QEMU

Reproducible crash in slirp_remque (qemu 1.0.1)

Bug #938431 reported by Craig Ringer on 2012-02-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

Heya

I've been testing some automated data conversion scripts with qemu 1.0.1. They work fine with qemu-kvm 0.15.1, but on qemu 1.0.1 (from the website, built from source using gcc 4.6.1, i686 host), when the script runs qemu I see qemu crash in slirp_remque a few seconds after it's launched. This crash is consistent and reproducible.

The qemu guest is SCO OpenServer 5.0.5. I'm using it for some data conversion from a legacy application. qemu is launched "-display none -monitor stdio" and controlled from a Python script that then connects to the VM over usermode port forwards to ftp data to/from the VM and send commands over telnet.

qemu is launched fine with the following command:

/usr/local/qemu/bin/qemu-system-i386 -display none -vga cirrus -M pc -no-acpi -no-hpet -monitor stdio -net user,net=10.0.2.0/24,host=10.0.2.2,dns=10.0.2.3,hostfwd=tcp:127.0.0.1:2222-10.0.2.1:22,hostfwd=tcp:127.0.0.1:2323-10.0.2.1:23,hostfwd=tcp:127.0.0.1:2121-10.0.2.1:21,hostfwd=tcp:127.0.0.1:2020-10.0.2.1:20 -net nic,model=pcnet -drive file=sco/sco.qcow2,format=qcow2,cache=unsafe,snapshot=on -drive file=sco/booksys.qcow2,format=qcow2,cache=unsafe,snapshot=on -snapshot > qemu-log

and images:

$ for f in *.qcow2; do qemu-img info $f; echo; done
image: booksys-blank-compressed.qcow2
file format: qcow2
virtual size: 4.0G (4294967296 bytes)
disk size: 696K
cluster_size: 65536

image: booksys.qcow2
file format: qcow2
virtual size: 4.0G (4294967296 bytes)
disk size: 140K
cluster_size: 65536
backing file: booksys-blank-compressed.qcow2 (actual path: booksys-blank-compressed.qcow2)

image: sco-base-compressed.qcow2
file format: qcow2
virtual size: 512M (536870912 bytes)
disk size: 142M
cluster_size: 65536

image: sco.qcow2
file format: qcow2
virtual size: 512M (536870912 bytes)
disk size: 140K
cluster_size: 65536
backing file: sco-base-compressed.qcow2 (actual path: sco-base-compressed.qcow2)

The VM guest begins booting fine, and nothing of interest appears in the monitor log:

QEMU 1.0,1 monitor - type 'help' for more information
(qemu)

After a few seconds the controlling scripts begins trying to ftp into the guest over the user-mode port forward on port 2121, and it's at this point that qemu crashes with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb63e46e0 (LWP 25453)]
0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
39 ((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link;
(gdb) bt
#0 0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
#1 0xb76854ad in if_start (slirp=0xb879beb0) at slirp/if.c:189
#2 0xb76853b3 in if_output (so=0xb8eb1380, ifm=0xb90eea60) at slirp/if.c:138
#3 0xb7686bb5 in ip_output (so=0xb8eb1380, m0=0xb90eea60)
    at slirp/ip_output.c:84
#4 0xb768f59c in tcp_output (tp=0xb906fd48) at slirp/tcp_output.c:456
#5 0xb7691b9b in tcp_timers (tp=0xb906fd48, timer=0) at slirp/tcp_timer.c:242
#6 0xb76918d4 in tcp_slowtimo (slirp=0xb879beb0) at slirp/tcp_timer.c:88
#7 0xb768965a in slirp_select_poll (readfds=0xbf9e3dcc, writefds=0xbf9e3e4c,
    xfds=0xbf9e3ecc, select_error=0) at slirp/slirp.c:433
#8 0xb763e2a0 in main_loop_wait (nonblocking=0) at main-loop.c:465
#9 0xb7633042 in main_loop () at /home/craig/build/qemu-1.0.1/vl.c:1481
#10 0xb76388a0 in main (argc=20, argv=0xbf9e42d4, envp=0xbf9e4328)
    at /home/craig/build/qemu-1.0.1/vl.c:3485

(gdb) frame 0
#0 0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
39 ((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link;

A more detailed backtrace, as supplied by "thread apply all bt full", follows at the end of this post.

In case it matters, stdout is redirected to a logfile and stdin is attached to the Python script, which hasn't yet written anything to the stdin pipe.

I'll happily post the script, but isn't much good without the OS image which is about 150MB and can't be legally redistributed. I'm happy to test patches, though, or try anything that's suggested.

