1151363 – User interface freezes when entering space character in Xfig

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1151363 - User interface freezes when entering space character in Xfig

Summary: User interface freezes when entering space character in Xfig

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Gerd Hoffmann
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1151559 1221909
TreeView+	depends on / blocked

Reported:	2014-10-10 08:46 UTC by Marc-Andre Lureau
Modified:	2015-07-22 06:08 UTC (History)
CC List:	19 users (show)
Fixed In Version:	qemu-kvm-0.12.1.2-2.454.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1151253
Clones:	1151559 (view as bug list)
Environment:
Last Closed:	2015-07-22 06:08:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:1275	0	normal	SHIPPED_LIVE	qemu-kvm bug fix and enhancement update	2015-07-20 17:49:16 UTC

Description Marc-Andre Lureau 2014-10-10 08:46:07 UTC

the bug can be easily reproduced on rhel

+++ This bug was initially created as a clone of Bug #1151253 +++

Description of problem:

We have a CentOS 6.5 VM with xfig-3.2.5-23.a.el6.x86_64 installed.  We have found that if you create a text area in a figure, typing a space character causes the user interface to freeze.

The VM still running.  You can log in with ssh and shut it down.

The cursor can be moved around but it remains an "I-bar" instead of an arrow.

None of the GNOME 2 panel functions can be used and Ctrl-Alt doesn't work.

Sending Ctrl-Alt-F2 from virt-viewer doesn't seem to do anything.

I could not find any other character besides space which causes this problem.


Version-Release number of selected component (if applicable):
spice-server-0.12.5-2.fc20.x86_64
qemu-kvm-1.6.2-9.fc20.x86_64
libvirt-daemon-kvm-1.1.3.6-1.fc20.x86_64
virt-manager-1.0.1-4.fc20.noarch


How reproducible:
Happens every time.


Steps to Reproduce:
1. Create a VM, install CentOS 6.5, run updates, install xfig, and login.
2. Run xfig.
3. Click on the Xfig toolbar button for Text entry.
4. Click on the diagram to place a text field
5. Press the space bar


Actual results:
The cursor in the text field disappears.  The mouse cursor remains an "I-bar" and you can't do anything else.


Expected results:
The space should be entered in the text field and the UI should continue operating normally.


Additional info:
The same problem happens in RHEV 3 when connecting from remote-viewer and spice-html5.

We are using the virtual desktops to run electronics design software and Xfig is the IEEE standard for figures.

Comment 2 Alon Levy 2014-10-10 09:55:46 UTC

looks like the X driver is hung waiting for an interrupt after an update area:

(gdb) bt
#0  0x00007f96baeeecc0 in __nanosleep_nocancel () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f96baf23e54 in usleep (useconds=<value optimized out>) at ../sysdeps/unix/sysv/linux/usleep.c:33
#2  0x00007f96b7387a12 in qxl_wait_for_io_command (qxl=<value optimized out>) at qxl_driver.c:157
#3  0x00007f96b738c329 in download_box (surface=<value optimized out>, x1=361, y1=342, x2=<value optimized out>, 
    y2=<value optimized out>) at qxl_surface.c:958
#4  0x00007f96b738cac0 in qxl_surface_prepare_access (surface=0x126d650, pixmap=0xf790f0, region=0x7fff7d1ca9b0, 
    access=<value optimized out>) at qxl_surface.c:993
#5  0x00007f96b7391163 in uxa_prepare_access (pDrawable=<value optimized out>, region=0x7fff7d1caa80, 
    access=UXA_ACCESS_RW) at uxa.c:172
#6  0x00007f96b739c309 in uxa_check_poly_glyph_blt (pDrawable=0x13eafd0, pGC=0x134db10, x=284, y=195, nglyph=1, 
    ppci=0x7fff7d1caae0, pglyphBase=0x0) at uxa-unaccel.c:359
#7  0x00000000005a2b81 in miPolyText8 (pDraw=0x13eafd0, pGC=0x134db10, x=284, y=195, count=<value optimized out>, 
    chars=<value optimized out>) at mipolytext.c:81
#8  0x000000000053858f in damagePolyText8 (pDrawable=0x13eafd0, pGC=0x134db10, x=284, y=195, 
    count=<value optimized out>, chars=<value optimized out>) at damage.c:1389
#9  0x000000000043acd1 in doPolyText (client=0x1596690, c=0x7fff7d1cb400) at dixfonts.c:1295
#10 0x000000000043af59 in PolyText (client=<value optimized out>, pDraw=<value optimized out>, 
    pGC=<value optimized out>, pElt=<value optimized out>, endReq=<value optimized out>, xorg=<value optimized out>, 
    yorg=195, reqType=74, did=44040764) at dixfonts.c:1368
#11 0x0000000000434cd4 in ProcPolyText (client=0x1596690) at dispatch.c:2223
#12 0x0000000000437ee1 in Dispatch () at dispatch.c:430
#13 0x000000000047d08a in main (argc=11, argv=<value optimized out>, envp=<value optimized out>) at main.c:295

Maybe changing the revision to 2 would be a workaround until a fix lands. (it would force a different io by the driver that doesn't require waiting for an interrupt).

