segfault with -vga vmware and -display gtk

Bug #1187121 reported by Michael Tokarev
Affects        Status        Importance  Assigned to  Milestone
QEMU           Fix Released  Undecided   Unassigned
qemu (Debian)  Fix Released  Unknown

Bug Description

When some guest is run with -vga vmware -display gtk, qemu segfaults after certain guest GUI operations.

./x86_64-softmmu/qemu-system-x86_64 -cdrom ubuntu-10.04.4-desktop-i386.iso -vga vmware -enable-kvm

(-enable-kvm is just to speed things up; it does not depend on kvm.)

(Ubuntu desktop image is from http://old-releases.ubuntu.com/releases/lucid/ )

This segfaults in a few moments after initial boot.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf5bccb70 (LWP 23460)]
0xf710792c in g_object_unref ()
   from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
(gdb) bt
#0 0xf710792c in g_object_unref ()
   from /usr/lib/i386-linux-gnu/libgobject-2.0.so.0
#1 0x5673b635 in gd_cursor_define (dcl=0x57153d44, c=0x5710e7b8)
    at ui/gtk.c:380
#2 0x5673895b in dpy_cursor_define (con=0x570c07f8,
    cursor=cursor@entry=0x5710e7b8) at ui/console.c:1547
#3 0x5665f2a7 in vmsvga_cursor_define (c=0xf5bc6ef0, s=<optimized out>)
    at hw/display/vmware_vga.c:492
#4 vmsvga_fifo_run (s=<optimized out>)
    at hw/display/vmware_vga.c:628
#5 0x567ce6a8 in memory_region_write_accessor (
    opaque=opaque@entry=0x571291d0, addr=1, value=value@entry=0xf5bcc038,
    size=size@entry=4, shift=0, mask=4294967295) at memory.c:334
#6 0x567ce146 in access_with_adjusted_size (addr=<optimized out>,
    value=value@entry=0xf5bcc038, size=size@entry=4,
    access_size_min=<optimized out>, access_size_max=<optimized out>,
    access=access@entry=0x567ce5e0 <memory_region_write_accessor>,
    opaque=opaque@entry=0x571291d0) at memory.c:364
#7 0x567cf28c in memory_region_iorange_write (iorange=0x57243f58, offset=1,
    width=4, data=1) at memory.c:439
#8 0x567c8b48 in ioport_writel_thunk (opaque=0x57243f58, addr=49233, data=1)
    at ioport.c:226
#9 0x567c92d3 in ioport_write (data=1, address=49233, index=2)
...

(gdb) frame 1
#1 0x5673b635 in gd_cursor_define (dcl=0x57153d44, c=0x5710e7b8) at ui/gtk.c:380
380 g_object_unref(cursor);
(gdb) p cursor
$1 = (GdkCursor *) 0x570eb1e0
(gdb) p *cursor
$2 = {type = GDK_CURSOR_IS_PIXMAP, ref_count = 3}

(gdb) frame 2
#2 0x5673895b in dpy_cursor_define (con=0x570c07f8,
    cursor=cursor@entry=0x5710e7b8) at ui/console.c:1547
1547 dcl->ops->dpy_cursor_define(dcl, cursor);
(gdb) p *cursor
$3 = {width = 64, height = 64, hot_x = 0, hot_y = 0, refcount = 1,
  data = 0x5710e7cc}
(gdb) p *cursor->data
$4 = 0
(gdb) l
1542 QLIST_FOREACH(dcl, &s->listeners, next) {
1543 if (con != (dcl->con ? dcl->con : active_console)) {
1544 continue;
1545 }
1546 if (dcl->ops->dpy_cursor_define) {
1547 dcl->ops->dpy_cursor_define(dcl, cursor);
1548 }
1549 }
1550 }
1551
(gdb)

Changed in qemu:
status: New → Confirmed
Changed in qemu (Debian):
status: Unknown → Confirmed
Michael Tokarev (mjt+launchpad-tls) wrote :

This has been fixed in 1.6.0.

Changed in qemu:
status: Confirmed → Fix Released
Changed in qemu (Debian):
status: Confirmed → Fix Released