Bug 741533 - Malformed command on SPICE connect/disconnect causes libvirt crash
Keywords:
Status: CLOSED DUPLICATE of bug 737881
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.1
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Peter Krempa
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 730297
Reported: 2011-09-27 08:16 UTC by Daniel Paikov
Modified: 2015-11-20 07:23 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-03 13:55:29 UTC
Target Upstream Version:
Embargoed:


Attachments:
libvirtd.log (1.27 MB, application/x-gzip), 2011-09-27 08:18 UTC, Daniel Paikov

Description Daniel Paikov 2011-09-27 08:16:06 UTC
Malformed command on SPICE connect/disconnect causes libvirt crash:

13:24:33.725: 30379: debug : virDomainUpdateDeviceFlags:8227 : dom=0x7fed0805d5d0, (VM: name=VmTicket3, uuid=669247c4-4fb4-476a-9bde-4c38ba9ea155), xml=<graphics autoport="yes" connected="disconnect" keymap="en-us" listen="0" passwd="Vqysi+oRVB9y" passwdValidTo="2035-01-01T00:00:01" port="5900" tlsPort="5901" type="spice">
<listen address="0" type="address"/>
<channel mode="secure" name="main"/>
<channel mode="secure" name="inputs"/>
</graphics>, flags=0


(gdb) thread apply all bt full

Thread 11 (Thread 0x7fed1b453700 (LWP 30384)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
        cond = 0xaf4170
        priority = true
        job = <value optimized out>
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad3880
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 10 (Thread 0x7fed1be54700 (LWP 30383)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
        cond = 0xaf4170
        priority = true
        job = <value optimized out>
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad3930
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
---Type <return> to continue, or q <return> to quit---
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 9 (Thread 0x7fed1aa52700 (LWP 30385)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
        cond = 0xaf4170
        priority = true
        job = <value optimized out>
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad3810
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 8 (Thread 0x7fed1d256700 (LWP 30381)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
        cond = 0xaf4170
        priority = true
        job = <value optimized out>
---Type <return> to continue, or q <return> to quit---
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad3a30
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 7 (Thread 0x7fed1dc57700 (LWP 30380)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
        cond = 0xaf40e0
        priority = false
        job = <value optimized out>
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad3aa0
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 6 (Thread 0x7fed1c855700 (LWP 30382)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
---Type <return> to continue, or q <return> to quit---
        cond = 0xaf4170
        priority = true
        job = <value optimized out>
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad39c0
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 5 (Thread 0x7fed1fa5a700 (LWP 30377)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
        cond = 0xaf40e0
        priority = false
        job = <value optimized out>
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad3c50
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 4 (Thread 0x7fed1f059700 (LWP 30378)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
---Type <return> to continue, or q <return> to quit---
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
        cond = 0xaf40e0
        priority = false
        job = <value optimized out>
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad3be0
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 3 (Thread 0x7fed1e658700 (LWP 30379)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
        cond = 0xaf40e0
        priority = false
        job = <value optimized out>
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad3b50
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 2 (Thread 0x7fed2045b700 (LWP 30376)):
#0  0x000000380f80b3cc in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
---Type <return> to continue, or q <return> to quit---
No symbol table info available.
#1  0x000000351be57d36 in virCondWait (c=<value optimized out>, m=<value optimized out>) at util/threads-pthread.c:117
        ret = <value optimized out>
#2  0x000000351be582d3 in virThreadPoolWorker (opaque=<value optimized out>) at util/threadpool.c:103
        data = 0x0
        pool = 0xaf4080
        cond = 0xaf40e0
        priority = false
        job = <value optimized out>
#3  0x000000351be57b52 in virThreadHelper (data=<value optimized out>) at util/threads-pthread.c:157
        args = 0xad3d50
#4  0x000000380f8077e1 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#5  0x000000380f0e57bd in clone () from /lib64/libc.so.6
No symbol table info available.

Thread 1 (Thread 0x7fed2045c800 (LWP 30372)):
#0  0x000000380f0752a5 in malloc_consolidate () from /lib64/libc.so.6
No symbol table info available.
#1  0x000000380f078122 in _int_malloc () from /lib64/libc.so.6
No symbol table info available.
#2  0x000000380f07954d in malloc () from /lib64/libc.so.6
No symbol table info available.
#3  0x000000351be4a3ac in virReallocN (ptrptr=0x7fed0c000d40, size=<value optimized out>, count=<value optimized out>) at util/memory.c:161
        tmp = <value optimized out>
#4  0x0000000000493c29 in qemuMonitorIORead (watch=8, fd=<value optimized out>, events=1, opaque=0x7fed0c000cb0) at qemu/qemu_monitor.c:467
        avail = 0
        ret = 0
#5  qemuMonitorIO (watch=8, fd=<value optimized out>, events=1, opaque=0x7fed0c000cb0) at qemu/qemu_monitor.c:558
        got = 21
        mon = 0x7fed0c000cb0
        error = false
        eof = false
---Type <return> to continue, or q <return> to quit---
        __FUNCTION__ = "qemuMonitorIO"
        __func__ = "qemuMonitorIO"
#6  0x000000351be41022 in virEventPollDispatchHandles () at util/event_poll.c:470
        cb = 0x493510 <qemuMonitorIO>
        watch = 8
        opaque = 0x7fed0c000cb0
        hEvents = 1
        i = 7
        n = <value optimized out>
#7  virEventPollRunOnce () at util/event_poll.c:611
        fds = 0xb01640
        ret = <value optimized out>
        timeout = <value optimized out>
        nfds = 10
        __func__ = "virEventPollRunOnce"
        __FUNCTION__ = "virEventPollRunOnce"
#8  0x000000351be3fed7 in virEventRunDefaultImpl () at util/event.c:247
        __func__ = "virEventRunDefaultImpl"
#9  0x000000000043f97d in virNetServerRun (srv=0xaf3f90) at rpc/virnetserver.c:701
        timerid = -1
        timerActive = 0
        i = <value optimized out>
        __FUNCTION__ = "virNetServerRun"
        __func__ = "virNetServerRun"
#10 0x000000000041ed04 in main (argc=<value optimized out>, argv=<value optimized out>) at libvirtd.c:1591
        srv = 0xaf3f90
        remote_config_file = 0xaf3750 "/etc/libvirt/libvirtd.conf"
        statuswrite = -1
        ret = 1
        pid_file = 0xad3e70 "/var/run/libvirtd.pid"
        sock_file = 0xafefa0 "/var/run/libvirt/libvirt-sock"
        sock_file_ro = 0xafef70 "/var/run/libvirt/libvirt-sock-ro"
        timeout = -1
---Type <return> to continue, or q <return> to quit---
        verbose = 0
        godaemon = 0
        ipsock = 1
        config = 0xaf37c0
        privileged = true
        implicit_conf = <value optimized out>
        opts = {{name = 0x4da731 "verbose", has_arg = 0, flag = 0x7fffcab66134, val = 1}, {name = 0x4da739 "daemon", has_arg = 0, 
            flag = 0x7fffcab66130, val = 1}, {name = 0x4f077e "listen", has_arg = 0, flag = 0x7fffcab6612c, val = 1}, {
            name = 0x4f0f33 "config", has_arg = 1, flag = 0x0, val = 102}, {name = 0x4fa81c "timeout", has_arg = 1, flag = 0x0, val = 116}, 
          {name = 0x500ccc "pid-file", has_arg = 1, flag = 0x0, val = 112}, {name = 0x4f7138 "version", has_arg = 0, flag = 0x0, 
            val = 129}, {name = 0x4ead48 "help", has_arg = 0, flag = 0x0, val = 63}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        __func__ = "main"

Comment 1 Daniel Paikov 2011-09-27 08:18:24 UTC
Created attachment 525048
libvirtd.log

Comment 3 Daniel Veillard 2011-09-28 00:51:31 UTC
We need a reproducer: how did you end up with the malformed commands,
and what are the steps to reproduce the issue? The crash is in malloc(),
i.e. the problem was earlier: something before corrupted the memory
allocator data, so we need to reproduce this and can't debug it just
from the stack trace. Also, in case of a crash the libvirtd.log should
contain the full debug buffer as saved by the signal error handler,
and that's not part of the file you provided, so please provide
the actual libvirtd.log from the crashed libvirt daemon.

  thanks,

Daniel

Comment 4 Peter Krempa 2011-09-30 11:24:18 UTC
It would be helpful if you could provide:
- versions of other relevant packages (qemu ...)
- configuration file of the domain that caused the problem.
- optional: valgrind run on libvirtd while reproducing the bug

It would help in reproducing the bug.

Thanks 

Peter

Comment 5 Daniel Paikov 2011-10-02 06:48:39 UTC
These are the versions I'm using:
libvirt-0.9.4-12.el6.x86_64
qemu-kvm-0.12.1.2-2.192.el6.x86_64
vdsm-4.9-104.el6.x86_64

Steps to reproduce:
This crash happened during my attempt to verify bug #730297 - opening two SPICE sessions to the same VM. While the first SPICE session is running, opening the 2nd SPICE session produces this crash. This can be done either by opening both the admin portal and the user portal on the same client machine, or by opening two user portal sessions on two client machines.

As for the other questions, please contact me on IRC (dpaikov). This is my first libvirt bug and I'm not familiar with all the terminology.

Comment 7 Jakub Libosvar 2011-10-03 12:51:56 UTC
==10822== Thread 1:
==10822== Invalid free() / delete / delete[]
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x50792B8: virFree (memory.c:310)
==10822==    by 0x50ADC49: virDomainEventFree (domain_event.c:489)
==10822==    by 0x50ADF42: virDomainEventQueueDispatch (domain_event.c:1154)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822==    by 0x4778B1: qemuDomainEventFlush (qemu_domain.c:134)
==10822==    by 0x506FDA5: virEventPollRunOnce (event_poll.c:421)
==10822==    by 0x506EED6: virEventRunDefaultImpl (event.c:247)
==10822==    by 0x43F97C: virNetServerRun (virnetserver.c:701)
==10822==    by 0x41ED03: main (libvirtd.c:1591)
==10822==  Address 0x1aa48a80 is 0 bytes inside a block of size 13 free'd
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x6D90967: xdr_string (in /lib64/libc-2.12.so)
==10822==    by 0x43898D: xdr_remote_nonnull_string (remote_protocol.c:30)
==10822==    by 0x438C5B: xdr_remote_domain_event_graphics_address (remote_protocol.c:3907)
==10822==    by 0x43C37B: xdr_remote_domain_event_graphics_msg (remote_protocol.c:3934)
==10822==    by 0x6D90114: xdr_free (in /lib64/libc-2.12.so)
==10822==    by 0x4344E8: remoteRelayDomainEventGraphics (remote.c:333)
==10822==    by 0x50AE0DA: virDomainEventDispatchDefaultFunc (domain_event.c:1064)
==10822==    by 0x477907: qemuDomainEventDispatchFunc (qemu_domain.c:125)
==10822==    by 0x50ADECA: virDomainEventDispatch (domain_event.c:1136)
==10822==    by 0x50ADF31: virDomainEventQueueDispatch (domain_event.c:1153)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822== 
==10822== Invalid free() / delete / delete[]
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x50792B8: virFree (memory.c:310)
==10822==    by 0x50ADC5B: virDomainEventFree (domain_event.c:490)
==10822==    by 0x50ADF42: virDomainEventQueueDispatch (domain_event.c:1154)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822==    by 0x4778B1: qemuDomainEventFlush (qemu_domain.c:134)
==10822==    by 0x506FDA5: virEventPollRunOnce (event_poll.c:421)
==10822==    by 0x506EED6: virEventRunDefaultImpl (event.c:247)
==10822==    by 0x43F97C: virNetServerRun (virnetserver.c:701)
==10822==    by 0x41ED03: main (libvirtd.c:1591)
==10822==  Address 0x1aa41840 is 0 bytes inside a block of size 1 free'd
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x6D90967: xdr_string (in /lib64/libc-2.12.so)
==10822==    by 0x43898D: xdr_remote_nonnull_string (remote_protocol.c:30)
==10822==    by 0x438C6B: xdr_remote_domain_event_graphics_address (remote_protocol.c:3909)
==10822==    by 0x43C37B: xdr_remote_domain_event_graphics_msg (remote_protocol.c:3934)
==10822==    by 0x6D90114: xdr_free (in /lib64/libc-2.12.so)
==10822==    by 0x4344E8: remoteRelayDomainEventGraphics (remote.c:333)
==10822==    by 0x50AE0DA: virDomainEventDispatchDefaultFunc (domain_event.c:1064)
==10822==    by 0x477907: qemuDomainEventDispatchFunc (qemu_domain.c:125)
==10822==    by 0x50ADECA: virDomainEventDispatch (domain_event.c:1136)
==10822==    by 0x50ADF31: virDomainEventQueueDispatch (domain_event.c:1153)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822== 
==10822== Invalid free() / delete / delete[]
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x50792B8: virFree (memory.c:310)
==10822==    by 0x50ADC80: virDomainEventFree (domain_event.c:494)
==10822==    by 0x50ADF42: virDomainEventQueueDispatch (domain_event.c:1154)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822==    by 0x4778B1: qemuDomainEventFlush (qemu_domain.c:134)
==10822==    by 0x506FDA5: virEventPollRunOnce (event_poll.c:421)
==10822==    by 0x506EED6: virEventRunDefaultImpl (event.c:247)
==10822==    by 0x43F97C: virNetServerRun (virnetserver.c:701)
==10822==    by 0x41ED03: main (libvirtd.c:1591)
==10822==  Address 0x1a613fe0 is 0 bytes inside a block of size 13 free'd
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x6D90967: xdr_string (in /lib64/libc-2.12.so)
==10822==    by 0x43898D: xdr_remote_nonnull_string (remote_protocol.c:30)
==10822==    by 0x438C5B: xdr_remote_domain_event_graphics_address (remote_protocol.c:3907)
==10822==    by 0x43C38B: xdr_remote_domain_event_graphics_msg (remote_protocol.c:3936)
==10822==    by 0x6D90114: xdr_free (in /lib64/libc-2.12.so)
==10822==    by 0x4344E8: remoteRelayDomainEventGraphics (remote.c:333)
==10822==    by 0x50AE0DA: virDomainEventDispatchDefaultFunc (domain_event.c:1064)
==10822==    by 0x477907: qemuDomainEventDispatchFunc (qemu_domain.c:125)
==10822==    by 0x50ADECA: virDomainEventDispatch (domain_event.c:1136)
==10822==    by 0x50ADF31: virDomainEventQueueDispatch (domain_event.c:1153)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822== 
==10822== Invalid free() / delete / delete[]
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x50792B8: virFree (memory.c:310)
==10822==    by 0x50ADC92: virDomainEventFree (domain_event.c:495)
==10822==    by 0x50ADF42: virDomainEventQueueDispatch (domain_event.c:1154)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822==    by 0x4778B1: qemuDomainEventFlush (qemu_domain.c:134)
==10822==    by 0x506FDA5: virEventPollRunOnce (event_poll.c:421)
==10822==    by 0x506EED6: virEventRunDefaultImpl (event.c:247)
==10822==    by 0x43F97C: virNetServerRun (virnetserver.c:701)
==10822==    by 0x41ED03: main (libvirtd.c:1591)
==10822==  Address 0x1a613220 is 0 bytes inside a block of size 1 free'd
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x6D90967: xdr_string (in /lib64/libc-2.12.so)
==10822==    by 0x43898D: xdr_remote_nonnull_string (remote_protocol.c:30)
==10822==    by 0x438C6B: xdr_remote_domain_event_graphics_address (remote_protocol.c:3909)
==10822==    by 0x43C38B: xdr_remote_domain_event_graphics_msg (remote_protocol.c:3936)
==10822==    by 0x6D90114: xdr_free (in /lib64/libc-2.12.so)
==10822==    by 0x4344E8: remoteRelayDomainEventGraphics (remote.c:333)
==10822==    by 0x50AE0DA: virDomainEventDispatchDefaultFunc (domain_event.c:1064)
==10822==    by 0x477907: qemuDomainEventDispatchFunc (qemu_domain.c:125)
==10822==    by 0x50ADECA: virDomainEventDispatch (domain_event.c:1136)
==10822==    by 0x50ADF31: virDomainEventQueueDispatch (domain_event.c:1153)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822== 
==10822== Invalid free() / delete / delete[]
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x50792B8: virFree (memory.c:310)
==10822==    by 0x50ADCAE: virDomainEventFree (domain_event.c:498)
==10822==    by 0x50ADF42: virDomainEventQueueDispatch (domain_event.c:1154)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822==    by 0x4778B1: qemuDomainEventFlush (qemu_domain.c:134)
==10822==    by 0x506FDA5: virEventPollRunOnce (event_poll.c:421)
==10822==    by 0x506EED6: virEventRunDefaultImpl (event.c:247)
==10822==    by 0x43F97C: virNetServerRun (virnetserver.c:701)
==10822==    by 0x41ED03: main (libvirtd.c:1591)
==10822==  Address 0x1a6175d0 is 0 bytes inside a block of size 6 free'd
==10822==    at 0x4C2695D: free (vg_replace_malloc.c:366)
==10822==    by 0x6D90967: xdr_string (in /lib64/libc-2.12.so)
==10822==    by 0x43898D: xdr_remote_nonnull_string (remote_protocol.c:30)
==10822==    by 0x43C39B: xdr_remote_domain_event_graphics_msg (remote_protocol.c:3938)
==10822==    by 0x6D90114: xdr_free (in /lib64/libc-2.12.so)
==10822==    by 0x4344E8: remoteRelayDomainEventGraphics (remote.c:333)
==10822==    by 0x50AE0DA: virDomainEventDispatchDefaultFunc (domain_event.c:1064)
==10822==    by 0x477907: qemuDomainEventDispatchFunc (qemu_domain.c:125)
==10822==    by 0x50ADECA: virDomainEventDispatch (domain_event.c:1136)
==10822==    by 0x50ADF31: virDomainEventQueueDispatch (domain_event.c:1153)
==10822==    by 0x50AF13D: virDomainEventStateFlush (domain_event.c:1195)
==10822==    by 0x4778B1: qemuDomainEventFlush (qemu_domain.c:134)
==10822==
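
The valgrind report above shows five strings released once via xdr_free() in remoteRelayDomainEventGraphics and again via virDomainEventFree(). The following is an added example, not libvirt code and not part of the original report, that models that ownership pattern with a small tracking allocator and compares it with giving the message its own copies. It assumes the message shared the event's pointers; the struct, field names and sample strings are constructed, and copying is one possible remedy, not necessarily the fix applied for bug 737881.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator (constructed for this example): blocks are kept in a
 * quarantine until tracker_reset(), so a second free of the same pointer is
 * counted instead of reaching the real allocator. */
#define MAX_SLOTS 32
struct slot { void *p; int released; };
static struct slot slots[MAX_SLOTS];
static int nslots, invalid_frees;

static char *tracked_strdup(const char *s)
{
    char *p;
    if (nslots == MAX_SLOTS || !(p = malloc(strlen(s) + 1)))
        return NULL;
    strcpy(p, s);
    slots[nslots++] = (struct slot){ p, 0 };
    return p;
}

static void tracked_free(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < nslots; i++) {
        if (slots[i].p == p) {
            if (slots[i].released)
                invalid_frees++;     /* valgrind: "Invalid free()" */
            slots[i].released = 1;
            return;
        }
    }
    invalid_frees++;                 /* pointer never came from this allocator */
}

static void tracker_reset(void)
{
    for (int i = 0; i < nslots; i++)
        free(slots[i].p);
    nslots = 0;
    invalid_frees = 0;
}

/* Five strings, one per block in the report. Names are hypothetical. */
enum { LOCAL_NODE, LOCAL_SERVICE, REMOTE_NODE, REMOTE_SERVICE, AUTH_SCHEME, NFIELDS };
struct strings { char *f[NFIELDS]; };

static void strings_free(struct strings *s)
{
    for (int i = 0; i < NFIELDS; i++)
        tracked_free(s->f[i]);
}

/* copy_fields == 0: the wire message borrows the event's pointers, so both
 * cleanups free the same blocks. copy_fields == 1: the message owns copies.
 * Returns the number of invalid frees, or -1 on allocation failure. */
static int relay_event(int copy_fields)
{
    /* Constructed values sized like the report: 13, 1, 13, 1 and 6 bytes. */
    static const char *sample[NFIELDS] =
        { "192.168.0.10", "", "192.168.0.20", "", "spice" };
    struct strings event = { { NULL } }, msg = { { NULL } };
    int ok = 1, n;

    for (int i = 0; i < NFIELDS && ok; i++)
        ok = (event.f[i] = tracked_strdup(sample[i])) != NULL;
    for (int i = 0; i < NFIELDS && ok; i++) {
        msg.f[i] = copy_fields ? tracked_strdup(event.f[i]) : event.f[i];
        ok = msg.f[i] != NULL;
    }
    strings_free(&msg);     /* stands in for xdr_free() on the message */
    strings_free(&event);   /* stands in for virDomainEventFree() */
    n = invalid_frees;
    tracker_reset();
    return ok ? n : -1;
}

int main(void)
{
    printf("borrowed pointers: %d invalid frees\n", relay_event(0));
    printf("copied strings:    %d invalid frees\n", relay_event(1));
    return 0;
}
```

With a real allocator the second free corrupts heap metadata, which is consistent with the later crash inside malloc_consolidate() in an unrelated code path.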

Comment 8 Peter Krempa 2011-10-03 13:55:29 UTC

*** This bug has been marked as a duplicate of bug 737881 ***