Comment 3 Marc-Andre Lureau 2014-10-10 12:44:45 UTC

Infinite loop here:

46	    while (!(ram_header->int_pending & QXL_INTERRUPT_IO_CMD))
(gdb) 
47		usleep (1);
(gdb) bt
#0  qxl_wait_for_io_command (qxl=<value optimized out>) at qxl_io.c:47
#1  0x00007f826a49a299 in qxl_download_box (surface=0x221d030, x1=231, y1=259, 
    x2=<value optimized out>, y2=<value optimized out>) at qxl_surface.c:143
#2  0x00007f826a49a400 in qxl_surface_prepare_access (surface=0x221d030, 
    pixmap=0x1bfa9a0, region=0x7fff5cc76b30, access=<value optimized out>)
    at qxl_surface.c:178
#3  0x00007f826a4a8533 in uxa_prepare_access (pDrawable=<value optimized out>, 
    region=0x7fff5cc76c00, access=UXA_ACCESS_RW) at uxa.c:172
#4  0x00007f826a4b3949 in uxa_check_poly_glyph_blt (pDrawable=0x2067480, 
    pGC=0x2048d10, x=119, y=140, nglyph=1, ppci=0x7fff5cc76c60, pglyphBase=0x0)
    at uxa-unaccel.c:359
#5  0x00000000005975b1 in miPolyText8 (pDraw=0x2067480, pGC=0x2048d10, x=119, 
    y=140, count=<value optimized out>, chars=<value optimized out>)
    at mipolytext.c:81
#6  0x0000000000529e0a in damagePolyText8 (pDrawable=0x2067480, pGC=0x2048d10, 
    x=<value optimized out>, y=140, count=1, chars=0x2a6f282 " ")
    at damage.c:1320
#7  0x000000000043bb29 in doPolyText (client=0x1ef04f0, c=0x7fff5cc77580)
    at dixfonts.c:1312
#8  0x000000000043bd69 in PolyText (client=<value optimized out>, 
    pDraw=<value optimized out>, pGC=<value optimized out>, 
    pElt=<value optimized out>, endReq=<value optimized out>, 
    xorg=<value optimized out>, yorg=140, reqType=74, did=77595196)

Comment 4 Marc-Andre Lureau 2014-10-10 13:07:54 UTC

I am reaching qemu condition:
        if (update.left >= update.right || update.top >= update.bottom ||
            update.left < 0 || update.top < 0) {
            qxl_set_guest_bug(d,
                    "QXL_IO_UPDATE_AREA: invalid area (%ux%u)x(%ux%u)\n",
                    update.left, update.top, update.right, update.bottom);
            break;

Comment 5 Alon Levy 2014-10-10 15:38:55 UTC

You can change the qemu condition to be nicer to old drivers, and (to avoid requiring upgrades of qemu) fix the driver not to do an update area in this case.

Comment 6 Marc-Andre Lureau 2014-10-10 17:11:15 UTC

It is a good idea to have a fix in qemu first, since current qxl driver may hang Xserver and it can be avoided with a simple patch: "keep going if reaching guest bug on empty area"

let's duplicate for xorg qxl driver fixes too.

Comment 7 Marc-Andre Lureau 2014-10-10 18:47:36 UTC

proposed patch: http://lists.nongnu.org/archive/html/qemu-devel/2014-10/msg01207.html

Comment 8 Gerd Hoffmann 2014-10-24 06:48:11 UTC

upstream commit 9e5a25f1c209ff51e4b65124a3b76dd3f1b0fb49
rhel6.6 is done though, moving to 6.7.
if a 6.6 fix is needed set zstream flag please.

Comment 9 Gerd Hoffmann 2015-02-18 13:07:19 UTC

patches posted.

