Bug 836260

Summary: crashes with -vga vmware and Ubuntu guest
Product: [Fedora] Fedora
Reporter: Jan Kratochvil <jan.kratochvil>
Component: qemu
Assignee: Fedora Virtualization Maintainers <virt-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 17
CC: amit.shah, berrange, cfergeau, crobinso, dwmw2, itamar, jan.kratochvil, knoel, pbonzini, scottt.tw, stephent98, virt-maint
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-11 19:37:32 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Jan Kratochvil 2012-06-28 09:56:25 EDT
Description of problem:
Tried to reproduce some issue on Ubuntu buggy BIOSes but qemu-kvm keeps crashing.

Version-Release number of selected component (if applicable):

How reproducible:
Tried 3 times, always.

Steps to Reproduce:
Install ubuntu-12.04-dvd-amd64.iso.
qemu-kvm -drive file=/xxx/ubuntu12.04.qcow2,index=0,media=disk,snapshot=on,if=virtio,boot=on -vga vmware -net none -m 1024 -vnc :10

Actual results:
Program terminated with signal 11, Segmentation fault.
#0  set_bit (addr=<optimized out>, nr=-4) at ./bitops.h:122
122		*p  |= mask;
#0  set_bit (addr=<optimized out>, nr=-4) at ./bitops.h:122
#1  vnc_dpy_update (ds=<optimized out>, x=-64, y=<optimized out>, w=2359, h=<optimized out>) at ui/vnc.c:396
#2  0x00007feb3b66a13f in dpy_update (s=0x7feb3d95ebb0, h=1770, w=2360, y=0, x=-65) at ../console.h:240
#3  vmsvga_update_rect (h=1770, w=2360, y=0, x=-65, s=0x7feb3dcfea20) at /usr/src/debug/qemu-kvm-0.15.1/hw/vmware_vga.c:330
#4  vmsvga_update_rect_flush (s=0x7feb3dcfea20) at /usr/src/debug/qemu-kvm-0.15.1/hw/vmware_vga.c:369
#5  vmsvga_update_display (opaque=0x7feb3dcfea20) at /usr/src/debug/qemu-kvm-0.15.1/hw/vmware_vga.c:985
#6  0x00007feb3b55f415 in vnc_refresh (opaque=0x7feb3e3b5010) at ui/vnc.c:2444
#7  0x00007feb3b5761e8 in qemu_run_timers (clock=<optimized out>) at qemu-timer.c:599
#8  0x00007feb3b576625 in qemu_run_timers (clock=<optimized out>) at qemu-timer.c:584
#9  qemu_run_all_timers () at qemu-timer.c:735
#10 0x00007feb3b4b8bb2 in main_loop_wait (nonblocking=<optimized out>) at /usr/src/debug/qemu-kvm-0.15.1/vl.c:1351
#11 0x00007feb3b4a2c89 in main_loop () at /usr/src/debug/qemu-kvm-0.15.1/vl.c:1392
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /usr/src/debug/qemu-kvm-0.15.1/vl.c:3378

Expected results:
No crash.

Additional info:
I do not know why, but Ubuntu creates a huge screen with -vga vmware (2360x1770 may be the size).
I'm unaware why qemu crashes.
I have the core file here but (uncompressed) it is 758M; I may upload it somewhere.
Comment 2 Fedora End Of Life 2013-01-16 15:44:36 EST
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 3 Jan Kratochvil 2013-01-17 09:18:18 EST

vmsvga_update_rect: update width too large x: 1991, w: 372

Program received signal SIGSEGV, Segmentation fault.
set_bit (addr=<optimized out>, nr=-4) at ./bitops.h:122
122		*p  |= mask;
Missing separate debuginfos, use: debuginfo-install bluez-libs-4.99-2.fc17.x86_64 brlapi-0.5.6-4.fc17.x86_64 gsm-1.0.13-6.fc17.x86_64 json-c-0.10-2.fc17.x86_64
(gdb) bt
#0  set_bit (addr=<optimized out>, nr=-4) at ./bitops.h:122
#1  vnc_dpy_update (ds=<optimized out>, x=-64, y=0, w=2359, h=1770) at ui/vnc.c:427
#2  0x0000555555685864 in dpy_update (s=0x5555563eb3b0, h=1770, w=2360, y=0, x=-65) at /usr/src/debug/qemu-kvm-1.0.1/console.h:240
#3  vmsvga_update_rect (h=1770, w=2360, y=0, x=-65, s=0x555556acc630) at /usr/src/debug/qemu-kvm-1.0.1/hw/vmware_vga.c:325
#4  vmsvga_update_rect_flush (s=0x555556acc630) at /usr/src/debug/qemu-kvm-1.0.1/hw/vmware_vga.c:358
#5  vmsvga_update_display (opaque=0x555556acc630) at /usr/src/debug/qemu-kvm-1.0.1/hw/vmware_vga.c:961
#6  0x00005555556e6c24 in vnc_refresh (opaque=0x555557182010) at ui/vnc.c:2475
#7  0x00005555556aeb75 in qemu_run_timers (clock=0x5555563b2fc0) at qemu-timer.c:420
#8  qemu_run_timers (clock=0x5555563b2fc0) at qemu-timer.c:400
#9  0x00005555556aedec in qemu_run_all_timers () at qemu-timer.c:483
#10 0x000055555568884a in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:468
#11 0x00005555555c9729 in main_loop () at /usr/src/debug/qemu-kvm-1.0.1/vl.c:1482
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /usr/src/debug/qemu-kvm-1.0.1/vl.c:3528
(gdb) p p
$1 = (long unsigned int *) 0x2000555557182068
Comment 4 Cole Robinson 2013-04-01 16:17:28 EDT
Sounds like this fixes it:

commit 8cb6bfb54e91b1a31a6ae704def595c2099efde1
Author: Michael Tokarev <mjt@tls.msk.ru>
Date:   Fri Jan 25 21:23:24 2013 +0400

    vmware_vga: fix out of bounds and invalid rects updating
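Added illustration (not QEMU's code and not the referenced commit) of what the backtraces above show and what the commit title describes: a guest-supplied update rectangle with a negative x reaches the dirty bitmap as a negative bit index, and clamping the rectangle to the framebuffer before use avoids that. The struct and function names, the 16-pixel dirty tile and the 2360x1770 framebuffer size (the reporter's guess) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed illustration, not QEMU's code: the rectangle validation that
 * the fix commit's title ("fix out of bounds and invalid rects updating")
 * describes. Names, sizes and the 16-pixel dirty tile are assumptions. */
#define TILE_W 16

struct fb   { int width, height; };   /* framebuffer size in pixels */
struct rect { int x, y, w, h; };

/* Dirty-bitmap bit index a VNC-style tracker derives from column x.
 * C division truncates toward zero, so x = -64 gives -4: the
 * set_bit(nr=-4) in the backtrace, i.e. a write before the bitmap. */
int dirty_bit_index(int x) { return x / TILE_W; }

/* Clamp a guest-supplied update rectangle to the framebuffer. Returns
 * false when the rect is invalid or fully off-screen, so the caller skips
 * the update instead of indexing the dirty bitmap out of range. */
bool clamp_rect(const struct fb *fb, struct rect in, struct rect *out) {
    long x0 = in.x, y0 = in.y;               /* long: no overflow on x + w */
    long x1 = (long)in.x + in.w, y1 = (long)in.y + in.h;
    if (in.w <= 0 || in.h <= 0) return false;
    if (x0 < 0) x0 = 0;
    if (y0 < 0) y0 = 0;
    if (x1 > fb->width)  x1 = fb->width;
    if (y1 > fb->height) y1 = fb->height;
    if (x0 >= x1 || y0 >= y1) return false;
    out->x = (int)x0;        out->y = (int)y0;
    out->w = (int)(x1 - x0); out->h = (int)(y1 - y0);
    return true;
}
/* Wrappers returning one clamped field, or -1 if the rect was rejected. */
int clamped_x(int fw, int fh, int x, int y, int w, int h) {
    struct fb fb = { fw, fh }; struct rect out;
    return clamp_rect(&fb, (struct rect){ x, y, w, h }, &out) ? out.x : -1;
}
int clamped_w(int fw, int fh, int x, int y, int w, int h) {
    struct fb fb = { fw, fh }; struct rect out;
    return clamp_rect(&fb, (struct rect){ x, y, w, h }, &out) ? out.w : -1;
}
int main(void) {
    /* Frame #3 of the report: x=-65, y=0, w=2360, h=1770; the 2360x1770
       framebuffer size is the reporter's guess, assumed here. */
    printf("unchecked bit index for x=-64: %d\n", dirty_bit_index(-64));
    printf("clamped x=%d w=%d\n", clamped_x(2360, 1770, -65, 0, 2360, 1770),
                                  clamped_w(2360, 1770, -65, 0, 2360, 1770));
    return 0;
}
```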
Comment 5 Cole Robinson 2013-04-01 20:39:04 EDT
*** Bug 905657 has been marked as a duplicate of this bug. ***
Comment 6 Fedora Update System 2013-04-02 13:00:13 EDT
qemu-1.0.1-5.fc17 has been submitted as an update for Fedora 17.
Comment 7 Jan Kratochvil 2013-04-02 13:05:57 EDT
As I run on F-18 I have the crash reproducible with
as reported in the Bug 905657.
Comment 8 Cole Robinson 2013-04-02 17:02:36 EDT
Jan, I backported this patch to F18 as well, it's in 1.2.2-8 which was just built today.
Comment 9 Fedora Update System 2013-04-03 00:50:40 EDT
Package qemu-1.0.1-5.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing qemu-1.0.1-5.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2013-04-11 19:37:34 EDT
qemu-1.0.1-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.