QEMU

qemu 2.12.0 crash during install windows 10 with vga

Bug #1785197 reported by changlimin on 2018-08-03

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Fix Released	Undecided	Unassigned

Bug Description

Same issue as https://www.qubes-os.org/doc/windows-vm/ , it's not easy to reproduced.
cpu_physical_memory_snapshot_get_dirty: Assertion `start + length <= snap->end’ failed

Qemu version is 2.12.0.
(gdb) bt
#0 0x00007f504ed6fc37 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f504ed73028 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f504ed68bf6 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f504ed68ca2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00005585bbdc9641 in cpu_physical_memory_snapshot_get_dirty (snap=snap@entry=0x5585bfdc2ff0, start=<optimized out>, length=<optimized out>)
at /qemu-2.12/exec.c:1264
#5 0x00005585bbe2b4de in memory_region_snapshot_get_dirty (mr=mr@entry=0x5585c06e3d10, snap=snap@entry=0x5585bfdc2ff0, addr=<optimized out>,
size=<optimized out>) at /qemu-2.12/memory.c:1997
#6 0x00005585bbe552a4 in vga_draw_graphic (full_update=0, s=0x5585c06e3d00) at /qemu-2.12/hw/display/vga.c:1671
#7 vga_update_display (opaque=0x5585c06e3d00) at /qemu-2.12/hw/display/vga.c:1767
#8 0x00005585bc0d9a8f in qemu_spice_display_refresh (ssd=0x5585c06e3930) at /qemu-2.12/ui/spice-display.c:478
#9 0x00005585bc0ced72 in dpy_refresh (s=0x5585c081b2a0) at /qemu-2.12/ui/console.c:1629
#10 gui_update (opaque=0x5585c081b2a0) at /qemu-2.12/ui/console.c:203
#11 0x00005585bc1d333c in timerlist_run_timers (timer_list=0x5585bee1f950) at /qemu-2.12/util/qemu-timer.c:536
#12 0x00005585bc1d35a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
#13 qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
#14 0x00005585bc1d3aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
#15 0x00005585bbdc2f8a in main_loop () at /qemu-2.12/vl.c:1973
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804

(gdb) frame 5
(gdb) p/x *snap
$1 = {start = 0x1000c0000, end = 0x1000c0000, dirty = 0x5585bfdc3000}

Here the snap->start is identical to snap->end , I think something is wrong.
In function vga_draw_graphic, the snap is allocated from region_start/region_end.
        snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
                                                      region_end - region_start,
                                                      DIRTY_MEMORY_VGA);
Is that possible for region_start== region_end ?

Commandline:
/usr/bin/kvm -name guest=win10-2,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/run/lib/libvirt/qemu/domain-51-win10-2/master-key.aes -machine pc-i440fx-2.12,accel=kvm,usb=off,system=windows,dump-guest-core=off -cpu qemu64,hv_time,hv_relaxed,hv_spinlocks=0x2000 -m size=4194304k,slots=10,maxmem=34359738368k -realtime mlock=off -smp 2,maxcpus=24,sockets=24,cores=1,threads=1 -numa node,nodeid=0,cpus=0-23,mem=4096 -uuid cb871760-e684-4926-8f0b-270f7ff35539 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/run/lib/libvirt/qemu/domain-51-win10-2/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -chardev socket,id=charmonitor_cas,path=/run/lib/libvirt/qemu/domain-51-win10-2/monitor.sock.cas,server,nowait -mon chardev=charmonitor_cas,id=monitor_cas,mode=control -rtc base=localtime,clock=vm,driftfix=slew -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device usb-ehci,id=usb1,bus=pci.0,addr=0x4 -device nec-usb-xhci,id=usb2,bus=pci.0,addr=0x5 -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x6 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x7 -device usb-hub,id=hub0,bus=usb.0,port=1 -drive file=/vms/images/win10-2,format=qcow2,if=none,id=drive-virtio-disk0,cache=directsync,aio=native -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x8,pci_hotpluggable=on,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/vms/isos/virtio-win10.vfd,format=raw,if=none,id=drive-fdc0-0-0,readonly=on,cache=directsync,aio=native -global isa-fdc.driveA=drive-fdc0-0-0 -global isa-fdc.bootindexA=4 -drive file=/vms/nfs/windows_msdn_iso/cn_windows_10_multi-edition_version_1709_updated_sept_2017_x64_dvd_100090804.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -netdev tap,fd=62,id=hostnet0,vhost=on,vhostfd=63 -device virtio-net-pci,pci_hotpluggable=on,netdev=hostnet0,id=net0,mac=0c:da:41:1d:11:5b,bus=pci.0,addr=0x3,bootindex=3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/win10-2.agent,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -device usb-tablet,id=input0,bus=usb.0,port=2 -vnc 0.0.0.0:0 -spice port=5901,tls-port=5902,addr=0.0.0.0,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=16777216,vram64_size_mb=0,vgamem_mb=16,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x9 -msg timestamp=on

Revision history for this message

changlimin (changlimin) wrote on 2018-08-04:

I have tried many times to reproduce the issue.

