Qemu crashes with error "hw/ppc/spapr_drc.c:417:spapr_drc_detach: assertion failed: (drc->dev)" when memory hotplug and hotunplug was done continuously.
Steps to re-produce:
1. git clone (today's i.e 19th Sept)
2. Bring up ppc64le guest with memory hotplug capabilities ( I used libvirt xml to do this).
3. And do continuous memory hotplug and unplug using the following memory xml (mem_hp_8g.xml)
<memory model='dimm'>
<target>
<size unit='KiB'>8388608</size>
<node>1</node>
</target>
</memory>
4. Run the following
for i in `seq 1 100`; do virsh attach-device nrs mem_hp_8g.xml --live; virsh detach-device nrs mem_hp_8g.xml --live; done
5. Guest will crash
6. Following is from qemu log
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin QEMU_AUDIO_DRV=none /usr/local/bin/qemu-system-ppc64 -name guest=nrs,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-19-nrs/master-key.aes -machine pseries-2.10,accel=kvm,usb=off,dump-guest-core=off -m size=8388608k,slots=256,maxmem=419430400k -realtime mlock=off -smp 4,sockets=4,cores=1,threads=1 -numa node,nodeid=0,cpus=0-1,mem=4096 -numa node,nodeid=1,cpus=2-3,mem=4096 -uuid d7987973-2467-43ff-b8d2-acefc6ac59e5 -display none -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-19-nrs/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device qemu-xhci,id=usb,bus=pci.0,addr=0x3 -device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2 -drive file=/home/nasastry/pegas-1.0-ppc64le.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0 -device scsi-hd,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,id=scsi0-0-0-0,bootindex=1 -netdev tap,fd=28,id=hostnet0,vhost=on,vhostfd=30 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:89:8a:8b,bus=pci.0,addr=0x1 -chardev pty,id=charserial0 -device spapr-vty,chardev=charserial0,reg=0x30000000 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x4 -s -msg timestamp=on
2017-09-19 06:59:07.878+0000: Domain id=19 is tainted: custom-argv
2017-09-19T06:59:07.918273Z qemu-system-ppc64: -chardev pty,id=charserial0: char device redirected to /dev/pts/5 (label charserial0)
**
ERROR:/home/nasastry/qemu/hw/ppc/spapr_drc.c:417:spapr_drc_detach: assertion failed: (drc->dev)
2017-09-19 06:59:51.428+0000: shutting down, reason=crashed
(gdb) bt libglib- 2.0.so. 0 message_ expr () at /lib64/ libglib- 2.0.so. 0 qemu/hw/ ppc/spapr_ drc.c:417 unplug_ request (hotplug_ dev=0x2faa60b0, dev=0x2fb8fb10, errp=0x3fffe92b fa90) at /home/nasastry/ qemu/hw/ ppc/spapr. c:3084 device_ unplug_ request (hotplug_ dev=0x2faa60b0, dev=0x2fb8fb10, errp=0x3fffe92b fa90) qemu/hw/ ppc/spapr. c:3354 handler_ unplug_ request (plug_handler= 0x2faa60b0, plugged_ dev=0x2fb8fb10, errp=0x3fffe92b fa90) at hw/core/ hotplug. c:45 fa90) at qdev-monitor.c:878 fa90) at qdev-monitor.c:888 device_ del (args=0x30658db0, ret=0x3fffe92bfb50, errp=0x3fffe92b fb48) at qmp-marshal.c:1462 fbc0) at qapi/qmp- dispatch. c:104 dispatch. c:131 qemu/monitor. c:3852 process_ token (lexer=0x2fae1e88, input=0x2faa2420, type=JSON_RCURLY, x=70, y=374) at qobject/ json-streamer. c:105 feed_char (lexer=0x2fae1e88, ch=125 '}', flush=false) at qobject/ json-lexer. c:323 0x3fffe92bff88 "}", size=1) at qobject/ json-lexer. c:373 parser_ feed (parser=0x2fae1e80, buffer= 0x3fffe92bff88 "}", size=1) at qobject/ json-streamer. c:124 qemu/monitor. c:3894 be_write_ impl (s=0x2fab36b0, buf=0x3fffe92bff88 "}", len=1) at chardev/char.c:167 char-socket. c:441 fd_source_ dispatch (source=0x2fab4770, callback=0x1079a760 <tcp_chr_read>, user_data= 0x2fab36b0) at io/channel- watch.c: 84 context_ dispatch () at /lib64/ libglib- 2.0.so. 0 loop.c: 213 main_loop_ wait (timeout=-1) at util/main- loop.c: 261 loop.c: 515 1988, envp=0x3fff...
#0 0x00003fffb24beff0 in raise () at /lib64/libc.so.6
#1 0x00003fffb24c136c in abort () at /lib64/libc.so.6
#2 0x00003fffb2bcaa04 in g_assertion_message () at /lib64/
#3 0x00003fffb2bcab0c in g_assertion_
#4 0x00000000101b85a0 in spapr_drc_detach (drc=0x2fc31220) at /home/nasastry/
#5 0x00000000101972e0 in spapr_memory_
#6 0x000000001019856c in spapr_machine_
at /home/nasastry/
#7 0x00000000104461a8 in hotplug_
#8 0x000000001036e15c in qdev_unplug (dev=0x2fb8fb10, errp=0x3fffe92b
#9 0x000000001036e1e4 in qmp_device_del (id=0x2fab2880 "dimm0", errp=0x3fffe92b
#10 0x000000001038975c in qmp_marshal_
#11 0x000000001081fd98 in do_qmp_dispatch (cmds=0x10c0e078 <qmp_commands>, request=0x3093ebf0, errp=0x3fffe92b
#12 0x000000001081ff84 in qmp_dispatch (cmds=0x10c0e078 <qmp_commands>, request=0x3093ebf0) at qapi/qmp-
#13 0x00000000100983dc in handle_qmp_command (parser=0x2fae1e80, tokens=0x2faa44e0) at /home/nasastry/
#14 0x000000001082aef0 in json_message_
#15 0x000000001086d5d0 in json_lexer_
#16 0x000000001086d7c4 in json_lexer_feed (lexer=0x2fae1e88, buffer=
#17 0x000000001082b004 in json_message_
#18 0x000000001009863c in monitor_qmp_read (opaque=0x2fae1df0, buf=0x3fffe92bff88 "}", size=1) at /home/nasastry/
#19 0x000000001078e3c8 in qemu_chr_
#20 0x000000001078e484 in qemu_chr_be_write (s=0x2fab36b0, buf=0x3fffe92bff88 "}", len=1) at chardev/char.c:179
#21 0x000000001079a910 in tcp_chr_read (chan=0x2fbfbbc0, cond=G_IO_IN, opaque=0x2fab36b0) at chardev/
#22 0x00000000107be3d4 in qio_channel_
#23 0x00003fffb2b93ab0 in g_main_
#24 0x0000000010837e9c in glib_pollfds_poll () at util/main-
#25 0x0000000010838064 in os_host_
#26 0x000000001083818c in main_loop_wait (nonblocking=0) at util/main-
#27 0x00000000103771c4 in main_loop () at vl.c:1999
#28 0x0000000010381828 in main (argc=54, argv=0x3fffe92c