Host info and full backtrace follows:

$ gcc --version
gcc (Ubuntu/Linaro 4.6.1-9ubuntu3) 4.6.1
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 11.10
Release: 11.10
Codename: oneiric

$ uname -a
Linux wallace 3.0.0-14-generic-pae #23-Ubuntu SMP Mon Nov 21 22:07:10 UTC 2011 i686 i686 i386 GNU/Linux

(gdb) thread apply all bt full

Thread 5 (Thread 0xb31e1b70 (LWP 25631)):
#0 0xb74e4424 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7332e04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locals.
#2 0xb764f38a in cond_timedwait (cond=0xb7d2e1e0, mutex=0xb7d2e1c0, ts=0xb31e135c) at posix-aio-compat.c:104
        ret = 0
#3 0xb764fb6c in aio_thread (unused=0x0) at posix-aio-compat.c:334
        aiocb = 0xb879dcc0
        ret = 0
        tv = {tv_sec = 1329889894, tv_usec = 299790}
        ts = {tv_sec = 1329889904, tv_nsec = 0}
#4 0xb732ed31 in start_thread (arg=0xb31e1b70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb31e1b70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221328908, 0, 4001536, -1289874312, -1127561837, -449321061}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#5 0xb6d9f0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 2 (Thread 0xb1ddab70 (LWP 25455)):
#0 0xb74e4424 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7335619 in __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/lowlevellock.S:142
No locals.
#2 0xb73387a0 in _L_cond_lock_704 () from /lib/i386-linux-gnu/libpthread.so.0
        libgcc_s_getcfa = 0
        libgcc_s_resume = 0
        libgcc_s_forcedunwind = 0
        libgcc_s_personality = 0
        libgcc_s_handle = 0x0
#3 0xb7338521 in __pthread_mutex_cond_lock (mutex=0xb7f02c00) at ../nptl/pthread_mutex_lock.c:61
        __PRETTY_FUNCTION__ = "__pthread_mutex_cond_lock"
        type = 3085970432
        id = 25455
#4 0xb7332b0e in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_wait.S:255
No locals.
#5 0xb766e54a in qemu_cond_wait (cond=0xb7d3eaa0, mutex=0xb7f02c00) at qemu-thread-posix.c:113
        err = -1191216176
        __func__ = "qemu_cond_wait"
#6 0xb76fc409 in qemu_tcg_wait_io_event () at /home/craig/build/qemu-1.0.1/cpus.c:699
        env = 0x10000
#7 0xb76fc6cf in qemu_tcg_cpu_thread_fn (arg=0xb8ff7bd0) at /home/craig/build/qemu-1.0.1/cpus.c:778
        env = 0x0
#8 0xb732ed31 in start_thread (arg=0xb1ddab70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb1ddab70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221328908, 0, 4001536, -1310874504, 1001047446, -449321061}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#9 0xb6d9f0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 1 (Thread 0xb63e46e0 (LWP 25453)):
#0 0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
        element = 0xb90ee408
#1 0xb76854ad in if_start (slirp=0xb879beb0) at slirp/if.c:189
        now = 182039052034397
        requeued = 0
        ifm = 0xb90ee408
        ifqt = 0x0
#2 0xb76853b3 in if_output (so=0xb8eb1380, ifm=0xb90eea60) at slirp/if.c:138
        slirp = 0xb879beb0
        ifq = 0xb90ee408
        on_fastq = 1
#3 0xb7686bb5 in ip_output (so=0xb8eb1380, m0=0xb90eea60) at slirp/ip_output.c:84
        slirp = 0xb879beb0
        ip = 0xb90eeacc
        m = 0xb90eea60
        hlen = 20
        len = -1190204832
        off = -1199980740
        error = 0
#4 0xb768f59c in tcp_output (tp=0xb906fd48) at slirp/tcp_output.c:456
        so = 0xb8eb1380
        len = 0
        win = 8760
        off = 0
        flags = 2
        error = -1217987977
        m = 0xb90eea60
        ti = 0xb90eeacc
        opt = "\002\004\005\264\001\000\000\000d<\236\277\200\302\221\267\362\260\003\000\000\000\000\000\027\307\002\000q\346\031\003"
        optlen = 4
        hdrlen = 44
        idle = 0
        sendalot = 0
#5 0xb7691b9b in tcp_timers (tp=0xb906fd48, timer=0) at slirp/tcp_timer.c:242
        rexmt = 192
#6 0xb76918d4 in tcp_slowtimo (slirp=0xb879beb0) at slirp/tcp_timer.c:88
        ip = 0xb8eb1380
        ipnxt = 0xb879c8b0
        tp = 0xb906fd48
        i = 0
#7 0xb768965a in slirp_select_poll (readfds=0xbf9e3dcc, writefds=0xbf9e3e4c, xfds=0xbf9e3ecc, select_error=0) at slirp/slirp.c:433
        slirp = 0xb879beb0
        so = 0x0
        so_next = 0x0
        ret = -1080148532
#8 0xb763e2a0 in main_loop_wait (nonblocking=0) at main-loop.c:465
        rfds = {fds_bits = {8, 0 <repeats 31 times>}}
        wfds = {fds_bits = {0 <repeats 32 times>}}
        xfds = {fds_bits = {0 <repeats 32 times>}}
        ret = 1
        nfds = 18
        tv = {tv_sec = 0, tv_usec = 990389}
        timeout = 1000
#9 0xb7633042 in main_loop () at /home/craig/build/qemu-1.0.1/vl.c:1481
        nonblocking = false
        last_io = 0
#10 0xb76388a0 in main (argc=20, argv=0xbf9e42d4, envp=0xbf9e4328) at /home/craig/build/qemu-1.0.1/vl.c:3485
        gdbstub_dev = 0x0
        i = 64
        snapshot = 1
        linux_boot = 0
        icount_option = 0x0
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0xb77f890f ""
        boot_devices = "cad", '\000' <repeats 29 times>
        ds = 0xb8b16bb8
        dcl = 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = 0x0
        opts = 0xb7343000
        olist = 0xbf9e4198
        optind = 20
        optarg = 0x0
        loadvm = 0x0
        machine = 0xb7921e60
        cpu_model = 0x0
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = 1
        log_mask = 0x0
        log_file = 0x0
        mem_trace = {malloc = 0xb7634cb1 <malloc_and_trace>, realloc = 0xb7634d0e <realloc_and_trace>, free = 0xb7634d7f <free_and_trace>, calloc = 0, try_malloc = 0, try_realloc = 0}
        trace_events = 0x0
        trace_file = 0x0
(gdb)

