[Qemu-devel] [Bug 938431] Re: Reproducible crash in slirp_remque (qemu 1
From: Jan Kiszka
Subject: [Qemu-devel] [Bug 938431] Re: Reproducible crash in slirp_remque (qemu 1.0.1)
Date: Thu, 15 Mar 2012 02:03:59 -0000
Please re-test over git head. There were related fixes merged recently.
--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/938431
Title:
Reproducible crash in slirp_remque (qemu 1.0.1)
Status in QEMU:
New
Bug description:
Heya
I've been testing some automated data conversion scripts with qemu
1.0.1. They work fine with qemu-kvm 0.15.1, but on qemu 1.0.1 (from
the website, built from source using gcc 4.6.1, i686 host), when the
script runs qemu I see qemu crash in slirp_remque a few seconds after
it's launched. This crash is consistent and reproducible.
The qemu guest is SCO OpenServer 5.0.5. I'm using it for some data
conversion from a legacy application. qemu is launched "-display none
-monitor stdio" and controlled from a Python script that then connects
to the VM over usermode port forwards to ftp data to/from the VM and
send commands over telnet.
qemu is launched fine with the following command:
/usr/local/qemu/bin/qemu-system-i386 -display none -vga cirrus -M pc
-no-acpi -no-hpet -monitor stdio -net
user,net=10.0.2.0/24,host=10.0.2.2,dns=10.0.2.3,hostfwd=tcp:127.0.0.1:2222-10.0.2.1:22,hostfwd=tcp:127.0.0.1:2323-10.0.2.1:23,hostfwd=tcp:127.0.0.1:2121-10.0.2.1:21,hostfwd=tcp:127.0.0.1:2020-10.0.2.1:20
-net nic,model=pcnet -drive
file=sco/sco.qcow2,format=qcow2,cache=unsafe,snapshot=on -drive
file=sco/booksys.qcow2,format=qcow2,cache=unsafe,snapshot=on -snapshot
> qemu-log
and images:
$ for f in *.qcow2; do qemu-img info $f; echo; done
image: booksys-blank-compressed.qcow2
file format: qcow2
virtual size: 4.0G (4294967296 bytes)
disk size: 696K
cluster_size: 65536
image: booksys.qcow2
file format: qcow2
virtual size: 4.0G (4294967296 bytes)
disk size: 140K
cluster_size: 65536
backing file: booksys-blank-compressed.qcow2 (actual path: booksys-blank-compressed.qcow2)
image: sco-base-compressed.qcow2
file format: qcow2
virtual size: 512M (536870912 bytes)
disk size: 142M
cluster_size: 65536
image: sco.qcow2
file format: qcow2
virtual size: 512M (536870912 bytes)
disk size: 140K
cluster_size: 65536
backing file: sco-base-compressed.qcow2 (actual path: sco-base-compressed.qcow2)
The VM guest begins booting fine, and nothing of interest appears in the
monitor log:
QEMU 1.0,1 monitor - type 'help' for more information
(qemu)
After a few seconds the controlling script begins trying to ftp into
the guest over the user-mode port forward on port 2121, and it's at
this point that qemu crashes with the following backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb63e46e0 (LWP 25453)]
0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
39 ((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link;
(gdb) bt
#0 0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
#1 0xb76854ad in if_start (slirp=0xb879beb0) at slirp/if.c:189
#2 0xb76853b3 in if_output (so=0xb8eb1380, ifm=0xb90eea60) at slirp/if.c:138
#3 0xb7686bb5 in ip_output (so=0xb8eb1380, m0=0xb90eea60)
at slirp/ip_output.c:84
#4 0xb768f59c in tcp_output (tp=0xb906fd48) at slirp/tcp_output.c:456
#5 0xb7691b9b in tcp_timers (tp=0xb906fd48, timer=0) at slirp/tcp_timer.c:242
#6 0xb76918d4 in tcp_slowtimo (slirp=0xb879beb0) at slirp/tcp_timer.c:88
#7 0xb768965a in slirp_select_poll (readfds=0xbf9e3dcc, writefds=0xbf9e3e4c,
xfds=0xbf9e3ecc, select_error=0) at slirp/slirp.c:433
#8 0xb763e2a0 in main_loop_wait (nonblocking=0) at main-loop.c:465
#9 0xb7633042 in main_loop () at /home/craig/build/qemu-1.0.1/vl.c:1481
#10 0xb76388a0 in main (argc=20, argv=0xbf9e42d4, envp=0xbf9e4328)
at /home/craig/build/qemu-1.0.1/vl.c:3485
(gdb) frame 0
#0 0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
39 ((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link;
A more detailed backtrace, as supplied by "thread apply all bt full",
follows at the end of this post.
In case it matters, stdout is redirected to a logfile and stdin is
attached to the Python script, which hasn't yet written anything to
the stdin pipe.
I'll happily post the script, but it isn't much good without the OS image
which is about 150MB and can't be legally redistributed. I'm happy to
test patches, though, or try anything that's suggested.
