Bug 918169 – Closing window while playing video causes VM to crash

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 918169 - Closing window while playing video causes VM to crash

Summary:	Closing window while playing video causes VM to crash

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	spice-server (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	unspecified Severity urgent
Target Milestone:	rc
Target Release:	---
Assigned To:	Yonit Halperin
QA Contact:	Desktop QE
Docs Contact:

URL:
Whiteboard:
Keywords:	Regression

Depends On:
Blocks:	989711
	Show dependency tree / graph

Reported:	2013-03-05 10:55 EST by Tomas Jamrisko
Modified:	2017-02-06 10:16 EST (History)
CC List:	9 users (show)

See Also:
Fixed In Version:	spice-server-0.12.4-2
Doc Type:	Bug Fix
Doc Text:	For a more detailed explanation -- see commit log of patch http://patchwork.freedesktop.org/patch/14122/ Cause: When two items were to be sent to the client (for example in on_new_cursor_channel), at the time the client got disconnected, the first item was cleared, while the second was not (meaning it was meant to be sent to the client). Consequence: An assert, that makes sure there are no items to be sent when the client is removed, was hit causing spice-server to abort. Fix: The second item is now cleared too. Result: The assert does not hit and spice-server continues to run.
Story Points:	---
Clone Of:
Clones:	989711 (view as bug list)
Environment:
Last Closed:	2013-11-21 02:39:40 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
This is what appears in the log generated by qemu. Tried attaching gdb but it didn't fail... also after installation of debuginfo, no stack was attached (25.57 KB, text/plain) 2013-03-05 10:55 EST, Tomas Jamrisko	no flags	Details
From start to crash (39.55 KB, text/plain) 2013-03-13 10:29 EDT, Tomas Jamrisko	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1571	normal	SHIPPED_LIVE	spice-server bug fix and enhancement update	2013-11-20 16:39:57 EST

Groups: None (edit)

Description Tomas Jamrisko 2013-03-05 10:55:52 EST

Created attachment 705532 [details]
This is what appears in the log generated by qemu. Tried attaching gdb but it didn't fail... also after installation of debuginfo, no stack was attached

Description of problem:
Windows 7 32bit; both client and guest.
Playing back a video (e.g. flash video in a browser) and closing the client window makes the VM crash

Version-Release number of selected component (if applicable):
mingw-virt-viewer-0.5.3-20
spice-server-0.12.0-12.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.348.el6.x86_64

How reproducible:
80%

Steps to Reproduce:
1. Start a Vm (preferably Windows)
2. Connect to it (from a windows client (hasn't been observed with rhel)
3. Start watching a video
4. Close the virt-viewer window

Actual results:
VM crashes

Expected results:
VM should be up

Comment 1 Marc-Andre Lureau 2013-03-05 10:58:59 EST

please move to appropriate component.

Comment 7 Christophe Fergeau 2013-03-13 06:29:42 EDT

(In reply to comment #0)
> Created attachment 705532 [details]
> This is what appears in the log generated by qemu. Tried attaching gdb but
> it didn't fail... also after installation of debuginfo, no stack was attached

You never can reproduce it with qemu running in gdb? Can you get a coredump instead, and then grab the backtrace from it? You probably need to run 'ulimit -c unlimited' to enable coredump generation

Comment 8 Tomas Jamrisko 2013-03-13 08:31:16 EDT

Tried reproducing repeatedly with gdb attached:

[New Thread 0x7f3458b14700 (LWP 14014)]

Program received signal SIGABRT, Aborted.
0x00007f345e1fb8a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007f345e1fb8a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f345e1fd085 in abort () at abort.c:92
#2  0x00007f345e2397b7 in __libc_message (do_abort=2, fmt=0x7f345e320f80 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007f345e23f0e6 in malloc_printerr (action=3, str=0x7f345e3212e0 "double free or corruption (!prev)", ptr=<value optimized out>) at malloc.c:6311
#4  0x00007f345e241c13 in _int_free (av=0x7f345e557e80, p=0x7f34631e6210, have_lock=0) at malloc.c:4811
#5  0x00007f345c07e5c4 in celt_free (mode=0x7f34631dc700) at os_support.h:78
#6  celt051_mode_destroy (mode=0x7f34631dc700) at modes.c:433
#7  0x00007f345ea48c77 in snd_disconnect_channel (channel=0x7f346304c6c0) at snd_worker.c:216
#8  0x00007f345ea498de in snd_receive (data=0x7f346304c6c0) at snd_worker.c:435
#9  0x00007f345ea499a0 in snd_event (fd=<value optimized out>, event=<value optimized out>, data=<value optimized out>) at snd_worker.c:489
#10 0x00007f346089840f in ?? ()
#11 0x00007f34608ba9ba in ?? ()
#12 0x00007f346089b178 in main ()

Comment 9 Christophe Fergeau 2013-03-13 09:11:45 EDT

Do you have a longer qemu log from before the crash occurs?

Comment 10 Tomas Jamrisko 2013-03-13 10:29:06 EDT

Created attachment 709615 [details]
From start to crash

Comment 11 Christophe Fergeau 2013-03-15 09:32:42 EDT

I could not reproduce while playing back youtube videos.

What seems to be happening is that the sound playback channel gets disconnect and frees the celt data structures, and after that happens, a callback gets called as there is data to read for the sound channel, reading the data fails as the channel has been disconnected, and this triggers a cleanup, where spice tries
again to free the celt data, leading to the crash. No idea why this happens though ;)

Comment 12 Yonit Halperin 2013-04-16 16:35:41 EDT

Can you please attach a qemu log with the highest spice debug level?

Comment 14 Yonit Halperin 2013-07-26 14:11:44 EDT

I posted a patch series, starting with http://patchwork.freedesktop.org/patch/14122/

I managed to reproduced the bug with guest playing video in a loop, and a script on a windows client that connect and disconnects the remote-viewer to the VM repeatedly.
During the disconnection, I also hit another assert that is fixed by this patch series:
(./x86_64-softmmu/qemu-system-x86_64:660): Spice-ERROR **: red_channel.c:1987:red_client_destroy: assertion `rcc->send_data.size == 0' failed

Comment 18 errata-xmlrpc 2013-11-21 02:39:40 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1571.html

Note You need to log in before you can comment on or make changes to this bug.