1. Add a breakpoint
(gdb) b memory_region_snapshot_and_clear_dirty if size==0
Breakpoint 1 at 0x55ef37b7d450: file /qemu-2.12/memory.c, line 1986.

2. Occasionally the breakpoint hited, size is 0
(gdb) c
Continuing.
Thread 1 "kvm" hit Breakpoint 1, memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x55ef3aff1b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
at /qemu-2.12/memory.c:1986
(gdb) bt
#0 memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x55ef3aff1b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
at /qemu-2.12/memory.c:1986
#1 0x000055ef37ba6d0f in vga_draw_graphic (full_update=0, s=0x55ef3aff1b30) at /qemu-2.12/hw/display/vga.c:1642
#2 vga_update_display (opaque=0x55ef3aff1b30) at /qemu-2.12/hw/display/vga.c:1767
#3 0x000055ef37e2ba8f in qemu_spice_display_refresh (ssd=0x55ef3aff1760) at /qemu-2.12/ui/spice-display.c:478
#4 0x000055ef37e20d72 in dpy_refresh (s=0x55ef3b1290b0) at /qemu-2.12/ui/console.c:1629
#5 gui_update (opaque=0x55ef3b1290b0) at /qemu-2.12/ui/console.c:203
#6 0x000055ef37f2533c in timerlist_run_timers (timer_list=0x55ef396fbc60) at /qemu-2.12/util/qemu-timer.c:536
#7 0x000055ef37f255a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
#8 qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
#9 0x000055ef37f25aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
#10 0x000055ef37b14f8a in main_loop () at /qemu-2.12/vl.c:1973
#11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804

3. Why the size is 0 ? Why region_start is identical to region_end ?
    region_end = region_start + (ram_addr_t)s->line_offset * height;
    region_end += width * s->get_bpp(s) / 8; /* scanline length */
    region_end -= s->line_offset;

(gdb) p s->line_offset
$4 = 0
(gdb) p width
$5 = 1024
(gdb) p/x s->vbe_regs
$10 = {0xb0c0, 0x400, 0x300, 0x20, 0x0, 0x0, 0x400, 0x1000, 0x0, 0x0}

Because s->vbe_regs[VBE_DISPI_INDEX_ENABLE] is 0, vbe_enabled is false, so vga_get_bpp return 0, and region_end += 0

4. Why s->vbe_regs[VBE_DISPI_INDEX_ENABLE] is 0 ?

I have tried many times to reproduce the issue.

1. Add a breakpoint
(gdb) b memory_region_snapshot_and_clear_dirty if size==0
Breakpoint 1 at 0x55ef37b7d450: file /qemu-2.12/memory.c, line 1986.

2. Occasionally the breakpoint hited, size is 0
(gdb) c
Continuing.
Thread 1 "kvm" hit Breakpoint 1, memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x55ef3aff1b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
    at /qemu-2.12/memory.c:1986
(gdb) bt
#0  memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x55ef3aff1b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
    at /qemu-2.12/memory.c:1986
#1  0x000055ef37ba6d0f in vga_draw_graphic (full_update=0, s=0x55ef3aff1b30) at /qemu-2.12/hw/display/vga.c:1642
#2  vga_update_display (opaque=0x55ef3aff1b30) at /qemu-2.12/hw/display/vga.c:1767
#3  0x000055ef37e2ba8f in qemu_spice_display_refresh (ssd=0x55ef3aff1760) at /qemu-2.12/ui/spice-display.c:478
#4  0x000055ef37e20d72 in dpy_refresh (s=0x55ef3b1290b0) at /qemu-2.12/ui/console.c:1629
#5  gui_update (opaque=0x55ef3b1290b0) at /qemu-2.12/ui/console.c:203
#6  0x000055ef37f2533c in timerlist_run_timers (timer_list=0x55ef396fbc60) at /qemu-2.12/util/qemu-timer.c:536
#7  0x000055ef37f255a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
#8  qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
#9  0x000055ef37f25aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
#10 0x000055ef37b14f8a in main_loop () at /qemu-2.12/vl.c:1973
#11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804

(gdb) p s->line_offset
$4 = 0
(gdb) p width
$5 = 1024
(gdb) p/x s->vbe_regs
$10 = {0xb0c0, 0x400, 0x300, 0x20, 0x0, 0x0, 0x400, 0x1000, 0x0, 0x0}

Because s->vbe_regs[VBE_DISPI_INDEX_ENABLE] is 0, vbe_enabled is false, so vga_get_bpp return 0, and region_end += 0

4. Why s->vbe_regs[VBE_DISPI_INDEX_ENABLE] is 0 ?

Revision history for this message

changlimin (changlimin) wrote on 2018-08-04:

Download full text (4.6 KiB)

1. Add breakpoint at vga.c:790 s->vbe_regs[VBE_DISPI_INDEX_ENABLE] = val;

(gdb) b vga.c:790
Breakpoint 2 at 0x56100ad10521: file /qemu-2.12/hw/display/vga.c, line 790.