$ ldd /usr/local/qemu/bin/qemu-system-i386
linux-gate.so.1 => (0xb77d0000)
libnss3.so => /usr/lib/i386-linux-gnu/libnss3.so (0xb6c3a000)
libnspr4.so => /usr/lib/i386-linux-gnu/libnspr4.so (0xb6bfe000)
libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb6be2000)
librt.so.1 => /lib/i386-linux-gnu/librt.so.1 (0xb6bd9000)
libgthread-2.0.so.0 => /usr/lib/i386-linux-gnu/libgthread-2.0.so.0 (0xb6bd3000)
libglib-2.0.so.0 => /lib/i386-linux-gnu/libglib-2.0.so.0 (0xb6ada000)
libutil.so.1 => /lib/i386-linux-gnu/libutil.so.1 (0xb6ad6000)
libbluetooth.so.3 => /usr/lib/libbluetooth.so.3 (0xb6abb000)
libcurl.so.4 => /usr/lib/i386-linux-gnu/libcurl.so.4 (0xb6a5f000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb6a3d000)
libtinfo.so.5 => /lib/libtinfo.so.5 (0xb6a1e000)
libbrlapi.so.0.5 => /lib/libbrlapi.so.0.5 (0xb6a12000)
libpng12.so.0 => /lib/i386-linux-gnu/libpng12.so.0 (0xb69e7000)
libjpeg.so.62 => /usr/lib/i386-linux-gnu/libjpeg.so.62 (0xb69c3000)
libgnutls.so.26 => /usr/lib/i386-linux-gnu/libgnutls.so.26 (0xb6913000)
libSDL-1.2.so.0 => /usr/lib/libSDL-1.2.so.0 (0xb6879000)
libX11.so.6 => /usr/lib/i386-linux-gnu/libX11.so.6 (0xb6743000)
libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb6718000)
libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb6703000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb6587000)
libnssutil3.so => /usr/lib/i386-linux-gnu/libnssutil3.so (0xb656c000)
libplc4.so => /usr/lib/i386-linux-gnu/libplc4.so (0xb6566000)
libplds4.so => /usr/lib/i386-linux-gnu/libplds4.so (0xb6560000)
libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb655b000)
/lib/ld-linux.so.2 (0xb77d1000)
libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb651c000)
libidn.so.11 => /usr/lib/i386-linux-gnu/libidn.so.11 (0xb64e9000)
liblber-2.4.so.2 => /usr/lib/i386-linux-gnu/liblber-2.4.so.2 (0xb64da000)
libldap_r-2.4.so.2 => /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2 (0xb6488000)
libgssapi_krb5.so.2 => /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2 (0xb644a000)
libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb63fd000)
libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xb6259000)
librtmp.so.0 => /usr/lib/i386-linux-gnu/librtmp.so.0 (0xb6240000)
libtasn1.so.3 => /usr/lib/i386-linux-gnu/libtasn1.so.3 (0xb622d000)
libgcrypt.so.11 => /lib/i386-linux-gnu/libgcrypt.so.11 (0xb61a8000)
libpulse-simple.so.0 => /usr/lib/i386-linux-gnu/libpulse-simple.so.0 (0xb61a3000)
libpulse.so.0 => /usr/lib/i386-linux-gnu/libpulse.so.0 (0xb6155000)
libxcb.so.1 => /usr/lib/i386-linux-gnu/libxcb.so.1 (0xb6136000)
libresolv.so.2 => /lib/i386-linux-gnu/libresolv.so.2 (0xb611e000)
libsasl2.so.2 => /usr/lib/i386-linux-gnu/libsasl2.so.2 (0xb6103000)
libkrb5.so.3 => /usr/lib/i386-linux-gnu/libkrb5.so.3 (0xb603a000)
libk5crypto.so.3 => /usr/lib/i386-linux-gnu/libk5crypto.so.3 (0xb6011000)
libcom_err.so.2 => /lib/i386-linux-gnu/libcom_err.so.2 (0xb600d000)
libkrb5support.so.0 => /usr/lib/i386-linux-gnu/libkrb5support.so.0 (0xb6003000)
libgpg-error.so.0 => /lib/i386-linux-gnu/libgpg-error.so.0 (0xb5ffe000)
libpulsecommon-1.0.so => /usr/lib/i386-linux-gnu/libpulsecommon-1.0.so (0xb5f99000)
libjson.so.0 => /usr/lib/i386-linux-gnu/libjson.so.0 (0xb5f91000)
libdbus-1.so.3 => /lib/i386-linux-gnu/libdbus-1.so.3 (0xb5f48000)
libXau.so.6 => /usr/lib/i386-linux-gnu/libXau.so.6 (0xb5f43000)
libXdmcp.so.6 => /usr/lib/i386-linux-gnu/libXdmcp.so.6 (0xb5f3c000)
libkeyutils.so.1 => /lib/i386-linux-gnu/libkeyutils.so.1 (0xb5f38000)
libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb5f2e000)
libsndfile.so.1 => /usr/lib/i386-linux-gnu/libsndfile.so.1 (0xb5ebd000)
libasyncns.so.0 => /usr/lib/i386-linux-gnu/libasyncns.so.0 (0xb5eb5000)
libnsl.so.1 => /lib/i386-linux-gnu/libnsl.so.1 (0xb5e9c000)
libFLAC.so.8 => /usr/lib/i386-linux-gnu/libFLAC.so.8 (0xb5e4e000)
libvorbisenc.so.2 => /usr/lib/i386-linux-gnu/libvorbisenc.so.2 (0xb5cd6000)
libvorbis.so.0 => /usr/lib/i386-linux-gnu/libvorbis.so.0 (0xb5cab000)
libogg.so.0 => /usr/lib/i386-linux-gnu/libogg.so.0 (0xb5ca2000)