Host info and full backtrace follow:
$ gcc --version
gcc (Ubuntu/Linaro 4.6.1-9ubuntu3) 4.6.1
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 11.10
Release: 11.10
Codename: oneiric
$ uname -a
Linux wallace 3.0.0-14-generic-pae #23-Ubuntu SMP Mon Nov 21 22:07:10 UTC 2011 i686 i686 i386 GNU/Linux
(gdb) thread apply all bt full
Thread 5 (Thread 0xb31e1b70 (LWP 25631)):
#0 0xb74e4424 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7332e04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locals.
#2 0xb764f38a in cond_timedwait (cond=0xb7d2e1e0, mutex=0xb7d2e1c0,
ts=0xb31e135c) at posix-aio-compat.c:104
ret = 0
#3 0xb764fb6c in aio_thread (unused=0x0) at posix-aio-compat.c:334
aiocb = 0xb879dcc0
ret = 0
tv = {tv_sec = 1329889894, tv_usec = 299790}
ts = {tv_sec = 1329889904, tv_nsec = 0}
#4 0xb732ed31 in start_thread (arg=0xb31e1b70) at pthread_create.c:304
__res = <optimized out>
pd = 0xb31e1b70
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221328908, 0, 4001536, -1289874312, -1127561837, -449321061}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
robust = <optimized out>
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#5 0xb6d9f0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further
Thread 2 (Thread 0xb1ddab70 (LWP 25455)):
#0 0xb74e4424 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7335619 in __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/lowlevellock.S:142
No locals.
#2 0xb73387a0 in _L_cond_lock_704 () from /lib/i386-linux-gnu/libpthread.so.0
libgcc_s_getcfa = 0
libgcc_s_resume = 0
libgcc_s_forcedunwind = 0
libgcc_s_personality = 0
libgcc_s_handle = 0x0
#3 0xb7338521 in __pthread_mutex_cond_lock (mutex=0xb7f02c00) at ../nptl/pthread_mutex_lock.c:61
__PRETTY_FUNCTION__ = "__pthread_mutex_cond_lock"
type = 3085970432
id = 25455
#4 0xb7332b0e in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_wait.S:255
No locals.
#5 0xb766e54a in qemu_cond_wait (cond=0xb7d3eaa0, mutex=0xb7f02c00) at qemu-thread-posix.c:113
err = -1191216176
__func__ = "qemu_cond_wait"
#6 0xb76fc409 in qemu_tcg_wait_io_event () at /home/craig/build/qemu-1.0.1/cpus.c:699
env = 0x10000
#7 0xb76fc6cf in qemu_tcg_cpu_thread_fn (arg=0xb8ff7bd0) at /home/craig/build/qemu-1.0.1/cpus.c:778
env = 0x0
#8 0xb732ed31 in start_thread (arg=0xb1ddab70) at pthread_create.c:304
__res = <optimized out>
pd = 0xb1ddab70
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221328908, 0, 4001536, -1310874504, 1001047446, -449321061}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
robust = <optimized out>
pagesize_m1 = <optimized out>
sp = <optimized out>
freesize = <optimized out>
__PRETTY_FUNCTION__ = "start_thread"
#9 0xb6d9f0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further
Thread 1 (Thread 0xb63e46e0 (LWP 25453)):
#0 0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
element = 0xb90ee408
#1 0xb76854ad in if_start (slirp=0xb879beb0) at slirp/if.c:189
now = 182039052034397
requeued = 0
ifm = 0xb90ee408
ifqt = 0x0
#2 0xb76853b3 in if_output (so=0xb8eb1380, ifm=0xb90eea60) at slirp/if.c:138
slirp = 0xb879beb0
ifq = 0xb90ee408
on_fastq = 1
#3 0xb7686bb5 in ip_output (so=0xb8eb1380, m0=0xb90eea60) at slirp/ip_output.c:84
slirp = 0xb879beb0
ip = 0xb90eeacc
m = 0xb90eea60
hlen = 20
len = -1190204832
off = -1199980740
error = 0
#4 0xb768f59c in tcp_output (tp=0xb906fd48) at slirp/tcp_output.c:456
so = 0xb8eb1380
len = 0
win = 8760
off = 0
flags = 2
error = -1217987977
m = 0xb90eea60
ti = 0xb90eeacc
opt = "\002\004\005\264\001\000\000\000d<\236\277\200\302\221\267\362\260\003\000\000\000\000\000\027\307\002\000q\346\031\003"
optlen = 4
hdrlen = 44
idle = 0
sendalot = 0
#5 0xb7691b9b in tcp_timers (tp=0xb906fd48, timer=0) at slirp/tcp_timer.c:242
rexmt = 192
#6 0xb76918d4 in tcp_slowtimo (slirp=0xb879beb0) at slirp/tcp_timer.c:88
ip = 0xb8eb1380
ipnxt = 0xb879c8b0
