Bug 1048654 - qemu-kvm crashed when using '-spice port=3000,disable-ticketing -device qxl,id=qxl-1'
Status: CLOSED DUPLICATE of bug 987312
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
Reported: 2014-01-06 02:46 UTC by Xiaoqing Wei
Modified: 2014-01-15 15:40 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-01-15 15:40:37 UTC

Attachments:
core dump - part 1 (14.65 MB, application/octet-stream), 2014-01-06 05:17 UTC, Xiaoqing Wei
core dump - part 2 (13.82 MB, application/octet-stream), 2014-01-06 05:19 UTC, Xiaoqing Wei
thread apply all bt full (12.47 KB, text/plain), 2014-01-06 05:20 UTC, Xiaoqing Wei

Description Xiaoqing Wei 2014-01-06 02:46:27 UTC
Description of problem:

qemu-kvm crashed when using '-spice port=3000,disable-ticketing -device qxl,id=qxl-1'
Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-30.el7.x86_64
spice-server-0.12.4-3.el7.x86_64
seabios-bin-1.7.2.2-6.el7.x86_64
seavgabios-bin-1.7.2.2-6.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. /home/staf-kvm-devel/autotest-devel/client/tests/virt/qemu/qemu -monitor stdio -S -name 'virt-tests-vm1' -sandbox off -M pc -nodefaults \
 -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20140103-011103-iBw6vAzE,server,nowait \
 -mon chardev=qmp_id_qmpmonitor1,mode=control \
 -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20140103-011103-iBw6vAzE,server,nowait \
 -device isa-serial,chardev=serial_id_serial0 \
 -chardev socket,id=seabioslog_id_20140103-011103-iBw6vAzE,path=/tmp/seabios-20140103-011103-iBw6vAzE,server,nowait \
 -device isa-debugcon,chardev=seabioslog_id_20140103-011103-iBw6vAzE,iobase=0x402 \
 -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 \
 -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/home/win7-32-virtio.qcow2 \
 -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=0,bus=pci.0,addr=04 \
 -device virtio-net-pci,mac=9a:22:23:24:25:26,id=idEAV2Ng,netdev=idX0l904,bus=pci.0,addr=05 \
 -netdev tap,id=idX0l904,vhost=on \
 -m 2048 \
 -smp 2,maxcpus=2,cores=1,threads=1,sockets=2 \
 -cpu 'SandyBridge',hv_relaxed,hv_spinlocks=0x1fff,hv_vapic \
 -drive id=drive_cd1,if=none,snapshot=off,aio=native,media=cdrom,file=/home/staf-kvm-devel/autotest-devel/client/tests/virt/shared/data/isos/windows/winutils.iso \
 -device ide-cd,id=cd1,drive=drive_cd1,bootindex=1,bus=ide.0,unit=0 \
 -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
 -spice port=3000,disable-ticketing -device qxl,id=qxl-1 \
 -rtc base=localtime,clock=host,driftfix=slew -boot order=cdn,once=c,menu=off -enable-kvm
2. enter 'c' to start the vm
3. remote-viewer spice://10.66.9.255:3000


Actual results:
(qemu) c
(qemu) main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 151.121000 ms, bitrate 485883748 bps (463.374851 Mbps)
(/home/staf-kvm-devel/autotest-devel/client/tests/virt/qemu/qemu:31336): Spice-ERROR **: reds.c:1464:reds_send_link_ack: assertion `link->link_mess->channel_type == SPICE_CHANNEL_MAIN' failed
Thread 5 (Thread 0x7f8aa9aa0700 (LWP 31347)):
#0  0x00007f8ab4c47890 in sem_timedwait () from /lib64/libpthread.so.0
#1  0x00007f8ab6f2dec7 in qemu_sem_timedwait (sem=sem@entry=0x7f8ab7f990e8, ms=ms@entry=10000) at util/qemu-thread-posix.c:238
#2  0x00007f8ab6de716c in worker_thread (opaque=0x7f8ab7f99050) at thread-pool.c:96
#3  0x00007f8ab4c41de3 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f8ab195f26d in clone () from /lib64/libc.so.6
Thread 4 (Thread 0x7f8aa909e700 (LWP 31348)):
#0  0x00007f8ab1956357 in ioctl () from /lib64/libc.so.6
#1  0x00007f8ab6e67b65 in kvm_vcpu_ioctl (cpu=cpu@entry=0x7f8ab8104de0, type=type@entry=44672) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1756
#2  0x00007f8ab6e67c9c in kvm_cpu_exec (env=env@entry=0x7f8ab8104ef0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1641
#3  0x00007f8ab6e108f5 in qemu_kvm_cpu_thread_fn (arg=0x7f8ab8104ef0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#4  0x00007f8ab4c41de3 in start_thread () from /lib64/libpthread.so.0
#5  0x00007f8ab195f26d in clone () from /lib64/libc.so.6
Thread 3 (Thread 0x7f8aa889d700 (LWP 31349)):
#0  0x00007f8ab1956357 in ioctl () from /lib64/libc.so.6
#1  0x00007f8ab6e67b65 in kvm_vcpu_ioctl (cpu=cpu@entry=0x7f8ab81340e0, type=type@entry=44672) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1756
#2  0x00007f8ab6e67c9c in kvm_cpu_exec (env=env@entry=0x7f8ab81341f0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1641
#3  0x00007f8ab6e108f5 in qemu_kvm_cpu_thread_fn (arg=0x7f8ab81341f0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#4  0x00007f8ab4c41de3 in start_thread () from /lib64/libpthread.so.0
#5  0x00007f8ab195f26d in clone () from /lib64/libc.so.6
Thread 2 (Thread 0x7f8a135ff700 (LWP 31351)):
#0  0x00007f8ab1954c9d in poll () from /lib64/libc.so.6
#1  0x00007f8ab2632ecf in poll (__timeout=<optimized out>, __nfds=20, __fds=0x7f8a0c0008f8) at /usr/include/bits/poll2.h:46
#2  red_worker_main (arg=<optimized out>) at red_worker.c:12245
#3  0x00007f8ab4c41de3 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f8ab195f26d in clone () from /lib64/libc.so.6
Thread 1 (Thread 0x7f8ab6bb7a00 (LWP 31336)):
#0  0x00007f8ab4c4824d in read () from /lib64/libpthread.so.0
#1  0x00007f8ab264bd71 in read (__nbytes=255, __buf=0x7fffe52a2960, __fd=<optimized out>) at /usr/include/bits/unistd.h:44
#2  spice_backtrace_gstack () at backtrace.c:100
#3  0x00007f8ab264beb9 in spice_backtrace () at backtrace.c:131
#4  0x00007f8ab2653517 in spice_logv (log_domain=0x7f8ab26c91c6 "Spice", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f8ab26d4b53 "reds.c:1464", function=0x7f8ab26d67e0 <__FUNCTION__.30572> "reds_send_link_ack", format=0x7f8ab26c919e "assertion `%s' failed", args=args@entry=0x7fffe52a2af8) at log.c:108
#5  0x00007f8ab2653668 in spice_log (log_domain=log_domain@entry=0x7f8ab26c91c6 "Spice", log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, strloc=strloc@entry=0x7f8ab26d4b53 "reds.c:1464", function=function@entry=0x7f8ab26d67e0 <__FUNCTION__.30572> "reds_send_link_ack", format=format@entry=0x7f8ab26c919e "assertion `%s' failed") at log.c:123
#6  0x00007f8ab263cb97 in reds_send_link_ack (link=0x7f8ab811f640) at reds.c:1464
#7  reds_handle_read_link_done (opaque=0x7f8ab811f640) at reds.c:2726
#8  0x00007f8ab263be36 in spice_server_add_client (s=<optimized out>, socket=socket@entry=31, skip_auth=skip_auth@entry=0) at reds.c:2997
#9  0x00007f8ab263be9a in reds_accept (fd=<optimized out>, event=<optimized out>, data=<optimized out>) at reds.c:2974
#10 0x00007f8ab6d8efae in qemu_iohandler_poll (pollfds=0x7f8ab7f69800, ret=ret@entry=1) at iohandler.c:143
#11 0x00007f8ab6d94688 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:465
#12 0x00007f8ab6c98ae0 in main_loop () at vl.c:1984
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4343
2008r2.sh: line 28: 31336 Aborted                 (core dumped) 

echo $?
134

Expected results:
qemu-kvm runs successfully, without a core dump

Additional info:

Comment 2 Xiaoqing Wei 2014-01-06 05:01:35 UTC
Change to use

   -spice port=3000,disable-ticketing \
    -vga qxl \


and qemu runs well.

Comment 3 Xiaoqing Wei 2014-01-06 05:17:27 UTC
Created attachment 845910
core dump - part 1

cat xaa xab > coredump.tar.xz

tar xJf coredump.tar.xz

Comment 4 Xiaoqing Wei 2014-01-06 05:19:31 UTC
Created attachment 845911
core dump - part 2

Comment 5 Xiaoqing Wei 2014-01-06 05:20:38 UTC
Created attachment 845912
thread apply all bt full

Comment 6 mazhang 2014-01-08 07:34:38 UTC
Just tried it: "-device qxl" works with "-vga qxl", but core dumps with "-vga cirrus" and "-vga std".

Host:
qemu-kvm-1.5.3-31.el7.x86_64
kernel-3.10.0-66.el7.x86_64

Result:
Starting program: /usr/libexec/qemu-kvm -monitor stdio -qmp tcp:0:6666,server,nowait -boot menu=on -spice port=5900,disable-ticketing -vga cirrus -device qxl,id=qxl0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) [New Thread 0x7fffeabb9700 (LWP 8290)]
[New Thread 0x7fffd3fff700 (LWP 8292)]

(qemu) 
(qemu) 
(qemu) main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 0.553000 ms, bitrate 532916991 bps (508.229247 Mbps)
(/usr/bin/gdb:8284): Spice-ERROR **: reds.c:1464:reds_send_link_ack: assertion `link->link_mess->channel_type == SPICE_CHANNEL_MAIN' failed
Detaching after fork from child process 8293.

Program received signal SIGABRT, Aborted.
0x00007ffff2cb2979 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.27.2-1.el7.x86_64 celt051-0.5.1.3-6.el7.x86_64 cyrus-sasl-lib-2.1.26-13.el7.x86_64 cyrus-sasl-md5-2.1.26-13.el7.x86_64 cyrus-sasl-plain-2.1.26-13.el7.x86_64 cyrus-sasl-scram-2.1.26-13.el7.x86_64 dbus-libs-1.6.12-6.el7.x86_64 flac-libs-1.3.0-2.el7.x86_64 glib2-2.36.3-2.el7.x86_64 glibc-2.17-40.el7.x86_64 glusterfs-api-3.4.0.51rhs-1.el7.x86_64 glusterfs-libs-3.4.0.51rhs-1.el7.x86_64 gmp-5.1.1-3.el7.x86_64 gnutls-3.1.16-1.el7.x86_64 gsm-1.0.13-9.el7.x86_64 json-c-0.11-1.el7.x86_64 keyutils-libs-1.5.8-1.el7.x86_64 krb5-libs-1.11.3-37.el7.x86_64 libICE-1.0.8-5.el7.x86_64 libSM-1.2.1-5.el7.x86_64 libX11-1.6.0-1.el7.x86_64 libXau-1.0.8-1.el7.x86_64 libXext-1.3.2-1.el7.x86_64 libXi-1.7.2-1.el7.x86_64 libXtst-1.2.2-1.el7.x86_64 libaio-0.3.109-10.el7.x86_64 libasyncns-0.8-5.el7.x86_64 libattr-2.4.46-10.el7.x86_64 libcap-2.22-6.el7.x86_64 libcom_err-1.42.8-2.el7.x86_64 libdb-5.3.21-14.el7.x86_64 libgcc-4.8.2-7.el7.x86_64 libgcrypt-1.5.3-1.el7.x86_64 libgpg-error-1.12-1.el7.x86_64 libibverbs-1.1.7-3.el7.x86_64 libiscsi-1.9.0-4.el7.x86_64 libjpeg-turbo-1.2.90-3.el7.x86_64 libogg-1.3.0-5.el7.x86_64 libpng-1.5.13-2.el7.x86_64 librdmacm-1.0.17-1.el7.x86_64 libseccomp-2.1.1-0.el7.x86_64 libselinux-2.2.1-2.el7.x86_64 libsndfile-1.0.25-7.el7.x86_64 libtasn1-3.3-1.el7.x86_64 libusbx-1.0.15-2.el7.x86_64 libuuid-2.23.2-7.el7.x86_64 libvorbis-1.3.3-4.el7.x86_64 libxcb-1.9-3.el7.x86_64 nettle-2.6-3.el7.x86_64 nspr-4.10.2-2.el7.x86_64 nss-3.15.3-2.el7.x86_64 nss-softokn-freebl-3.15.3-1.el7.x86_64 nss-util-3.15.3-1.el7.x86_64 openssl-libs-1.0.1e-25.el7.x86_64 p11-kit-0.18.7-2.el7.x86_64 pcre-8.32-8.el7.x86_64 pixman-0.30.0-1.el7.x86_64 pulseaudio-libs-3.0-11.el7.x86_64 tcp_wrappers-libs-7.6-75.el7.x86_64 usbredir-0.6-5.el7.x86_64 xz-libs-5.1.2-5alpha.el7.x86_64 zlib-1.2.7-10.el7.x86_64
(gdb) bt full
#0  0x00007ffff2cb2979 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff2cb4088 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007ffff3a6751c in spice_logv (log_domain=0x7ffff3add1c6 "Spice", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7ffff3ae8b53 "reds.c:1464", 
    function=0x7ffff3aea7e0 <__FUNCTION__.30572> "reds_send_link_ack", format=0x7ffff3add19e "assertion `%s' failed", args=args@entry=0x7fffffffddb8) at log.c:109
        level = 0x7ffff3aed538 "ERROR"
#3  0x00007ffff3a67668 in spice_log (log_domain=log_domain@entry=0x7ffff3add1c6 "Spice", log_level=log_level@entry=SPICE_LOG_LEVEL_ERROR, 
    strloc=strloc@entry=0x7ffff3ae8b53 "reds.c:1464", function=function@entry=0x7ffff3aea7e0 <__FUNCTION__.30572> "reds_send_link_ack", 
    format=format@entry=0x7ffff3add19e "assertion `%s' failed") at log.c:123
        args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffffffde90, reg_save_area = 0x7fffffffddd0}}
#4  0x00007ffff3a50b97 in reds_send_link_ack (link=0x5555565b8260) at reds.c:1464
        ack = {error = 0, 
          pub_key = "\377\177\000\000\000\000\000\000\000\000\000\000[\000\000\000n", '\000' <repeats 19 times>, "w\000\000\000|\000\000\000\377\336\377\377\377\177\000\000\260\265\\VUU\000\000\001\000\000\000\000\000\000\000`\202[VUU\000\000\000hRVUU\000\000\247\352C\362\377\177\000\000\000GKVUU\000\000\260\265\\VUU\000\000\001\000\000\000\000\000\000\000`w\003\363\377\177\000\000\032\000\000\000\000\000\000\000\001\000\000\000\000\000\000\000\000hRVUU\000\000 f\217UUU\000\000\000GKVUU", num_common_caps = 3260612608, 
          num_channel_caps = 2147481093, caps_offset = 0}
        channel = 0x0
        ret = 0
        header = {magic = 1363428690, major_version = 2, minor_version = 2, size = 178}
        channel_caps = <optimized out>
        bmBuf = 0x0
        bio = <optimized out>
#5  reds_handle_read_link_done (opaque=0x5555565b8260) at reds.c:2726
        link = 0x5555565b8260
        link_mess = <optimized out>
        obj = 0x5555565b8268
        num_caps = <optimized out>
        caps = <optimized out>
        auth_selection = 1
        __FUNCTION__ = "reds_handle_read_link_done"
#6  0x00007ffff3a4fe36 in spice_server_add_client (s=<optimized out>, socket=socket@entry=23, skip_auth=skip_auth@entry=0) at reds.c:2997
        link = <optimized out>
        stream = <optimized out>
        __FUNCTION__ = "spice_server_add_client"
#7  0x00007ffff3a4fe9a in reds_accept (fd=<optimized out>, event=<optimized out>, data=<optimized out>) at reds.c:2974
        socket = 23
#8  0x00005555556f424e in qemu_iohandler_poll (pollfds=0x555556526800, ret=ret@entry=1) at iohandler.c:143
        revents = 1
        pioh = 0x55555652cf20
        ioh = 0x555556527cf0
#9  0x00005555556f9928 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:465
        ret = 1
        timeout = 1000
#10 0x0000555555601050 in main_loop () at vl.c:1984
        nonblocking = <optimized out>
        last_io = 1

Comment 7 Gerd Hoffmann 2014-01-15 15:40:37 UTC
Mixing qxl and non-qxl devices is not supported atm.

*** This bug has been marked as a duplicate of bug 987312 ***
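
A pre-flight check for the combinations reported in this bug, as an added example that is not part of the bug report or of QEMU: it flags a command line that has "-device qxl" without "-vga qxl". The function name, the result keys and the shortened sample command lines are constructed here; the rule encodes only what comments 2, 6 and 7 report for qemu-kvm 1.5.3.

```python
import shlex


def check_qxl_mix(cmdline):
    """Flag the qxl / non-qxl display mix reported in this bug.

    Returns a dict with the -vga value (None if the option is absent),
    whether -spice is present, the '-device qxl' arguments found, and
    an 'unsupported' verdict. Hypothetical helper, not a QEMU interface.
    """
    # Join shell line continuations first; shlex.split() would otherwise
    # turn each backslash-newline into a stray "\n" token.
    argv = shlex.split(cmdline.replace("\\\n", " "))
    vga, spice, qxl_devices = None, False, []
    for opt, val in zip(argv, argv[1:]):
        if opt == "-vga":
            vga = val
        elif opt == "-spice":
            spice = True
        elif opt == "-device" and val.split(",", 1)[0] == "qxl":
            qxl_devices.append(val)
    # Comment 7: mixing qxl and non-qxl devices is not supported.
    # Observed: '-device qxl' ran with '-vga qxl' and aborted otherwise.
    unsupported = bool(qxl_devices) and vga != "qxl"
    return {"vga": vga, "spice": spice,
            "qxl_devices": qxl_devices, "unsupported": unsupported}


# Constructed samples, shortened from the command lines in this report.
REPORTED = ("qemu -nodefaults \\\n"
            " -spice port=3000,disable-ticketing -device qxl,id=qxl-1 \\\n"
            " -enable-kvm")
COMMENT2 = "qemu -nodefaults -spice port=3000,disable-ticketing -vga qxl"
COMMENT6_CIRRUS = ("qemu-kvm -spice port=5900,disable-ticketing "
                   "-vga cirrus -device qxl,id=qxl0")
COMMENT6_QXL = ("qemu-kvm -spice port=5900,disable-ticketing "
                "-vga qxl -device qxl,id=qxl0")

if __name__ == "__main__":
    for name in ("REPORTED", "COMMENT2", "COMMENT6_CIRRUS", "COMMENT6_QXL"):
        result = check_qxl_mix(globals()[name])
        print(name, "UNSUPPORTED" if result["unsupported"] else "ok", result)
```
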