Revision history for this message

Craig Ringer (ringerc) wrote on 2012-02-22:

I have now reproduced the same segfault without the controlling script by running qemu on the command line and connecting to it with lftp. To reproduce the fault it appears to be necessary to attempt to connect to the guest before it is fully booted and ready to accept connections; if I let it "settle" for a while before attempting to connect then it doesn't crash. Even if I start hammering it as soon as it's launched I can only occasionally trigger the crash, so whatever's breaking is a short-lived state of some kind.

If I make an lftp connection then immediately kill lftp, qemu receives a SIGPIPE. I'm wondering if a sigpipe at the wrong time is messing things up, but it's only the vaguest notion.

Revision history for this message

Craig Ringer (ringerc) wrote on 2012-03-15:

Download full text (9.7 KiB)

Another crash site appears to be:

#0 0xb760f0d0 in ifs_insque (ifm=0xba711478, ifmhead=0x0) at slirp/if.c:16
#1 0xb760f2dd in if_output (so=0xba60db70, ifm=0xba711478) at slirp/if.c:98
#2 0xb7610bb5 in ip_output (so=0xba60db70, m0=0xba711478) at slirp/ip_output.c:84
#3 0xb761959c in tcp_output (tp=0xba4b4540) at slirp/tcp_output.c:456
#4 0xb761bb9b in tcp_timers (tp=0xba4b4540, timer=0) at slirp/tcp_timer.c:242
#5 0xb761b8d4 in tcp_slowtimo (slirp=0xb9d9eeb0) at slirp/tcp_timer.c:88
#6 0xb761365a in slirp_select_poll (readfds=0xbff7a78c, writefds=0xbff7a80c, xfds=0xbff7a88c, select_error=0) at slirp/slirp.c:433
#7 0xb75c82a0 in main_loop_wait (nonblocking=0) at main-loop.c:465
#8 0xb75bd042 in main_loop () at /home/craig/build/qemu-1.0.1/vl.c:1481
#9 0xb75c28a0 in main (argc=20, argv=0xbff7ac94, envp=0xbff7ace8) at /home/craig/build/qemu-1.0.1/vl.c:3485

Full trace:

Thread 5 (Thread 0xb1f68b70 (LWP 6148)):
#0 0xb746e424 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb72bce04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locals.
#2 0xb75d938a in cond_timedwait (cond=0xb7cb81e0, mutex=0xb7cb81c0, ts=0xb1f6835c) at posix-aio-compat.c:104
        ret = 0
#3 0xb75d9b6c in aio_thread (unused=0x0) at posix-aio-compat.c:334
        aiocb = 0xba432348
        ret = 0
        tv = {tv_sec = 1331775274, tv_usec = 188038}
        ts = {tv_sec = 1331775284, tv_nsec = 0}
#4 0xb72b8d31 in start_thread (arg=0xb1f68b70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb1f68b70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221812236, 0, 4001536, -1309244296, -366533283, 1345980240}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#5 0xb6d290ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Another crash site appears to be:

#0  0xb760f0d0 in ifs_insque (ifm=0xba711478, ifmhead=0x0) at slirp/if.c:16
#1  0xb760f2dd in if_output (so=0xba60db70, ifm=0xba711478) at slirp/if.c:98
#2  0xb7610bb5 in ip_output (so=0xba60db70, m0=0xba711478) at slirp/ip_output.c:84
#3  0xb761959c in tcp_output (tp=0xba4b4540) at slirp/tcp_output.c:456
#4  0xb761bb9b in tcp_timers (tp=0xba4b4540, timer=0) at slirp/tcp_timer.c:242
#5  0xb761b8d4 in tcp_slowtimo (slirp=0xb9d9eeb0) at slirp/tcp_timer.c:88
#6  0xb761365a in slirp_select_poll (readfds=0xbff7a78c, writefds=0xbff7a80c, xfds=0xbff7a88c, select_error=0) at slirp/slirp.c:433
#7  0xb75c82a0 in main_loop_wait (nonblocking=0) at main-loop.c:465
#8  0xb75bd042 in main_loop () at /home/craig/build/qemu-1.0.1/vl.c:1481
#9  0xb75c28a0 in main (argc=20, argv=0xbff7ac94, envp=0xbff7ace8) at /home/craig/build/qemu-1.0.1/vl.c:3485

