QEMU

qemu-io crashes with SIGABRT and Assertion `c->entries[i].offset != 0' failed

Bug #1728615 reported by R.Nageswara Sastry on 2017-10-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
This is on ppc64le architecture.

Re-production steps:

1. Copy the attached files named backing_img.file and test.img to a directory
2. And customize the following command to point to the above directory and run the same.
/usr/bin/qemu-io <path to>/test.img -c "write 1352192 1707520"

3.Output of the above command.
qemu-io: block/qcow2-cache.c:411: qcow2_cache_entry_mark_dirty: Assertion `c->entries[i].offset != 0' failed.
Aborted (core dumped)

from gdb:
(gdb) bt
#0 0x00003fff833eeff0 in raise () from /lib64/libc.so.6
#1 0x00003fff833f136c in abort () from /lib64/libc.so.6
#2 0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
#3 0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
#4 0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
#5 0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
#6 0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
    at block/qcow2-refcount.c:834
#7 0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
#8 0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
    at block/qcow2-cluster.c:1221
#9 0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
    at block/qcow2-cluster.c:1324
#10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
    at block/qcow2-cluster.c:1511
#11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
#12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
#13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
    at block/io.c:1440
#14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
#15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
#16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
#17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
#18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
#19 0x0000000000000000 in ?? ()
(gdb) bt full
#0 0x00003fff833eeff0 in raise () from /lib64/libc.so.6
No symbol table info available.
#1 0x00003fff833f136c in abort () from /lib64/libc.so.6
No symbol table info available.
#2 0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
No symbol table info available.
#3 0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
No symbol table info available.
#4 0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
        i = 0
        __PRETTY_FUNCTION__ = "qcow2_cache_entry_mark_dirty"
#5 0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
        s = 0x2e893210
        refcount_table_index = 0
        ret = 0
        new_block = 0
        blocks_used = 72057594818669408
        meta_offset = 1572863
#6 0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
    at block/qcow2-refcount.c:834
        block_index = 268870408
        refcount = 780741808
        cluster_index = 2
        table_index = 0
        s = 0x2e893210
        start = 1048576
        last = 1048576
        cluster_offset = 1048576
        refcount_block = 0x3fff81200000
        old_table_index = -1
        ret = 16383
#7 0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
        s = 0x2e893210
        cluster_index = 3
        refcount = 0
        i = 1
        ret = 0
        __PRETTY_FUNCTION__ = "qcow2_alloc_clusters_at"
#8 0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
    at block/qcow2-cluster.c:1221
        ret = 780743184
        s = 0x2e893210
#9 0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
    at block/qcow2-cluster.c:1324
        s = 0x2e893210
        l2_index = 4
        l2_table = 0x0
        entry = 0
        nb_clusters = 1
        ret = 0
---Type <return> to continue, or q <return> to quit---
        keep_old_clusters = false
        alloc_cluster_offset = 1048576
        __PRETTY_FUNCTION__ = "handle_alloc"
        requested_bytes = 17960562528
        avail_bytes = -2133853344
        nb_bytes = 16383
        old_m = 0x100000000
#10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
    at block/qcow2-cluster.c:1511
        s = 0x2e893210
        start = 2097152
        remaining = 962560
        cluster_offset = 1048576
        cur_bytes = 962560
        ret = 0
        __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
#11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
        s = 0x2e893210
        offset_in_cluster = 0
        ret = 0
        cur_bytes = 1486848
        cluster_offset = 524288
        hd_qiov = {iov = 0x2e858660, niov = 1, nalloc = 1, size = 220672}
        bytes_done = 220672
        cluster_data = 0x0
        l2meta = 0x0
        __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
#12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
        drv = 0x102036f0 <bdrv_qcow2>
        sector_num = 780706080
        nb_sectors = 3069122264
        ret = -203160320
        __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
#13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
    at block/io.c:1440
        bs = 0x2e886f60
        drv = 0x102036f0 <bdrv_qcow2>
        waited = false
        ret = 0
        end_sector = 5976
        bytes_remaining = 1707520
        max_transfer = 2147483647
        __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
#14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
        bs = 0x2e886f60
        req = {bs = 0x2e886f60, offset = 1352192, bytes = 1707520, type = BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 1352192,
          overlap_bytes = 1707520, list = {le_next = 0x0, le_prev = 0x2e88a1d8}, co = 0x2e895a90, wait_queue = {entries = {sqh_first = 0x0,
              sqh_last = 0x3fff80cffe20}}, waiting_for = 0x0}
        align = 1
        head_buf = 0x0
---Type <return> to continue, or q <return> to quit---
        tail_buf = 0x0
        local_qiov = {iov = 0x3fff80cffdb0, niov = -2133852688, nalloc = 16383, size = 1352192}
        use_local_qiov = false
        ret = 0
        __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
#15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
        ret = 0
        bs = 0x2e886f60
#16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
        rwco = 0x3fffc85f0c08
#17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
        arg = {p = 0x2e895a90, i = {780753552, 0}}
        self = 0x2e895a90
        co = 0x2e895a90
#18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
No symbol table info available.
#19 0x0000000000000000 in ?? ()
No symbol table info available.

