Bug 883654 - qemu crashes when rebooting the guest: SpiceWorker-ERROR **: red_worker.c:4797:qxl_process_cursor: invalid cursor command 235
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
Reported: 2012-12-05 04:46 UTC by Xiaoqing Wei
Modified: 2013-05-27 03:13 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-05-26 16:52:52 UTC


Attachments
qemu qmp monitor (42.12 KB, text/plain), 2012-12-07 02:34 UTC, Xiaoqing Wei

Description Xiaoqing Wei 2012-12-05 04:46:53 UTC
Description of problem:

qemu crashes when rebooting the guest: SpiceWorker-ERROR **: red_worker.c:4797:qxl_process_cursor: invalid cursor command 235
Version-Release number of selected component (if applicable):
qemu-kvm-rhev-0.12.1.2-2.340.el6.x86_64
seabios-0.6.1.2-25.el6.x86_64
sgabios-bin-0-0.3.20110621svn.el6.noarch
spice-server-0.12.0-7.el6.x86_64
vgabios-0.6b-3.7.el6.noarch
Guest: rhel6.3.64 w/ qxl driver installed (and runlevel 5)

How reproducible:
Only once (tried 200+ attempts, but didn't manage to reproduce)

Steps to Reproduce:
1. boot a guest w/qxl spice
/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/qemu -name 'vm1' -nodefaults -chardev socket,id=qmp_monitor_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20121204-141011-qcmV,server,nowait -mon chardev=qmp_monitor_id_qmpmonitor1,mode=control -chardev socket,id=serial_id_20121204-141011-qcmV,path=/tmp/serial-20121204-141011-qcmV,server,nowait -device isa-serial,chardev=serial_id_20121204-141011-qcmV -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=0x4 -drive file='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/images/RHEL-Server-6.3-64-virtio.qcow2',if=none,id=drive-virtio-disk1,media=disk,cache=none,boot=off,snapshot=off,format=qcow2,aio=native -device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,id=virtio-disk1 -device virtio-net-pci,netdev=id9e6Dya,mac=9a:99:a3:46:7d:0a,id=ndev00id9e6Dya,bus=pci.0,addr=0x3 -netdev tap,id=id9e6Dya,vhost=on,fd=26 -m 2048 -smp 1,cores=0,threads=1,sockets=2 -cpu 'Opteron_G2' -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
\
 -spice port=3000,password=123456,addr=0,tls-port=3200,x509-dir=/tmp/spice_x509d,tls-channel=main,tls-channel=inputs,image-compression=auto_glz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4 \
 -vga qxl -global qxl-vga.vram_size=33554432 \
 \
 -rtc base=utc,clock=host,driftfix=slew -M rhel6.4.0 -boot order=cdn,once=c,menu=off    -no-kvm-pit-reinjection -enable-kvm 
  
Actual results:

qemu crashes
Expected results:

Guest works well, no core dump.
Additional info:


thread apply all bt
Core was generated by `/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/qemu -name vm1 -nod'.
Program terminated with signal 6, Aborted.
#0  0x00007f14ffcdc8a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) 
Thread 4 (Thread 0x7f14f8a57700 (LWP 30954)):
#0  __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
#1  0x00007f1501cd5388 in _L_lock_854 () from /lib64/libpthread-2.12.so
#2  0x00007f1501cd5257 in __pthread_mutex_lock (mutex=0x7f15028879c0) at pthread_mutex_lock.c:61
#3  0x00007f150239d84a in kvm_main_loop_wait (env=0x7f1504dce600, timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1874
#4  0x00007f150239de9d in kvm_main_loop_cpu (_env=0x7f1504dce600) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2007
#5  ap_main_loop (_env=0x7f1504dce600) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2060
#6  0x00007f1501cd3851 in start_thread (arg=0x7f14f8a57700) at pthread_create.c:301
#7  0x00007f14ffd9290d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 3 (Thread 0x7f15022ee980 (LWP 30943)):
#0  0x00007f1501cda54d in read () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f15004f4933 in read (fd=45, buf=0x7fff003cd61c "\025\177", size=4, block=<value optimized out>) at /usr/include/bits/unistd.h:45
#2  read_safe (fd=45, buf=0x7fff003cd61c "\025\177", size=4, block=<value optimized out>) at dispatcher.c:76
#3  0x00007f15004f4b66 in dispatcher_send_message (dispatcher=0x7f1504df7658, message_type=16, payload=0x7fff003cd650) at dispatcher.c:188
#4  0x00007f15004f517c in red_dispatcher_add_memslot (qxl_worker=<value optimized out>, mem_slot=<value optimized out>) at red_dispatcher.c:393
#5  qxl_worker_add_memslot (qxl_worker=<value optimized out>, mem_slot=<value optimized out>) at red_dispatcher.c:400
#6  0x00007f1502407705 in qemu_spice_create_host_memslot (ssd=0x7f15057f0ab0) at ui/spice-display.c:333
#7  0x00007f150250cae9 in qxl_hard_reset (d=0x7f15057f0840, loadvm=0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:1100
#8  0x00007f1502376be2 in qemu_system_reset (report=true) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3332
#9  0x00007f150239aed0 in qemu_kvm_system_reset (report=true) at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:1978
#10 0x00007f150239b0d3 in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2258
#11 0x00007f150237bbd8 in main_loop (argc=44, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4187
#12 main (argc=44, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6525

Thread 2 (Thread 0x7f14fa5f5700 (LWP 1320)):
#0  pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:216
#1  0x00007f15023b8c47 in cond_timedwait (unused=<value optimized out>) at posix-aio-compat.c:102
#2  aio_thread (unused=<value optimized out>) at posix-aio-compat.c:329
#3  0x00007f1501cd3851 in start_thread (arg=0x7f14fa5f5700) at pthread_create.c:301
#4  0x00007f14ffd9290d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Thread 1 (Thread 0x7f14f0bc4700 (LWP 30962)):
#0  0x00007f14ffcdc8a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f14ffcde085 in abort () at abort.c:92
#2  0x00007f15005370d5 in spice_logv (log_domain=0x7f15005b3314 "SpiceWorker", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f15005b37e7 "red_worker.c:4797", function=0x7f15005b56f0 "qxl_process_cursor", format=0x7f15005b37cd "invalid cursor command %u", args=0x7f14f0bc39d0) at log.c:109
#3  0x00007f150053720a in spice_log (log_domain=<value optimized out>, log_level=<value optimized out>, strloc=<value optimized out>, function=<value optimized out>, format=<value optimized out>) at log.c:123
#4  0x00007f15004fbf82 in qxl_process_cursor (worker=0x7f14600008c0, cursor_cmd=0x7f146021dc00, group_id=<value optimized out>) at red_worker.c:4797
#5  0x00007f15004fe032 in red_process_cursor (worker=0x7f14600008c0, ring_is_empty=0x7f14f0bc3bdc, max_pipe_size=50) at red_worker.c:4851
#6  0x00007f1500515e2d in red_worker_main (arg=<value optimized out>) at red_worker.c:11850
#7  0x00007f1501cd3851 in start_thread (arg=0x7f14f0bc4700) at pthread_create.c:301
#8  0x00007f14ffd9290d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(gdb) quit

Comment 1 Xiaoqing Wei 2012-12-05 04:53:03 UTC
The test scenario is the same as
Bug 865767 - qemu crashed when rhel6.3 64 bit guest reboots
but the bt info looks different, and
according to https://bugzilla.redhat.com/show_bug.cgi?id=865767#c24 , that bz has been fixed.

Comment 7 Xiaoqing Wei 2012-12-07 02:34:22 UTC
Created attachment 659182
qemu qmp monitor

Comment 8 Gerd Hoffmann 2012-12-10 08:36:59 UTC
Not sure I can do anything about it without a reproducer.

That it seems not to reproduce implies this could also be a hardware issue, like a flipped bit in RAM. Likewise, I can't see a justification for the Regression tag.

Also note that this could be a guest driver bug.

Is the core still somewhere?  If so, can you print cursor_cmd (thread 1, stackframe #4) struct content please?
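
Added here as an illustration (not part of the bug report, qemu or spice-server): a small Python triage helper that parses gdb `thread apply all bt` output like the one in the description, finds the thread that called abort(), and reports its first frame past the signal and logging helpers, which is the frame Comment 8 asks about. The embedded backtrace is an abridged copy of the report's frames; the names `parse_threads`, `triage` and `NOISE` are assumptions of this example.

```python
import re

# Constructed input: frames abridged from the `thread apply all bt` output in the
# bug description (some frames dropped, argument lists trimmed).
BACKTRACE = """\
Thread 3 (Thread 0x7f15022ee980 (LWP 30943)):
#0  0x00007f1501cda54d in read () at ../sysdeps/unix/syscall-template.S:82
#3  0x00007f15004f4b66 in dispatcher_send_message (dispatcher=0x7f1504df7658) at dispatcher.c:188
#7  0x00007f150250cae9 in qxl_hard_reset (d=0x7f15057f0840, loadvm=0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qxl.c:1100
#8  0x00007f1502376be2 in qemu_system_reset (report=true) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3332

Thread 1 (Thread 0x7f14f0bc4700 (LWP 30962)):
#0  0x00007f14ffcdc8a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f14ffcde085 in abort () at abort.c:92
#2  0x00007f15005370d5 in spice_logv (log_domain=0x7f15005b3314 "SpiceWorker") at log.c:109
#3  0x00007f150053720a in spice_log (log_domain=<value optimized out>) at log.c:123
#4  0x00007f15004fbf82 in qxl_process_cursor (worker=0x7f14600008c0, cursor_cmd=0x7f146021dc00) at red_worker.c:4797
#5  0x00007f15004fe032 in red_process_cursor (worker=0x7f14600008c0) at red_worker.c:4851
"""

THREAD_RE = re.compile(r"^Thread (\d+) \(Thread 0x[0-9a-f]+ \(LWP (\d+)\)\):")
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \(.*\) (?:at|from) (\S+)$")
NOISE = {"raise", "abort", "spice_logv", "spice_log"}  # signal delivery and logging helpers

def parse_threads(text):
    """Return {thread_number: [(frame_no, function, location), ...]}."""
    threads, current = {}, None
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = threads.setdefault(int(m.group(1)), [])
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append((int(m.group(1)), m.group(2), m.group(3)))
    return threads

def triage(text):
    """Find the thread that called abort() and its first frame past the noise."""
    threads = parse_threads(text)
    for tid, frames in threads.items():
        if any(fn == "abort" for _, fn, _ in frames):
            culprit = next((f for f in frames if f[1] not in NOISE), None)
            others = {t: [fn for _, fn, _ in fr] for t, fr in threads.items() if t != tid}
            return {"thread": tid, "frame": culprit, "others": others}
    return None

if __name__ == "__main__":
    print(triage(BACKTRACE))
```

The `others` entry lists what the remaining threads were executing at the time of the abort, here the main thread inside `qxl_hard_reset`.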