Full trace:

Thread 5 (Thread 0xb1f68b70 (LWP 6148)):
#0  0xb746e424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb72bce04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locals.
#2  0xb75d938a in cond_timedwait (cond=0xb7cb81e0, mutex=0xb7cb81c0, ts=0xb1f6835c) at posix-aio-compat.c:104
        ret = 0
#3  0xb75d9b6c in aio_thread (unused=0x0) at posix-aio-compat.c:334
        aiocb = 0xba432348
        ret = 0
        tv = {tv_sec = 1331775274, tv_usec = 188038}
        ts = {tv_sec = 1331775284, tv_nsec = 0}
#4  0xb72b8d31 in start_thread (arg=0xb1f68b70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb1f68b70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221812236, 0, 4001536, -1309244296, -366533283, 1345980240}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#5  0xb6d290ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 4 (Thread 0xb0d62b70 (LWP 6149)):
#0  0xb746e424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb72bf619 in __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/lowlevellock.S:142
No locals.
#2  0xb72c27a0 in _L_cond_lock_704 () from /lib/i386-linux-gnu/libpthread.so.0
        libgcc_s_getcfa = 0
        libgcc_s_resume = 0
        libgcc_s_forcedunwind = 0
        libgcc_s_personality = 0
        libgcc_s_handle = 0x0
#3  0xb72c2521 in __pthread_mutex_cond_lock (mutex=0xb7e8cc00) at ../nptl/pthread_mutex_lock.c:61
        __PRETTY_FUNCTION__ = "__pthread_mutex_cond_lock"
        type = 3085487104
        id = 6149
#4  0xb72bcb0e in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_wait.S:255
No locals.
#5  0xb75f854a in qemu_cond_wait (cond=0xb7cc8aa0, mutex=0xb7e8cc00) at qemu-thread-posix.c:113
        err = -1168134704
        __func__ = "qemu_cond_wait"
#6  0xb7686409 in qemu_tcg_wait_io_event () at /home/craig/build/qemu-1.0.1/cpus.c:699
        env = 0x10000
#7  0xb76866cf in qemu_tcg_cpu_thread_fn (arg=0xba5fadd0) at /home/craig/build/qemu-1.0.1/cpus.c:778
        env = 0x0
#8  0xb72b8d31 in start_thread (arg=0xb0d62b70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb0d62b70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221812236, 0, 4001536, -1328143240, -1419303585, 1345980240}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#9  0xb6d290ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 3 (Thread 0xb296ab70 (LWP 6147)):
#0  0xb746e424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb72bce04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locals.
#2  0xb75d938a in cond_timedwait (cond=0xb7cb81e0, mutex=0xb7cb81c0, ts=0xb296a35c) at posix-aio-compat.c:104
        ret = 0
#3  0xb75d9b6c in aio_thread (unused=0x0) at posix-aio-compat.c:334
        aiocb = 0xba432348
        ret = 0
        tv = {tv_sec = 1331775274, tv_usec = 185444}
        ts = {tv_sec = 1331775284, tv_nsec = 0}
#4  0xb72b8d31 in start_thread (arg=0xb296ab70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb296ab70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221812236, 0, 4001536, -1298750344, 711402843, 1345980240}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#5  0xb6d290ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 2 (Thread 0xb316bb70 (LWP 6146)):
#0  0xb746e424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb72bce04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locals.
#2  0xb75d938a in cond_timedwait (cond=0xb7cb81e0, mutex=0xb7cb81c0, ts=0xb316b35c) at posix-aio-compat.c:104
        ret = 0
#3  0xb75d9b6c in aio_thread (unused=0x0) at posix-aio-compat.c:334
        aiocb = 0xba432348
        ret = 0
        tv = {tv_sec = 1331775274, tv_usec = 185217}
        ts = {tv_sec = 1331775284, tv_nsec = 0}
#4  0xb72b8d31 in start_thread (arg=0xb316bb70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb316bb70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221812236, 0, 4001536, -1290357640, 709305688, 1345980240}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#5  0xb6d290ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 1 (Thread 0xb636e6e0 (LWP 6145)):
#0  0xb760f0d0 in ifs_insque (ifm=0xba711478, ifmhead=0x0) at slirp/if.c:16
No locals.
#1  0xb760f2dd in if_output (so=0xba60db70, ifm=0xba711478) at slirp/if.c:98
        slirp = 0xb9d9eeb0
        ifq = 0xba711478
        on_fastq = 1
#2  0xb7610bb5 in ip_output (so=0xba60db70, m0=0xba711478) at slirp/ip_output.c:84
        slirp = 0xb9d9eeb0
        ip = 0xba7114e4
        m = 0xba711478
        hlen = 20
        len = -1166994312
        off = -1176899780
        error = 0
#3  0xb761959c in tcp_output (tp=0xba4b4540) at slirp/tcp_output.c:456
        so = 0xba60db70
        len = 0
        win = 8760
        off = 0
        flags = 2
        error = 179984
        m = 0xba711478
        ti = 0xba7114e4
        opt = "\002\004\005\264\001\000\000\000$\246\367\277\266\064ζ·_\267\064\246\367\277\260\237\001\000\063T$\024"
        optlen = 4
        hdrlen = 44
        idle = 0
        sendalot = 0
#4  0xb761bb9b in tcp_timers (tp=0xba4b4540, timer=0) at slirp/tcp_timer.c:242
        rexmt = 96
#5  0xb761b8d4 in tcp_slowtimo (slirp=0xb9d9eeb0) at slirp/tcp_timer.c:88
        ip = 0xba60db70
        ipnxt = 0xb9d9f8b0
        tp = 0xba4b4540
        i = 0
#6  0xb761365a in slirp_select_poll (readfds=0xbff7a78c, writefds=0xbff7a80c, xfds=0xbff7a88c, select_error=0) at slirp/slirp.c:433
        slirp = 0xb9d9eeb0
        so = 0x0
        so_next = 0x0
        ret = -1074288756
#7  0xb75c82a0 in main_loop_wait (nonblocking=0) at main-loop.c:465
        rfds = {fds_bits = {2048, 0 <repeats 31 times>}}
        wfds = {fds_bits = {0 <repeats 32 times>}}
        xfds = {fds_bits = {0 <repeats 32 times>}}
        ret = 1
        nfds = 18
        tv = {tv_sec = 0, tv_usec = 997895}
        timeout = 1000
#8  0xb75bd042 in main_loop () at /home/craig/build/qemu-1.0.1/vl.c:1481
        nonblocking = false
        last_io = 0
#9  0xb75c28a0 in main (argc=20, argv=0xbff7ac94, envp=0xbff7ace8) at /home/craig/build/qemu-1.0.1/vl.c:3485
        gdbstub_dev = 0x0
        i = 64
        snapshot = 1
        linux_boot = 0
        icount_option = 0x0
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0xb778290f ""
        boot_devices = "cad", '\000' <repeats 29 times>
        ds = 0xba0a8f78
        dcl = 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = 0x0
        opts = 0xb72cd000
        olist = 0xbff7ab58
        optind = 20
        optarg = 0x0
        loadvm = 0x0
        machine = 0xb78abe60
        cpu_model = 0x0
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = 1
        log_mask = 0x0
        log_file = 0x0
        mem_trace = {malloc = 0xb75becb1 <malloc_and_trace>, realloc = 0xb75bed0e <realloc_and_trace>, free = 0xb75bed7f <free_and_trace>, calloc = 0, try_malloc = 0, try_realloc = 0}
        trace_events = 0x0
        trace_file = 0x0