Will attach the 'image_fuzzer' images.

Revision history for this message

R.Nageswara Sastry (nasastry) wrote on 2017-10-30:

images tar file Edit (6.3 MiB, application/x-tar)

Revision history for this message

Alberto Garcia (berto) wrote on 2017-11-01: Re: [Qemu-devel] [Bug 1728615] [NEW] qemu-io crashes with SIGABRT and Assertion `c->entries[i].offset != 0' failed

Download full text (9.1 KiB)

On Wed 01 Nov 2017 07:13:08 AM CET, Thomas Huth wrote:
> On 30.10.2017 15:43, R.Nageswara Sastry wrote:
>> Public bug reported:
>> 
>> git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
>> This is on ppc64le architecture.
>> 
>> Re-production steps:
>> 
>> 1. Copy the attached files named backing_img.file and test.img to a directory
>> 2. And customize the following command to point to the above directory and run the same.
>> /usr/bin/qemu-io <path to>/test.img -c "write 1352192 1707520"
>> 
>> 3.Output of the above command.
>> qemu-io: block/qcow2-cache.c:411: qcow2_cache_entry_mark_dirty: Assertion `c->entries[i].offset != 0' failed.
>> Aborted (core dumped)
>> 
>> from gdb:
>> (gdb) bt
>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
>>     at block/qcow2-refcount.c:834
>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
>>     at block/qcow2-cluster.c:1221
>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
>>     at block/qcow2-cluster.c:1324
>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
>>     at block/qcow2-cluster.c:1511
>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
>>     at block/io.c:1440
>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
>> #19 0x0000000000000000 in ?? ()
>> (gdb) bt full
>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
>> No symbol table info available.
>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
>> No symbol table info available.
>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
>> No symbol table info available.
>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
>> No symbol table info available.
>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
>>         i = 0
>>         __PRETTY_FUNCTION__ = "qcow2_cache_entry_mark_dirty"
>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
>>         s = 0x2e893210
>>         refcount_table_index = 0
>>         ret = 0
>>         new_block = 0
>>         blocks_used = 72057594818669408
>>         meta_offset = 1572863
>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
>>     at block/qcow2-refcount.c:834
>>         block_index = 268870408
>>         refcount = 780741808
>>         cluster_index = 2
>>         table_index = 0
>>         s = 0x2e893210
>>         start = 1048576
>>         last = 1048576
>>         cluster_offset = 1048576
>>         refcount_block = 0x3fff81200000
>>         old_table_index = -1
>>         ret = 16383
>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
>>         s = 0x2e893210
>>         cluster_index = 3
>>         refcount = 0
>>         i = 1
>>         ret = 0
>>         __PRETTY_FUNCTION__ = "qcow2_alloc_clusters_at"
>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
>>     at block/qcow2-cluster.c:1221
>>         ret = 780743184
>>         s = 0x2e893210
>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
>>     at block/qcow2-cluster.c:1324
>>         s = 0x2e893210
>>         l2_index = 4
>>         l2_table = 0x0
>>         entry = 0
>>         nb_clusters = 1
>>         ret = 0
>> ---Type <return> to continue, or q <return> to quit---
>>         keep_old_clusters = false
>>         alloc_cluster_offset = 1048576
>>         __PRETTY_FUNCTION__ = "handle_alloc"
>>         requested_bytes = 17960562528
>>         avail_bytes = -2133853344
>>         nb_bytes = 16383
>>         old_m = 0x100000000
>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
>>     at block/qcow2-cluster.c:1511
>>         s = 0x2e893210
>>         start = 2097152
>>         remaining = 962560
>>         cluster_offset = 1048576
>>         cur_bytes = 962560
>>         ret = 0
>>         __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
>>         s = 0x2e893210
>>         offset_in_cluster = 0
>>         ret = 0
>>         cur_bytes = 1486848
>>         cluster_offset = 524288
>>         hd_qiov = {iov = 0x2e858660, niov = 1, nalloc = 1, size = 220672}
>>         bytes_done = 220672
>>         cluster_data = 0x0
>>         l2meta = 0x0
>>         __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
>>         drv = 0x102036f0 <bdrv_qcow2>
>>         sector_num = 780706080
>>         nb_sectors = 3069122264
>>         ret = -203160320
>>         __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
>>     at block/io.c:1440
>>         bs = 0x2e886f60
>>         drv = 0x102036f0 <bdrv_qcow2>
>>         waited = false
>>         ret = 0
>>         end_sector = 5976
>>         bytes_remaining = 1707520
>>         max_transfer = 2147483647
>>         __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
>>         bs = 0x2e886f60
>>         req = {bs = 0x2e886f60, offset = 1352192, bytes = 1707520, type = BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 1352192,
>>           overlap_bytes = 1707520, list = {le_next = 0x0, le_prev = 0x2e88a1d8}, co = 0x2e895a90, wait_queue = {entries = {sqh_first = 0x0,
>>               sqh_last = 0x3fff80cffe20}}, waiting_for = 0x0}
>>         align = 1
>>         head_buf = 0x0
>> ---Type <return> to continue, or q <return> to quit---
>>         tail_buf = 0x0
>>         local_qiov = {iov = 0x3fff80cffdb0, niov = -2133852688, nalloc = 16383, size = 1352192}
>>         use_local_qiov = false
>>         ret = 0
>>         __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
>>         ret = 0
>>         bs = 0x2e886f60
>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
>>         rwco = 0x3fffc85f0c08
>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
>>         arg = {p = 0x2e895a90, i = {780753552, 0}}
>>         self = 0x2e895a90
>>         co = 0x2e895a90
>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
>> No symbol table info available.
>> #19 0x0000000000000000 in ?? ()
>> No symbol table info available.
>
> Can you also reproduce this on x86, or is it specific to ppc64?

