QEMU

latest qemu.git master -> qemu-system-x86_64 crashes when issuing screendump command over monitor

Bug #1169254 reported by Lucas Meneghel Rodrigues on 2013-04-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

Found the problem during sanity test of the 'next' branch

git commit ID is e2ec3f976803b360c70d9ae2ba13852fa5d11665 (tag v1.4.0-1202-ge2ec3f9)

For reference, kernel is upstream kvm.git

git commit ID is 31880c37c11e28cb81c70757e38392b42e695dc6 (tag v3.8-12524-g31880c3)

Steps to reproduce:

Start qemu, reference cmd:

MALLOC_PERTURB_=1 /usr/local/autotest/tests/virt/qemu/qemu \
    -S \
    -name 'vm1' \
    -nodefaults \
    -chardev socket,id=hmp_id_hmp1,path=/tmp/monitor-hmp1-20130415-120337-CX4dw84y,server,nowait \
    -mon chardev=hmp_id_hmp1,mode=readline \
    -chardev socket,id=qmp_id_qmp1,path=/tmp/monitor-qmp1-20130415-120337-CX4dw84y,server,nowait \
    -mon chardev=qmp_id_qmp1,mode=control \
    -chardev socket,id=serial_id_serial1,path=/tmp/serial-serial1-20130415-120337-CX4dw84y,server,nowait \
    -device isa-serial,chardev=serial_id_serial1 \
    -chardev socket,id=seabioslog_id_20130415-120337-CX4dw84y,path=/tmp/seabios-20130415-120337-CX4dw84y,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20130415-120337-CX4dw84y,iobase=0x402 \
    -device ich9-usb-uhci1,id=usb1 \
    -drive file='/usr/local/autotest/tests/virt/shared/data/images/rhel63-64.qcow2',if=none,id=virtio0 \
    -device virtio-blk-pci,drive=virtio0,bootindex=1 \
    -device virtio-net-pci,netdev=id7t6ont,mac='9a:16:17:18:19:1a',id='idQ3SyRX' \
    -netdev tap,id=id7t6ont,vhost=on,fd=24 \
    -m 2048 \
    -smp 2,maxcpus=2,cores=1,threads=1,sockets=2 \
    -cpu 'Opteron_G3' \
    -M pc \
    -drive file='/usr/local/autotest/tests/virt/shared/data/isos/linux/RHEL-6.3-x86_64-DVD.iso',media=cdrom,index=2 \
    -drive file='/usr/local/autotest/tests/virt/shared/data/images/rhel63-64/ks.iso',media=cdrom,index=1 \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
    -kernel '/usr/local/autotest/tests/virt/shared/data/images/rhel63-64/vmlinuz' \
    -append 'ks=cdrom nicdelay=60 console=ttyS0,115200 console=tty0' \
    -initrd '/usr/local/autotest/tests/virt/shared/data/images/rhel63-64/initrd.img' \
    -vnc :0 \
    -vga std \
    -rtc base=utc,clock=host,driftfix=none \
    -boot order=cdn,once=d,menu=off \
    -enable-kvm

2) Connect to the monitor

nc -U /tmp/monitor-hmp1-20130415-120337-CX4dw84y,server,nowait

3) Unpause the VM

[root@virtblade03 autotest]# nc -U /tmp/monitor-hmp1-20130415-120943-D6zKUQFO
QEMU 1.4.50 monitor - type 'help' for more information
(qemu) cont
cont

4) Ask for a screendump

(qemu) screendump abc.ppm
screendump abc.ppm

At this point, qemu crashes.

