Bug 1151363 - User interface freezes when entering space character in Xfig
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
Depends On:
Blocks: 1151559 1221909
Reported: 2014-10-10 08:46 UTC by Marc-Andre Lureau
Modified: 2015-07-22 06:08 UTC

Fixed In Version: qemu-kvm-
Doc Type: Bug Fix
Doc Text:
Clone Of: 1151253
: 1151559 (view as bug list)
Last Closed: 2015-07-22 06:08:06 UTC
Target Upstream Version:

System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2015:1275 | normal | SHIPPED_LIVE | qemu-kvm bug fix and enhancement update | 2015-07-20 17:49:16 UTC

Description Marc-Andre Lureau 2014-10-10 08:46:07 UTC
The bug can be easily reproduced on RHEL.

+++ This bug was initially created as a clone of Bug #1151253 +++

Description of problem:

We have a CentOS 6.5 VM with xfig-3.2.5-23.a.el6.x86_64 installed.  We have found that if you create a text area in a figure, typing a space character causes the user interface to freeze.

The VM is still running.  You can log in with ssh and shut it down.

The cursor can be moved around but it remains an "I-bar" instead of an arrow.

None of the GNOME 2 panel functions can be used and Ctrl-Alt doesn't work.

Sending Ctrl-Alt-F2 from virt-viewer doesn't seem to do anything.

I could not find any other character besides space which causes this problem.

Version-Release number of selected component (if applicable):

How reproducible:
Happens every time.

Steps to Reproduce:
1. Create a VM, install CentOS 6.5, run updates, install xfig, and login.
2. Run xfig.
3. Click on the Xfig toolbar button for Text entry.
4. Click on the diagram to place a text field.
5. Press the space bar.

Actual results:
The cursor in the text field disappears.  The mouse cursor remains an "I-bar" and you can't do anything else.

Expected results:
The space should be entered in the text field and the UI should continue operating normally.

Additional info:
The same problem happens in RHEV 3 when connecting from remote-viewer and spice-html5.

We are using the virtual desktops to run electronics design software and Xfig is the IEEE standard for figures.

Comment 2 Alon Levy 2014-10-10 09:55:46 UTC
looks like the X driver is hung waiting for an interrupt after an update area:

(gdb) bt
#0  0x00007f96baeeecc0 in __nanosleep_nocancel () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f96baf23e54 in usleep (useconds=<value optimized out>) at ../sysdeps/unix/sysv/linux/usleep.c:33
#2  0x00007f96b7387a12 in qxl_wait_for_io_command (qxl=<value optimized out>) at qxl_driver.c:157
#3  0x00007f96b738c329 in download_box (surface=<value optimized out>, x1=361, y1=342, x2=<value optimized out>, 
    y2=<value optimized out>) at qxl_surface.c:958
#4  0x00007f96b738cac0 in qxl_surface_prepare_access (surface=0x126d650, pixmap=0xf790f0, region=0x7fff7d1ca9b0, 
    access=<value optimized out>) at qxl_surface.c:993
#5  0x00007f96b7391163 in uxa_prepare_access (pDrawable=<value optimized out>, region=0x7fff7d1caa80, 
    access=UXA_ACCESS_RW) at uxa.c:172
#6  0x00007f96b739c309 in uxa_check_poly_glyph_blt (pDrawable=0x13eafd0, pGC=0x134db10, x=284, y=195, nglyph=1, 
    ppci=0x7fff7d1caae0, pglyphBase=0x0) at uxa-unaccel.c:359
#7  0x00000000005a2b81 in miPolyText8 (pDraw=0x13eafd0, pGC=0x134db10, x=284, y=195, count=<value optimized out>, 
    chars=<value optimized out>) at mipolytext.c:81
#8  0x000000000053858f in damagePolyText8 (pDrawable=0x13eafd0, pGC=0x134db10, x=284, y=195, 
    count=<value optimized out>, chars=<value optimized out>) at damage.c:1389
#9  0x000000000043acd1 in doPolyText (client=0x1596690, c=0x7fff7d1cb400) at dixfonts.c:1295
#10 0x000000000043af59 in PolyText (client=<value optimized out>, pDraw=<value optimized out>, 
    pGC=<value optimized out>, pElt=<value optimized out>, endReq=<value optimized out>, xorg=<value optimized out>, 
    yorg=195, reqType=74, did=44040764) at dixfonts.c:1368
#11 0x0000000000434cd4 in ProcPolyText (client=0x1596690) at dispatch.c:2223
#12 0x0000000000437ee1 in Dispatch () at dispatch.c:430
#13 0x000000000047d08a in main (argc=11, argv=<value optimized out>, envp=<value optimized out>) at main.c:295

Maybe changing the revision to 2 would be a workaround until a fix lands. (it would force a different io by the driver that doesn't require waiting for an interrupt).

Comment 3 Marc-Andre Lureau 2014-10-10 12:44:45 UTC
Infinite loop here:

46	    while (!(ram_header->int_pending & QXL_INTERRUPT_IO_CMD))
47		usleep (1);
(gdb) bt
#0  qxl_wait_for_io_command (qxl=<value optimized out>) at qxl_io.c:47
#1  0x00007f826a49a299 in qxl_download_box (surface=0x221d030, x1=231, y1=259, 
    x2=<value optimized out>, y2=<value optimized out>) at qxl_surface.c:143
#2  0x00007f826a49a400 in qxl_surface_prepare_access (surface=0x221d030, 
    pixmap=0x1bfa9a0, region=0x7fff5cc76b30, access=<value optimized out>)
    at qxl_surface.c:178
#3  0x00007f826a4a8533 in uxa_prepare_access (pDrawable=<value optimized out>, 
    region=0x7fff5cc76c00, access=UXA_ACCESS_RW) at uxa.c:172
#4  0x00007f826a4b3949 in uxa_check_poly_glyph_blt (pDrawable=0x2067480, 
    pGC=0x2048d10, x=119, y=140, nglyph=1, ppci=0x7fff5cc76c60, pglyphBase=0x0)
    at uxa-unaccel.c:359
#5  0x00000000005975b1 in miPolyText8 (pDraw=0x2067480, pGC=0x2048d10, x=119, 
    y=140, count=<value optimized out>, chars=<value optimized out>)
    at mipolytext.c:81
#6  0x0000000000529e0a in damagePolyText8 (pDrawable=0x2067480, pGC=0x2048d10, 
    x=<value optimized out>, y=140, count=1, chars=0x2a6f282 " ")
    at damage.c:1320
#7  0x000000000043bb29 in doPolyText (client=0x1ef04f0, c=0x7fff5cc77580)
    at dixfonts.c:1312
#8  0x000000000043bd69 in PolyText (client=<value optimized out>, 
    pDraw=<value optimized out>, pGC=<value optimized out>, 
    pElt=<value optimized out>, endReq=<value optimized out>, 
    xorg=<value optimized out>, yorg=140, reqType=74, did=77595196)

Comment 4 Marc-Andre Lureau 2014-10-10 13:07:54 UTC
I am reaching qemu condition:
        if (update.left >= update.right || update.top >= update.bottom ||
            update.left < 0 || update.top < 0) {
                    "QXL_IO_UPDATE_AREA: invalid area (%ux%u)x(%ux%u)\n",
                    update.left, update.top, update.right, update.bottom);

Comment 5 Alon Levy 2014-10-10 15:38:55 UTC
You can change the qemu condition to be nicer to old drivers, and (to avoid requiring upgrades of qemu) fix the driver not to do an update area in this case.

Comment 6 Marc-Andre Lureau 2014-10-10 17:11:15 UTC
It is a good idea to have a fix in qemu first, since current qxl driver may hang Xserver and it can be avoided with a simple patch: "keep going if reaching guest bug on empty area"

let's duplicate for xorg qxl driver fixes too.
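
The host and guest behaviour discussed in comments 3 to 6, as an added example that is not part of the original bug report and is not code from qemu or the xorg qxl driver: a small C model in which a strict host rejects an empty update area without completing the command, a lenient host completes it, and a fixed driver skips the I/O. The Rect, Device and function names, the poll budget, the flag bit value and the sample coordinates are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define QXL_INTERRUPT_IO_CMD (1u << 2) /* bit value assumed for this model */
typedef struct { int32_t left, top, right, bottom; } Rect;
typedef enum { AREA_OK, AREA_EMPTY, AREA_INVALID } AreaClass;
typedef struct { uint32_t int_pending; bool guest_bug; } Device; /* hypothetical */

/* Separate an empty area (zero width or height) from a malformed one. */
static AreaClass classify_area(Rect r) {
    if (r.left < 0 || r.top < 0 || r.left > r.right || r.top > r.bottom)
        return AREA_INVALID;
    if (r.left == r.right || r.top == r.bottom)
        return AREA_EMPTY;
    return AREA_OK;
}

/* Host model: when not lenient, an empty area is rejected like a malformed one. */
static void host_update_area(Device *d, Rect r, bool lenient) {
    AreaClass c = classify_area(r);
    if (c == AREA_INVALID || (c == AREA_EMPTY && !lenient)) {
        d->guest_bug = true;
        return; /* no completion interrupt is raised */
    }
    d->int_pending |= QXL_INTERRUPT_IO_CMD; /* rendering omitted in the model */
}

/* Guest wait loop from comment 3, with a poll budget added so the model ends. */
static bool guest_wait_io(Device *d, int max_polls) {
    while (max_polls-- > 0)
        if (d->int_pending & QXL_INTERRUPT_IO_CMD) {
            d->int_pending &= ~QXL_INTERRUPT_IO_CMD;
            return true;
        }
    return false; /* budget spent: an unbounded loop would still be spinning */
}

/* fixed_driver models comment 5: issue no I/O at all for an empty area. */
static bool guest_download_box(Device *d, Rect r, bool lenient, bool fixed_driver) {
    if (fixed_driver && classify_area(r) == AREA_EMPTY)
        return true;
    host_update_area(d, r, lenient);
    return guest_wait_io(d, 1000);
}

int main(void) {
    Device d = {0, false};
    Rect space = {231, 259, 231, 270}; /* constructed zero-width area */
    puts(guest_download_box(&d, space, false, false) ? "completed" : "hung");
}
```

Only the combination of a strict host and an unfixed driver ends in the wait loop running out its budget; a malformed area is still rejected in every configuration.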

Comment 7 Marc-Andre Lureau 2014-10-10 18:47:36 UTC
proposed patch: http://lists.nongnu.org/archive/html/qemu-devel/2014-10/msg01207.html

Comment 8 Gerd Hoffmann 2014-10-24 06:48:11 UTC
upstream commit 9e5a25f1c209ff51e4b65124a3b76dd3f1b0fb49
rhel6.6 is done though, moving to 6.7.
if a 6.6 fix is needed set zstream flag please.

Comment 9 Gerd Hoffmann 2015-02-18 13:07:19 UTC
patches posted.

Comment 10 Jeff Nelson 2015-02-24 21:33:57 UTC
Fix included in qemu-kvm-

Comment 12 Qian Guo 2015-02-26 09:22:26 UTC
Reproduced this with qemu-kvm-

1. Boot RHEL6.5GA guest with qxl, and with xfig-3.2.5-23.a.el6.x86_64 installed:
# /usr/libexec/qemu-kvm -cpu Opteron_G1 -m 4G -smp 4 -M pc -enable-kvm -name rhel6u4 -nodefaults -nodefconfig -monitor stdio -drive file=/home/rhel6.5GAcp1.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,werror=stop,rerror=stop,aio=native,cache=none -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-disk0 -spice disable-ticketing,port=5900 -vga qxl -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-netpci0,mac=54:52:1b:36:1a:02 -qmp unix:/tmp/q1,server,nowait

2. Start the xfig UI

3. Type "space" in the text field

Result, the guest GUI hangs

And from the ssh session, I get the X11 log from typing "space":
(EE) [mi] EQ overflow continuing.  1000 events have been dropped.
(EE) [mi] No further overflow reports will be reported until the clog is cleared.
(EE) Backtrace:
(EE) 0: /usr/bin/Xorg (xorg_backtrace+0x36) [0x46d196]
(EE) 1: /usr/bin/Xorg (QueuePointerEvents+0x4e) [0x44fa7e]
(EE) 2: /usr/bin/Xorg (xf86PostMotionEvent+0xce) [0x49b3de]
(EE) 3: /usr/lib64/xorg/modules/input/vmmouse_drv.so (0x7fd03c7e0000+0x1a77) [0x7fd03c7e1a77]
(EE) 4: /usr/lib64/xorg/modules/input/vmmouse_drv.so (0x7fd03c7e0000+0x1cc2) [0x7fd03c7e1cc2]
(EE) 5: /usr/lib64/xorg/modules/input/vmmouse_drv.so (0x7fd03c7e0000+0x1d75) [0x7fd03c7e1d75]
(EE) 6: /usr/bin/Xorg (0x400000+0x8ba57) [0x48ba57]
(EE) 7: /usr/bin/Xorg (0x400000+0xb710b) [0x4b710b]
(EE) 8: /lib64/libpthread.so.0 (0x7fd04b92d000+0xf710) [0x7fd04b93c710]
(EE) 9: /lib64/libc.so.6 (nanosleep+0x10) [0x7fd04a0bbcc0]
(EE) 10: /lib64/libc.so.6 (usleep+0x34) [0x7fd04a0f0e54]
(EE) 11: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x4a12) [0x7fd046554a12]
(EE) 12: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x9329) [0x7fd046559329]
(EE) 13: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x9ac0) [0x7fd046559ac0]
(EE) 14: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0xe163) [0x7fd04655e163]
(EE) 15: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x19309) [0x7fd046569309]
(EE) 16: /usr/bin/Xorg (miPolyText8+0x91) [0x5a2b81]
(EE) 17: /usr/bin/Xorg (0x400000+0x13858f) [0x53858f]
(EE) 18: /usr/bin/Xorg (doPolyText+0x411) [0x43acd1]
(EE) 19: /usr/bin/Xorg (PolyText+0x49) [0x43af59]
(EE) 20: /usr/bin/Xorg (0x400000+0x34cd4) [0x434cd4]
(EE) 21: /usr/bin/Xorg (0x400000+0x37ee1) [0x437ee1]
(EE) 22: /usr/bin/Xorg (0x400000+0x7d08a) [0x47d08a]
(EE) 23: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x7fd04a02dd1d]
(EE) 24: /usr/bin/Xorg (0x400000+0x26189) [0x426189]

So this bug is reproduced

Verify this bug with 

Steps as above, guest GUI works well, and I tested not only "space", I have tested all the ASCII codes.

While typing the characters, I only find these logs:
[   102.195] AUDIT: Thu Feb 26 04:15:14 2015: 1898: client 26 disconnected
[   187.682] AUDIT: Thu Feb 26 04:16:40 2015: 1898: client 26 connected from local host ( uid=0 gid=0 pid=2210 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 274
[   187.685] AUDIT: Thu Feb 26 04:16:40 2015: 1898: client 26 disconnected

So the bug is fixed according to above.

Comment 14 errata-xmlrpc 2015-07-22 06:08:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