Revision history for this message

Jan Kiszka (jan-kiszka) wrote on 2012-03-15:

Please re-test over git head. There were related fixes merged recently.

Revision history for this message

Craig Ringer (ringerc) wrote on 2012-03-15:

Thanks Jan. I was pulling git master as I saw your comment. When configured using the same command line and built with the same tools in the same environment, git master does not appear to crash the way 1.0.1 does. Given that there have been fixes in the area merged between 1.0.1 and master it seems safe to say they've done the trick.

Revision history for this message

Craig Ringer (ringerc) wrote on 2012-03-15:

Download full text (7.6 KiB)

Correction, the bug is still present in qemu-git. It seems to be slightly harder to trigger, but that might just be luck too. Here's the crash in qemu master 217bfb445b54db618a30f3a39170bebd9fd9dbf2 .

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb63d36e0 (LWP 32412)]
0xb7679517 in slirp_remque (a=0xb9119cf0) at slirp/misc.c:39
39 ((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link;
(gdb) bt
#0 0xb7679517 in slirp_remque (a=0xb9119cf0) at slirp/misc.c:39
#1 0xb7677489 in if_start (slirp=0xb87a6eb8) at slirp/if.c:189
#2 0xb767738f in if_output (so=0xb8f6e348, ifm=0xb911a348) at slirp/if.c:138
#3 0xb7678b91 in ip_output (so=0xb8f6e348, m0=0xb911a348) at slirp/ip_output.c:84
#4 0xb7681578 in tcp_output (tp=0xb8eacb48) at slirp/tcp_output.c:456
#5 0xb7683b77 in tcp_timers (tp=0xb8eacb48, timer=0) at slirp/tcp_timer.c:242
#6 0xb76838b0 in tcp_slowtimo (slirp=0xb87a6eb8) at slirp/tcp_timer.c:88
#7 0xb767b636 in slirp_select_poll (readfds=0xbfb3a1ec, writefds=0xbfb3a26c, xfds=0xbfb3a2ec, select_error=0) at slirp/slirp.c:433
#8 0xb7630028 in main_loop_wait (nonblocking=0) at main-loop.c:465
#9 0xb7624dca in main_loop () at /home/craig/projects/QEMU/vl.c:1481
#10 0xb762a628 in main (argc=20, argv=0xbfb3a6f4, envp=0xbfb3a748) at /home/craig/projects/QEMU/vl.c:3485
(gdb)

