:32:42 EDT ---

Created attachment 575951 [details]
qemu log spicec log  cegui log and package list

This is a backtrace and memory map in the qemu log. Even with qemu debuginfo I don't get abrt on F17.

--- Additional comment from alevy on 2012-04-30 09:18:01 EDT ---

Can reproduce on an image provided by John L Magee, using his instructions, reproduced here:

Open visio file provided.
Select all by pressing Ctrl-A
view->zoom 200%
press ok
scroll horizontally left wise
get segmentation fault at red_put_image, on double free:

(gdb) bt
#0  __GI___libc_free (mem=0x5000000000d) at malloc.c:2973
#1  0x00007ffff3037d06 in red_put_image (red=0x7fffacc65d30) at red_parse_qxl.c:451
#2  0x00007ffff303da98 in put_red_drawable (worker=0x7fffac0008c0, drawable=0x7fffacc79f20, group_id=1, self_bitmap=0x7fffacc65d30) at red_worker.c:1682
#3  0x00007ffff30479f7 in red_display_free_glz_drawable_instance (dcc=0x7fffac269be0, glz_drawable_instance=0x7fffac99b7d0) at red_worker.c:5154
#4  0x00007ffff3048d04 in glz_usr_free_image (usr=0x7fffac26e6c0, image=0x7fffac99b7d0) at red_worker.c:5507
#5  0x00007ffff3025fa8 in __glz_dictionary_window_free_image (dict=0x7fffe27fe010, image=0x7fffacb18380) at glz_encoder_dictionary.c:362
#6  0x00007ffff30262fa in glz_dictionary_window_remove_head (dict=0x7fffe27fe010, encoder_id=0, end_image=0x7fffac93fb20) at glz_encoder_dictionary.c:449
#7  0x00007ffff302676f in glz_dictionary_pre_encode (encoder_id=0, usr=0x7fffac26e6c0, dict=0x7fffe27fe010, image_type=LZ_IMAGE_TYPE_RGB32, image_width=995, image_height=741, image_stride=3980, first_lines=0x0, num_first_lines=0, usr_image_context=0x7fffac99a060, image_head_dist=0x7fffe8dde6ac) at glz_encoder_dictionary.c:570
#8  0x00007ffff302502b in glz_encode (opaque_encoder=0x7fffac2c5610, type=LZ_IMAGE_TYPE_RGB32, width=995, height=741, top_down=0, lines=0x0, num_lines=0, stride=3980, io_ptr=0x7fffac3f16c0 "  ZL", num_io_bytes=65536, usr_context=0x7fffac99a060, o_enc_dict_context=0x7fffac99a080) at glz_encoder.c:255
#9  0x00007ffff304a500 in red_glz_compress_image (dcc=0x7fffac269be0, dest=0x7fffe8dde8c0, src=0x7fffac2ca678, drawable=0x7fffac198050, o_comp_data=0x7fffe8dde8a0) at red_worker.c:5781
#10 0x00007ffff304b630 in red_compress_image (dcc=0x7fffac269be0, dest=0x7fffe8dde8c0, src=0x7fffac2ca678, drawable=0x7fffac198050, can_lossy=0, o_comp_data=0x7fffe8dde8a0) at red_worker.c:6241
#11 0x00007ffff304bcd0 in fill_bits (dcc=0x7fffac269be0, m=0x7fffac99cc40, simage=0x7fffac2ca660, drawable=0x7fffac198050, can_lossy=0) at red_worker.c:6378
#12 0x00007ffff304da5c in red_marshall_qxl_draw_copy (worker=0x7fffac0008c0, rcc=0x7fffac269be0, base_marshaller=0x7fffac2acf70, dpi=0x7fffac339580, src_allowed_lossy=0) at red_worker.c:7083
#13 0x00007ffff304f842 in red_marshall_qxl_drawable (worker=0x7fffac0008c0, rcc=0x7fffac269be0, m=0x7fffac2acf70, dpi=0x7fffac339580) at red_worker.c:7760
#14 0x00007ffff305078e in marshall_qxl_drawable (rcc=0x7fffac269be0, m=0x7fffac2acf70, dpi=0x7fffac339580) at red_worker.c:8087
#15 0x00007ffff3051fc3 in display_channel_send_item (rcc=0x7fffac269be0, pipe_item=0x7fffac339590) at red_worker.c:8553
#16 0x00007ffff302ddbe in red_channel_client_send_item (rcc=0x7fffac269be0, item=0x7fffac339590) at red_channel.c:423
#17 0x00007ffff302f598 in red_channel_client_push (rcc=0x7fffac269be0) at red_channel.c:883
#18 0x00007ffff302f642 in red_channel_push (channel=0x7fffac23d120) at red_channel.c:899
#19 0x00007ffff3052402 in red_push (worker=0x7fffac0008c0) at red_worker.c:8665
#20 0x00007ffff30598b3 in red_worker_main (arg=0x7fffffffcfa0) at red_worker.c:11209
#21 0x00007ffff6bbad14 in start_thread (arg=0x7fffe8ddf700) at pthread_create.c:309
#22 0x00007ffff283e94d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
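
As an added illustration (not code from this bug or from spice-server), here is a constructed C model of the ownership pattern in the trace above: one image buffer referenced both by the drawable that produced it and by a compression-dictionary entry, so that two independent release paths (the drawable put and the dictionary eviction) can reach the same free. Reference counting with the owning pointer cleared on release makes the buffer freed exactly once; all type and function names are hypothetical.

```c
#include <stdlib.h>

/* Constructed model of the ownership problem behind the backtrace above: an
 * image buffer reachable both from the drawable that produced it and from a
 * compression-dictionary window entry, so two release paths can free it.
 * Names are hypothetical, not spice-server's. */
typedef struct {
    unsigned char *pixels;
    int refs;                       /* live owners: drawable, dictionary entry, ... */
} image_t;
typedef struct { image_t *self_bitmap; } drawable_t;
typedef struct { image_t *image; } dict_entry_t;

static image_t *image_new(size_t bytes) {
    image_t *img = calloc(1, sizeof *img);
    img->pixels = calloc(bytes, 1);
    img->refs = 1;
    return img;
}

static image_t *image_ref(image_t *img) { img->refs++; return img; }

/* Drops one owner through its own slot; returns 1 if the buffer was freed.
 * Clearing the slot first turns a repeated release into a no-op. */
static int image_unref(image_t **slot) {
    image_t *img = *slot;
    *slot = NULL;
    if (img == NULL || --img->refs > 0) return 0;
    free(img->pixels);
    free(img);
    return 1;
}

/* Path 1: drawable put back (analogue of put_red_drawable -> red_put_image). */
static int drawable_release(drawable_t *d) { return image_unref(&d->self_bitmap); }
/* Path 2: dictionary evicts its head (analogue of glz_usr_free_image). */
static int dict_evict(dict_entry_t *e) { return image_unref(&e->image); }

/* Runs both release paths in either order plus one stray repeat release;
 * returns how many times the pixel buffer was freed (must always be 1). */
int simulate_release_order(int evict_first) {
    drawable_t d = { image_new(3980 * 741) };      /* stride and height from the trace */
    dict_entry_t e = { image_ref(d.self_bitmap) };
    int freed = 0;
    if (evict_first) { freed += dict_evict(&e); freed += drawable_release(&d); }
    else             { freed += drawable_release(&d); freed += dict_evict(&e); }
    freed += drawable_release(&d);                 /* stray repeat: harmless now */
    return freed;
}
```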

Comment 6 Yonit Halperin 2012-05-16 08:06:29 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
No documentation needed

Comment 10 errata-xmlrpc 2012-06-20 12:17:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0765.html