
Bug 1077076

Summary: Qemu coredumpd when reboot rhel7 guest with qxl under rhel6.0.0 machine type
Product: Red Hat Enterprise Linux 6
Component: spice-server
Version: 6.6
Status: CLOSED DUPLICATE
Severity: low
Priority: low
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Reporter: Qian Guo <qiguo>
Assignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
QA Contact: Desktop QE <desktop-qa-list>
CC: acathrow, bsarathy, cfergeau, dblechte, djasa, juzhang, marcandre.lureau, michen, mkenneth, qiguo, qzhang, virt-maint
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-30 13:58:50 UTC
Bug Depends On: 995931

Description Qian Guo 2014-03-17 07:10:23 UTC
Description of problem:
Boot a rhel7 guest with qxl on a rhel6.6 host, with the machine type set to rhel6.0.0; when trying to reboot this guest, qemu core dumps.

Version-Release number of selected component (if applicable):
# rpm -q qemu-kvm-rhev
qemu-kvm-rhev-0.12.1.2-2.422.el6.x86_64
# uname -r
2.6.32-448.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Boot a rhel7 guest with qxl and the rhel6.0.0 machine type:

# /usr/libexec/qemu-kvm -name rhel7 -S -M rhel6.0.0 -cpu Penryn -enable-kvm -m 4096 -realtime mlock=off -smp 4,sockets=1,cores=4,threads=1 -uuid a7b2f2ee-bd4d-2848-d5bf-0c631a9bfd2a -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/rhel7.monitor,server,nowait -mon chardev=charmonitor,id=monitor2,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/mnt/rhel7.img,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,script=/etc/ovs-ifup,downscript=/etc/ovs-ifdown,id=hostnet0,vhost=on -device rtl8139,netdev=hostnet0,id=net0,mac=52:54:00:6b:4a:67,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -spice port=5900,disable-ticketing,seamless-migration=on -vga qxl -global qxl-vga.ram_size=67108864  -global qxl-vga.vram_size=67108864 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7  -monitor stdio -serial unix:/tmp/s1,server,nowait -qmp unix:/tmp/q1,server,nowait

2. Use remote-viewer to connect to the guest. After the guest boots up, the GUI does not work, and from dmesg, the guest does not support qxl (rhel6.5.0 supports it, rhel6.0.0 does not):
# dmesg |grep qxl
[    0.687886] [drm:qxl_pci_probe] *ERROR* qxl too old, doesn't support client_monitors_config, use xf86-video-qxl in user mode
[    0.688993] qxl: probe of 0000:00:02.0 failed with error -22

3. Try to reboot the guest. I tried qmp/hmp: {"execute":"system_reset"}, and # reboot inside the guest.

Actual results:
qemu core dumped

(qemu) id 0, group 0, virt start 0, virt end ffffffffffffffff, generation 0, delta 0
(/usr/libexec/qemu-kvm:20371): Spice-CRITICAL **: red_memslots.c:94:validate_virt: virtual address out of range
    virt=0x1000398+0xbf slot_id=1 group_id=1
    slot=0x0-0x0 delta=0x0
Thread 18 (Thread 0x7f937dbb7700 (LWP 20414)):
#0  0x00007f938533aa1d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007f938848e5a6 in kvm_main_loop_wait (env=0x7f938a401420, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1885
#2  0x00007f938848ec0d in kvm_main_loop_cpu (_env=0x7f938a401420) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2021
#3  ap_main_loop (_env=0x7f938a401420) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2074
#4  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 17 (Thread 0x7f937d1b6700 (LWP 20417)):
#0  0x00007f938533aa1d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007f938848e5a6 in kvm_main_loop_wait (env=0x7f938a41b010, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1885
#2  0x00007f938848ec0d in kvm_main_loop_cpu (_env=0x7f938a41b010) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2021
#3  ap_main_loop (_env=0x7f938a41b010) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2074
#4  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 16 (Thread 0x7f936ffff700 (LWP 20419)):
#0  0x00007f938533aa1d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007f938848e5a6 in kvm_main_loop_wait (env=0x7f938a428ee0, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1885
#2  0x00007f938848ec0d in kvm_main_loop_cpu (_env=0x7f938a428ee0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2021
#3  ap_main_loop (_env=0x7f938a428ee0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2074
#4  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 15 (Thread 0x7f936f5fe700 (LWP 20423)):
#0  0x00007f938533aa1d in sigtimedwait () from /lib64/libc.so.6
#1  0x00007f938848e5a6 in kvm_main_loop_wait (env=0x7f938a436db0, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1885
#2  0x00007f938848ec0d in kvm_main_loop_cpu (_env=0x7f938a436db0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2021
#3  ap_main_loop (_env=0x7f938a436db0) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2074
#4  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#5  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 14 (Thread 0x7f936dbfc700 (LWP 20429)):
#0  0x00007f9387da575d in read () from /lib64/libpthread.so.0
#1  0x00007f9385b93930 in ?? () from /usr/lib64/libspice-server.so.1
#2  0x00007f9385b9ba60 in ?? () from /usr/lib64/libspice-server.so.1
#3  0x00007f9385b9bb9a in ?? () from /usr/lib64/libspice-server.so.1
#4  0x00007f9385b59093 in ?? () from /usr/lib64/libspice-server.so.1
#5  0x00007f9385b591e3 in ?? () from /usr/lib64/libspice-server.so.1
#6  0x00007f9385b5b1d0 in ?? () from /usr/lib64/libspice-server.so.1
#7  0x00007f9385b6f5eb in ?? () from /usr/lib64/libspice-server.so.1
#8  0x00007f9385b726cb in ?? () from /usr/lib64/libspice-server.so.1
#9  0x00007f9385b734f0 in ?? () from /usr/lib64/libspice-server.so.1
#10 0x00007f9385b56777 in ?? () from /usr/lib64/libspice-server.so.1
#11 0x00007f9385b72396 in ?? () from /usr/lib64/libspice-server.so.1
#12 0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#13 0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 13 (Thread 0x7f92435fe700 (LWP 20499)):
#0  0x00007f9387da298e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f93884afe17 in cond_timedwait (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:329
#3  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 12 (Thread 0x7f923abfd700 (LWP 20840)):
#0  0x00007f9387da298e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f93884afe17 in cond_timedwait (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:329
#3  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 11 (Thread 0x7f9232bfd700 (LWP 20846)):
#0  0x00007f9387da298e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f93884afe17 in cond_timedwait (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:329
#3  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 10 (Thread 0x7f9240dfa700 (LWP 21336)):
#0  0x00007f9387da298e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f93884afe17 in cond_timedwait (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:329
#3  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 9 (Thread 0x7f923a1fc700 (LWP 21337)):
#0  0x00007f9387da298e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f93884afe17 in cond_timedwait (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:329
#3  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 8 (Thread 0x7f923bfff700 (LWP 21338)):
#0  0x00007f9387da298e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f93884afe17 in cond_timedwait (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:329
#3  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 7 (Thread 0x7f937f95d700 (LWP 21339)):d=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:329
#3  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 3 (Thread 0x7f9259dfa700 (LWP 21343)):
#0  0x00007f9387da298e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f93884afe17 in cond_timedwait (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:329
#3  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 2 (Thread 0x7f92593f9700 (LWP 21448)):
#0  0x00007f9387da298e in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
#1  0x00007f93884afe17 in cond_timedwait (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/posix-aio-compat.c:329
#3  0x00007f9387d9e9d1 in start_thread () from /lib64/libpthread.so.0
#4  0x00007f93853efb6d in clone () from /lib64/libc.so.6
Thread 1 (Thread 0x7f93883ae980 (LWP 20371)):
#0  0x00007f9387da575d in read () from /lib64/libpthread.so.0
#1  0x00007f9385b56403 in ?? () from /usr/lib64/libspice-server.so.1
#2  0x00007f9385b56636 in ?? () from /usr/lib64/libspice-server.so.1
#3  0x00007f9385b56af8 in ?? () from /usr/lib64/libspice-server.so.1
#4  0x00007f9388615f68 in qxl_spice_destroy_surfaces (qxl=0x7f938b84f840, async=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:258
#5  0x00007f93886175a5 in qxl_reset_surfaces (d=0x7f938b84f840, loadvm=0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:1236
#6  qxl_hard_reset (d=0x7f938b84f840, loadvm=0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:1102
#7  0x00007f9388466492 in qemu_system_reset (report=true) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3340
#8  0x00007f938848bbc0 in qemu_kvm_system_reset (report=true) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1992
#9  0x00007f938848bdc3 in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2272
#10 0x00007f938846ba10 in main_loop (argc=68, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4268
#11 main (argc=68, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6706
Aborted (core dumped)


(gdb) bt
#0  0x00007ffff4c8c925 in raise () from /lib64/libc.so.6
#1  0x00007ffff4c8e105 in abort () from /lib64/libc.so.6
#2  0x00007ffff54eea65 in ?? () from /usr/lib64/libspice-server.so.1
#3  0x00007ffff54eeb9a in ?? () from /usr/lib64/libspice-server.so.1
#4  0x00007ffff54ac093 in ?? () from /usr/lib64/libspice-server.so.1
#5  0x00007ffff54ac1e3 in ?? () from /usr/lib64/libspice-server.so.1
#6  0x00007ffff54ae1d0 in ?? () from /usr/lib64/libspice-server.so.1
#7  0x00007ffff54c25eb in ?? () from /usr/lib64/libspice-server.so.1
#8  0x00007ffff54c56cb in ?? () from /usr/lib64/libspice-server.so.1
#9  0x00007ffff54c64f0 in ?? () from /usr/lib64/libspice-server.so.1
#10 0x00007ffff54a9777 in ?? () from /usr/lib64/libspice-server.so.1
#11 0x00007ffff54c5396 in ?? () from /usr/lib64/libspice-server.so.1
#12 0x00007ffff76f19d1 in start_thread () from /lib64/libpthread.so.0
#13 0x00007ffff4d42b6d in clone () from /lib64/libc.so.6




Expected results:
Though rhel6.0.0 does not support the guest using qxl, it should not make qemu core dump.

Additional info:
RHEL6.4.0/6.5.0 work well.

RHEL6.1.0/6.2.0/6.3.0 do not hit this issue; when booting the same guest, it gets the same dmesg:
# dmesg |grep qxl
[    0.687886] [drm:qxl_pci_probe] *ERROR* qxl too old, doesn't support client_monitors_config, use xf86-video-qxl in user mode
[    0.688993] qxl: probe of 0000:00:02.0 failed with error -22

but the guest can boot successfully and the GUI works well, and it works well after reboot.

My cli is from the virt-manager.

Comment 2 David Jaša 2014-04-09 15:52:58 UTC
hi Qian, could you install spice-server-debuginfo on rhel6 host and regenerate the backtrace, please?

Comment 3 Qian Guo 2014-04-10 01:58:38 UTC
(In reply to David Jaša from comment #2)
> hi Qian, could you install spice-server-debuginfo on rhel6 host and
> regenerate the backtrace, please?
OK, will update here once I get it.

Comment 4 Qian Guo 2014-04-10 05:28:22 UTC
Tested this with
spice-server-0.12.4-6.el6.x86_64
spice-server-debuginfo-0.12.4-6.el6.x86_64
qemu-kvm-0.12.1.2-2.423.el6.x86_6

# uname -r
2.6.32-456.el6.x86_64

After "system_reset", qemu crashed:


(gdb) bt
#0  0x00007ffff4c92925 in raise () from /lib64/libc.so.6
#1  0x00007ffff4c94105 in abort () from /lib64/libc.so.6
#2  0x00007ffff54f4a65 in spice_logv (log_domain=0x7ffff556bc06 "Spice", log_level=SPICE_LOG_LEVEL_CRITICAL, 
    strloc=0x7ffff557063a "red_memslots.c:94", function=0x7ffff557071f "validate_virt", 
    format=0x7ffff5570448 "virtual address out of range\n    virt=0x%lx+0x%x slot_id=%d group_id=%d\n    slot=0x%lx-0x%lx delta=0x%lx", args=0x7fffe59c9680) at log.c:109
#3  0x00007ffff54f4b9a in spice_log (log_domain=<value optimized out>, log_level=<value optimized out>, 
    strloc=<value optimized out>, function=<value optimized out>, format=<value optimized out>) at log.c:123
#4  0x00007ffff54b2093 in validate_virt (info=<value optimized out>, virt=16778136, slot_id=1, add_size=191, group_id=1)
    at red_memslots.c:90
#5  0x00007ffff54b21e3 in get_virt (info=<value optimized out>, addr=<value optimized out>, add_size=<value optimized out>, 
    group_id=1, error=0x7fffe59c982c) at red_memslots.c:142
#6  0x00007ffff54b41d0 in red_get_native_drawable (slots=0x7ffec81d5e58, group_id=1, red=0x7ffec82c5b00, 
    addr=<value optimized out>, flags=0) at red_parse_qxl.c:934
#7  red_get_drawable (slots=0x7ffec81d5e58, group_id=1, red=0x7ffec82c5b00, addr=<value optimized out>, flags=0)
    at red_parse_qxl.c:1105
#8  0x00007ffff54c85eb in red_process_commands (worker=0x7ffec80008c0, ring_is_empty=0x7fffe59c9a5c, max_pipe_size=50)
    at red_worker.c:5190
#9  0x00007ffff54cb6cb in flush_display_commands (worker=0x7ffec80008c0) at red_worker.c:9712
#10 flush_all_qxl_commands (worker=0x7ffec80008c0) at red_worker.c:9795
#11 0x00007ffff54cc4f0 in dev_destroy_surfaces (opaque=<value optimized out>, payload=<value optimized out>)
    at red_worker.c:11270
#12 handle_dev_destroy_surfaces (opaque=<value optimized out>, payload=<value optimized out>) at red_worker.c:11299
#13 0x00007ffff54af777 in dispatcher_handle_single_read (dispatcher=0x7ffff88d9408) at dispatcher.c:139
#14 dispatcher_handle_recv_read (dispatcher=0x7ffff88d9408) at dispatcher.c:162
#15 0x00007ffff54cb396 in red_worker_main (arg=<value optimized out>) at red_worker.c:12276
#16 0x00007ffff76f79d1 in start_thread () from /lib64/libpthread.so.0
#17 0x00007ffff4d48b6d in clone () from /lib64/libc.so.6


(gdb) bt ful
#0  0x00007ffff4c92925 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007ffff4c94105 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007ffff54f4a65 in spice_logv (log_domain=0x7ffff556bc06 "Spice", log_level=SPICE_LOG_LEVEL_CRITICAL, 
    strloc=0x7ffff557063a "red_memslots.c:94", function=0x7ffff557071f "validate_virt", 
    format=0x7ffff5570448 "virtual address out of range\n    virt=0x%lx+0x%x slot_id=%d group_id=%d\n    slot=0x%lx-0x%lx delta=0x%lx", args=0x7fffe59c9680) at log.c:109
        level = 0x7ffff557c574 "CRITICAL"
#3  0x00007ffff54f4b9a in spice_log (log_domain=<value optimized out>, log_level=<value optimized out>, 
    strloc=<value optimized out>, function=<value optimized out>, format=<value optimized out>) at log.c:123
        args = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffe59c9790, reg_save_area = 0x7fffe59c96a0}}
#4  0x00007ffff54b2093 in validate_virt (info=<value optimized out>, virt=16778136, slot_id=1, add_size=191, group_id=1)
    at red_memslots.c:90
        slot = <value optimized out>
        __FUNCTION__ = "validate_virt"
#5  0x00007ffff54b21e3 in get_virt (info=<value optimized out>, addr=<value optimized out>, add_size=<value optimized out>, 
    group_id=1, error=0x7fffe59c982c) at red_memslots.c:142
        slot_id = 1
        generation = <value optimized out>
        h_virt = 16778136
        slot = 0x7ffec81da4a0
        __FUNCTION__ = "get_virt"
#6  0x00007ffff54b41d0 in red_get_native_drawable (slots=0x7ffec81d5e58, group_id=1, red=0x7ffec82c5b00, 
    addr=<value optimized out>, flags=0) at red_parse_qxl.c:934
        qxl = <value optimized out>
        i = <value optimized out>
        error = 0
#7  red_get_drawable (slots=0x7ffec81d5e58, group_id=1, red=0x7ffec82c5b00, addr=<value optimized out>, flags=0)
    at red_parse_qxl.c:1105
        ret = <value optimized out>
#8  0x00007ffff54c85eb in red_process_commands (worker=0x7ffec80008c0, ring_is_empty=0x7fffe59c9a5c, max_pipe_size=50)
    at red_worker.c:5190
        red_drawable = 0x7ffec82c5b00
        ext_cmd = {cmd = {data = 72057594054706072, type = 1, padding = 0}, group_id = 1, flags = 0}
        n = 0
        start = 18446737195434713059
#9  0x00007ffff54cb6cb in flush_display_commands (worker=0x7ffec80008c0) at red_worker.c:9712
        end_time = <value optimized out>
        ring_is_empty = 0
        display_red_channel = 0x7ffec821f350
#10 flush_all_qxl_commands (worker=0x7ffec80008c0) at red_worker.c:9795
No locals.
#11 0x00007ffff54cc4f0 in dev_destroy_surfaces (opaque=<value optimized out>, payload=<value optimized out>)
    at red_worker.c:11270
        i = <value optimized out>
#12 handle_dev_destroy_surfaces (opaque=<value optimized out>, payload=<value optimized out>) at red_worker.c:11299
        worker = 0x7ffec80008c0
#13 0x00007ffff54af777 in dispatcher_handle_single_read (dispatcher=0x7ffff88d9408) at dispatcher.c:139
        ret = <value optimized out>
        type = <value optimized out>
        msg = 0x7ffff88d96e8
        ack = 4294967295
        payload = 0x7ffec81da300 ""
#14 dispatcher_handle_recv_read (dispatcher=0x7ffff88d9408) at dispatcher.c:162
No locals.
#15 0x00007ffff54cb396 in red_worker_main (arg=<value optimized out>) at red_worker.c:12276
        events = <value optimized out>
        i = <value optimized out>
        num_events = 1
        timers_queue_timeout = <value optimized out>
        worker = 0x7ffec80008c0
        __FUNCTION__ = "red_worker_main"
#16 0x00007ffff76f79d1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#17 0x00007ffff4d48b6d in clone () from /lib64/libc.so.6
No symbol table info available.


.........
Hope this is helpful, and please let me know if you want something else.

Thanks

Comment 5 David Jaša 2014-04-10 10:09:05 UTC
Reassigning to spice-server. Qian, could you provide the spice-server version, please?

Comment 6 Christophe Fergeau 2014-04-10 10:32:09 UTC
Not same backtrace as bug #1052856 but I'd still tend to mark them as duplicates

Comment 7 Qian Guo 2014-04-11 01:17:39 UTC
(In reply to David Jaša from comment #5)
> Reassigning to spice-server. Qian, could you provide the spice-server
> version, please?

spice-server-0.12.4-6.el6.x86_64

Comment 8 Marc-Andre Lureau 2014-06-18 22:38:27 UTC
(In reply to Christophe Fergeau from comment #6)
> Not same backtrace as bug #1052856 but I'd still tend to mark them as
> duplicates

I think it's rather a dup of bug 995931: red_process_commands() reading garbage after a reboot. See https://bugzilla.redhat.com/show_bug.cgi?id=995931#c7. However it's interesting to notice that this bug is claimed 100% reproducible here. This could help fixing 995931.
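
Added example (not part of the original comments, and not spice-server code): the `data` field of the failing command in comment 4, 72057594054706072, is 0x0100000001000398, which decodes to the `slot_id=1` and `virt=0x1000398` seen in the Spice-CRITICAL message, while the slot it names is logged as empty (`slot=0x0-0x0`). The C model below reproduces that check and returns an error for the stale address instead of aborting; the 8-bit slot and generation fields, the `mem_slot` struct, `check_virt` and the "live" slot range are assumptions or constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (not stated on the page): the top 8 bits of a 64-bit QXL address
 * select the memory slot and the next 8 bits carry the slot generation. */
#define SLOT_BITS   8
#define GEN_BITS    8
#define SLOT_SHIFT  (64 - SLOT_BITS)
#define GEN_SHIFT   (64 - SLOT_BITS - GEN_BITS)

/* Values copied from the backtrace in comment 4. */
#define TRACE_CMD_ADDR  UINT64_C(72057594054706072)  /* ext_cmd.cmd.data */
#define TRACE_ADD_SIZE  191u                         /* add_size (0xbf)  */

/* Hypothetical model of one memory slot, not the spice-server struct. */
struct mem_slot {
    uint64_t virt_start, virt_end;  /* valid range after translation */
    uint64_t delta;                 /* added to the guest offset     */
    uint32_t generation;
};

enum virt_status { VIRT_OK, VIRT_BAD_GENERATION, VIRT_OUT_OF_RANGE };

static unsigned addr_slot_id(uint64_t a)    { return (unsigned)(a >> SLOT_SHIFT); }
static unsigned addr_generation(uint64_t a) { return (unsigned)(a >> GEN_SHIFT) & ((1u << GEN_BITS) - 1); }
static uint64_t addr_offset(uint64_t a)     { return a & ((UINT64_C(1) << GEN_SHIFT) - 1); }

/* Translate a guest-supplied address and bounds-check it against its slot.
 * Reports failure to the caller instead of aborting the process. */
static enum virt_status check_virt(const struct mem_slot *slot, uint64_t addr,
                                   uint32_t size, uint64_t *virt_out)
{
    if (addr_generation(addr) != slot->generation)
        return VIRT_BAD_GENERATION;
    uint64_t virt = addr_offset(addr) + slot->delta;
    /* Written so that virt + size cannot wrap around. */
    if (virt < slot->virt_start || virt > slot->virt_end ||
        size > slot->virt_end - virt)
        return VIRT_OUT_OF_RANGE;
    *virt_out = virt;
    return VIRT_OK;
}

int main(void)
{
    /* Slot as logged at the crash: slot=0x0-0x0 delta=0x0. */
    struct mem_slot cleared = { 0, 0, 0, 0 };
    /* Constructed range standing in for the slot before the reset. */
    struct mem_slot live = { 0x1000000, 0x5000000, 0, 0 };
    uint64_t virt = 0;

    printf("slot_id=%u generation=%u offset=0x%llx\n",
           addr_slot_id(TRACE_CMD_ADDR), addr_generation(TRACE_CMD_ADDR),
           (unsigned long long)addr_offset(TRACE_CMD_ADDR));
    printf("cleared slot: status=%d\n",
           check_virt(&cleared, TRACE_CMD_ADDR, TRACE_ADD_SIZE, &virt));
    printf("live slot:    status=%d\n",
           check_virt(&live, TRACE_CMD_ADDR, TRACE_ADD_SIZE, &virt));
    return 0;
}
```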

Comment 9 Marc-Andre Lureau 2014-06-18 22:39:28 UTC
adding dep on bug 995931 for now

Comment 15 Marc-Andre Lureau 2014-06-30 13:58:50 UTC
thanks, let's close as duplicate

*** This bug has been marked as a duplicate of bug 995931 ***