Program terminated with signal 11, Segmentation fault.
#0 pixman_image_get_width (image=0x101010101010101) at pixman-image.c:834
834 if (image->type == BITS)
(gdb) bt
#0 pixman_image_get_width (image=0x101010101010101) at pixman-image.c:834
#1 0x00007f0b44158374 in ppm_save (filename=0x7f0b46762a30 "/dev/shm/scrdump-miGZom.ppm", ds=0x7f0b466b7a50, errp=0x7fff41c08260)
at /usr/local/autotest/tmp/virt/src/qemu/hw/display/vga.c:2401
#2 0x00007f0b4410f18e in qmp_screendump (filename=0x7f0b46762a30 "/dev/shm/scrdump-miGZom.ppm", errp=0x7fff41c08260) at ui/console.c:195
#3 0x00007f0b43ffc77a in hmp_screen_dump (mon=0x7f0b46530d80, qdict=<optimized out>) at hmp.c:1335
#4 0x00007f0b4418c889 in handle_user_command (mon=mon@entry=0x7f0b46530d80, cmdline=<optimized out>) at /usr/local/autotest/tmp/virt/src/qemu/monitor.c:4007
#5 0x00007f0b4418cc0b in monitor_command_cb (mon=0x7f0b46530d80, cmdline=<optimized out>, opaque=<optimized out>)
at /usr/local/autotest/tmp/virt/src/qemu/monitor.c:4623
#6 0x00007f0b440fe69b in readline_handle_byte (rs=0x7f0b46689a30, ch=<optimized out>) at readline.c:373
#7 0x00007f0b4418c954 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/local/autotest/tmp/virt/src/qemu/monitor.c:4609
#8 0x00007f0b440ec029 in qemu_chr_be_write (len=<optimized out>, buf=0x7fff41c08400 "\n", s=0x7f0b46506c00) at qemu-char.c:187
#9 tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f0b46506c00) at qemu-char.c:2519
#10 0x00007f0b43622a75 in g_main_dispatch (context=0x7f0b46506240) at gmain.c:2715
#11 g_main_context_dispatch (context=context@entry=0x7f0b46506240) at gmain.c:3219
#12 0x00007f0b440c4c78 in glib_pollfds_poll () at main-loop.c:187
#13 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
#14 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:468
#15 0x00007f0b43faab55 in main_loop () at vl.c:2043
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4432

if (image->type == BITS)
image=0x101010101010101

The pointer to the image is invalid. Need to investigate why.

Revision history for this message

Anthony Liguori (anthony-codemonkey) wrote on 2013-04-15: Re: [Bug 1169254] [NEW] latest qemu.git master -> qemu-system-x86_64 crashes when issuing screendump command over monitor

Download full text (5.6 KiB)

Lucas Meneghel Rodrigues <email address hidden> writes:

> Public bug reported:
>
> Found the problem during sanity test of the 'next' branch
>
> git commit ID is e2ec3f976803b360c70d9ae2ba13852fa5d11665 (tag
> v1.4.0-1202-ge2ec3f9)

Can you bisect? I can't reproduce with the following:

[12:04 PM] anthony🐵 titi:~/build/qemu$ echo -e 'cont\nscreendump abc.ppm' | x86_64-softmmu/qemu-system-x86_64 -monitor stdio -vga std -S -vnc :0 -enable-kvm -nodefaults

Which appears to be all of the obvious options in your command line that
would be relevant here. I notice that you're on

Regards,

Anthony Liguori

Lucas Meneghel Rodrigues <lookkas@gmail.com> writes:

> Public bug reported:
>
> Found the problem during sanity test of the 'next' branch
>
> git commit ID is e2ec3f976803b360c70d9ae2ba13852fa5d11665 (tag
> v1.4.0-1202-ge2ec3f9)

Can you bisect?  I can't reproduce with the following:

[12:04 PM] anthony🐵 titi:~/build/qemu$ echo -e 'cont\nscreendump abc.ppm' | x86_64-softmmu/qemu-system-x86_64 -monitor stdio -vga std -S -vnc :0 -enable-kvm -nodefaults

Which appears to be all of the obvious options in your command line that
would be relevant here.  I notice that you're on