Comment 10 Jeff Nelson 2015-02-24 21:33:57 UTC

Fix included in qemu-kvm-0.12.1.2-2.454.el6

Comment 12 Qian Guo 2015-02-26 09:22:26 UTC

Reproduced this with qemu-kvm-0.12.1.2-2.453.el6.x86_64

Steps:
1.Boot RHEL6.5GA guest with qxl, and with xfig-3.2.5-23.a.el6.x86_64 installed:
# /usr/libexec/qemu-kvm -cpu Opteron_G1 -m 4G -smp 4 -M pc -enable-kvm -name rhel6u4 -nodefaults -nodefconfig -monitor stdio -drive file=/home/rhel6.5GAcp1.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,werror=stop,rerror=stop,aio=native,cache=none -device virtio-blk-pci,drive=drive-virtio-disk0,id=virtio-disk0 -spice disable-ticketing,port=5900 -vga qxl -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-netpci0,mac=54:52:1b:36:1a:02 -qmp unix:/tmp/q1,server,nowait

2.Start the xfig UI

3.Type "space" in the text field

Result, the guest GUI hangs

And from the ssh session, get the x11 log from type "space":
(EE) [mi] EQ overflow continuing.  1000 events have been dropped.
(EE) [mi] No further overflow reports will be reported until the clog is cleared.
(EE) 
(EE) Backtrace:
(EE) 0: /usr/bin/Xorg (xorg_backtrace+0x36) [0x46d196]
(EE) 1: /usr/bin/Xorg (QueuePointerEvents+0x4e) [0x44fa7e]
(EE) 2: /usr/bin/Xorg (xf86PostMotionEvent+0xce) [0x49b3de]
(EE) 3: /usr/lib64/xorg/modules/input/vmmouse_drv.so (0x7fd03c7e0000+0x1a77) [0x7fd03c7e1a77]
(EE) 4: /usr/lib64/xorg/modules/input/vmmouse_drv.so (0x7fd03c7e0000+0x1cc2) [0x7fd03c7e1cc2]
(EE) 5: /usr/lib64/xorg/modules/input/vmmouse_drv.so (0x7fd03c7e0000+0x1d75) [0x7fd03c7e1d75]
(EE) 6: /usr/bin/Xorg (0x400000+0x8ba57) [0x48ba57]
(EE) 7: /usr/bin/Xorg (0x400000+0xb710b) [0x4b710b]
(EE) 8: /lib64/libpthread.so.0 (0x7fd04b92d000+0xf710) [0x7fd04b93c710]
(EE) 9: /lib64/libc.so.6 (nanosleep+0x10) [0x7fd04a0bbcc0]
(EE) 10: /lib64/libc.so.6 (usleep+0x34) [0x7fd04a0f0e54]
(EE) 11: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x4a12) [0x7fd046554a12]
(EE) 12: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x9329) [0x7fd046559329]
(EE) 13: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x9ac0) [0x7fd046559ac0]
(EE) 14: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0xe163) [0x7fd04655e163]
(EE) 15: /usr/lib64/xorg/modules/drivers/qxl_drv.so (0x7fd046550000+0x19309) [0x7fd046569309]
(EE) 16: /usr/bin/Xorg (miPolyText8+0x91) [0x5a2b81]
(EE) 17: /usr/bin/Xorg (0x400000+0x13858f) [0x53858f]
(EE) 18: /usr/bin/Xorg (doPolyText+0x411) [0x43acd1]
(EE) 19: /usr/bin/Xorg (PolyText+0x49) [0x43af59]
(EE) 20: /usr/bin/Xorg (0x400000+0x34cd4) [0x434cd4]
(EE) 21: /usr/bin/Xorg (0x400000+0x37ee1) [0x437ee1]
(EE) 22: /usr/bin/Xorg (0x400000+0x7d08a) [0x47d08a]
(EE) 23: /lib64/libc.so.6 (__libc_start_main+0xfd) [0x7fd04a02dd1d]
(EE) 24: /usr/bin/Xorg (0x400000+0x26189) [0x426189]
(EE) 



So this bug is reproduced

Verify this bug with 
qemu-kvm-0.12.1.2-2.454.el6.x86_64

Steps as above, guest GUI works well, and test not only "space", I have test all the ASSCII codes.

During type the charactors, only find the logs:
...
[   102.195] AUDIT: Thu Feb 26 04:15:14 2015: 1898: client 26 disconnected
[   187.682] AUDIT: Thu Feb 26 04:16:40 2015: 1898: client 26 connected from local host ( uid=0 gid=0 pid=2210 )
  Auth name: MIT-MAGIC-COOKIE-1 ID: 274
[   187.685] AUDIT: Thu Feb 26 04:16:40 2015: 1898: client 26 disconnected
...

So the bug is fixed according to above.

Comment 14 errata-xmlrpc 2015-07-22 06:08:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1275.html

Note You need to log in before you can comment on or make changes to this bug.