Bug 994388 - SpiceWorker-CRITICAL **: red_worker.c:4894:red_update_area: condition `area->left >= 0 && area->top >= 0 && area->left < area->right && area->top < area->bottom' failed
Summary: SpiceWorker-CRITICAL **: red_worker.c:4894:red_update_area: condition `area->...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.5
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: rc
: ---
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-07 07:45 UTC by Chao Yang
Modified: 2014-10-14 06:49 UTC (History)

Fixed In Version: qemu-kvm-0.12.1.2-2.433.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 06:49:52 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1490 0 normal SHIPPED_LIVE qemu-kvm bug fix and enhancement update 2014-10-14 01:28:27 UTC

Description Chao Yang 2013-08-07 07:45:59 UTC
Description of problem:
Keeping switching consoles by sending ctrl+alt+F[1-7] to remote viewer crashed qemu-kvm.

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.382.el6.x86_64
spice-server-0.12.4-2.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. fresh install a rhel guest
2. connect by remote-viewer
3. keep switching consoles by ctrl+alt+F[1-7]

Actual results:
qemu-kvm instance crashed.

Expected results:


Additional info:
 SpiceWorker-CRITICAL **: red_worker.c:4894:red_update_area: condition `area->left >= 0 && area->top >= 0 && area->left < area->right && area->top < area->bottom' failed

0x00007ffff5707925 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);

(gdb) bt
#0  0x00007ffff5707925 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff5709105 in abort () at abort.c:92
#2  0x00007ffff5f69875 in spice_logv (log_domain=0x7ffff5fe7075 "SpiceWorker", log_level=SPICE_LOG_LEVEL_CRITICAL, 
    strloc=0x7ffff5fe8578 "red_worker.c:4894", function=0x7ffff5fe9690 "red_update_area", format=0x7ffff5fe8550 "condition `%s' failed", 
    args=0x7fffe4df98a0) at log.c:109
#3  0x00007ffff5f699aa in spice_log (log_domain=<value optimized out>, log_level=<value optimized out>, strloc=<value optimized out>, 
    function=<value optimized out>, format=<value optimized out>) at log.c:123
#4  0x00007ffff5f371bf in red_update_area (worker=0x7ffeb40008c0, area=0x7fffe4df9a90, surface_id=0) at red_worker.c:4893
#5  0x00007ffff5f3f048 in handle_dev_update_async (opaque=0x7ffeb40008c0, payload=<value optimized out>) at red_worker.c:11132
#6  0x00007ffff5f24607 in dispatcher_handle_single_read (dispatcher=0x7ffff9d11538) at dispatcher.c:139
#7  dispatcher_handle_recv_read (dispatcher=0x7ffff9d11538) at dispatcher.c:162
#8  0x00007ffff5f40226 in red_worker_main (arg=<value optimized out>) at red_worker.c:12276
#9  0x00007ffff77289d1 in start_thread (arg=0x7fffe4dfa700) at pthread_create.c:301
#10 0x00007ffff57bda8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Comment 1 Chao Yang 2013-08-07 07:47:15 UTC
CLI:
/usr/libexec/qemu-kvm -name test -M rhel6.5.0 -cpu host -enable-kvm -m 4096 -smp 8,sockets=2,cores=2,threads=2,maxcpus=160 -rtc base=utc,clock=host,driftfix=slew -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/home/test.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=2 -netdev tap,id=hostnet0,vhost=on -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:42:48:ab,bus=pci.0,addr=0x3,bootindex=3 -spice port=5900,disable-ticketing,seamless-migration=on -k en-us -vga qxl -global qxl-vga.ram_size=67108864 -global qxl-vga.vram_size=33554432 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -balloon virtio -monitor stdio -serial unix:/tmp/serial,server,nowait -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -kernel vmlinuz -initrd initrd.img -append repo=http://download.englab.nay.redhat.com/pub/rhel/nightly/RHEL6.5-20130806.n.0/6.5/Server/i386/os

Comment 3 RHEL Program Management 2013-10-14 02:49:34 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 Marc-Andre Lureau 2014-06-18 21:04:10 UTC
The condition check takes arguments coming directly from spice_qxl_update_area_async() call from qemu. This indicates a guest bug.

rhel qemu has this check:

        if (update.left >= update.right || update.top >= update.bottom) {
            qxl_set_guest_bug(d,
                    "QXL_IO_UPDATE_AREA: invalid area (%ux%u)x(%ux%u)\n",
                    update.left, update.top, update.right, update.bottom);
            return;
        }

While upstream qemu has in addition:

        if (update.left >= update.right || update.top >= update.bottom ||
            update.left < 0 || update.top < 0) {
            qxl_set_guest_bug(d,
                    "QXL_IO_UPDATE_AREA: invalid area (%ux%u)x(%ux%u)\n",
                    update.left, update.top, update.right, update.bottom);
            break;
        }

I think we should patch spice-server with a return_if_fail(); this error can likely be ignored just like in qemu, and should be fixed in the guest later on.

Comment 5 Marc-Andre Lureau 2014-06-18 21:25:44 UTC
Actually, spice server already has return_if_fail(), but it calls abort() on those conditions by default.

Best is to have qemu rhel have the same condition as upstream; reassigning.
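
The gap between the two checks quoted in comment 4, as an added example that is not part of the bug report and is not qemu or spice-server code. The Rect type, its signed 32-bit fields, the function names and the sample rectangles are assumptions made for illustration; only the three conditions are taken from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the guest-supplied rectangle; signed 32-bit
 * fields are an assumption, implied by the `>= 0` tests quoted on the page. */
typedef struct { int32_t left, top, right, bottom; } Rect;

/* Check quoted for rhel qemu: rejects empty or inverted areas only. */
static bool rhel_check_accepts(Rect u) {
    return !(u.left >= u.right || u.top >= u.bottom);
}

/* Check quoted for upstream qemu: additionally rejects negative origins. */
static bool upstream_check_accepts(Rect u) {
    return !(u.left >= u.right || u.top >= u.bottom || u.left < 0 || u.top < 0);
}

/* Condition asserted in red_update_area(), copied from the log message. */
static bool spice_condition_holds(Rect a) {
    return a.left >= 0 && a.top >= 0 &&
           a.left < a.right && a.top < a.bottom;
}

/* True when a rectangle passes the caller's check yet fails the callee's. */
static bool reaches_abort(bool (*check)(Rect), Rect r) {
    return check(r) && !spice_condition_holds(r);
}

/* Count the sample rectangles that slip past a given check. */
static int count_gaps(bool (*check)(Rect), const Rect *rs, int n) {
    int gaps = 0;
    for (int i = 0; i < n; i++)
        gaps += reaches_abort(check, rs[i]);
    return gaps;
}

/* Constructed samples: valid, negative left, negative top, inverted, empty. */
static const Rect samples[] = {
    {0, 0, 640, 480}, {-1, 0, 640, 480}, {0, -5, 640, 480},
    {640, 0, 0, 480}, {10, 10, 10, 20},
};

int main(void) {
    int n = (int)(sizeof samples / sizeof samples[0]);
    printf("gaps: rhel=%d upstream=%d\n", count_gaps(rhel_check_accepts, samples, n),
           count_gaps(upstream_check_accepts, samples, n));
    return 0;
}
```

The two negative-origin rectangles pass the rhel check but fail the spice-server condition, while the upstream check accepts exactly the rectangles for which that condition holds.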

Comment 6 Gerd Hoffmann 2014-07-02 11:21:34 UTC
upstream commits:
ccc2960d654a233a6ed415b37d8ff41728d817c5
36a03e0ba5202cf49749b2128bb62d41983681d6

Comment 7 Gerd Hoffmann 2014-07-02 12:19:26 UTC
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=7657688
patches posted.

Comment 8 Jeff Nelson 2014-07-30 21:55:50 UTC
Fix included in qemu-kvm-0.12.1.2-2.433.el6

Comment 10 mazhang 2014-08-08 02:52:23 UTC
Reproduced this bug on qemu-kvm-0.12.1.2-2.398.el6.x86_64.

Host:
qemu-kvm-0.12.1.2-2.398.el6.x86_64
qemu-kvm-debuginfo-0.12.1.2-2.398.el6.x86_64
qemu-img-0.12.1.2-2.398.el6.x86_64
gpxe-roms-qemu-0.9.7-6.11.el6.noarch
qemu-kvm-tools-0.12.1.2-2.398.el6.x86_64

Guest:
linuxmint-13-mate-dvd-32bit.iso

Steps:
1. boot guest with the following command line:
Starting program: /usr/libexec/qemu-kvm -enable-kvm -m 1024 -spice port=5900,disable-ticketing -vga qxl -cdrom /home/linuxmint-13-mate-dvd-32bit.iso
[Thread debugging using libthread_db enabled]
Detaching after fork from child process 18366.
[New Thread 0x7fffef467700 (LWP 18372)]
[New Thread 0x7fffed8c2700 (LWP 18373)]
[New Thread 0x7fffecd06700 (LWP 18374)]

main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 0.316000 ms, bitrate 440335411 bps (419.936572 Mbps)
inputs_connect: inputs channel client create
red_dispatcher_set_cursor_peer: 

(/usr/bin/gdb:18361): SpiceWorker-CRITICAL **: red_worker.c:4894:red_update_area: condition `area->left >= 0 && area->top >= 0 && area->left < area->right && area->top < area->bottom' failed
Detaching after fork from child process 18376.

Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffecd06700 (LWP 18374)]
0x00007ffff4c7d915 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.22-3.el6.x86_64 celt051-0.5.1.3-0.el6.x86_64 cyrus-sasl-gssapi-2.1.23-15.el6.x86_64 cyrus-sasl-lib-2.1.23-15.el6.x86_64 cyrus-sasl-md5-2.1.23-15.el6.x86_64 cyrus-sasl-plain-2.1.23-15.el6.x86_64 db4-4.7.25-18.el6_4.x86_64 dbus-libs-1.2.24-7.el6_3.x86_64 flac-1.2.1-6.1.el6.x86_64 glib2-2.28.8-1.el6.x86_64 glibc-2.12-1.147.el6.x86_64 glusterfs-api-3.6.0.26-1.el6.x86_64 glusterfs-libs-3.6.0.26-1.el6.x86_64 gnutls-2.8.5-14.el6_5.x86_64 keyutils-libs-1.4-4.el6.x86_64 krb5-libs-1.10.3-25.el6.x86_64 libICE-1.0.6-1.el6.x86_64 libSM-1.2.1-2.el6.x86_64 libX11-1.6.0-2.2.el6.x86_64 libXau-1.0.6-4.el6.x86_64 libXext-1.3.2-2.1.el6.x86_64 libXi-1.7.2-2.1.el6.x86_64 libXtst-1.2.2-2.1.el6.x86_64 libaio-0.3.107-10.el6.x86_64 libasyncns-0.8-1.1.el6.x86_64 libcom_err-1.41.12-20.el6.x86_64 libgcrypt-1.4.5-11.el6_4.x86_64 libgpg-error-1.7-4.el6.x86_64 libjpeg-turbo-1.2.1-3.el6_5.x86_64 libogg-1.1.4-2.1.el6.x86_64 libselinux-2.0.94-5.8.el6.x86_64 libsndfile-1.0.20-5.el6.x86_64 libtasn1-2.3-6.el6_5.x86_64 libuuid-2.17.2-12.17.el6.x86_64 libvorbis-1.2.3-4.el6_2.1.x86_64 libxcb-1.9.1-2.el6.x86_64 nss-softokn-freebl-3.14.3-14.el6.x86_64 openssl-1.0.1e-28.el6.x86_64 pixman-0.32.4-4.el6.x86_64 pulseaudio-libs-0.9.21-17.el6.x86_64 tcp_wrappers-libs-7.6-57.el6.x86_64 usbredir-0.5.1-1.el6.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) 
(gdb) 
(gdb) bt
#0  0x00007ffff4c7d915 in raise () from /lib64/libc.so.6
#1  0x00007ffff4c7f0f5 in abort () from /lib64/libc.so.6
#2  0x00007ffff54df875 in spice_logv (log_domain=0x7ffff555d075 "SpiceWorker", log_level=SPICE_LOG_LEVEL_CRITICAL, 
    strloc=0x7ffff555e578 "red_worker.c:4894", function=0x7ffff555f690 "red_update_area", 
    format=0x7ffff555e550 "condition `%s' failed", args=0x7fffecd058b0) at log.c:109
#3  0x00007ffff54df9aa in spice_log (log_domain=<value optimized out>, log_level=<value optimized out>, 
    strloc=<value optimized out>, function=<value optimized out>, format=<value optimized out>) at log.c:123
#4  0x00007ffff54ad1bf in red_update_area (worker=0x7fff980008c0, area=0x7fff982e1bf0, surface_id=986)
    at red_worker.c:4893
#5  0x00007ffff54b6ab6 in handle_dev_update (opaque=0x7fff980008c0, payload=<value optimized out>)
    at red_worker.c:11168
#6  0x00007ffff549a607 in dispatcher_handle_single_read (dispatcher=0x7ffff872f6c8) at dispatcher.c:139
#7  dispatcher_handle_recv_read (dispatcher=0x7ffff872f6c8) at dispatcher.c:162
#8  0x00007ffff54b6226 in red_worker_main (arg=<value optimized out>) at red_worker.c:12276
#9  0x00007ffff77029d1 in start_thread () from /lib64/libpthread.so.0
#10 0x00007ffff4d33ccd in clone () from /lib64/libc.so.6


Update qemu-kvm to qemu-kvm-0.12.1.2-2.435.el6.

Starting program: /usr/libexec/qemu-kvm -enable-kvm -m 1024 -spice port=5900,disable-ticketing -vga qxl -cdrom /home/linuxmint-13-mate-dvd-32bit.iso
[Thread debugging using libthread_db enabled]
Detaching after fork from child process 18299.
[New Thread 0x7fffeeb0c700 (LWP 18304)]
[New Thread 0x7fffecf67700 (LWP 18305)]
[New Thread 0x7fff9e9fb700 (LWP 18306)]

main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 0.300000 ms, bitrate 485999050 bps (463.484812 Mbps)
red_dispatcher_set_cursor_peer:
inputs_connect: inputs channel client create
[Thread 0x7fffeeb0c700 (LWP 18304) exited]
[New Thread 0x7fffeeb0c700 (LWP 18308)]
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff980248c0 for 965 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 965
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff98024828 for 964 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 964
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff98024790 for 963 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 963
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff980246f8 for 962 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 962
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1286:validate_surface: canvas address is 0x7fff980245c8 for 960 (and is NULL)

(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1287:validate_surface: failed on 960
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:1288:validate_surface: condition `!worker->surfaces[surface_id].context.canvas' reached
(/usr/bin/gdb:18294): SpiceWorker-Warning **: red_worker.c:157:rendering_incorrect: rendering incorrect from now on: handle_dev_update
[Thread 0x7fffeeb0c700 (LWP 18308) exited]

Qemu-kvm didn't crash, but spice printed warnings and the guest hung.

Gerd, is this expected? If so, I will set this bug to verified.

Thanks,
Mazhang.

Comment 11 Gerd Hoffmann 2014-08-25 14:22:16 UTC
  Hi,

> Qemu-kvm didn't crash, but spice printed warnings and the guest hung.

Behavior hints the guest driver is broken.
Guest bug doesn't crash qemu any more -> good, qemu bug is fixed.

Comment 13 errata-xmlrpc 2014-10-14 06:49:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1490.html

