Bug 963365

Summary: -vga qxl crashes qemu-kvm with CSB
Product: [Fedora] Fedora
Reporter: Jan Kratochvil <jan.kratochvil>
Component: qemu
Assignee: Fedora Virtualization Maintainers <virt-maint>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 18
CC: amit.shah, berrange, cfergeau, crobinso, dwmw2, itamar, jan.kratochvil, pbonzini, rjones, scottt.tw, virt-maint
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-16 20:48:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Kratochvil 2013-05-15 17:50:42 UTC
Description of problem:
Tried to run CSB but qemu-kvm crashed.

Version-Release number of selected component (if applicable):
qemu-system-x86-1.2.2-11.fc18.x86_64

How reproducible:
Always.

Steps to Reproduce:
/usr/bin/qemu-kvm -hda vm/rhel61-csb.qcow2 -snapshot -m 2048 -vga qxl
Click some CSB Python error, guest probably tries to set new resolution.

Actual results:
crash

Expected results:
no crash

Additional info:

#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:73
#1  in qemu_spice_create_update (ssd=0x7fe4778dc410) at ui/spice-display.c:275
#2  qemu_spice_display_refresh (ssd=0x7fe4778dc410) at ui/spice-display.c:462
#3  in dpy_refresh (s=0x7fe4778b7de0) at /usr/src/debug/qemu-kvm-1.2.0/console.h:245
#4  gui_update (opaque=0x7fe4778b7de0) at /usr/src/debug/qemu-kvm-1.2.0/vl.c:1281
#5  in qemu_run_timers (clock=0x7fe4775c5d10) at qemu-timer.c:393
#6  qemu_run_timers (clock=0x7fe4775c5d10) at qemu-timer.c:373
#7  in qemu_run_all_timers () at qemu-timer.c:450
#8  in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:502 
#9  in main_loop () at /usr/src/debug/qemu-kvm-1.2.0/vl.c:1643
#10 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /usr/src/debug/qemu-kvm-1.2.0/vl.c:3792

#0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:73
73		movdqu	(%rsi), %xmm1
(gdb) p/x $rsi
$6 = 0x7fe3d2d7f010
(gdb) up
#1  0x00007fe474e1e1f4 in qemu_spice_create_update (ssd=0x7fe4778dc410) at ui/spice-display.c:275
275	            if (memcmp(guest + yoff + xoff,
(gdb) l
270	        yoff = y * ds_get_linesize(ssd->ds);
271	        for (x = ssd->dirty.left; x < ssd->dirty.right; x += blksize) {
272	            xoff = x * bpp;
273	            blk = x / blksize;
274	            bw = MIN(blksize, ssd->dirty.right - x);
275	            if (memcmp(guest + yoff + xoff,
276	                       mirror + yoff + xoff,
277	                       bw * bpp) == 0) {
278	                if (dirty_top[blk] != -1) {
279	                    QXLRect update = {
(gdb) p (((SimpleSpiceDisplay *)0x00007fe4778dc410)->ds)->surface->linesize
$3 = 4096
(gdb) p y
$4 = 282
(gdb) p y*4096
$5 = 1155072
(gdb) p mirror
$8 = (uint8_t *) 0x7fe3d2c65010 ""
(gdb) p 0x7fe3d2d7f010-0x7fe3d2c65010
$9 = 1155072
(gdb) p xoff
$10 = 0
(gdb) p bw
$11 = 32
(gdb) p bpp
$12 = 4
(gdb) x/bx 0x7fe3d2d7f010
0x7fe3d2d7f010:	Cannot access memory at address 0x7fe3d2d7f010

So at 'mirror + yoff' there is no mapped memory.

I have a saved core file if you want one.
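Added example, not code from the report or from qemu: a simplified stand-in for the dirty-block compare the backtrace points at, where the mirror is resized to the current surface geometry and each memcmp is bounds-checked against the mirror's real allocation, so an offset past the mirror (the 'mirror + yoff' case above) is reported instead of read. All struct and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the state ui/spice-display.c compares; not qemu's real structs. */
typedef struct {
    int width, height, bpp, linesize;  /* guest surface geometry */
    int left, right, top, bottom;      /* dirty rectangle, in pixels */
} surface_t;
typedef struct { uint8_t *data; size_t size; } mirror_t;  /* size = bytes allocated */

/* Resize the mirror to the current surface so offsets computed from the new linesize/height
 * can never run past an allocation made for an older, smaller resolution. */
static int mirror_resize(mirror_t *m, const surface_t *s) {
    size_t need = (size_t)s->linesize * (size_t)s->height;
    if (m->size == need) return 0;
    uint8_t *p = realloc(m->data, need);
    if (!p) return -1;
    memset(p, 0, need);              /* geometry changed: force a full update */
    m->data = p; m->size = need;
    return 0;
}

/* Count blksize-pixel blocks in the dirty rect whose guest/mirror bytes differ; -1 instead of an OOB read. */
static int count_dirty_blocks(const surface_t *s, const uint8_t *guest,
                              const mirror_t *m, int blksize) {
    int dirty = 0;
    for (int y = s->top; y < s->bottom; y++) {
        size_t yoff = (size_t)y * (size_t)s->linesize;
        for (int x = s->left; x < s->right; x += blksize) {
            int bw = s->right - x < blksize ? s->right - x : blksize;
            size_t xoff = (size_t)x * (size_t)s->bpp, len = (size_t)bw * (size_t)s->bpp;
            if (yoff + xoff + len > m->size) return -1;   /* the crash's precondition */
            if (memcmp(guest + yoff + xoff, m->data + yoff + xoff, len) != 0) dirty++;
        }
    }
    return dirty;
}

/* Constructed scenario: 64x64 32bpp surface, rows 48..63 dirty, one changed pixel in row 50.
 * stale=1 leaves the mirror sized for an earlier 64x32 surface (the resolution-change case). */
int example(int stale) {
    surface_t s = { 64, 64, 4, 256, 0, 64, 48, 64 }, old = { 64, 32, 4, 256, 0, 0, 0, 0 };
    mirror_t m = { NULL, 0 };
    if (mirror_resize(&m, stale ? &old : &s) != 0) return -2;
    uint8_t *guest = calloc((size_t)s.linesize * (size_t)s.height, 1);
    if (!guest) { free(m.data); return -2; }
    guest[50 * s.linesize + 8 * s.bpp] = 0xff;   /* pixel (8, 50) differs from the zeroed mirror */
    int r = count_dirty_blocks(&s, guest, &m, 32);
    free(guest); free(m.data);
    return r;
}
```

With a correctly sized mirror the scenario yields one dirty block; with the stale 64x32 mirror the first dirty row already lies past the allocation and the function returns -1 where the original code would have read unmapped memory.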

Comment 1 Jan Kratochvil 2013-05-15 17:52:02 UTC
Used also MALLOC_CHECK_=3 above but it crashed the same without it.

Comment 3 Cole Robinson 2013-12-16 20:48:34 UTC
F18 is end-of-life soon, so this is unlikely to be fixed there. Closing as WONTFIX, but Jan, please reopen if you can reproduce on F19+.

And if so, please provide private instructions on where to get CSB media and I'll try and reproduce.

Comment 4 Jan Kratochvil 2014-06-09 11:44:47 UTC
No crash: qemu-system-x86-1.6.2-5.fc20.x86_64