Regards,

Anthony Liguori

>
> For reference, kernel is upstream kvm.git
>
> git commit ID is 31880c37c11e28cb81c70757e38392b42e695dc6 (tag
> v3.8-12524-g31880c3)
>
> Steps to reproduce:
>
> Start qemu, reference cmd:
>
> MALLOC_PERTURB_=1 /usr/local/autotest/tests/virt/qemu/qemu \
>     -S \
>     -name 'vm1' \
>     -nodefaults \
>     -chardev socket,id=hmp_id_hmp1,path=/tmp/monitor-hmp1-20130415-120337-CX4dw84y,server,nowait \
>     -mon chardev=hmp_id_hmp1,mode=readline \
>     -chardev socket,id=qmp_id_qmp1,path=/tmp/monitor-qmp1-20130415-120337-CX4dw84y,server,nowait \
>     -mon chardev=qmp_id_qmp1,mode=control \
>     -chardev socket,id=serial_id_serial1,path=/tmp/serial-serial1-20130415-120337-CX4dw84y,server,nowait \
>     -device isa-serial,chardev=serial_id_serial1 \
>     -chardev socket,id=seabioslog_id_20130415-120337-CX4dw84y,path=/tmp/seabios-20130415-120337-CX4dw84y,server,nowait \
>     -device isa-debugcon,chardev=seabioslog_id_20130415-120337-CX4dw84y,iobase=0x402 \
>     -device ich9-usb-uhci1,id=usb1 \
>     -drive file='/usr/local/autotest/tests/virt/shared/data/images/rhel63-64.qcow2',if=none,id=virtio0 \
>     -device virtio-blk-pci,drive=virtio0,bootindex=1 \
>     -device virtio-net-pci,netdev=id7t6ont,mac='9a:16:17:18:19:1a',id='idQ3SyRX' \
>     -netdev tap,id=id7t6ont,vhost=on,fd=24 \
>     -m 2048 \
>     -smp 2,maxcpus=2,cores=1,threads=1,sockets=2 \
>     -cpu 'Opteron_G3' \
>     -M pc \
>     -drive file='/usr/local/autotest/tests/virt/shared/data/isos/linux/RHEL-6.3-x86_64-DVD.iso',media=cdrom,index=2 \
>     -drive file='/usr/local/autotest/tests/virt/shared/data/images/rhel63-64/ks.iso',media=cdrom,index=1 \
>     -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
>     -kernel '/usr/local/autotest/tests/virt/shared/data/images/rhel63-64/vmlinuz' \
>     -append 'ks=cdrom nicdelay=60 console=ttyS0,115200 console=tty0' \
>     -initrd '/usr/local/autotest/tests/virt/shared/data/images/rhel63-64/initrd.img' \
>     -vnc :0 \
>     -vga std \
>     -rtc base=utc,clock=host,driftfix=none  \
>     -boot order=cdn,once=d,menu=off  \
>     -enable-kvm
>
> 2) Connect to the monitor
>
> nc -U /tmp/monitor-hmp1-20130415-120337-CX4dw84y,server,nowait
>
> 3) Unpause the VM
>
> [root@virtblade03 autotest]# nc -U /tmp/monitor-hmp1-20130415-120943-D6zKUQFO
> QEMU 1.4.50 monitor - type 'help' for more information
> (qemu) cont
> cont
>
> 4) Ask for a screendump
>
> (qemu) screendump abc.ppm
> screendump abc.ppm
>
> At this point, qemu crashes.
>
>  Program terminated with signal 11, Segmentation fault.
>  #0  pixman_image_get_width (image=0x101010101010101) at pixman-image.c:834
>  834         if (image->type == BITS)
>  (gdb) bt
>  #0  pixman_image_get_width (image=0x101010101010101) at pixman-image.c:834
>  #1  0x00007f0b44158374 in ppm_save (filename=0x7f0b46762a30 "/dev/shm/scrdump-miGZom.ppm", ds=0x7f0b466b7a50, errp=0x7fff41c08260)
>      at /usr/local/autotest/tmp/virt/src/qemu/hw/display/vga.c:2401
>  #2  0x00007f0b4410f18e in qmp_screendump (filename=0x7f0b46762a30 "/dev/shm/scrdump-miGZom.ppm", errp=0x7fff41c08260) at ui/console.c:195
>  #3  0x00007f0b43ffc77a in hmp_screen_dump (mon=0x7f0b46530d80, qdict=<optimized out>) at hmp.c:1335
>  #4  0x00007f0b4418c889 in handle_user_command (mon=mon@entry=0x7f0b46530d80, cmdline=<optimized out>) at /usr/local/autotest/tmp/virt/src/qemu/monitor.c:4007
>  #5  0x00007f0b4418cc0b in monitor_command_cb (mon=0x7f0b46530d80, cmdline=<optimized out>, opaque=<optimized out>)
>      at /usr/local/autotest/tmp/virt/src/qemu/monitor.c:4623
>  #6  0x00007f0b440fe69b in readline_handle_byte (rs=0x7f0b46689a30, ch=<optimized out>) at readline.c:373
>  #7  0x00007f0b4418c954 in monitor_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/local/autotest/tmp/virt/src/qemu/monitor.c:4609
>  #8  0x00007f0b440ec029 in qemu_chr_be_write (len=<optimized out>, buf=0x7fff41c08400 "\n", s=0x7f0b46506c00) at qemu-char.c:187
>  #9  tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f0b46506c00) at qemu-char.c:2519
>  #10 0x00007f0b43622a75 in g_main_dispatch (context=0x7f0b46506240) at gmain.c:2715
>  #11 g_main_context_dispatch (context=context@entry=0x7f0b46506240) at gmain.c:3219
>  #12 0x00007f0b440c4c78 in glib_pollfds_poll () at main-loop.c:187
>  #13 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:232
>  #14 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:468
>  #15 0x00007f0b43faab55 in main_loop () at vl.c:2043
>  #16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4432
>
>  if (image->type == BITS)
>  image=0x101010101010101
>
> The pointer to the image is invalid. Need to investigate why.
>
> ** Affects: qemu
>      Importance: Undecided
>          Status: New
>
> -- 
> You received this bug notification because you are subscribed to QEMU.
> https://bugs.launchpad.net/bugs/1169254
>
> Title:
>   latest qemu.git master -> qemu-system-x86_64 crashes when issuing
>   screendump command over monitor
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/qemu/+bug/1169254/+subscriptions

