Bug 1264347 - QMP device-list-properties crashes for CPU devices
Summary: QMP device-list-properties crashes for CPU devices
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Markus Armbruster
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-18 09:13 UTC by Markus Armbruster
Modified: 2015-12-04 16:58 UTC

Fixed In Version: qemu-kvm-rhev-2.3.0-30.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-04 16:58:27 UTC
Target Upstream Version:
Embargoed:


Links
Red Hat Product Errata RHBA-2015:2546 (priority normal, status SHIPPED_LIVE): qemu-kvm-rhev bug fix and enhancement update, last updated 2015-12-04 21:11:56 UTC

Description Markus Armbruster 2015-09-18 09:13:54 UTC
Description of problem:
QMP command device-list-properties leaves a dangling pointer behind
for CPU devices, to the usual catastrophic effect.  For host CPU
devices, it fails an assertion when KVM is off.

Version-Release number of selected component (if applicable):
Reproduced with a local build of qemu-kvm-rhev-2.3.0-23.el7.  Probably
broken as far back as qemu-kvm-rhev-2.1.*.

How reproducible:
100%

Steps to Reproduce:
1. Start qemu-kvm under valgrind with QMP on stdin/stdout, e.g.
       $ valgrind qemu-kvm -nodefaults -S -display none -qmp stdio
2. Run qmp_capabilities to enter command mode
       { "execute": "qmp_capabilities" }
3. Run device-list-properties for a CPU device
       { "execute": "device-list-properties", "arguments": { "typename": T } }
   where T is the name of a CPU device such as "qemu64-x86_64-cpu".
4. Run device-list-properties for a CPU device again
   Same command as step 3 is fine.

Alternate steps:
1. Start qemu-kvm with KVM off and QMP on stdin/stdout, e.g.
       $ qemu-kvm -nodefaults -S -display none -qmp stdio -machine accel=tcg
2. Run qmp_capabilities to enter command mode
       { "execute": "qmp_capabilities" }
3. Run device-list-properties for CPU device "host-x86_64-cpu"
       { "execute": "device-list-properties", "arguments": { "typename": "host-x86_64-cpu" } }

Actual results:

After step 1, valgrind reports "Syscall param ioctl(generic) points to
uninitialised byte(s)" in ioctl() if KVM is enabled, and "Conditional
jump or move depends on uninitialised value(s)" in tcg_target_init()
if KVM is disabled.  These are false positives.

Valgrind reports "Invalid read of size 8" followed by "Invalid write
of size 8" in cpu_exec_init() after step 4.  This is a use-after-free
flaw.

Alternate actual results:

Step 3 crashes with .../target-i386/cpu.c:1491: host_x86_cpu_initfn:
Assertion `(kvm_allowed)' failed.

Expected results:

Valgrind does not report such flaws.

Alternate expected results:

Step 3 does not crash.

Additional info:

Still broken upstream.  In addition to CPUs, the following devices are
affected there:

* ARM: "versatile_pci", "realview_pci", "pxa2xx-pcmcia",
  "allwinner-a10", "digic", "fsl,imx25", "fsl,imx31", "xlnx,zynqmp"

* S/390: "s390-sclp-event-facility", "sclp"

RHEL-7 qemu-kvm fails device-list-properties cleanly, which is good
enough.

RHEL-6 qemu-kvm doesn't support device-list-properties.
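As an added example (not code from the bug report or from QEMU), the following Python script automates the reporter's steps: it sends the QMP handshake and device-list-properties twice over stdio, optionally under valgrind, and sorts valgrind's findings into the two false positives named above and genuine invalid reads/writes, so the run can be judged automatically as a regression check. The qemu-kvm path in run_repro and all sample data are assumptions constructed for the example; the classification helpers run offline on that sample data.

```python
"""Regression check for the device-list-properties bug described above.

Added example, not code from the bug report or from QEMU. It drives
qemu over QMP on stdio (as in the reporter's steps), optionally under
valgrind, then sorts valgrind's findings into real memory errors and the
two false positives the reporter names. The qemu path is an assumption;
everything else runs offline on constructed sample data.
"""
import json
import re
import subprocess

# Valgrind reports the reporter identified as false positives (from the bug).
KNOWN_FALSE_POSITIVES = (
    "Syscall param ioctl(generic) points to uninitialised byte(s)",
    "Conditional jump or move depends on uninitialised value(s)",
)
# Memcheck's header line for a genuine invalid access, e.g. the
# "Invalid read of size 8" in cpu_exec_init() from the report.
MEMORY_ERROR = re.compile(r"^==\d+== (Invalid (?:read|write) of size \d+)")


def qmp_request(command, **arguments):
    """Serialise one QMP command as a single JSON line."""
    req = {"execute": command}
    if arguments:
        req["arguments"] = arguments
    return json.dumps(req)


def repro_commands(typename):
    """The reporter's sequence: handshake, the command twice, then quit."""
    return [
        qmp_request("qmp_capabilities"),
        qmp_request("device-list-properties", typename=typename),
        qmp_request("device-list-properties", typename=typename),
        qmp_request("quit"),
    ]


def classify_reply(line):
    """Return (kind, payload): greeting, return, error, event or junk."""
    try:
        msg = json.loads(line)
    except ValueError:
        return "junk", line  # e.g. an assertion message instead of JSON
    for kind in ("QMP", "return", "error", "event"):
        if kind in msg:
            return ("greeting" if kind == "QMP" else kind), msg[kind]
    return "junk", msg


def triage_valgrind(lines):
    """Split memcheck output into real memory errors and known noise."""
    real, noise = [], []
    for line in lines:
        m = MEMORY_ERROR.match(line)
        if m:
            real.append(m.group(1))
        elif any(fp in line for fp in KNOWN_FALSE_POSITIVES):
            noise.append(line.split("== ", 1)[-1])
    return real, noise


def session_is_clean(replies, valgrind_lines, expected_replies):
    """Fixed behaviour: every command answered (a list or a GenericError),
    nothing non-JSON on the QMP channel, and no invalid read/write."""
    kinds = [classify_reply(r)[0] for r in replies if r.strip()]
    answered = [k for k in kinds if k in ("return", "error")]
    real, _ = triage_valgrind(valgrind_lines)
    return len(answered) == expected_replies and "junk" not in kinds and not real


def run_repro(qemu="/usr/libexec/qemu-kvm", typename="qemu64-x86_64-cpu",
              valgrind=True, accel_tcg=False):
    """Run the reproducer; returns (stdout lines, stderr lines).
    The qemu path is an assumption; adjust it for your host."""
    cmd = ["valgrind"] if valgrind else []
    cmd += [qemu, "-nodefaults", "-S", "-display", "none", "-qmp", "stdio"]
    if accel_tcg:
        cmd += ["-machine", "accel=tcg"]
    proc = subprocess.run(cmd, input="\n".join(repro_commands(typename)) + "\n",
                          capture_output=True, text=True, timeout=300)
    return proc.stdout.splitlines(), proc.stderr.splitlines()


# Constructed sample data modelled on the report (not captured output).
SAMPLE_REPLIES = [
    '{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}}, "capabilities": []}}',
    '{"return": {}}',
    '{"return": [{"name": "apic-id", "type": "int"}]}',
    '{"error": {"class": "GenericError", "desc": "Can\'t list properties of device \'host-x86_64-cpu\'"}}',
    '{"return": {}}',
]
SAMPLE_VALGRIND_BAD = [
    "==4242== Syscall param ioctl(generic) points to uninitialised byte(s)",
    "==4242== Invalid read of size 8",
    "==4242== Invalid write of size 8",
    "==4242== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 1 from 1)",
]
SAMPLE_VALGRIND_OK = [SAMPLE_VALGRIND_BAD[0], SAMPLE_VALGRIND_BAD[-1]]

if __name__ == "__main__":
    print(session_is_clean(SAMPLE_REPLIES, SAMPLE_VALGRIND_BAD, 4))  # False
    print(session_is_clean(SAMPLE_REPLIES, SAMPLE_VALGRIND_OK, 4))   # True
```

On a real host, `session_is_clean(*run_repro(), expected_replies=4)` reports the fixed behaviour seen in comment 6 (a GenericError counts as a clean answer) and flags both failure modes from the report: the memcheck invalid read/write, and an assertion abort, which leaves the second command unanswered.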

Comment 2 Markus Armbruster 2015-09-18 12:26:55 UTC
Proposed upstream fix
https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg04799.html

Comment 4 Markus Armbruster 2015-10-06 14:28:33 UTC
Upstream fix is finally converging.  Expecting it to land this week.  Backport is straightforward.

Comment 5 Jeff Nelson 2015-10-12 17:57:07 UTC
Fix included in qemu-kvm-rhev-2.3.0-30.el7

Comment 6 Xiaoqing Wei 2015-10-13 07:41:54 UTC
on qemu-kvm-rhev-2.3.0-28.el7: qemu core dumped as expected.

qemu-kvm -nodefaults -S -display none -qmp stdio -machine accel=tcg
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "host-x86_64-cpu" } }
qemu-kvm: /builddir/build/BUILD/qemu-2.3.0/target-i386/cpu.c:1491: host_x86_cpu_initfn: Assertion `(kvm_allowed)' failed.
Aborted (core dumped)

========================

on qemu-kvm-rhev-2.3.0-30.el7: qemu survives the same qmp cmd
# qemu-kvm -nodefaults -S -display none -qmp stdio -machine accel=tcg
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-30.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "host-x86_64-cpu" } }
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'host-x86_64-cpu'"}}

Comment 7 Xiaoqing Wei 2015-10-13 07:58:52 UTC
Cannot reproduce with the valgrind method, with both tcg and kvm.

There's no error raised after step 4 (and 5, 6; I just repeated the same cmd).

logs as below:

# valgrind qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 -machine accel=tcg
==16027== Memcheck, a memory error detector
==16027== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16027== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16027== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5 -machine accel=tcg
==16027== 
==16027== Syscall param msync(start) points to unaddressable byte(s)
==16027==    at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16027==    by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16027==    by 0xE44FF63: access_mem (Ginit.c:171)
==16027==    by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16027==    by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16027==    by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16027==    by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16027==    by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16027==    by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16027==    by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16027==    by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16027==    by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16027==    by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16027==    by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16027==    by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16027==  Address 0xffefff000 is on thread 1's stack
==16027==  296 bytes below stack pointer
==16027== 
==16027== Syscall param msync(start) points to uninitialised byte(s)
==16027==    at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16027==    by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16027==    by 0xE44FF63: access_mem (Ginit.c:171)
==16027==    by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16027==    by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16027==    by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16027==    by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16027==    by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16027==    by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16027==    by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16027==    by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16027==    by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16027==    by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16027==    by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16027==    by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16027==  Address 0xfff000000 is on thread 1's stack
==16027==  in frame #10, created by tcmalloc::CentralFreeList::Populate() (central_freelist.cc:321)
==16027== 
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}

===============

# valgrind qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16034== Memcheck, a memory error detector
==16034== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16034== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16034== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16034== 
==16034== Syscall param msync(start) points to unaddressable byte(s)
==16034==    at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16034==    by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16034==    by 0xE44FF63: access_mem (Ginit.c:171)
==16034==    by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16034==    by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16034==    by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16034==    by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16034==    by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16034==    by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16034==    by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16034==    by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16034==    by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16034==    by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16034==    by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16034==    by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16034==  Address 0xffefff000 is on thread 1's stack
==16034==  328 bytes below stack pointer
==16034== 
==16034== Syscall param msync(start) points to uninitialised byte(s)
==16034==    at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16034==    by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16034==    by 0xE44FF63: access_mem (Ginit.c:171)
==16034==    by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16034==    by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16034==    by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16034==    by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16034==    by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16034==    by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16034==    by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16034==    by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16034==    by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16034==    by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16034==    by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16034==    by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16034==  Address 0xfff000010 is on thread 1's stack
==16034==  in frame #10, created by tcmalloc::CentralFreeList::Populate() (central_freelist.cc:321)
==16034== 
==16034== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints.
==16034==    This could cause spurious value errors to appear.
==16034==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}

Comment 9 Xiaoqing Wei 2015-10-13 08:00:50 UTC
Also tried the exactly identical CLI from C#0, and still no
> Valgrind reports "Invalid read of size 8" followed by "Invalid write
> of size 8" in cpu_exec_init() after step 4

# valgrind qemu-kvm -nodefaults -S -display none -qmp stdio
==16050== Memcheck, a memory error detector
==16050== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16050== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16050== Command: qemu-kvm -nodefaults -S -display none -qmp stdio
==16050== 
==16050== Syscall param msync(start) points to unaddressable byte(s)
==16050==    at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16050==    by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16050==    by 0xE44FF63: access_mem (Ginit.c:171)
==16050==    by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16050==    by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16050==    by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16050==    by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16050==    by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16050==    by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16050==    by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16050==    by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16050==    by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16050==    by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16050==    by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16050==    by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16050==  Address 0xffefff000 is on thread 1's stack
==16050==  360 bytes below stack pointer
==16050== 
==16050== Syscall param msync(start) points to uninitialised byte(s)
==16050==    at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16050==    by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16050==    by 0xE44FF63: access_mem (Ginit.c:171)
==16050==    by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16050==    by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16050==    by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16050==    by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16050==    by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16050==    by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16050==    by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16050==    by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16050==    by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16050==    by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16050==    by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16050==    by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16050==  Address 0xfff000030 is on thread 1's stack
==16050==  in frame #10, created by tcmalloc::CentralFreeList::Populate() (central_freelist.cc:321)
==16050== 
==16050== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints.
==16050==    This could cause spurious value errors to appear.
==16050==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{ "execute": "device-list-properties", "arguments": { "typename": "qemu64-x86_64-cpu"}}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "quit"}
{"return": {}}
{"timestamp": {"seconds": 1444722794, "microseconds": 198814}, "event": "SHUTDOWN"}
==16050== Invalid read of size 4
==16050==    at 0x5E42E18: pthread_cond_broadcast@@GLIBC_2.3.2 (pthread_cond_broadcast.S:41)
==16050==    by 0x408E08: qemu_cond_broadcast (qemu-thread-posix.c:123)
==16050==    by 0x1C2E6F: qemu_cpu_kick (cpus.c:1085)
==16050==    by 0x1C3606: pause_all_vcpus (cpus.c:1157)
==16050==    by 0x19C203: main (vl.c:4396)
==16050==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==16050== 
==16050== 
==16050== Process terminating with default action of signal 11 (SIGSEGV)
==16050==  Access not within mapped region at address 0x0
==16050==    at 0x5E42E18: pthread_cond_broadcast@@GLIBC_2.3.2 (pthread_cond_broadcast.S:41)
==16050==    by 0x408E08: qemu_cond_broadcast (qemu-thread-posix.c:123)
==16050==    by 0x1C2E6F: qemu_cpu_kick (cpus.c:1085)
==16050==    by 0x1C3606: pause_all_vcpus (cpus.c:1157)
==16050==    by 0x19C203: main (vl.c:4396)
==16050==  If you believe this happened as a result of a stack
==16050==  overflow in your program's main thread (unlikely but
==16050==  possible), you can try to increase the size of the
==16050==  main thread stack using the --main-stacksize= flag.
==16050==  The main thread stack size used in this run was 8388608.
==16050== 
==16050== HEAP SUMMARY:
==16050==     in use at exit: 0 bytes in 0 blocks
==16050==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==16050== 
==16050== All heap blocks were freed -- no leaks are possible
==16050== 
==16050== For counts of detected and suppressed errors, rerun with: -v
==16050== Use --track-origins=yes to see where uninitialised values come from
==16050== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 1 from 1)
Killed

Comment 10 Xiaoqing Wei 2015-10-13 08:07:52 UTC
(In reply to Xiaoqing Wei from comment #9)

> {"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"},
> {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name":
> "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"},
> {"name": "model-id", "type": "string"}, {"name": "vendor", "type":
> "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type":
> "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type":
> "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"},
> {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"},
> {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"},
> {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type":
> "int"}, {"name": "pmu", "type": "bool"}]}
> { "execute": "quit"}
> {"return": {}}
> {"timestamp": {"seconds": 1444722794, "microseconds": 198814}, "event":
> "SHUTDOWN"}
> ==16050== Invalid read of size 4


This is the only error caught by valgrind, but it is not identical to the actual result listed in C#0.

Could be that C#0 used a local build and I'm using vanilla from brew.

The same test steps on version -30 do not have such an invalid read error,
but it returns
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}

see below:

valgrind qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16159== Memcheck, a memory error detector
==16159== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16159== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16159== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16159== 
==16159== Syscall param msync(start) points to unaddressable byte(s)
==16159==    at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16159==    by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16159==    by 0xE44FF63: access_mem (Ginit.c:171)
==16159==    by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16159==    by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16159==    by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16159==    by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16159==    by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16159==    by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16159==    by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16159==    by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16159==    by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16159==    by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16159==    by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16159==    by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16159==  Address 0xffefff000 is on thread 1's stack
==16159==  328 bytes below stack pointer
==16159== 
==16159== Syscall param msync(start) points to uninitialised byte(s)
==16159==    at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16159==    by 0xE44FF63: UnknownInlinedFun (Ginit.c:137)
==16159==    by 0xE44FF63: access_mem (Ginit.c:171)
==16159==    by 0xE452EAE: UnknownInlinedFun (libunwind_i.h:162)
==16159==    by 0xE452EAE: apply_reg_state (Gparser.c:800)
==16159==    by 0xE454181: _ULx86_64_dwarf_find_save_locs (Gparser.c:884)
==16159==    by 0xE454518: _ULx86_64_dwarf_step (Gstep.c:34)
==16159==    by 0xE450900: _ULx86_64_step (Gstep.c:71)
==16159==    by 0x8DFF8CA: GetStackTrace_libunwind(void**, int, int) (stacktrace_libunwind-inl.h:118)
==16159==    by 0x8E000BD: GetStackTrace(void**, int, int) (stacktrace.cc:234)
==16159==    by 0x8DF1313: UnknownInlinedFun (page_heap.cc:584)
==16159==    by 0x8DF1313: tcmalloc::PageHeap::GrowHeap(unsigned long) (page_heap.cc:610)
==16159==    by 0x8DF1632: tcmalloc::PageHeap::New(unsigned long) (page_heap.cc:156)
==16159==    by 0x8DEFF63: tcmalloc::CentralFreeList::Populate() (central_freelist.cc:329)
==16159==    by 0x8DF0147: tcmalloc::CentralFreeList::FetchFromOneSpansSafe(int, void**, void**) (central_freelist.cc:284)
==16159==  Address 0xfff000010 is on thread 1's stack
==16159==  in frame #10, created by tcmalloc::CentralFreeList::Populate() (central_freelist.cc:321)
==16159== 
==16159== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints.
==16159==    This could cause spurious value errors to appear.
==16159==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-30.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}
{ "execute": "quit"}
{"return": {}}
{"timestamp": {"seconds": 1444723493, "microseconds": 271327}, "event": "SHUTDOWN"}
==16159== 
==16159== HEAP SUMMARY:
==16159==     in use at exit: 0 bytes in 0 blocks
==16159==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==16159== 
==16159== All heap blocks were freed -- no leaks are possible
==16159== 
==16159== For counts of detected and suppressed errors, rerun with: -v
==16159== Use --track-origins=yes to see where uninitialised values come from
==16159== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 1 from 1)

Comment 11 Xiaoqing Wei 2015-10-13 08:11:28 UTC
Hello Markus,

could you pls have a look from c#6 to c#10,
the alternative method in c#0 reproduced and verified as expected.

While the other one seems a bit different from your input in c#0,
could you comment?


Thanks,
Xiaoqing.

Comment 12 Markus Armbruster 2015-10-13 09:21:02 UTC
I experimented with quick local builds under F22 to figure out what's
happening here.

* I can't reproduce my reproducer when I compile with
  --enable-tcmalloc.  This is how our build compiles.

* I can reproduce when I compile with tcmalloc disabled.  This is how
  I compiled when I created the reproducer.  My apologies for
  misleading you.

* Searching for a work-around, I found the valgrind user manual
  suggests --soname-synonyms=somalloc=*tcmalloc*.

  http://www.valgrind.org/docs/manual/manual-core.html#manual-core.rareopts

  With "valgrind --soname-synonyms='somalloc=*tcmalloc*' ..." I can
  reproduce my reproducer again.

Conclusions:

* tcmalloc appears to blind valgrind.

* Valgrind option --soname-synonyms='somalloc=*tcmalloc*' is required
  to unblind it.

Please try to reproduce with that option.
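As an added example, not code from this bug report or from the QEMU project, the following Python helper applies the conclusion of this comment on the defender's side of the workflow: it builds a memcheck command line that includes the --soname-synonyms option so memcheck can see tcmalloc's allocator, and it parses memcheck's stderr to pull out use-after-free reports (an "Invalid read/write" whose address lies inside a block memcheck marks as free'd) and name the function that freed the block, skipping valgrind's interceptor and glib's g_free wrapper. The sample log is a constructed, abridged version of the reports in this bug; the function names, the QMP script and the run_and_triage helper are assumptions for the example.

```python
"""Triage helper for memcheck runs against tcmalloc-linked QEMU (example code)."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the memcheck output quoted in this bug;
# abridged, not a verbatim copy.  QMP JSON is interleaved the way it is on
# a terminal when QMP talks over stdio.
SAMPLE_LOG = """\
==16428== Memcheck, a memory error detector
==16428== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16428== 
{"return": {}}
==16428== Invalid read of size 8
==16428==    at 0x19FEE0: cpu_exec_init (exec.c:541)
==16428==    by 0x248822: x86_cpu_initfn (cpu.c:2927)
==16428==    by 0x299916: qmp_device_list_properties (qmp.c:531)
==16428==  Address 0x14d90910 is 33,232 bytes inside a block of size 75,936 free'd
==16428==    at 0x4C2ADAD: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16428==    by 0x64A836E: g_free (gmem.c:190)
==16428==    by 0x2999A1: qmp_device_list_properties (qmp.c:565)
==16428== 
==16428== Invalid write of size 8
==16428==    at 0x19FF7C: cpu_exec_init (exec.c:553)
==16428==    by 0x248822: x86_cpu_initfn (cpu.c:2927)
==16428==  Address 0x14d90910 is 33,232 bytes inside a block of size 75,936 free'd
==16428==    at 0x4C2ADAD: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16428==    by 0x2999A1: qmp_device_list_properties (qmp.c:565)
==16428== 
==16428== Syscall param msync(start) points to unaddressable byte(s)
==16428==    at 0x5E458F0: __msync_nocancel (syscall-template.S:81)
==16428==  Address 0xffefff000 is on thread 1's stack
==16428== 
==16428== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 1 from 1)
"""

PREFIX_RE = re.compile(r"^==\d+==\s?(.*)$")          # memcheck's "==PID== " prefix
ERR_RE = re.compile(r"^(Invalid (?:read|write) of size \d+|Syscall param .*|"
                    r"Conditional jump .*|Use of uninitialised .*)$")
FRAME_RE = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (.*)$")
FREED_RE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is .* free'd$")
SUMMARY_RE = re.compile(r"^ERROR SUMMARY: (\d+) errors from (\d+) contexts")


def memcheck_cmdline(qemu_argv: List[str], unblind_tcmalloc: bool = True) -> List[str]:
    """argv for running QEMU under memcheck.  With a --enable-tcmalloc build,
    memcheck does not intercept malloc/free unless told that the tcmalloc
    shared object provides them; --soname-synonyms does that."""
    cmd = ["valgrind", "--error-exitcode=99"]
    if unblind_tcmalloc:
        cmd.append("--soname-synonyms=somalloc=*tcmalloc*")
    return cmd + list(qemu_argv)


@dataclass
class MemError:
    kind: str                                   # e.g. "Invalid read of size 8"
    access_stack: List[str] = field(default_factory=list)   # frames of the bad access
    free_stack: List[str] = field(default_factory=list)     # frames of the earlier free, if any


def parse_memcheck(text: str) -> Tuple[List[MemError], Optional[Tuple[int, int]]]:
    """Parse memcheck output into error records plus the (errors, contexts) summary."""
    errors: List[MemError] = []
    summary = None
    cur: Optional[MemError] = None
    in_free_stack = False
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                     # program stdout (QMP JSON) is not memcheck's
        line = m.group(1)
        if not line.strip():             # blank memcheck line ends the current report
            cur, in_free_stack = None, False
            continue
        sm = SUMMARY_RE.match(line.strip())
        if sm:
            summary = (int(sm.group(1)), int(sm.group(2)))
            continue
        em = ERR_RE.match(line.strip())
        if em:
            cur = MemError(kind=em.group(1))
            errors.append(cur)
            in_free_stack = False
            continue
        if cur is None:
            continue
        if FREED_RE.match(line):         # frames that follow describe the free()
            in_free_stack = True
            continue
        fm = FRAME_RE.match(line)
        if fm:
            (cur.free_stack if in_free_stack else cur.access_stack).append(fm.group(1))
    return errors, summary


def use_after_free_reports(errors: List[MemError]) -> List[MemError]:
    """Reports whose faulting address is inside a block memcheck saw free'd."""
    return [e for e in errors if e.free_stack]


def freeing_function(err: MemError) -> Optional[str]:
    """Name the QEMU-side caller that freed the block, skipping the valgrind
    interceptor and glib's g_free wrapper."""
    for frame in err.free_stack:
        name = frame.split(" (")[0]
        if name in ("free", "g_free") or "vgpreload" in frame:
            continue
        return name
    return None


def run_and_triage(qemu_argv: List[str], qmp_script: str):
    """Run QEMU under memcheck, feed it a QMP script on stdin, triage stderr.
    Assumes valgrind and the QEMU binary are installed; not exercised offline."""
    proc = subprocess.run(memcheck_cmdline(qemu_argv), input=qmp_script,
                          capture_output=True, text=True)
    return parse_memcheck(proc.stderr)


if __name__ == "__main__":
    errs, summ = parse_memcheck(SAMPLE_LOG)
    print("summary:", summ)
    for e in use_after_free_reports(errs):
        print(f"{e.kind}: at {e.access_stack[0]}; block freed by {freeing_function(e)}")
```

Running the script against the constructed sample prints the two use-after-free reports and names qmp_device_list_properties as the freeing function; to use it live, call run_and_triage with the QEMU argv from this bug and a QMP script that repeats the device-list-properties command, and treat a non-empty use_after_free_reports() as a failing check in a regression job.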

Comment 13 Xiaoqing Wei 2015-10-13 09:28:18 UTC
(In reply to Markus Armbruster from comment #12)
# valgrind --soname-synonyms='somalloc=*tcmalloc*'  qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16428== Memcheck, a memory error detector
==16428== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16428== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16428== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16428== 
==16428== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints.
==16428==    This could cause spurious value errors to appear.
==16428==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-28.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
==16428== Invalid read of size 8
==16428==    at 0x19FEE0: cpu_exec_init (exec.c:541)
==16428==    by 0x248822: x86_cpu_initfn (cpu.c:2927)
==16428==    by 0x35E5B8: object_init_with_type (object.c:309)
==16428==    by 0x35EA6E: object_initialize_with_type (object.c:343)
==16428==    by 0x35EBC0: object_new_with_type (object.c:429)
==16428==    by 0x299916: qmp_device_list_properties (qmp.c:531)
==16428==    by 0x295E4C: qmp_marshal_input_device_list_properties (qmp-marshal.c:4107)
==16428==    by 0x1C6530: qmp_call_cmd (monitor.c:5051)
==16428==    by 0x1C6530: handle_qmp_command (monitor.c:5113)
==16428==    by 0x4053A1: json_message_process_token (json-streamer.c:87)
==16428==    by 0x4177CE: json_lexer_feed_char (json-lexer.c:303)
==16428==    by 0x41789D: json_lexer_feed (json-lexer.c:356)
==16428==    by 0x1C48CE: monitor_control_read (monitor.c:5134)
==16428==  Address 0x14d90910 is 33,232 bytes inside a block of size 75,936 free'd
==16428==    at 0x4C2ADAD: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16428==    by 0x64A836E: g_free (gmem.c:190)
==16428==    by 0x2999A1: qmp_device_list_properties (qmp.c:565)
==16428==    by 0x295E4C: qmp_marshal_input_device_list_properties (qmp-marshal.c:4107)
==16428==    by 0x1C6530: qmp_call_cmd (monitor.c:5051)
==16428==    by 0x1C6530: handle_qmp_command (monitor.c:5113)
==16428==    by 0x4053A1: json_message_process_token (json-streamer.c:87)
==16428==    by 0x4177CE: json_lexer_feed_char (json-lexer.c:303)
==16428==    by 0x41789D: json_lexer_feed (json-lexer.c:356)
==16428==    by 0x1C48CE: monitor_control_read (monitor.c:5134)
==16428==    by 0x281BE0: qemu_chr_be_write (qemu-char.c:305)
==16428==    by 0x281BE0: fd_chr_read (qemu-char.c:1012)
==16428==    by 0x64A2799: g_main_dispatch (gmain.c:3109)
==16428==    by 0x64A2799: g_main_context_dispatch (gmain.c:3708)
==16428==    by 0x39A137: glib_pollfds_poll (main-loop.c:209)
==16428==    by 0x39A137: UnknownInlinedFun (main-loop.c:254)
==16428==    by 0x39A137: main_loop_wait (main-loop.c:503)
==16428== 
==16428== Invalid write of size 8
==16428==    at 0x19FF7C: cpu_exec_init (exec.c:553)
==16428==    by 0x248822: x86_cpu_initfn (cpu.c:2927)
==16428==    by 0x35E5B8: object_init_with_type (object.c:309)
==16428==    by 0x35EA6E: object_initialize_with_type (object.c:343)
==16428==    by 0x35EBC0: object_new_with_type (object.c:429)
==16428==    by 0x299916: qmp_device_list_properties (qmp.c:531)
==16428==    by 0x295E4C: qmp_marshal_input_device_list_properties (qmp-marshal.c:4107)
==16428==    by 0x1C6530: qmp_call_cmd (monitor.c:5051)
==16428==    by 0x1C6530: handle_qmp_command (monitor.c:5113)
==16428==    by 0x4053A1: json_message_process_token (json-streamer.c:87)
==16428==    by 0x4177CE: json_lexer_feed_char (json-lexer.c:303)
==16428==    by 0x41789D: json_lexer_feed (json-lexer.c:356)
==16428==    by 0x1C48CE: monitor_control_read (monitor.c:5134)
==16428==  Address 0x14d90910 is 33,232 bytes inside a block of size 75,936 free'd
==16428==    at 0x4C2ADAD: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16428==    by 0x64A836E: g_free (gmem.c:190)
==16428==    by 0x2999A1: qmp_device_list_properties (qmp.c:565)
==16428==    by 0x295E4C: qmp_marshal_input_device_list_properties (qmp-marshal.c:4107)
==16428==    by 0x1C6530: qmp_call_cmd (monitor.c:5051)
==16428==    by 0x1C6530: handle_qmp_command (monitor.c:5113)
==16428==    by 0x4053A1: json_message_process_token (json-streamer.c:87)
==16428==    by 0x4177CE: json_lexer_feed_char (json-lexer.c:303)
==16428==    by 0x41789D: json_lexer_feed (json-lexer.c:356)
==16428==    by 0x1C48CE: monitor_control_read (monitor.c:5134)
==16428==    by 0x281BE0: qemu_chr_be_write (qemu-char.c:305)
==16428==    by 0x281BE0: fd_chr_read (qemu-char.c:1012)
==16428==    by 0x64A2799: g_main_dispatch (gmain.c:3109)
==16428==    by 0x64A2799: g_main_context_dispatch (gmain.c:3708)
==16428==    by 0x39A137: glib_pollfds_poll (main-loop.c:209)
==16428==    by 0x39A137: UnknownInlinedFun (main-loop.c:254)
==16428==    by 0x39A137: main_loop_wait (main-loop.c:503)
==16428== 
{"return": [{"name": "filtered-features", "type": "X86CPUFeatureWordInfo"}, {"name": "feature-words", "type": "X86CPUFeatureWordInfo"}, {"name": "apic-id", "type": "int"}, {"name": "tsc-frequency", "type": "int"}, {"name": "model-id", "type": "string"}, {"name": "vendor", "type": "string"}, {"name": "xlevel", "type": "int"}, {"name": "level", "type": "int"}, {"name": "stepping", "type": "int"}, {"name": "model", "type": "int"}, {"name": "family", "type": "int"}, {"name": "kvm", "type": "bool"}, {"name": "enforce", "type": "bool"}, {"name": "check", "type": "bool"}, {"name": "hv-time", "type": "bool"}, {"name": "hv-vapic", "type": "bool"}, {"name": "hv-relaxed", "type": "bool"}, {"name": "hv-spinlocks", "type": "int"}, {"name": "pmu", "type": "bool"}]}
================



# valgrind --soname-synonyms='somalloc=*tcmalloc*'  qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16364== Memcheck, a memory error detector
==16364== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16364== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==16364== Command: qemu-kvm -nodefaults -S -display none -qmp stdio -cpu Opteron_G5
==16364== 
==16364== Warning: noted but unhandled ioctl 0xae47 with no size/direction hints.
==16364==    This could cause spurious value errors to appear.
==16364==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
{"QMP": {"version": {"qemu": {"micro": 0, "minor": 3, "major": 2}, "package": " (qemu-kvm-rhev-2.3.0-30.el7)"}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}
{ "execute": "device-list-properties", "arguments": { "typename": "Opteron_G5-x86_64-cpu" }}
{"error": {"class": "GenericError", "desc": "Can't list properties of device 'Opteron_G5-x86_64-cpu'"}}

Comment 14 Xiaoqing Wei 2015-10-13 09:31:12 UTC
Based on the above, this bug has been fixed correctly, on version:
qemu-kvm-rhev-2.3.0-30.el7

Comment 16 errata-xmlrpc 2015-12-04 16:58:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2546.html