(gdb) c
Continuing.

2. When breakpoint is hited , val is 0

Thread 5 "CPU 1/KVM" hit Breakpoint 2, vbe_ioport_write_data (opaque=0x56100e6e7b30, addr=<optimized out>, val=0) at /qemu-2.12/hw/display/vga.c:790

(gdb) bt
#0 vbe_ioport_write_data (opaque=0x56100e6e7b30, addr=<optimized out>, val=0) at /qemu-2.12/hw/display/vga.c:790
#1 0x000056100ace521b in memory_region_write_accessor (mr=0x56100e74e590, addr=1, value=<optimized out>, size=2, shift=<optimized out>, mask=<optimized out>, attrs=...)
    at /qemu-2.12/memory.c:530
#2 0x000056100ace266e in access_with_adjusted_size (addr=addr@entry=1, value=value@entry=0x7fb2aeffc9a8, size=size@entry=2, access_size_min=<optimized out>, access_size_max=<optimized out>,
    access_fn=0x56100ace51a0 <memory_region_write_accessor>, mr=0x56100e74e590, attrs=...) at /qemu-2.12/memory.c:597
#3 0x000056100ace72ca in memory_region_dispatch_write (mr=mr@entry=0x56100e74e590, addr=1, data=<optimized out>, size=size@entry=2, attrs=attrs@entry=...)
    at /qemu-2.12/memory.c:1487
#4 0x000056100ac85807 in flatview_write_continue (mr=0x56100e74e590, l=<optimized out>, addr1=<optimized out>, len=2, buf=0x7fb2bf3e2000 "", attrs=..., addr=463, fv=0x7fb2a458fea0)
    at /qemu-2.12/exec.c:3166
#5 flatview_write (fv=0x7fb2a458fea0, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /qemu-2.12/exec.c:3216
#6 0x000056100ac8a2af in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>)
    at /qemu-2.12/exec.c:3332
#7 0x000056100ac8a345 in address_space_rw (as=<optimized out>, addr=addr@entry=463, attrs=..., attrs@entry=..., buf=buf@entry=0x7fb2bf3e2000 "", len=len@entry=2, is_write=is_write@entry=true)
    at /qemu-2.12/exec.c:3343
#8 0x000056100acf66f2 in kvm_handle_io (count=1, size=2, direction=<optimized out>, data=<optimized out>, attrs=..., port=463)
    at /qemu-2.12/accel/kvm/kvm-all.c:1730
#9 kvm_cpu_exec (cpu=cpu@entry=0x56100cecc810) at /qemu-2.12/accel/kvm/kvm-all.c:1970
#10 0x000056100acd0ab6 in qemu_kvm_cpu_thread_fn (arg=0x56100cecc810) at /qemu-2.12/cpus.c:1229
#11 0x00007fb2bc1dc184 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#12 0x00007fb2bbf09bed in clone () from /lib/x86_64-linux-gnu/libc.so.6

(gdb) c
Continuing.

3. size is 0, region_start is identical to region_end

Thread 1 "kvm" hit Breakpoint 1, memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x56100e6e7b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
at /qemu-2.12/memory.c:1986

(gdb) c
Continuing.

4. Abort

Thread 1 "kvm" received signal SIGABRT, Aborted.
0x00007fb2bbe42c37 in raise () from /lib/x86_64-linux-gnu/libc.so.6

1. Add breakpoint at vga.c:790 s->vbe_regs[VBE_DISPI_INDEX_ENABLE] = val;

(gdb) b vga.c:790
Breakpoint 2 at 0x56100ad10521: file /qemu-2.12/hw/display/vga.c, line 790.

(gdb) c
Continuing.