Revision history for this message

Lucas Meneghel Rodrigues (lmr) wrote on 2013-04-15:

1 thing I don't see in your command line: MALLOC_PERTURB=1. I did build it on my Fedora 19 work laptop and it is easily reproducible. I just didn't use the echo -e:

[lmr@thinkpad-t420s qemu]$ MALLOC_PERTURB_=1 x86_64-softmmu/qemu-system-x86_64 -monitor stdio -vga std -S -vnc :0 -enable-kvm -nodefaults
QEMU 1.4.50 monitor - type 'help' for more information
(qemu) cont
(qemu) screendump abc.ppm
Segmentation fault

Revision history for this message

Lucas Meneghel Rodrigues (lmr) wrote on 2013-04-15:

I've hacked up a (admittedly not very pretty) reproducer script

PATH_DEVEL=x86_64-softmmu/qemu-system-x86_64
MALLOC_PERTURB_=1 $PATH_DEVEL -chardev socket,id=hmp1,path=/tmp/hmp1-lmr,server,nowait -mon chardev=hmp1,mode=readline -vga std -S -vnc :0 -enable-kvm -nodefaults&
QEMU_PID=$(pidof qemu-system-x86_64)

echo "QEMU PID is $QEMU_PID"
sleep 2
echo 'cont' | nc -U /tmp/hmp1-lmr
sleep 2
echo 'screendump abc.ppm' | nc -U /tmp/hmp1-lmr

if ps -p $QEMU_PID > /dev/null
then
    echo "PASS: QEMU is still alive"
    kill $QEMU_PID
    exit 0
else
    echo "FAIL: QEMU segfaulted"
    exit 1
fi

And let me try git bisect here...

Revision history for this message

Lucas Meneghel Rodrigues (lmr) wrote on 2013-04-15:

First bad commit is

commit c78f71378a345ea240c288993ca1378ded5504b9
Author: Gerd Hoffmann <email address hidden>
Date: Tue Mar 5 15:24:14 2013 +0100

console: stop using DisplayState in gfx hardware emulation

Use QemuConsole instead. Updates interfaces in console.[ch] and adapts
gfx hardware emulation code.

Signed-off-by: Gerd Hoffmann <email address hidden>

Revision history for this message

Lucas Meneghel Rodrigues (lmr) wrote on 2013-04-18:

Gerd sent a pull request that was merged, fixing the problem

top commit: 09dada400328d75daf79e3eca1e48e024fec148d

Problem is now fixed on latest qemu.git master.

Changed in qemu:
status:	New → Fix Committed

Aurelien Jarno (aurel32) on 2013-05-20

Changed in qemu:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.