I can actually reproduce it myself, I'll take a look.

Berto

Revision history for this message

Alberto Garcia (berto) wrote on 2017-11-01:

Download full text (9.3 KiB)

On Wed 01 Nov 2017 09:55:21 AM CET, Alberto Garcia wrote:
> On Wed 01 Nov 2017 07:13:08 AM CET, Thomas Huth wrote:
>> On 30.10.2017 15:43, R.Nageswara Sastry wrote:
>>> Public bug reported:
>>> 
>>> git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
>>> This is on ppc64le architecture.
>>> 
>>> Re-production steps:
>>> 
>>> 1. Copy the attached files named backing_img.file and test.img to a directory
>>> 2. And customize the following command to point to the above directory and run the same.
>>> /usr/bin/qemu-io <path to>/test.img -c "write 1352192 1707520"
>>> 
>>> 3.Output of the above command.
>>> qemu-io: block/qcow2-cache.c:411: qcow2_cache_entry_mark_dirty: Assertion `c->entries[i].offset != 0' failed.
>>> Aborted (core dumped)
>>> 
>>> from gdb:
>>> (gdb) bt
>>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
>>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
>>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
>>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
>>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
>>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
>>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
>>>     at block/qcow2-refcount.c:834
>>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
>>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
>>>     at block/qcow2-cluster.c:1221
>>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
>>>     at block/qcow2-cluster.c:1324
>>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
>>>     at block/qcow2-cluster.c:1511
>>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
>>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
>>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
>>>     at block/io.c:1440
>>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
>>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
>>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
>>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
>>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
>>> #19 0x0000000000000000 in ?? ()
>>> (gdb) bt full
>>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
>>>         i = 0
>>>         __PRETTY_FUNCTION__ = "qcow2_cache_entry_mark_dirty"
>>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
>>>         s = 0x2e893210
>>>         refcount_table_index = 0
>>>         ret = 0
>>>         new_block = 0
>>>         blocks_used = 72057594818669408
>>>         meta_offset = 1572863
>>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
>>>     at block/qcow2-refcount.c:834
>>>         block_index = 268870408
>>>         refcount = 780741808
>>>         cluster_index = 2
>>>         table_index = 0
>>>         s = 0x2e893210
>>>         start = 1048576
>>>         last = 1048576
>>>         cluster_offset = 1048576
>>>         refcount_block = 0x3fff81200000
>>>         old_table_index = -1
>>>         ret = 16383
>>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
>>>         s = 0x2e893210
>>>         cluster_index = 3
>>>         refcount = 0
>>>         i = 1
>>>         ret = 0
>>>         __PRETTY_FUNCTION__ = "qcow2_alloc_clusters_at"
>>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
>>>     at block/qcow2-cluster.c:1221
>>>         ret = 780743184
>>>         s = 0x2e893210
>>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
>>>     at block/qcow2-cluster.c:1324
>>>         s = 0x2e893210
