Bug 994388 - SpiceWorker-CRITICAL **: red_worker.c:4894:red_update_area: condition `area->left >= 0 && area->top >= 0 && area->left < area->right && area->top < area->bottom' failed
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.5
Priority: low
Severity: medium
Assigned To: Gerd Hoffmann
QA Contact: Virtualization Bugs
Reported: 2013-08-07 03:45 EDT by Chao Yang
Modified: 2014-10-14 02:49 EDT
Fixed In Version: qemu-kvm-0.12.1.2-2.433.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 02:49:52 EDT
Type: Bug
Attachments: None

Description Chao Yang 2013-08-07 03:45:59 EDT
Description of problem:
Repeatedly switching consoles by sending ctrl+alt+F[1-7] to remote-viewer crashed qemu-kvm.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.382.el6.x86_64
spice-server-0.12.4-2.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Fresh install a RHEL guest
2. Connect by remote-viewer
3. Keep switching consoles with ctrl+alt+F[1-7]

Actual results:
qemu-kvm instance crashed.

Expected results:


Additional info:
 SpiceWorker-CRITICAL **: red_worker.c:4894:red_update_area: condition `area->left >= 0 && area->top >= 0 && area->left < area->right && area->top < area->bottom' failed

0x00007ffff5707925 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);

(gdb) bt
#0  0x00007ffff5707925 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff5709105 in abort () at abort.c:92
#2  0x00007ffff5f69875 in spice_logv (log_domain=0x7ffff5fe7075 "SpiceWorker", log_level=SPICE_LOG_LEVEL_CRITICAL, 
    strloc=0x7ffff5fe8578 "red_worker.c:4894", function=0x7ffff5fe9690 "red_update_area", format=0x7ffff5fe8550 "condition `%s' failed", 
    args=0x7fffe4df98a0) at log.c:109
#3  0x00007ffff5f699aa in spice_log (log_domain=<value optimized out>, log_level=<value optimized out>, strloc=<value optimized out>, 
    function=<value optimized out>, format=<value optimized out>) at log.c:123
#4  0x00007ffff5f371bf in red_update_area (worker=0x7ffeb40008c0, area=0x7fffe4df9a90, surface_id=0) at red_worker.c:4893
#5  0x00007ffff5f3f048 in handle_dev_update_async (opaque=0x7ffeb40008c0, payload=<value optimized out>) at red_worker.c:11132
#6  0x00007ffff5f24607 in dispatcher_handle_single_read (dispatcher=0x7ffff9d11538) at dispatcher.c:139
#7  dispatcher_handle_recv_read (dispatcher=0x7ffff9d11538) at dispatcher.c:162
#8  0x00007ffff5f40226 in red_worker_main (arg=<value optimized out>) at red_worker.c:12276
#9  0x00007ffff77289d1 in start_thread (arg=0x7fffe4dfa700) at pthread_create.c:301
#10 0x00007ffff57bda8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
Comment 1 Chao Yang 2013-08-07 03:47:15 EDT
CLI:
/usr/libexec/qemu-kvm -name test -M rhel6.5.0 -cpu host -enable-kvm -m 4096 -smp 8,sockets=2,cores=2,threads=2,maxcpus=160 -rtc base=utc,clock=host,driftfix=slew -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/home/test.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=2 -netdev tap,id=hostnet0,vhost=on -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:42:48:ab,bus=pci.0,addr=0x3,bootindex=3 -spice port=5900,disable-ticketing,seamless-migration=on -k en-us -vga qxl -global qxl-vga.ram_size=67108864 -global qxl-vga.vram_size=33554432 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -balloon virtio -monitor stdio -serial unix:/tmp/serial,server,nowait -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -kernel vmlinuz -initrd initrd.img -append repo=http://download.englab.nay.redhat.com/pub/rhel/nightly/RHEL6.5-20130806.n.0/6.5/Server/i386/os
Comment 3 RHEL Product and Program Management 2013-10-13 22:49:34 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 4 Marc-Andre Lureau 2014-06-18 17:04:10 EDT
The condition check takes arguments coming directly from spice_qxl_update_area_async() call from qemu. This indicates a guest bug.

RHEL qemu has this check:

        if (update.left >= update.right || update.top >= update.bottom) {
            qxl_set_guest_bug(d,
                    "QXL_IO_UPDATE_AREA: invalid area (%ux%u)x(%ux%u)\n",
                    update.left, update.top, update.right, update.bottom);
            return;
        }

While upstream qemu has in addition:

        if (update.left >= update.right || update.top >= update.bottom ||
            update.left < 0 || update.top < 0) {
            qxl_set_guest_bug(d,
                    "QXL_IO_UPDATE_AREA: invalid area (%ux%u)x(%ux%u)\n",
                    update.left, update.top, update.right, update.bottom);
            break;
        }

I think we should patch spice-server with a return_if_fail(), this error can likely be ignored just like in qemu, and should be fixed in guest later on.
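The two qemu-side checks contrasted above and the spice-server assertion from the backtrace, as an added example (not qemu's or spice-server's own code; the signed 32-bit rectangle layout is an assumption modelled on QXLRect), showing which guest-supplied rectangles the RHEL check forwards straight into the abort:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not qemu or spice-server code: the two QXL_IO_UPDATE_AREA
 * checks quoted in Comment 4 and the spice-server condition from the backtrace
 * as stand-alone functions. Signed 32-bit fields are an assumption (QXLRect). */
typedef struct {
    int32_t top, left, bottom, right;
} update_rect;

/* The RHEL 6 qemu-kvm check: rejects only empty or inverted rectangles. */
bool rhel_area_ok(const update_rect *u)
{
    return !(u->left >= u->right || u->top >= u->bottom);
}

/* The upstream check: additionally rejects a negative origin. */
bool upstream_area_ok(const update_rect *u)
{
    return !(u->left >= u->right || u->top >= u->bottom ||
             u->left < 0 || u->top < 0);
}

/* The condition red_update_area asserts at red_worker.c:4894; when it is
 * false, spice_logv() by default aborts the whole qemu process (frames #1/#2). */
bool spice_condition_holds(const update_rect *a)
{
    return a->left >= 0 && a->top >= 0 &&
           a->left < a->right && a->top < a->bottom;
}

/* Counts constructed guest rectangles that the RHEL check forwards to
 * spice-server even though they fail its assertion (host crash, not guest bug). */
int count_forwarded_but_fatal(void)
{
    const update_rect samples[] = {    /* constructed: top, left, bottom, right */
        {   0,   0, 768, 1024 },       /* full screen: accepted everywhere */
        { -10,   0, 768, 1024 },       /* negative top: RHEL forwards, spice aborts */
        {   0, -32, 768, 1024 },       /* negative left: same */
        { 100, 100, 100,  200 },       /* empty height: both checks reject */
    };
    int fatal = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (rhel_area_ok(&samples[i]) && !spice_condition_holds(&samples[i]))
            fatal++;
    return fatal;
}
```

Every rectangle that passes upstream_area_ok() also satisfies spice_condition_holds(), which is why matching the upstream check turns a guest-triggered host abort into a logged guest bug.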
Comment 5 Marc-Andre Lureau 2014-06-18 17:25:44 EDT
Actually, spice-server already has return_if_fail(), but abort()s on those conditions by default.

Best is to have RHEL qemu have the same condition as upstream; reassigning.
Comment 6 Gerd Hoffmann 2014-07-02 07:21:34 EDT
upstream commits:
ccc2960d654a233a6ed415b37d8ff41728d817c5
36a03e0ba5202cf49749b2128bb62d41983681d6
Comment 7 Gerd Hoffmann 2014-07-02 08:19:26 EDT
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7657688
Patches posted.
Comment 8 Jeff Nelson 2014-07-30 17:55:50 EDT
Fix included in qemu-kvm-0.12.1.2-2.433.el6
Comment 10 mazhang 2014-08-07 22:52:23 EDT
Reproduced this bug on qemu-kvm-0.12.1.2-2.398.el6.x86_64.

Host:
qemu-kvm-0.12.1.2-2.398.el6.x86_64
qemu-kvm-debuginfo-0.12.1.2-2.398.el6.x86_64
qemu-img-0.12.1.2-2.398.el6.x86_64
gpxe-roms-qemu-0.9.7-6.11.el6.noarch
qemu-kvm-tools-0.12.1.2-2.398.el6.x86_64

Guest:
linuxmint-13-mate-dvd-32bit.iso

Steps:
1. Boot guest with the following command line:
Starting program: /usr/libexec/qemu-kvm -enable-kvm -m 1024 -spice port=5900,disable-ticketing -vga qxl -cdrom /home/linuxmint-13-mate-dvd-32bit.iso
[Thread debugging using libthread_db enabled]
Detaching after fork from child process 18366.
[New Thread 0x7fffef467700 (LWP 18372)]
[New Thread 0x7fffed8c2700 (LWP 18373)]
[New Thread 0x7fffecd06700 (LWP 18374)]

main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 0.316000 ms, bitrate 440335411 bps (419.936572 Mbps)
inputs_connect: inputs channel client create
red_dispatcher_set_cursor_peer: 

(/usr/bin/gdb:18361): SpiceWorker-CRITICAL **: red_worker.c:4894:red_update_area: condition `area->left >= 0 && area->top >= 0 && area->left < area->right && area->top < area->bottom' failed
Detaching after fork from child process 18376.

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffecd06700 (LWP 18374)]
0x00007ffff4c7d915 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.22-3.el6.x86_64 celt051-0.5.1.3-0.el6.x86_64 cyrus-sasl-gssapi-2.1.23-15.el6.x86_64 cyrus-sasl-lib-2.1.23-15.el6.x86_64 cyrus-sasl-md5-2.1.23-15.el6.x86_64 cyrus-sasl-plain-2.1.23-15.el6.x86_64 db4-4.7.25-18.el6_4.x86_64 dbus-libs-1.2.24-7.el6_3.x86_64 flac-1.2.1-6.1.el6.x86_64 glib2-2.28.8-1.el6.x86_64 glibc-2.12-1.147.el6.x86_64 glusterfs-api-3.6.0.26-1.el6.x86_64 glusterfs-libs-3.6.0.26-1.el6.x86_64 gnutls-2.8.5-14.el6_5.x86_64 keyutils-libs-1.4-4.el6.x86_64 krb5-libs-1.10.3-25.el6.x86_64 libICE-1.0.6-1.el6.x86_64 libSM-1.2.1-2.el6.x86_64 libX11-1.6.0-2.2.el6.x86_64 libXau-1.0.6-4.el6.x86_64 libXext-1.3.2-2.1.el6.x86_64 libXi-1.7.2-2.1.el6.x86_64 libXtst-1.2.2-2.1.el6.x86_64 libaio-0.3.107-10.el6.x86_64 libasyncns-0.8-1.1.el6.x86_64 libcom_err-1.41.12-20.el6.x86_64 libgcrypt-1.4.5-11.el6_4.x86_64 libgpg-error-1.7-4.el6.x86_64 libjpeg-turbo-1.2.1-3.el6_5.x86_64 libogg-1.1.4-2.1.el6.x86_64 libselinux-2.0.94-5.8.el6.x86_64 libsndfile-1.0.20-5.el6.x86_64 libtasn1-2.3-6.el6_5.x86_64 libuuid-2.17.2-12.17.el6.x86_64 libvorbis-1.2.3-4.el6_2.1.x86_64 libxcb-1.9.1-2.el6.x86_64 nss-softokn-freebl-3.14.3-14.el6.x86_64 openssl-1.0.1e-28.el6.x86_64 pixman-0.32.4-4.el6.x86_64 pulseaudio-libs-0.9.21-17.el6.x86_64 tcp_wrappers-libs-7.6-57.el6.x86_64 usbredir-0.5.1-1.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) 
(gdb) 
(gdb) bt
#0  0x00007ffff4c7d915 in raise () from /lib64/libc.so.6
#1  0x00007ffff4c7f0f5 in abort () from /lib64/libc.so.6
#2  0x00007ffff54df875 in spice_logv (log_domain=0x7ffff555d075 "SpiceWorker", log_level=SPICE_LOG_LEVEL_CRITICAL, 
    strloc=0x7ffff555e578 "red_worker.c:4894", function=0x7ffff555f690 "red_update_area", 
    format=0x7ffff555e550 "condition `%s' failed", args=0x7fffecd058b0) at log.c:109
#3  0x00007ffff54df9aa in spice_log (log_domain=<value optimized out>, log_level=<value optimized out>, 
    strloc=<value optimized out>, function=<value optimized out>, format=<value optimized out>) at log.c:123
#4  0x00007ffff54ad1bf in red_update_area (worker=0x7fff980008c0, area=0x7fff982e1bf0, surface_id=986)
    at red_worker.c:4893
#5  0x00007ffff54b6ab6 in handle_dev_update (opaque=0x7fff980008c0, payload=<value optimized out>)
    at red_worker.c:11168
#6  0x00007ffff549a607 in dispatcher_handle_single_read (dispatcher=0x7ffff872f6c8) at dispatcher.c:139
#7  dispatcher_handle_recv_read (dispatcher=0x7ffff872f6c8) at dispatcher.c:162
#8  0x00007ffff54b6226 in red_worker_main (arg=<value optimized out>) at red_worker.c:12276
#9  0x00007ffff77029d1 in start_thread () from /lib64/libpthread.so.0
#10 0x00007ffff4d33ccd in clone () from /lib64/libc.so.6


Update qemu-kvm to qemu-kvm-0.12.1.2-2.435.el6.

Starting program: /usr/libexec/qemu-kvm -enable-kvm -m 1024 -spice port=5900,disable-ticketing -vga qxl -cdrom /home/linuxmint-13-mate-dvd-32bit.iso
[Thread debugging using libthread_db enabled]
Detaching after fork from child process 18299.
[New Thread 0x7fffeeb0c700 (LWP 18304)]
[New Thread 0x7fffecf67700 (LWP 18305)]
[New Thread 0x7fff9e9fb700 (LWP 18306)]

main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 0.300000 ms, bitrate 485999050 bps (463.484812 Mbps)
red_dispatcher_set_cursor_peer:
inputs_connect: inputs channel client create
[Thread 0x7fffeeb0c700 (LWP 18304) exited]
[New Thread 0x7fffeeb0c700 (LWP 18308)]
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff980248c0 for 965 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 965
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff98024828 for 964 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 964
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff98024790 for 963 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 963
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff980246f8 for 962 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 962
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff980245c8 for 960 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 960
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
[Thread 0x7fffeeb0c700 (LWP 18308) exited]

Qemu-kvm didn't crash, but spice printed warnings and the guest hung.

Gerd, is this expected? If so, I will set this bug to verified.

Thanks,
Mazhang.
Comment 11 Gerd Hoffmann 2014-08-25 10:22:16 EDT
Hi,

> Qemu-kvm didn't crash, but spice prompt warning and guest hang.

Behavior hints the guest driver is broken.
Guest bug doesn't crash qemu any more -> good, qemu bug is fixed.
Comment 13 errata-xmlrpc 2014-10-14 02:49:52 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1490.html