2. When breakpoint is hited , val is 0

Thread 5 "CPU 1/KVM" hit Breakpoint 2, vbe_ioport_write_data (opaque=0x56100e6e7b30, addr=<optimized out>, val=0) at /qemu-2.12/hw/display/vga.c:790

(gdb) bt
#0  vbe_ioport_write_data (opaque=0x56100e6e7b30, addr=<optimized out>, val=0) at /qemu-2.12/hw/display/vga.c:790
#1  0x000056100ace521b in memory_region_write_accessor (mr=0x56100e74e590, addr=1, value=<optimized out>, size=2, shift=<optimized out>, mask=<optimized out>, attrs=...)
    at /qemu-2.12/memory.c:530
#2  0x000056100ace266e in access_with_adjusted_size (addr=addr@entry=1, value=value@entry=0x7fb2aeffc9a8, size=size@entry=2, access_size_min=<optimized out>, access_size_max=<optimized out>,
    access_fn=0x56100ace51a0 <memory_region_write_accessor>, mr=0x56100e74e590, attrs=...) at /qemu-2.12/memory.c:597
#3  0x000056100ace72ca in memory_region_dispatch_write (mr=mr@entry=0x56100e74e590, addr=1, data=<optimized out>, size=size@entry=2, attrs=attrs@entry=...)
    at /qemu-2.12/memory.c:1487
#4  0x000056100ac85807 in flatview_write_continue (mr=0x56100e74e590, l=<optimized out>, addr1=<optimized out>, len=2, buf=0x7fb2bf3e2000 "", attrs=..., addr=463, fv=0x7fb2a458fea0)
    at /qemu-2.12/exec.c:3166
#5  flatview_write (fv=0x7fb2a458fea0, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /qemu-2.12/exec.c:3216
#6  0x000056100ac8a2af in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>)
    at /qemu-2.12/exec.c:3332
#7  0x000056100ac8a345 in address_space_rw (as=<optimized out>, addr=addr@entry=463, attrs=..., attrs@entry=..., buf=buf@entry=0x7fb2bf3e2000 "", len=len@entry=2, is_write=is_write@entry=true)
    at /qemu-2.12/exec.c:3343
#8  0x000056100acf66f2 in kvm_handle_io (count=1, size=2, direction=<optimized out>, data=<optimized out>, attrs=..., port=463)
    at /qemu-2.12/accel/kvm/kvm-all.c:1730
#9  kvm_cpu_exec (cpu=cpu@entry=0x56100cecc810) at /qemu-2.12/accel/kvm/kvm-all.c:1970
#10 0x000056100acd0ab6 in qemu_kvm_cpu_thread_fn (arg=0x56100cecc810) at /qemu-2.12/cpus.c:1229
#11 0x00007fb2bc1dc184 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#12 0x00007fb2bbf09bed in clone () from /lib/x86_64-linux-gnu/libc.so.6

(gdb) c
Continuing.

3. size is 0, region_start is identical to region_end

Thread 1 "kvm" hit Breakpoint 1, memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x56100e6e7b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
    at /qemu-2.12/memory.c:1986

(gdb) c
Continuing.

4. Abort

Thread 1 "kvm" received signal SIGABRT, Aborted.
0x00007fb2bbe42c37 in raise () from /lib/x86_64-linux-gnu/libc.so.6

(gdb) bt
#0  0x00007fb2bbe42c37 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fb2bbe46028 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007fb2bbe3bbf6 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007fb2bbe3bca2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x000056100ac86641 in cpu_physical_memory_snapshot_get_dirty (snap=snap@entry=0x56100d6b0de0, start=<optimized out>, length=<optimized out>)
    at /qemu-2.12/exec.c:1264
#5  0x000056100ace84de in memory_region_snapshot_get_dirty (mr=mr@entry=0x56100e6e7b40, snap=snap@entry=0x56100d6b0de0, addr=<optimized out>, size=<optimized out>)
    at /qemu-2.12/memory.c:1997
#6  0x000056100ad122a4 in vga_draw_graphic (full_update=0, s=0x56100e6e7b30) at /qemu-2.12/hw/display/vga.c:1671
#7  vga_update_display (opaque=0x56100e6e7b30) at /qemu-2.12/hw/display/vga.c:1767
#8  0x000056100af96a8f in qemu_spice_display_refresh (ssd=0x56100e6e7760) at /qemu-2.12/ui/spice-display.c:478
#9  0x000056100af8bd72 in dpy_refresh (s=0x56100e81f0b0) at /qemu-2.12/ui/console.c:1629
#10 gui_update (opaque=0x56100e81f0b0) at /qemu-2.12/ui/console.c:203
#11 0x000056100b09033c in timerlist_run_timers (timer_list=0x56100cdf1c60) at /qemu-2.12/util/qemu-timer.c:536
#12 0x000056100b0905a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
#13 qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
#14 0x000056100b090aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
#15 0x000056100ac7ff8a in main_loop () at /qemu-2.12/vl.c:1973
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804

5. When guest vga driver set the s->vbe_regs[VBE_DISPI_INDEX_ENABLE] to 0, then if the vga_draw_graphic be called , the qemu crash.

Revision history for this message

changlimin (changlimin) wrote on 2018-08-04:

This commit has fixed it.
https://git.qemu.org/?p=qemu.git;a=commit;h=a89fe6c3297

Changed in qemu:
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.