>>>         l2_index = 4
>>>         l2_table = 0x0
>>>         entry = 0
>>>         nb_clusters = 1
>>>         ret = 0
>>> ---Type <return> to continue, or q <return> to quit---
>>>         keep_old_clusters = false
>>>         alloc_cluster_offset = 1048576
>>>         __PRETTY_FUNCTION__ = "handle_alloc"
>>>         requested_bytes = 17960562528
>>>         avail_bytes = -2133853344
>>>         nb_bytes = 16383
>>>         old_m = 0x100000000
>>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
>>>     at block/qcow2-cluster.c:1511
>>>         s = 0x2e893210
>>>         start = 2097152
>>>         remaining = 962560
>>>         cluster_offset = 1048576
>>>         cur_bytes = 962560
>>>         ret = 0
>>>         __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
>>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
>>>         s = 0x2e893210
>>>         offset_in_cluster = 0
>>>         ret = 0
>>>         cur_bytes = 1486848
>>>         cluster_offset = 524288
>>>         hd_qiov = {iov = 0x2e858660, niov = 1, nalloc = 1, size = 220672}
>>>         bytes_done = 220672
>>>         cluster_data = 0x0
>>>         l2meta = 0x0
>>>         __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
>>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
>>>         drv = 0x102036f0 <bdrv_qcow2>
>>>         sector_num = 780706080
>>>         nb_sectors = 3069122264
>>>         ret = -203160320
>>>         __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
>>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
>>>     at block/io.c:1440
>>>         bs = 0x2e886f60
>>>         drv = 0x102036f0 <bdrv_qcow2>
>>>         waited = false
>>>         ret = 0
>>>         end_sector = 5976
>>>         bytes_remaining = 1707520
>>>         max_transfer = 2147483647
>>>         __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
>>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
>>>         bs = 0x2e886f60
>>>         req = {bs = 0x2e886f60, offset = 1352192, bytes = 1707520, type = BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 1352192,
>>>           overlap_bytes = 1707520, list = {le_next = 0x0, le_prev = 0x2e88a1d8}, co = 0x2e895a90, wait_queue = {entries = {sqh_first = 0x0,
>>>               sqh_last = 0x3fff80cffe20}}, waiting_for = 0x0}
>>>         align = 1
>>>         head_buf = 0x0
>>> ---Type <return> to continue, or q <return> to quit---
>>>         tail_buf = 0x0
>>>         local_qiov = {iov = 0x3fff80cffdb0, niov = -2133852688, nalloc = 16383, size = 1352192}
>>>         use_local_qiov = false
>>>         ret = 0
>>>         __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
>>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
>>>         ret = 0
>>>         bs = 0x2e886f60
>>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
>>>         rwco = 0x3fffc85f0c08
>>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
>>>         arg = {p = 0x2e895a90, i = {780753552, 0}}
>>>         self = 0x2e895a90
>>>         co = 0x2e895a90
>>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #19 0x0000000000000000 in ?? ()
>>> No symbol table info available.
>>
>> Can you also reproduce this on x86, or is it specific to ppc64?

I'm working on a fix, I'll send the patch later today.

Berto

Revision history for this message

Alberto Garcia (berto) wrote on 2017-11-01:

The attached image is corrupted and QEMU doesn't handle it correctly.

Here are the fixes for this and other related problems:

https://lists.gnu.org/archive/html/qemu-block/2017-11/msg00010.html