qemu 4.0.0 abort()s in audio_get_pdo_in (poisoned drv->driver?)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| QEMU | Expired | Undecided | Unassigned | |
Bug Description
After upgrading qemu from 3.0.0 to 4.0.0 (compiled from the release tarball), I'm seeing a (reproducible) crash related to the audio subsystem.
I recompiled qemu with debugging options and got it to crash under gdb:
Thread 6 "qemu-system-x86" received signal SIGABRT, Aborted.
0x00007ffff52e420b in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff52e420b in raise () at /lib64/libc.so.6
#1 0x00007ffff52c6524 in abort () at /lib64/libc.so.6
#2 0x000000000041ec33 in audio_get_pdo_in (dev=<optimized out>) at audio/audio_
#3 0x00000000005d0123 in AUD_open_in
(card=
#4 0x000000000060fe2e in hda_audio_setup (st=0x7ffdde98fd58) at hw/audio/
#5 0x000000000061051b in hda_audio_command (hda=0x7ffdde98
#6 0x000000000060ea20 in intel_hda_
#7 0x000000000060ebbe in intel_hda_corb_run (d=<optimized out>) at hw/audio/
#8 0x000000000060ebbe in intel_hda_corb_run (d=0x7ffff0a2fc00) at hw/audio/
#9 0x0000000000495b99 in memory_
(mr=
at memory.c:502
#10 0x000000000049448e in access_
(addr=
#11 0x00000000004974f3 in memory_
at memory.c:1496
#12 0x000000000042afbc in flatview_
(fv=
#13 0x000000000042b1d6 in flatview_write
(fv=
at exec.c:3318
#14 0x000000000042e2a6 in address_space_write
(as=0xfc5080 <address_
at exec.c:3408
#15 0x000000000042e33a in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=...,
attrs@
#16 0x00000000004ac3c6 in kvm_cpu_exec (cpu=cpu@
#17 0x00000000004812ae in qemu_kvm_
#18 0x00000000004812ae in qemu_kvm_
#19 0x000000000089d0eb in qemu_thread_start (args=<optimized out>) at util/qemu-
#20 0x00007ffff549319c in start_thread () at /lib64/
#21 0x00007ffff53ba4af in clone () at /lib64/libc.so.6
After some poking around, I think there's something overwriting dev->driver so this switch(dev->driver) statement falls through to abort(): https:/
Here's why I think so:
$ export QEMU_AUDIO_DRV=pa
$ gdb /usr/bin/
(gdb) b qpa_audio_init
Breakpoint 1 at 0x79bcb0: file audio/paaudio.c, line 831.
(gdb) b audio_get_pdo_in
Breakpoint 2 at 0x5ce320: file audio/audio_
(gdb) run -enable-kvm -cpu Nehalem -machine q35 -device intel-iommu -name Workstation -smp 4 -m 8G -soundhw hda -rtc base=localtime -drive file=workstatio
Thread 1 "qemu-system-x86" hit Breakpoint 1, qpa_audio_init (dev=0x7ffff161
(gdb) p (*dev)->driver
$1 = AUDIODEV_DRIVER_PA
(gdb) p/d AUDIODEV_DRIVER_PA
$2 = 5
(gdb) cont
Continuing.
[Thread 0x7ffff09ff700 (LWP 4078) exited]
audio: warning: Using timer based audio emulation
Thread 1 "qemu-system-x86" hit Breakpoint 2, audio_get_pdo_in (dev=0x7ffff161
(gdb) p (*dev)->driver
$3 = AUDIODEV_DRIVER_PA
(gdb) cont
Continuing.
Thread 1 "qemu-system-x86" hit Breakpoint 2, audio_get_pdo_in (dev=0x7ffff161
(gdb) p (*dev)->driver
$4 = AUDIODEV_DRIVER_PA
(gdb) cont
Continuing.
Thread 1 "qemu-system-x86" hit Breakpoint 2, audio_get_pdo_in (dev=0x7ffff161
(gdb) p (*dev)->driver
$5 = AUDIODEV_DRIVER_PA
(gdb) cont
Continuing.
[New Thread 0x7ffff09ff700 (LWP 4483)]
[New Thread 0x7ffddcdff700 (LWP 4489)]
[New Thread 0x7ffddbdff700 (LWP 4490)]
[New Thread 0x7ffddb1ff700 (LWP 4491)]
[New Thread 0x7ffdd2dff700 (LWP 4494)]
[New Thread 0x7ffdd25fe700 (LWP 4495)]
[New Thread 0x7ffdd1dfd700 (LWP 4497)]
[New Thread 0x7ffdda5ff700 (LWP 4500)]
[New Thread 0x7ffdcedff700 (LWP 4501)]
qemu-system-x86_64: warning: guest updated active QH
[Switching to Thread 0x7fffef7ff700 (LWP 4097)]
Thread 4 "qemu-system-x86" hit Breakpoint 2, audio_get_pdo_in (dev=0x7ffff161
(gdb) p (*dev)->driver
$6 = 176
For what it's worth, the guest is Fedora 29 and the host is a Slackware system with qemu compiled (manually) with these options:
CFLAGS="-O2 -fPIC" \
CXXFLAGS="-O2 -fPIC" \
./configure \
--prefix=/usr --libdir=/usr/lib64 --sysconfdir=/etc --localstatedir
--enable-gtk \
--enable-system \
--enable-kvm \
--enable-virtfs \
--enable-sdl \
--enable-gnutls \
--enable-curses \
--enable-virtfs \
--enable-curl \
--enable-
--enable-
--enable-spice \
--enable-libusb \
--enable-
--enable-lzo \
--enable-bzip2 \
--enable-libssh2 \
--enable-numa \
--enable-jemalloc \
--enable-opengl \
--audio-
--enable-vnc --enable-vnc-sasl --enable-vnc-png --enable-vnc-jpeg \
--target-
--enable-debug --extra-
Can you set a watchpoint for (*dev)->driver and see where it fires?
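As an added illustration of the watchpoint approach suggested above (example script, not part of the original report or of QEMU), a gdb command file that stops once in audio_get_pdo_in while the field still reads AUDIODEV_DRIVER_PA, then arms a hardware watchpoint on (*dev)->driver and prints the writing thread and call chain every time it changes. The file name watch-driver.gdb is an assumption; the qemu command line is the reporter's.

```gdb
# Added example (not from the report): find the write that changes (*dev)->driver.
# Load it with the reporter's command line, for example:
#   gdb -x watch-driver.gdb --args /usr/bin/qemu-system-x86_64 -enable-kvm -cpu Nehalem \
#       -machine q35 -device intel-iommu -smp 4 -m 8G -soundhw hda ...
set pagination off

# Stop exactly once, the first time audio_get_pdo_in runs. The field is still
# sane here (the report shows $3 = AUDIODEV_DRIVER_PA), so every later write
# to it is suspect.
tbreak audio_get_pdo_in
run

# The script resumes here while stopped in that frame. -l watches the address
# the expression evaluates to rather than the expression itself, so the
# hardware watchpoint stays valid after audio_get_pdo_in returns.
watch -l (*dev)->driver

# On each write gdb prints the old and new value; additionally record which
# thread did it and its call chain, then keep running so the whole sequence
# up to the abort() is captured in one session.
commands
  printf "(*dev)->driver written by thread %d\n", $_thread
  bt 10
  continue
end

continue
```

The backtrace printed at the write that turns the value from 5 into something like 176 is the code path to inspect. If the Audiodev object is freed and its memory reused, the watchpoint location goes stale and later hits are noise, so check the first hit that is not a legitimate assignment.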