Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 896457

Summary: qemu core dump because of SpiceWorker-ERROR
Product: Red Hat Enterprise Linux 6 Reporter: Xu Tian <xutian>
Component: spice-serverAssignee: Uri Lublin <uril>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Desktop QE <desktop-qa-list>
Severity: medium Docs Contact:
Priority: high    
Version: 6.4CC: acathrow, bsarathy, cfergeau, dblechte, juzhang, mkenneth, virt-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-03 16:07:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
full backtrace none

Description Xu Tian 2013-01-17 11:03:22 UTC 
Created attachment 680129 [details]
full backtrace

Description of problem:

qemu crash when execute reboot test case with autotest tool, in this test autotest will send "screendump /dev/shm/xxx.pmp", and guest reboot in reboot loop too; see backtrack below:
(gdb) bt
#0  0x00007f41d00378a5 in raise () from /lib64/libc.so.6
#1  0x00007f41d0039085 in abort () from /lib64/libc.so.6
#2  0x00007f41d0891d55 in spice_logv (log_domain=0x7f41d090df3c "SpiceWorker", log_level=SPICE_LOG_LEVEL_ERROR, strloc=0x7f41d090e984 "red_worker.c:4885", function=0x7f41d0910330 "red_process_cursor", 
    format=0x7f41d090e973 "bad command type", args=0x7f41c0dfca00) at log.c:109
#3  0x00007f41d0891e8a in spice_log (log_domain=<value optimized out>, log_level=<value optimized out>, strloc=<value optimized out>, function=<value optimized out>, format=<value optimized out>)
    at log.c:123
#4  0x00007f41d0858ff5 in red_process_cursor (worker=0x7f41300008c0, ring_is_empty=0x7f41c0dfcbdc, max_pipe_size=50) at red_worker.c:4885
#5  0x00007f41d0870abd in red_worker_main (arg=<value optimized out>) at red_worker.c:11857
#6  0x00007f41d202e851 in start_thread () from /lib64/libpthread.so.0
#7  0x00007f41d00ed90d in clone () from /lib64/libc.so.6


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. start guest with command:
qemu -name 'vm1' -nodefaults -chardev socket,id=qmp_monitor_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20130117-162553-O6NU,server,nowait -mon chardev=qmp_monitor_id_qmpmonitor1,mode=control -chardev socket,id=serial_id_20130117-162553-O6NU,path=/tmp/serial-20130117-162553-O6NU,server,nowait -device isa-serial,chardev=serial_id_20130117-162553-O6NU -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=0x4 -drive file='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/images/RHEL-Server-6.3-64.qcow2',if=none,id=drive-ide0-0-0,media=disk,cache=none,boot=off,snapshot=off,format=qcow2,aio=threads -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -device e1000,netdev=idV7ZVHT,mac=9a:67:50:5c:65:5c,id=ndev00idV7ZVHT,bus=pci.0,addr=0x3 -netdev tap,id=idV7ZVHT,fd=26 -m 2048 -smp 1,cores=0,threads=1,sockets=2 -cpu 'Opteron_G2' -drive file='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/isos/linux/RHEL6.3-Server-x86_64.iso',if=none,id=drive-ide0-0-1,media=cdrom,snapshot=off,format=raw -device ide-drive,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 -drive file='/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/images/rhel63-64/ks.iso',if=none,id=drive-ide0-1-0,media=cdrom,snapshot=off,format=raw -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0 -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 -kernel '/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/images/rhel63-64/vmlinuz' -append 'ks=cdrom nicdelay=60 console=ttyS0,115200 console=tty0' -initrd '/usr/local/staf/test/RHEV/kvm-new/autotest/client/tests/kvm/images/rhel63-64/initrd.img' -spice port=3000,password=123456,addr=0,tls-port=3200,x509-dir=/tmp/spice_x509d,tls-channel=main,tls-channel=inputs,image-compression=auto_glz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4 -vga qxl -global qxl-vga.vram_size=33554432 -rtc base=utc,clock=host,driftfix=slew -M rhel6.4.0 -boot order=cdn,once=d,menu=off    -no-kvm-pit-reinjection -no-shutdown -enable-kvm
2. send command {'execute': 'human-monitor-command', 'arguments': {'command-line': 'screendump /dev/shm/scrdump-XWlKib.ppm'}, 'id': 'zYKHudxn'} to qmp monior
3. reboot guest in loop with command "shutdown -r now"
  
Actual results:


Expected results:


Additional info:
kernel version: 2.6.32-354.el6.x86_64
qemu version: qemu-kvm-rhev-0.12.1.2-2.352.el6.x86_64
spice-server version: spice-server-0.12.0-12.el6.x86_64
Comment 2 juzhang 2013-01-18 05:05:58 UTC 
Not sure it's related,  FYI
Bug 883654 - qemu crashes when rebooting the guest: SpiceWorker-ERROR **: red_worker.c:4797:qxl_process_cursor: invalid cursor command 235
Bug 887775 - qemu-kvm crashed on ../spice-common/common/ring.h:121:ring_next: assertion `pos->next != NULL && pos->prev != NULL' failed
Comment 3 RHEL Program Management 2013-01-21 06:47:45 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 4 juzhang 2013-01-21 07:42:19 UTC 
FYI
From bt
very similar Bug 868807 - Qemu aborted when change the resolution of guest from 1024x768 to 2560x1600  

