Bug 830695

Summary: Guest win2k3-64 core-dumps when using DebugView to capture kernel
Product: Red Hat Enterprise Linux 6
Reporter: Yang Zhao <yanzhao>
Component: virtio-win
Assignee: Yvugenfi <yvugenfi>
Status: CLOSED CANTFIX
QA Contact: Virtualization Bugs <virt-bugs>
Severity: high
Priority: high
Version: 6.3
CC: acathrow, bcao, bsarathy, dawu, dyasny, juzhang, knoel, mdeng, michen, mkenneth, rhod, virt-maint, vrozenfe
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-07-17 08:27:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Yang Zhao 2012-06-11 08:50:09 UTC
Description of problem:
Guest win2k3-64 core-dumps when using DebugView to capture kernel

Version-Release number of selected component (if applicable):
kernel-2.6.32-274.el6.x86_64
qemu-kvm-0.12.1.2-2.295.el6.x86_64
seabios-0.6.1.2-19.el6.x86_64
guest win2k3-64

How reproducible:
100%

Steps to Reproduce:
1. Start the win2k3-64 guest:
/usr/libexec/qemu-kvm -boot dc -cpu cpu64-rhel6,+x2apic,family=0xf -smp 4 -m 2G -k en-us \
  -usb -device usb-tablet,id=tablet0 \
  -device intel-hda,id=sound0 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 \
  -drive file=win2k3-64-0611.raw,format=raw,cache=none,if=none,werror=stop,rerror=stop,id=drive-disk0,media=disk \
  -device ide-drive,drive=drive-disk0,id=disk0 \
  -drive file=en_win_srv_2003_r2_enterprise_x64_with_sp2_cd1_X13-06188.iso,format=raw,cache=none,if=none,werror=stop,rerror=stop,id=drive-disk2,media=cdrom \
  -device ide-drive,drive=drive-disk2,id=disk2,bus=ide.1,unit=1 \
  -drive file=en_win_srv_2003_r2_enterprise_x64_with_sp2_cd2_X13-68588.iso,format=raw,cache=none,if=none,werror=stop,rerror=stop,id=drive-disk3,media=cdrom \
  -device ide-drive,drive=drive-disk3,id=disk3,bus=ide.0,unit=0 \
  -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup \
  -device rtl8139,netdev=hostnet0,id=net0,mac=00:12:20:1e:36:22 \
  -rtc base=utc,clock=host,driftfix=slew -name win7-64 \
  -spice port=5932,disable-ticketing -vga qxl \
  -uuid c9db4a97-5661-4adb-9f67-8c436c69c1dc -monitor stdio

2. In the guest, set "Write debugging information" to "Kernel memory dump".

3. Run DebugView.exe and execute Capture --> Capture Kernel.


Actual results:
After step 3, the guest core-dumps.

Expected results:
Guest keeps running normally.

Additional info:

Comment 1 Yang Zhao 2012-06-11 08:57:34 UTC
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000096, The exception code that was not handled
Arg2: fffffadfc7814757, The address that the exception occurred at
Arg3: fffffadfc8ca25a0, Exception Record Address
Arg4: fffffadfc8ca1fb0, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000096 - {EXCEPTION}  Privileged instruction.

FAULTING_IP: 
Dbgv+1757
fffffadf`c7814757 440f22c0        mov     cr8,rax

EXCEPTION_RECORD:  fffffadfc8ca25a0 -- (.exr 0xfffffadfc8ca25a0)
ExceptionAddress: fffffadfc7814757 (Dbgv+0x0000000000001757)
   ExceptionCode: c0000096
  ExceptionFlags: 00000000
NumberParameters: 0

CONTEXT:  fffffadfc8ca1fb0 -- (.cxr 0xfffffadfc8ca1fb0)
rax=000000000000001f rbx=fffffadfc8ca2840 rcx=fffffadfce41d2b0
rdx=0000000000000000 rsi=0000000000000000 rdi=fffffadfce41d2b0
rip=fffffadfc7814757 rsp=fffffadfc8ca27c0 rbp=0000000000000004
 r8=fffffadfc8ca2840  r9=fffffadfc8ca2848 r10=5bf9c8f204bf0101
r11=fffff800011b0180 r12=0000000000000004 r13=000000000000000f
r14=fffffadfc7815950 r15=0000000000000001
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
Dbgv+0x1757:
fffffadf`c7814757 440f22c0        mov     cr8,rax
Resetting default scope

PROCESS_NAME:  Idle

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000096 - {EXCEPTION}  Privileged instruction.

BUGCHECK_STR:  0x7E

DEFAULT_BUCKET_ID:  STATUS_PRIVILEGED_INSTRUCTION

LAST_CONTROL_TRANSFER:  from fffffadfc7814945 to fffffadfc7814757

STACK_TEXT:  
fffffadf`c8ca27c0 fffffadf`c7814945 : fffffadf`ce4e0410 fffffadf`c8ca2848 fffffadf`ce4e0430 00000000`00000004 : Dbgv+0x1757
fffffadf`c8ca27f0 fffffadf`c7815095 : fffffadf`00000000 fffffadf`00000004 fffffadf`ce05a6a0 fffffadf`ce3d2000 : Dbgv+0x1945
fffffadf`c8ca2840 fffff800`0131a32e : fffffadf`00000000 00000000`00000000 fffffadf`ce05a6a0 00000000`0000001c : Dbgv+0x2095
fffffadf`c8ca2ad0 fffff800`0131a656 : fffffadf`ce8d37a0 fffffadf`c887b180 fffffadf`ce8d37a0 fffffadf`c6635c10 : nt!IopLoadDriver+0xbad
fffffadf`c8ca2c90 fffff800`010375ca : 00000000`00000000 fffffadf`c6635c10 00000000`00000000 fffff800`011cda18 : nt!IopLoadUnloadDriver+0x86
fffffadf`c8ca2d00 fffff800`0124a972 : fffffadf`ce8d37a0 00000000`00000080 fffffadf`ce8d37a0 fffffadf`c8893680 : nt!ExpWorkerThread+0x13b
fffffadf`c8ca2d70 fffff800`01020226 : fffffadf`c888b180 fffffadf`ce8d37a0 fffffadf`c8893680 fffff800`011b4dc0 : nt!PspSystemThreadStartup+0x3e
fffffadf`c8ca2dd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16


FOLLOWUP_IP: 
Dbgv+1757
fffffadf`c7814757 440f22c0        mov     cr8,rax

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Dbgv+1757

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Dbgv

IMAGE_NAME:  Dbgv.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4d7ce5ca

STACK_COMMAND:  .cxr 0xfffffadfc8ca1fb0 ; kb

FAILURE_BUCKET_ID:  X64_0x7E_Dbgv+1757

BUCKET_ID:  X64_0x7E_Dbgv+1757

Followup: MachineOwner
---------

Comment 4 Yvugenfi@redhat.com 2012-07-03 13:19:52 UTC
Please indicate where I can get the exact spice (QXL) drivers used on the guest.

Thanks.

Comment 6 Avi Kivity 2012-07-15 16:41:30 UTC
Bits 4-63 of cr8 are reserved.  You are trying to set bit 4, and the #GP is expected.

Comment 7 Yvugenfi@redhat.com 2012-07-17 08:27:38 UTC
fffffadf`c7814749 4c894c2438      mov     qword ptr [rsp+38h],r9
fffffadf`c781474e 440f20c6        mov     rsi,cr8
fffffadf`c7814752 b81f000000      mov     eax,1Fh
fffffadf`c7814757 440f22c0        mov     cr8,rax

Looks like a DebugView driver bug. As this is an MS component we cannot fix it; we just document it for future reference.
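
Added example, not code from the bug report, from DebugView or from virtio-win/qemu-kvm: a small C model of the two x86-64 rules behind the bugcheck above. It decodes the bytes quoted in comment 7 (44 0f 22 c0) as MOV CR8,RAX, then applies the rule stated in comment 6 that CR8 only carries bits 3:0 (the task priority, TPR[7:4]) and that a MOV to CR8 with any of bits 63:4 set raises #GP(0), which is what the Intel SDM documents for this instruction. The REX/ModRM decoding and the reserved-bit mask follow the architecture definition; the function names and the byte array are this example's own, the bytes being copied from the disassembly in the comment.

```c
/* Added example: not code from the bug report, DebugView, or virtio-win.
 * Models the x86-64 rules behind the bugcheck above:
 *   - "[REX] 0F 22 /r" encodes MOV CRn,r64; REX.R adds 8 to the CR number,
 *     so 44 0f 22 c0 is MOV CR8,RAX.
 *   - CR8 carries the task priority (TPR[7:4]) in bits 3:0; bits 63:4 are
 *     reserved and MOV to CR8 with any of them set raises #GP(0).
 * Function names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CR8_VALID_MASK 0xFULL          /* bits 3:0 only */

/* 1 if "mov cr8, value" faults with #GP(0), 0 if the write is accepted. */
int cr8_write_faults(uint64_t value)
{
    return (value & ~CR8_VALID_MASK) != 0;
}

/* Decode MOV CRn,r64 ([REX] 0F 22 /r, mod must be 11b).
 * Returns bytes consumed, or 0 if the bytes are not that encoding. */
size_t decode_mov_to_cr(const uint8_t *p, size_t len, int *crn, int *src_gpr)
{
    size_t i = 0;
    int rex_r = 0, rex_b = 0;

    if (len > 0 && (p[0] & 0xF0) == 0x40) {      /* optional REX prefix */
        rex_r = (p[0] >> 2) & 1;                 /* extends ModRM.reg: CR8..CR15 */
        rex_b = p[0] & 1;                        /* extends ModRM.rm:  r8..r15 */
        i = 1;
    }
    if (len < i + 3 || p[i] != 0x0F || p[i + 1] != 0x22)
        return 0;
    uint8_t modrm = p[i + 2];
    if ((modrm >> 6) != 3)                       /* register-direct form only */
        return 0;
    *crn = ((modrm >> 3) & 7) | (rex_r << 3);
    *src_gpr = (modrm & 7) | (rex_b << 3);
    return i + 3;
}

/* Replays the two instructions quoted in comment 7 (bytes constructed from
 * the listing there): mov eax,1Fh ; mov cr8,rax.  Returns 1 if the CR8 write
 * faults, 0 if not, -1 if the bytes do not decode as expected. */
int dbgv_sequence_faults(void)
{
    static const uint8_t code[] = {
        0xB8, 0x1F, 0x00, 0x00, 0x00,            /* mov eax,1Fh */
        0x44, 0x0F, 0x22, 0xC0                   /* mov cr8,rax */
    };
    uint64_t rax = 0;
    size_t i;
    int crn, gpr;

    if (code[0] != 0xB8)                         /* mov eax,imm32 */
        return -1;
    for (int k = 0; k < 4; k++)                  /* little-endian imm32; a */
        rax |= (uint64_t)code[1 + k] << (8 * k); /* 32-bit dest zero-extends */
    i = 5;
    if (decode_mov_to_cr(code + i, sizeof code - i, &crn, &gpr) == 0
        || crn != 8 || gpr != 0)                 /* expect cr8 <- rax */
        return -1;
    return cr8_write_faults(rax);                /* 0x1f has bit 4 set: faults */
}

int main(void)
{
    const uint8_t bytes[] = { 0x44, 0x0F, 0x22, 0xC0 };
    int crn = -1, gpr = -1;

    decode_mov_to_cr(bytes, sizeof bytes, &crn, &gpr);
    printf("44 0f 22 c0 -> mov cr%d, r%d\n", crn, gpr);
    printf("mov cr8, 0x1f faults: %d\n", dbgv_sequence_faults());
    printf("mov cr8, 0x0f faults: %d\n", cr8_write_faults(0x0f));
    return 0;
}
```

The highest value CR8 can hold is 0xf (TPR 0xf0); 0x1f is not a representable priority at all, so the #GP is a property of the instruction, not of KVM's emulation of it. A driver that wants to raise IRQL should go through the kernel's APIs (or write a value masked to bits 3:0) rather than load CR8 with a raw constant.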

Comment 8 Avi Kivity 2012-07-17 10:15:18 UTC
Does it crash on real hardware?  Maybe real hardware is more relaxed.