From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
To: qemu-devel <qemu-devel@nongnu.org>
Cc: Denis Lunev <den@virtuozzo.com>,
	"spice-devel@lists.freedesktop.org"
	<spice-devel@lists.freedesktop.org>,
	Gerd Hoffmann <kraxel@redhat.com>,
	"cfergeau@redhat.com" <cfergeau@redhat.com>,
	"fziglio@redhat.com" <fziglio@redhat.com>
Subject: qxl - spice crash, memslot_get_virt: address generation is not valid
Date: Fri, 8 Nov 2019 13:17:36 +0000
Message-ID: <c6cd8eba-dbb1-10fd-7f55-989de1503c03@virtuozzo.com>

Hi all!

Hope someone could help me with the following.

Seems we've faced the https://bugzilla.redhat.com/show_bug.cgi?id=1540919 Qemu bug. It was
(AFAIU) worked around in spice, in https://bugzilla.redhat.com/show_bug.cgi?id=1567944,
which is marked as fixed in spice-0.14.0-4.

Still, our crash is on spice-server-0.14.0-7, which is higher.
Qemu is based on rhev-2.12.0-33, and I don't see any related fixes in upstream.

The 1567944 discussion has fixes in attachments by Christophe and Frediano, but I can't find
anything in the Qemu mailing list archives. What is the problem with the patch?

===
backtrace

#0  0x00007fd1785f8337 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007fd1785f9a28 in __GI_abort () at abort.c:90
#2  0x00007fd179e3ecfc in spice_logv (log_domain=0x7fd179eafbf1 "Spice", args=0x7fd12561e460, format=0x7fd179eb6d30 "address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n",
     function=0x7fd179eb6f30 <__FUNCTION__.16041> "memslot_get_virt", strloc=0x7fd179eb6e26 "memslot.c:122", log_level=G_LOG_LEVEL_CRITICAL) at log.c:183
#3  spice_log (log_level=log_level@entry=G_LOG_LEVEL_CRITICAL, strloc=strloc@entry=0x7fd179eb6e26 "memslot.c:122", function=function@entry=0x7fd179eb6f30 <__FUNCTION__.16041> "memslot_get_virt",
     format=format@entry=0x7fd179eb6d30 "address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n") at log.c:196
#4  0x00007fd179e0579f in memslot_get_virt (info=info@entry=0x556f209c44f0, addr=addr@entry=844424930131968, add_size=add_size@entry=20, group_id=group_id@entry=1, error=error@entry=0x7fd12561e5d4)
     at memslot.c:121
#5  0x00007fd179e0e007 in red_get_data_chunks_ptr (slots=slots@entry=0x556f209c44f0, group_id=group_id@entry=1, memslot_id=0, red=red@entry=0x7fd12561e630, qxl=0x7fd128e04016) at red-parse-qxl.c:146
#6  0x00007fd179e106ae in red_get_cursor (addr=72057594044235776, red=0x556f209d8d48, group_id=1, slots=0x556f209c44f0) at red-parse-qxl.c:1441
#7  red_get_cursor_cmd (slots=slots@entry=0x556f209c44f0, group_id=1, red=red@entry=0x556f209d8d20, addr=<optimized out>) at red-parse-qxl.c:1482
#8  0x00007fd179e2138f in red_process_cursor_cmd (worker=worker@entry=0x556f209c4460, ext=ext@entry=0x556f22f58000) at red-worker.c:111
#9  0x00007fd179e2152b in loadvm_command (ext=0x556f22f58000, worker=0x556f209c4460) at red-worker.c:980
#10 handle_dev_loadvm_commands (opaque=0x556f209c4460, payload=<optimized out>) at red-worker.c:1002
#11 0x00007fd179ded65d in dispatcher_handle_single_read (dispatcher=0x556f21b6b8d0) at dispatcher.c:284
#12 dispatcher_handle_recv_read (dispatcher=0x556f21b6b8d0) at dispatcher.c:304
#13 0x00007fd179df3e6b in watch_func (source=<optimized out>, condition=<optimized out>, data=0x556f208dc090) at event-loop.c:128
#14 0x00007fd190742049 in g_main_dispatch (context=0x556f2095efd0) at gmain.c:3175
#15 g_main_context_dispatch (context=context@entry=0x556f2095efd0) at gmain.c:3828
#16 0x00007fd1907423a8 in g_main_context_iterate (context=0x556f2095efd0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3901
#17 0x00007fd19074267a in g_main_loop_run (loop=0x556f22aeea00) at gmain.c:4097
#18 0x00007fd179e225da in red_worker_main (arg=0x556f209c4460) at red-worker.c:1372
#19 0x00007fd178997e65 in start_thread (arg=0x7fd125621700) at pthread_create.c:307
#20 0x00007fd1786c088d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

(gdb) fr 2
#2  0x00007fd179e3ecfc in spice_logv (log_domain=0x7fd179eafbf1 "Spice", args=0x7fd12561e460, format=0x7fd179eb6d30 "address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n",
     function=0x7fd179eb6f30 <__FUNCTION__.16041> "memslot_get_virt", strloc=0x7fd179eb6e26 "memslot.c:122", log_level=G_LOG_LEVEL_CRITICAL) at log.c:183
183             abort();
(gdb) list
178         g_log(log_domain, log_level, "%s", log_msg->str);
179         g_string_free(log_msg, TRUE);
180
181         if ((abort_mask & log_level) != 0) {
182             spice_backtrace();
183             abort();
184         }
185     }
186
187     void spice_log(GLogLevelFlags log_level,
(gdb) fr 4
#4  0x00007fd179e0579f in memslot_get_virt (info=info@entry=0x556f209c44f0, addr=addr@entry=844424930131968, add_size=add_size@entry=20, group_id=group_id@entry=1, error=error@entry=0x7fd12561e5d4)
     at memslot.c:121
121             spice_critical("address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n",
(gdb) list
116         slot = &info->mem_slots[group_id][slot_id];
117
118         generation = memslot_get_generation(info, addr);
119         if (generation != slot->generation) {
120             print_memslots(info);
121             spice_critical("address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n",
122                   group_id, slot_id, generation, slot->generation);
123             *error = 1;
124             return 0;
125         }
(gdb) p group_id
$1 = 1
(gdb) p slot_id
$2 = 0
(gdb) p generation
$3 = 3
(gdb) p slot->generation
$4 = 0


-- 
Best regards,
Vladimir
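A small model of the generation check seen in the gdb listing above, added here as an illustration and not spice's own code. It assumes qxl's address layout of 8 slot-id bits above 8 generation bits (an assumption, not something the mail states), decodes the two addresses from the backtrace, and rejects a stale pointer by returning an error instead of aborting.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed address layout (matches qxl's 8 slot-id bits and 8 generation bits):
 * bits 63..56 = memslot id, bits 55..48 = slot generation, bits 47..0 = offset. */
#define ID_BITS   8
#define GEN_BITS  8
#define ID_SHIFT  (64 - ID_BITS)             /* 56 */
#define GEN_SHIFT (64 - ID_BITS - GEN_BITS)  /* 48 */
#define OFF_MASK  ((1ULL << GEN_SHIFT) - 1)

typedef struct {
    uint64_t virt_start, virt_end;  /* host range backing the slot */
    int      generation;            /* bumped every time the slot is re-added */
} MemSlot;

unsigned memslot_id_of(uint64_t addr)  { return (addr >> ID_SHIFT)  & ((1u << ID_BITS)  - 1); }
unsigned memslot_gen_of(uint64_t addr) { return (addr >> GEN_SHIFT) & ((1u << GEN_BITS) - 1); }

/* Validate a guest-supplied QXL address against the slot table. Returns the host
 * address (as an integer), or 0 with *error set, rather than aborting the worker. */
uint64_t memslot_get_virt_checked(const MemSlot *slots, unsigned nslots,
                                  uint64_t addr, uint64_t add_size, int *error)
{
    unsigned id = memslot_id_of(addr), gen = memslot_gen_of(addr);
    *error = 0;
    if (id >= nslots) { *error = 1; return 0; }                        /* unknown slot */
    if ((int)gen != slots[id].generation) { *error = 1; return 0; }    /* stale generation */
    uint64_t off = addr & OFF_MASK;
    uint64_t len = slots[id].virt_end - slots[id].virt_start;
    if (off > len || add_size > len - off) { *error = 1; return 0; }   /* outside the slot */
    return slots[id].virt_start + off;
}

int main(void)
{
    /* Constructed slot table: slot 0 sits at generation 0, as in the gdb session. */
    MemSlot slots[2] = { { 0x1000, 0x1000 + (1 << 20), 0 },
                         { 0x200000, 0x200000 + (1 << 20), 0 } };
    int err;
    uint64_t addr = 844424930131968ULL;   /* addr printed in frame #4 of the backtrace */
    uint64_t p = memslot_get_virt_checked(slots, 2, addr, 20, &err);
    printf("addr 0x%llx: slot %u gen %u -> %s (virt 0x%llx)\n", (unsigned long long)addr,
           memslot_id_of(addr), memslot_gen_of(addr), err ? "rejected" : "ok",
           (unsigned long long)p);
    return 0;
}
```

With the backtrace's values the check fails exactly as in frame #4: the address carries generation 3 while slot 0 is still at generation 0.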