--snip of Bug 868807 bt--
Program received signal SIGABRT, Aborted.
0x00007ffff574c8a5 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff574c8a5 in raise () from /lib64/libc.so.6
#1  0x00007ffff574e085 in abort () from /lib64/libc.so.6
#2  0x00007ffff5fa5c35 in spice_logv (log_domain=0x7ffff6021d9c "SpiceWorker", log_level=SPICE_LOG_LEVEL_CRITICAL, strloc=0x7ffff60220bd "red_worker.c:10916", function=
    0x7ffff6023d90 "red_push_monitors_config", format=0x7ffff60220a7 "condition `%s' failed", args=0x7fffe5bfb970) at log.c:109
#3  0x00007ffff5fa5d6a in spice_log (log_domain=<value optimized out>, log_level=<value optimized out>, strloc=<value optimized out>, function=<value optimized out>, 
    format=<value optimized out>) at log.c:123
#4  0x00007ffff5f8390d in on_new_display_channel_client (opaque=<value optimized out>, payload=0x7ffec421d0b0) at red_worker.c:9489
#5  handle_new_display_channel (opaque=<value optimized out>, payload=0x7ffec421d0b0) at red_worker.c:10376
#6  handle_dev_display_connect (opaque=<value optimized out>, payload=0x7ffec421d0b0) at red_worker.c:11216
#7  0x00007ffff5f63cc7 in dispatcher_handle_single_read (dispatcher=0x7ffff8b86c78) at dispatcher.c:139
#8  dispatcher_handle_recv_read (dispatcher=0x7ffff8b86c78) at dispatcher.c:162
#9  0x00007ffff5f8488e in red_worker_main (arg=<value optimized out>) at red_worker.c:11782
#10 0x00007ffff7740851 in start_thread () from /lib64/libpthread.so.0
#11 0x00007ffff580167d in clone () from /lib64/libc.so.6
(gdb)

Hi, Xu

Would you please update the following 2 question?
1. How reproducible?
2. It is a regressional bug?

Best Regards & Thanks,
Junyi
Comment 5 Xu Tian 2013-01-21 07:59:26 UTC 
(In reply to comment #4)
> FYI
> From bt
> very similar Bug 868807 - Qemu aborted when change the resolution of guest
> from 1024x768 to 2560x1600  
> 
> --snip of Bug 868807 bt--
> Program received signal SIGABRT, Aborted.
> 0x00007ffff574c8a5 in raise () from /lib64/libc.so.6
> (gdb) bt
> #0  0x00007ffff574c8a5 in raise () from /lib64/libc.so.6
> #1  0x00007ffff574e085 in abort () from /lib64/libc.so.6
> #2  0x00007ffff5fa5c35 in spice_logv (log_domain=0x7ffff6021d9c
> "SpiceWorker", log_level=SPICE_LOG_LEVEL_CRITICAL, strloc=0x7ffff60220bd
> "red_worker.c:10916", function=
>     0x7ffff6023d90 "red_push_monitors_config", format=0x7ffff60220a7
> "condition `%s' failed", args=0x7fffe5bfb970) at log.c:109
> #3  0x00007ffff5fa5d6a in spice_log (log_domain=<value optimized out>,
> log_level=<value optimized out>, strloc=<value optimized out>,
> function=<value optimized out>, 
>     format=<value optimized out>) at log.c:123
> #4  0x00007ffff5f8390d in on_new_display_channel_client (opaque=<value
> optimized out>, payload=0x7ffec421d0b0) at red_worker.c:9489
> #5  handle_new_display_channel (opaque=<value optimized out>,
> payload=0x7ffec421d0b0) at red_worker.c:10376
> #6  handle_dev_display_connect (opaque=<value optimized out>,
> payload=0x7ffec421d0b0) at red_worker.c:11216
> #7  0x00007ffff5f63cc7 in dispatcher_handle_single_read
> (dispatcher=0x7ffff8b86c78) at dispatcher.c:139
> #8  dispatcher_handle_recv_read (dispatcher=0x7ffff8b86c78) at
> dispatcher.c:162
> #9  0x00007ffff5f8488e in red_worker_main (arg=<value optimized out>) at
> red_worker.c:11782
> #10 0x00007ffff7740851 in start_thread () from /lib64/libpthread.so.0
> #11 0x00007ffff580167d in clone () from /lib64/libc.so.6
> (gdb)
> 
> Hi, Xu
> 
> Would you please update the following 2 question?
> 1. How reproducible?
> 2. It is a regressional bug?
> 
> Best Regards & Thanks,
> Junyi

Hi, Junyi

This defeat found in anaysis autotest job reboot testcase, it just happend once and I have try to reporduce but no stable way to reporduce it;

thanks,
Xu
Comment 6 Uri Lublin 2013-07-03 16:07:10 UTC 
Since this bug only happened once and is not reproducible (comment #5),
I'm closing the bug (insufficient data).

Please reopen if a way to reproduce this bug is found.