RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 891326 - spice-server crash when trying on guest (XP) to change settings of "3D Flying Objects" screen-saver
Summary: spice-server crash when trying on guest (XP) to change settings of "3D Flying...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-server
Version: 6.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Uri Lublin
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 895654
TreeView+ depends on / blocked
 
Reported: 2013-01-02 15:50 UTC by Uri Lublin
Modified: 2013-07-03 12:19 UTC (History)
12 users (show)

Fixed In Version: spice-server-0.12.0-11.el6
Doc Type: Bug Fix
Doc Text:
Cause: - General: Trying to change settings of "3D Flying Objects" screen-saver (and others) made spice-server access already freed pointers. - More technical: Inserting a new image into spice-tree may result in drawing of an area containing the new image. Also it may cause stopping video streams that intersect with that area. Drawing the area after detaching video streams, may have caused spice-server to access already freed memory. Consequence: spice-server crashed. Fix: The order of operation has changed. First insert the image into spice-tree (which may cause drawing of the area), and then detach the video streams. Result: Spice-server does not crash.
Clone Of:
Environment:
Last Closed: 2013-02-21 10:04:12 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
fixing patch (7.96 KB, patch)
2013-01-08 18:12 UTC, Yonit Halperin 		no flags Details | Diff
screen recording (1.11 MB, video/mp4)
2013-01-15 14:50 UTC, David Jaša 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0529 0 normal SHIPPED_LIVE spice-server bug fix and enhancement update 2013-02-20 21:51:04 UTC

Description Uri Lublin 2013-01-02 15:50:13 UTC 
Description of problem:
spice-server crash when trying to set properties of 3d screen-saver.


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffeccca700 (LWP 31320)]
__current_add_drawable (worker=0x7fff980008c0, ring=0x7fff98376db8, drawable=0x7fff9818fca8) at red_worker.c:2363
2363	    ring_add_after(&drawable->tree_item.base.siblings_link, pos);

(gdb) bt
#0  __current_add_drawable (worker=0x7fff980008c0, ring=0x7fff98376db8, drawable=0x7fff9818fca8)
    at red_worker.c:2363
#1  red_current_add (worker=0x7fff980008c0, ring=0x7fff98376db8, drawable=0x7fff9818fca8) at red_worker.c:3491
#2  0x00007ffff5f7c111 in red_current_add_qxl (worker=0x7fff980008c0, ring_is_empty=0x7fffeccc9bdc, max_pipe_size=
    50) at red_worker.c:3624
#3  red_process_drawable (worker=0x7fff980008c0, ring_is_empty=0x7fffeccc9bdc, max_pipe_size=50)
    at red_worker.c:3965
#4  red_process_commands (worker=0x7fff980008c0, ring_is_empty=0x7fffeccc9bdc, max_pipe_size=50)
    at red_worker.c:4908
#5  0x00007ffff5f7edea in red_worker_main (arg=<value optimized out>) at red_worker.c:11842
#6  0x00007ffff773a851 in start_thread (arg=0x7fffeccca700) at pthread_create.c:301
#7  0x00007ffff57fb90d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
(gdb) 


Version-Release number of selected component (if applicable):
$ rpm -q spice-server qemu-kvm
spice-server-0.12.0-10.el6.x86_64
qemu-kvm-0.12.1.2-2.348.el6.x86_64


How reproducible:
very reproducible, always fail.
sometimes instead of crashing, spice-server aborts.
sometimes steps 4-5 below need to be done twice (chose a different 3d screen saver).

Steps to Reproduce:
1. Start a guest running Windows XP (log in if needed)
2. Right-click the desktop and chose "Properties"
3. Click on the "Screen Saver" tab
4. Chose the "3D Flying Objects" screen-saver from the drop-down
5. Click "Settings"
6. spice-server segfaults
Comment 2 Uri Lublin 2013-01-06 16:06:18 UTC 
bisecting shows the first bad commit is:
  81fe00b08ad4f8abe848f9840c4879e8c1e645c1
  server/red_worker/video: upgrade stream by a screenshot
  instead of the last frame, if needed
Comment 3 Yonit Halperin 2013-01-08 18:12:52 UTC 
Created attachment 674984 [details]
fixing patch

I posted the attached patch upstream
Comment 5 David Jaša 2013-01-15 14:50:48 UTC 
Created attachment 678812 [details]
screen recording

In spice-server-0.12.0-10, I've encoutered freezes in the scenario but not asserts (maybe caused by using clean VM without QXL driver).

The freezes are gone in -11 but I encountered cosmetic problem: when running the reproducer the very first time, the graphics of guest flashes no matter what driver is used (qxl or generic vga) as in video. When doing it second time, no such thing occurs.
Comment 6 Yonit Halperin 2013-01-15 19:00:52 UTC 
(In reply to comment #5)
> Created attachment 678812 [details]
> screen recording
> 
> In spice-server-0.12.0-10, I've encoutered freezes in the scenario but not
> asserts (maybe caused by using clean VM without QXL driver).
> 
You must install qxl driver in order to reproduce 

> The freezes are gone in -11 but I encountered cosmetic problem: when running
> the reproducer the very first time, the graphics of guest flashes no matter
> what driver is used (qxl or generic vga) as in video. When doing it second
> time, no such thing occurs.
Are you referring to the flash that occur when you just choose the screen saver in the list? and What do you mean by "as in video"? In any case I'm not sure it is a bug, and if it is a bug, I don't think it is related to the one discussed. Did this flash happen before the fix (with an older spice-server and all the tools installed)? Did it happen just as you opened the client, or was the client already opened for a while? Does it happen without agent running?
Comment 7 David Jaša 2013-01-16 17:30:03 UTC 
(In reply to comment #6)
> > In spice-server-0.12.0-10, I've encoutered freezes in the scenario but not
> > asserts (maybe caused by using clean VM without QXL driver).
> > 
> You must install qxl driver in order to reproduce 

As such, I'll mark the bug as verified because the asserts didn't occur with -11 server and qxl driver installed.

> > The freezes are gone in -11 but I encountered cosmetic problem: when running
> > the reproducer the very first time, the graphics of guest flashes no matter
> > what driver is used (qxl or generic vga) as in video. When doing it second
> > time, no such thing occurs.
> Are you referring to the flash that occur when you just choose the screen
> saver in the list? 

Yes.

> and What do you mean by "as in video"?

"what you can see in the recorded video".

> In any case I'm
> not sure it is a bug, and if it is a bug, I don't think it is related to the
> one discussed. Did this flash happen before the fix (with an older
> spice-server and all the tools installed)?

No idea and I have no resources to try it right now.

> Did it happen just as you opened
> the client, or was the client already opened for a while?

It didn't seem to have any influence at all as well as driver used. What did matter was if you did the same before: if you selected the screen saver the very first time in VM life, the flash occurred, when it was 2nd or any later try, the flash didn't happen.

> Does it happen without agent running?

No, agent wasn't running at either case.

One more observation: the same flash occurs usually when the driver is being installed (no matter if via RHEV Tools or manually via Device Manager -> Update Driver).
Comment 10 errata-xmlrpc 2013-02-21 10:04:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0529.html
Note You need to log in before you can comment on or make changes to this bug.