Thread 18 (Thread 0xb29cfb70 (LWP 32487)):
#0 0xb74d3424 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7321e04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locals.
#2 0xb7641112 in cond_timedwait (cond=0xb7d201e0, mutex=0xb7d201c0, ts=0xb29cf35c) at posix-aio-compat.c:104
        ret = 0
#3 0xb76418f4 in aio_thread (unused=0x0) at posix-aio-compat.c:334
        aiocb = 0xb8dd9f68
        ret = 0
        tv = {tv_sec = 1331787612, tv_usec = 760876}
        ts = {tv_sec = 1331787622, tv_nsec = 0}
#4 0xb731dd31 in start_thread (arg=0xb29cfb70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb29cfb70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221398540, 0, 4001536, -1298336648, -1135928557, -434751208}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#5 0xb6d8e0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb63d36e0 (LWP 32412)]
0xb7679517 in slirp_remque (a=0xb9119cf0) at slirp/misc.c:39
39	  ((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link;
(gdb) bt
#0  0xb7679517 in slirp_remque (a=0xb9119cf0) at slirp/misc.c:39
#1  0xb7677489 in if_start (slirp=0xb87a6eb8) at slirp/if.c:189
#2  0xb767738f in if_output (so=0xb8f6e348, ifm=0xb911a348) at slirp/if.c:138
#3  0xb7678b91 in ip_output (so=0xb8f6e348, m0=0xb911a348) at slirp/ip_output.c:84
#4  0xb7681578 in tcp_output (tp=0xb8eacb48) at slirp/tcp_output.c:456
#5  0xb7683b77 in tcp_timers (tp=0xb8eacb48, timer=0) at slirp/tcp_timer.c:242
#6  0xb76838b0 in tcp_slowtimo (slirp=0xb87a6eb8) at slirp/tcp_timer.c:88
#7  0xb767b636 in slirp_select_poll (readfds=0xbfb3a1ec, writefds=0xbfb3a26c, xfds=0xbfb3a2ec, select_error=0) at slirp/slirp.c:433
#8  0xb7630028 in main_loop_wait (nonblocking=0) at main-loop.c:465
#9  0xb7624dca in main_loop () at /home/craig/projects/QEMU/vl.c:1481
#10 0xb762a628 in main (argc=20, argv=0xbfb3a6f4, envp=0xbfb3a748) at /home/craig/projects/QEMU/vl.c:3485
(gdb)

