From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:42538)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1UcGmy-00008F-HJ
	for qemu-devel@nongnu.org; Tue, 14 May 2013 11:05:21 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1UcGmt-00042y-Rs
	for qemu-devel@nongnu.org; Tue, 14 May 2013 11:05:16 -0400
Received: from mail-qe0-f43.google.com ([209.85.128.43]:34944)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1UcGmt-00042s-OY
	for qemu-devel@nongnu.org; Tue, 14 May 2013 11:05:11 -0400
Received: by mail-qe0-f43.google.com with SMTP id i11so478058qej.2
	for <qemu-devel@nongnu.org>; Tue, 14 May 2013 08:05:11 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <51924A40.6090209@profihost.ag>
References: <518C8FD7.9080201@profihost.ag>
	<20130510074217.GB1500@stefanha-thinkpad.redhat.com>
	<518CB8E4.5090305@profihost.ag>
	<CAJSP0QVcmySJSwcXLLTPdiwFUYR-OLjTJan+V0M3QSn9AAV5iQ@mail.gmail.com>
	<51924A40.6090209@profihost.ag>
Date: Tue, 14 May 2013 17:05:10 +0200
Message-ID: <CAJSP0QVAUehdHYuuT3x3omesiSa+N7tTnZxHzict2T-aLJfKmA@mail.gmail.com>
From: Stefan Hajnoczi <stefanha@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [Qemu-devel] segfault in aio_bh_poll async.c:80 WAS: Re: kvm
 process disappears
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Stefan Priebe - Profihost AG <s.priebe@profihost.ag>
Cc: Paolo Bonzini <pbonzini@redhat.com>, qemu-devel <qemu-devel@nongnu.org>, "pve-devel@pve.proxmox.com" <pve-devel@pve.proxmox.com>, Michael Roth <mdroth@linux.vnet.ibm.com>

On Tue, May 14, 2013 at 4:29 PM, Stefan Priebe - Profihost AG
<s.priebe@profihost.ag> wrote:
> Am 10.05.2013 13:09, schrieb Stefan Hajnoczi:
>> On Fri, May 10, 2013 at 11:07 AM, Stefan Priebe - Profihost AG
>> <s.priebe@profihost.ag> wrote:
>>> Am 10.05.2013 09:42, schrieb Stefan Hajnoczi:
>>>> On Fri, May 10, 2013 at 08:12:39AM +0200, Stefan Priebe - Profihost AG wrote:
>>>> 3. Either use gdb or an LD_PRELOAD library that catches exit(3) and
>>>>    _exit(2) and dumps core using abort(3).  Make sure core dumps are
>>>>    enabled.
>
> This time i had a segfault Qemu 1.4.1 plus
> http://git.qemu.org/?p=qemu.git;a=commitdiff;h=dc7588c1eb3008bda53dde1d6b890cd299758155.
>
> aio_bh_poll    async.c:80
>
> Code...
>
>    for (bh = ctx->first_bh; bh; bh = next) {
>         next = bh->next;
>         if (!bh->deleted && bh->scheduled) {
>             bh->scheduled = 0;
>             if (!bh->idle)
>                 ret = 1;
>             bh->idle = 0;
>             bh->cb(bh->opaque);
>         }
>     }
>
>     ctx->walking_bh--;
>
>     /* remove deleted bhs */
>     if (!ctx->walking_bh) {
>         bhp = &ctx->first_bh;
>         while (*bhp) {
>             bh = *bhp;
> ===== THIS IS THE SEGFAULT LINE =====            if (bh->deleted) {
>                 *bhp = bh->next;
>                 g_free(bh);
>             } else {
>                 bhp = &bh->next;
>             }
>         }
>     }
>
>     return ret;

Interesting crash.  Do you have the output of "thread apply all bt"?

I would try looking at the AioContext using "p *ctx", and print out
the ctx->first_bh linked list.

Stefan