From: Anthony Liguori
Subject: Re: Another VNC crash, qemu-kvm-0.12.3
Date: Wed, 03 Mar 2010 08:23:23 -0600
Message-ID: <4B8E70DB.4080108@codemonkey.ws>
In-Reply-To: <20100301181416.GB15908@arachsys.com>
References: <20100221172358.GH4894@arachsys.com> <4B82462A.7050903@redhat.com> <4B82F8ED.6000303@codemonkey.ws> <20100301181416.GB15908@arachsys.com>
To: Chris Webb
Cc: qemu-devel@nongnu.org, kvm@vger.kernel.org

On 03/01/2010 12:14 PM, Chris Webb wrote:
> We've just seen another VNC-related qemu-kvm crash, this time an arithmetic
> exception at vnc.c:1424 in the newly released qemu-kvm 0.12.3.
>
> [...]
> 1423         if (vs->absolute) {
> 1424             kbd_mouse_event(x * 0x7FFF / (ds_get_width(vs->ds) - 1),
> 1425                             y * 0x7FFF / (ds_get_height(vs->ds) - 1),
> 1426                             dz, buttons);
> 1427         } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
> 1428             x -= 0x7FFF;
> [...]
>
> and sure enough:
>
> (gdb) p vs->ds->surface->width
> $1 = 9
> (gdb) p vs->ds->surface->height
> $2 = 1
>
> What a 9x1 display surface is doing on this guest is a mystery to me, but you
> definitely can't divide by one less than its height!

Can you reproduce this reliably?  If so, what's the procedure?

BTW, I'd suggest filing this at http://bugs.launchpad.net/qemu

Regards,

Anthony Liguori

> (gdb) p *vs
> $3 = {csock = 19, ds = 0x1c60fa0, dirty = {{4294967295, 4294967295, 4294967295, 4294967295,
>       4294967295}}, vd = 0x26a0110, need_update = 1, force_update = 0, features = 67,
>   absolute = 1, last_x = -1, last_y = -1, vnc_encoding = 5, tight_quality = 9 '\t', tight_compression = 9 '\t',
>   major = 3, minor = 8, challenge = "¹{\177\226\200kÕjéPñÄA¤o)", output = {capacity = 925115, offset = 0,
>     buffer = 0x28ba4b0 ""}, input = {capacity = 5120, offset = 6, buffer = 0x28b90a0 "\005"},
>   write_pixels = 0x4bb9e0, send_hextile_tile = 0x4bcdf0,
>   clientds = {flags = 0 '\0', width = 800, height = 600, linesize = 3200, data = 0x7fcd00ab6010 "", pf = {
>       bits_per_pixel = 32 ' ', bytes_per_pixel = 4 '\004', depth = 24 '\030', rmask = 0, gmask = 0, bmask = 0,
>       amask = 0, rshift = 16 '\020', gshift = 8 '\b', bshift = 0 '\0', ashift = 24 '\030', rmax = 255 'ÿ',
>       gmax = 255 'ÿ', bmax = 255 'ÿ', amax = 255 'ÿ', rbits = 8 '\b', gbits = 8 '\b', bbits = 8 '\b',
>       abits = 8 '\b'}}, audio_cap = 0x0, as = {freq = 44100, nchannels = 2, fmt = AUD_FMT_S16, endianness = 0},
>   read_handler = 0x4beac0, read_handler_expect = 6, modifiers_state = '\0',
>   zlib = {capacity = 0, offset = 0, buffer = 0x0}, zlib_tmp = {capacity = 0, offset = 0, buffer = 0x0},
>   zlib_stream = {{next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0,
>       state = 0x0, zalloc = 0, zfree = 0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0,
>       avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0,
>       zfree = 0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0,
>       next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0, zfree = 0, opaque = 0x0,
>       data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0,
>       avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0, zfree = 0, opaque = 0x0, data_type = 0,
>       adler = 0, reserved = 0}}, next = 0x0}
>
> (gdb) p *vs->ds
> $4 = {surface = 0x1c81f40, opaque = 0x26a0110, gui_timer = 0x0, allocator = 0x8199d0, listeners = 0x1c95fa0,
>   mouse_set = 0, cursor_define = 0, next = 0x0}
>
> (gdb) p *vs->ds->surface
> $5 = {flags = 2 '\002', width = 9, height = 1, linesize = 36, data = 0x7fcd00ab6010 "", pf = {
>     bits_per_pixel = 32 ' ', bytes_per_pixel = 4 '\004', depth = 24 '\030', rmask = 16711680, gmask = 65280,
>     bmask = 255, amask = 0, rshift = 16 '\020', gshift = 8 '\b', bshift = 0 '\0', ashift = 24 '\030', rmax = 255 'ÿ',
>     gmax = 255 'ÿ', bmax = 255 'ÿ', amax = 255 'ÿ', rbits = 8 '\b', gbits = 8 '\b', bbits = 8 '\b', abits = 8 '\b'}}
>
> Cheers,
>
> Chris.
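A worked example added here (not qemu-kvm code, nor code from either poster): the per-axis scaling expression quoted above from vnc.c:1424, beside a guarded version, run against the 9x1 surface from the gdb session. The function names, ABS_CENTER and the choice of clamping the client coordinate are my own assumptions, not the fix that went upstream.

```c
/* Added example: VNC absolute-pointer scaling with and without a guard. */
#include <stdint.h>
#include <stdio.h>

#define ABS_MAX    0x7FFF   /* kbd_mouse_event() absolute range is 0..0x7FFF */
#define ABS_CENTER 0x4000   /* value used for a degenerate axis (assumption) */

/* The expression from the thread: v is the client's coordinate on one axis,
 * dim the display surface size on that axis.  With dim == 1 the divisor is
 * zero and the process takes SIGFPE, which is the reported crash. */
static int scale_abs_unguarded(int v, int dim)
{
    return v * ABS_MAX / (dim - 1);
}

/* Guarded version: a one-pixel (or empty) axis has no range to scale
 * across, so report the centre instead of dividing.  v arrives from the
 * network, so it is clamped into [0, dim-1] first; that keeps the result
 * inside 0..ABS_MAX and the 64-bit product cannot overflow. */
static int scale_abs_guarded(int v, int dim)
{
    if (dim <= 1)
        return ABS_CENTER;
    if (v < 0)
        v = 0;
    if (v > dim - 1)
        v = dim - 1;
    return (int)((int64_t)v * ABS_MAX / (dim - 1));
}

/* Both axes, as pointer_event() does for vs->absolute. */
static void scale_pointer(int x, int y, int width, int height,
                          int *abs_x, int *abs_y)
{
    *abs_x = scale_abs_guarded(x, width);
    *abs_y = scale_abs_guarded(y, height);
}

int main(void)
{
    int ax, ay;
    /* The surface from the gdb session: width = 9, height = 1. */
    scale_pointer(4, 0, 9, 1, &ax, &ay);
    printf("9x1 surface, pointer (4,0) -> (%d, %d)\n", ax, ay);
    /* A normal 800x600 surface, where the original expression is fine. */
    printf("800x600 surface, x = 799 -> %d\n", scale_abs_unguarded(799, 800));
    return 0;
}
```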