Thread 18 (Thread 0xb29cfb70 (LWP 32487)):
#0  0xb74d3424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7321e04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locals.
#2  0xb7641112 in cond_timedwait (cond=0xb7d201e0, mutex=0xb7d201c0, ts=0xb29cf35c) at posix-aio-compat.c:104
        ret = 0
#3  0xb76418f4 in aio_thread (unused=0x0) at posix-aio-compat.c:334
        aiocb = 0xb8dd9f68
        ret = 0
        tv = {tv_sec = 1331787612, tv_usec = 760876}
        ts = {tv_sec = 1331787622, tv_nsec = 0}
#4  0xb731dd31 in start_thread (arg=0xb29cfb70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb29cfb70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221398540, 0, 4001536, -1298336648, -1135928557, -434751208}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#5  0xb6d8e0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 2 (Thread 0xaadbbb70 (LWP 32428)):
#0  0xb74d3424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7324619 in __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/lowlevellock.S:142
No locals.
#2  0xb73277a0 in _L_cond_lock_704 () from /lib/i386-linux-gnu/libpthread.so.0
        libgcc_s_getcfa = 0
        libgcc_s_resume = 0
        libgcc_s_forcedunwind = 0
        libgcc_s_personality = 0
        libgcc_s_handle = 0x0
#3  0xb7327521 in __pthread_mutex_cond_lock (mutex=0xb7ef4c00) at ../nptl/pthread_mutex_lock.c:61
        __PRETTY_FUNCTION__ = "__pthread_mutex_cond_lock"
        type = 3085913088
        id = 32428
#4  0xb7321b0e in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_wait.S:255
No locals.
#5  0xb7660526 in qemu_cond_wait (cond=0xb7d30aa0, mutex=0xb7ef4c00) at qemu-thread-posix.c:113
        err = -1191168176
        __func__ = "qemu_cond_wait"
#6  0xb76ee271 in qemu_tcg_wait_io_event () at /home/craig/projects/QEMU/cpus.c:699
        env = 0x10000
#7  0xb76ee537 in qemu_tcg_cpu_thread_fn (arg=0xb9003750) at /home/craig/projects/QEMU/cpus.c:778
        env = 0x0
#8  0xb731dd31 in start_thread (arg=0xaadbbb70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xaadbbb70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221398540, 0, 4001536, -1428441992, 852171555, -434751208}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#9  0xb6d8e0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 1 (Thread 0xb63d36e0 (LWP 32412)):
#0  0xb7679517 in slirp_remque (a=0xb9119cf0) at slirp/misc.c:39
        element = 0xb9119cf0
#1  0xb7677489 in if_start (slirp=0xb87a6eb8) at slirp/if.c:189
        now = 118754910412798
        requeued = 0
        ifm = 0xb9119cf0
        ifqt = 0x0
#2  0xb767738f in if_output (so=0xb8f6e348, ifm=0xb911a348) at slirp/if.c:138
        slirp = 0xb87a6eb8
        ifq = 0xb9119cf0
        on_fastq = 1
#3  0xb7678b91 in ip_output (so=0xb8f6e348, m0=0xb911a348) at slirp/ip_output.c:84
        slirp = 0xb87a6eb8
        ip = 0xb911a3b4
        m = 0xb911a348
        hlen = 20
        len = -1190026424
        off = -1199935676
        error = 0
#4  0xb7681578 in tcp_output (tp=0xb8eacb48) at slirp/tcp_output.c:456
        so = 0xb8f6e348
        len = 0
        win = 8760
        off = 0
        flags = 2
        error = 752432
        m = 0xb911a348
        ti = 0xb911a3b4
        opt = "\002\004\005\264\001\000\000\000\204\240\263\277\266\204Զ\252\af\267\224\240\263\277\342\317\001\000·C6"
        optlen = 4
        hdrlen = 44
        idle = 0
        sendalot = 0
#5  0xb7683b77 in tcp_timers (tp=0xb8eacb48, timer=0) at slirp/tcp_timer.c:242
        rexmt = 192
#6  0xb76838b0 in tcp_slowtimo (slirp=0xb87a6eb8) at slirp/tcp_timer.c:88
        ip = 0xb8f6e348
        ipnxt = 0xb87a78b8
        tp = 0xb8eacb48
        i = 0
#7  0xb767b636 in slirp_select_poll (readfds=0xbfb3a1ec, writefds=0xbfb3a26c, xfds=0xbfb3a2ec, select_error=0) at slirp/slirp.c:433
        slirp = 0xb87a6eb8
        so = 0x0
        so_next = 0x0
        ret = -1078746644
#8  0xb7630028 in main_loop_wait (nonblocking=0) at main-loop.c:465
        rfds = {fds_bits = {2048, 0 <repeats 31 times>}}
        wfds = {fds_bits = {0 <repeats 32 times>}}
        xfds = {fds_bits = {0 <repeats 32 times>}}
        ret = 1
        nfds = 18
        tv = {tv_sec = 0, tv_usec = 999852}
        timeout = 1000
#9  0xb7624dca in main_loop () at /home/craig/projects/QEMU/vl.c:1481
        nonblocking = false
        last_io = 0
#10 0xb762a628 in main (argc=20, argv=0xbfb3a6f4, envp=0xbfb3a748) at /home/craig/projects/QEMU/vl.c:3485
        gdbstub_dev = 0x0
        i = 64
        snapshot = 1
        linux_boot = 0
        icount_option = 0x0
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0xb77ea853 ""
        boot_devices = "cad", '\000' <repeats 29 times>
        ds = 0xb89eed90
        dcl = 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = 0x0
        opts = 0xb7332000
        olist = 0xbfb3a5b8
        optind = 20
        optarg = 0x0
        loadvm = 0x0
        machine = 0xb7913f40
        cpu_model = 0x0
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = 1
        log_mask = 0x0
        log_file = 0x0
        mem_trace = {malloc = 0xb7626a39 <malloc_and_trace>, realloc = 0xb7626a96 <realloc_and_trace>, free = 0xb7626b07 <free_and_trace>, calloc = 0, try_malloc = 0, try_realloc = 0}
        trace_events = 0x0
        trace_file = 0x0

Revision history for this message

Jan Kiszka (jan-kiszka) wrote on 2012-03-15:

> Thread 1 (Thread 0xb63d36e0 (LWP 32412)):
> #0 0xb7679517 in slirp_remque (a=0xb9119cf0) at slirp/misc.c:39
> element = 0xb9119cf0
> #1 0xb7677489 in if_start (slirp=0xb87a6eb8) at slirp/if.c:189
> now = 118754910412798
> requeued = 0
> ifm = 0xb9119cf0
> ifqt = 0x0

"requeued" is no longer present in qemu.git. And 217bfb445b54db618a30f3a39170bebd9fd9dbf2 actually predates the important fixes by a lot of commits. It has to be 3e7ecd976b06fc9054a34bda093a70efae99588b or newer.

Revision history for this message

Craig Ringer (ringerc) wrote on 2012-03-20:

Is the GitHub mirror (http://wiki.qemu.org/Download) no long being updated? It looks like it might not be given the last commit, so it should really be fixed or removed from that download page and the mirror deleted.

I used the GitHub mirror because when I tried to clone git://git.qemu.org/qemu.git at the time I was testing I got a msg along the lines of "remote respository has no refs". I didn't record the exact msg, unfortunately, and it seems to be cloning ok now.

The GitHub mirror needs to be updated or deleted.

Revision history for this message

Craig Ringer (ringerc) wrote on 2012-03-20:

This issue appears to be resolved in the *real* current git master, so this bug can be closed. Now it's just a matter of getting rid of or updating that mirror.

Revision history for this message

Stefan Weil (ubuntu-weilnetz) wrote on 2012-03-20:

The latest slirp commits in QEMU git master (commits 953e7f54e679cd40fff28e29189ed9e24bfb0758, e3078bf40a33b59fa11d077b1d0bb8796470982e, f37343197708d90f119007ce5ecc2503be9c04c1, a68adc220603baffc355ecea8865b3ea9707ab00) fixed this issue.

Changed in qemu:
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.