tp = 0xb906fd48
i = 0
#7 0xb768965a in slirp_select_poll (readfds=0xbf9e3dcc, writefds=0xbf9e3e4c,
xfds=0xbf9e3ecc, select_error=0) at slirp/slirp.c:433
slirp = 0xb879beb0
so = 0x0
so_next = 0x0
ret = -1080148532
#8 0xb763e2a0 in main_loop_wait (nonblocking=0) at main-loop.c:465
rfds = {fds_bits = {8, 0 <repeats 31 times>}}
wfds = {fds_bits = {0 <repeats 32 times>}}
xfds = {fds_bits = {0 <repeats 32 times>}}
ret = 1
nfds = 18
tv = {tv_sec = 0, tv_usec = 990389}
timeout = 1000
#9 0xb7633042 in main_loop () at /home/craig/build/qemu-1.0.1/vl.c:1481
nonblocking = false
last_io = 0
#10 0xb76388a0 in main (argc=20, argv=0xbf9e42d4, envp=0xbf9e4328) at /home/craig/build/qemu-1.0.1/vl.c:3485
gdbstub_dev = 0x0
i = 64
snapshot = 1
linux_boot = 0
icount_option = 0x0
initrd_filename = 0x0
kernel_filename = 0x0
kernel_cmdline = 0xb77f890f ""
boot_devices = "cad", '\000' <repeats 29 times>
ds = 0xb8b16bb8
dcl = 0x0
cyls = 0
heads = 0
secs = 0
translation = 0
hda_opts = 0x0
opts = 0xb7343000
olist = 0xbf9e4198
optind = 20
optarg = 0x0
loadvm = 0x0
machine = 0xb7921e60
cpu_model = 0x0
pid_file = 0x0
incoming = 0x0
show_vnc_port = 0
defconfig = 1
log_mask = 0x0
log_file = 0x0
mem_trace = {malloc = 0xb7634cb1 <malloc_and_trace>, realloc = 0xb7634d0e <realloc_and_trace>, free = 0xb7634d7f <free_and_trace>, calloc = 0, try_malloc = 0, try_realloc = 0}
trace_events = 0x0
trace_file = 0x0
(gdb)
$ ldd /usr/local/qemu/bin/qemu-system-i386
linux-gate.so.1 => (0xb77d0000)
libnss3.so => /usr/lib/i386-linux-gnu/libnss3.so (0xb6c3a000)
libnspr4.so => /usr/lib/i386-linux-gnu/libnspr4.so (0xb6bfe000)
libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb6be2000)
librt.so.1 => /lib/i386-linux-gnu/librt.so.1 (0xb6bd9000)
libgthread-2.0.so.0 => /usr/lib/i386-linux-gnu/libgthread-2.0.so.0 (0xb6bd3000)
libglib-2.0.so.0 => /lib/i386-linux-gnu/libglib-2.0.so.0 (0xb6ada000)
libutil.so.1 => /lib/i386-linux-gnu/libutil.so.1 (0xb6ad6000)
libbluetooth.so.3 => /usr/lib/libbluetooth.so.3 (0xb6abb000)
libcurl.so.4 => /usr/lib/i386-linux-gnu/libcurl.so.4 (0xb6a5f000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb6a3d000)
libtinfo.so.5 => /lib/libtinfo.so.5 (0xb6a1e000)
libbrlapi.so.0.5 => /lib/libbrlapi.so.0.5 (0xb6a12000)
libpng12.so.0 => /lib/i386-linux-gnu/libpng12.so.0 (0xb69e7000)
libjpeg.so.62 => /usr/lib/i386-linux-gnu/libjpeg.so.62 (0xb69c3000)
libgnutls.so.26 => /usr/lib/i386-linux-gnu/libgnutls.so.26 (0xb6913000)
libSDL-1.2.so.0 => /usr/lib/libSDL-1.2.so.0 (0xb6879000)
libX11.so.6 => /usr/lib/i386-linux-gnu/libX11.so.6 (0xb6743000)
libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb6718000)
libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb6703000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb6587000)
libnssutil3.so => /usr/lib/i386-linux-gnu/libnssutil3.so (0xb656c000)
libplc4.so => /usr/lib/i386-linux-gnu/libplc4.so (0xb6566000)
libplds4.so => /usr/lib/i386-linux-gnu/libplds4.so (0xb6560000)
libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb655b000)
/lib/ld-linux.so.2 (0xb77d1000)
libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb651c000)
libidn.so.11 => /usr/lib/i386-linux-gnu/libidn.so.11 (0xb64e9000)
liblber-2.4.so.2 => /usr/lib/i386-linux-gnu/liblber-2.4.so.2 (0xb64da000)
libldap_r-2.4.so.2 => /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2 (0xb6488000)
libgssapi_krb5.so.2 => /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2 (0xb644a000)
libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb63fd000)
libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xb6259000)
librtmp.so.0 => /usr/lib/i386-linux-gnu/librtmp.so.0 (0xb6240000)
libtasn1.so.3 => /usr/lib/i386-linux-gnu/libtasn1.so.3 (0xb622d000)
libgcrypt.so.11 => /lib/i386-linux-gnu/libgcrypt.so.11 (0xb61a8000)
libpulse-simple.so.0 => /usr/lib/i386-linux-gnu/libpulse-simple.so.0 (0xb61a3000)
libpulse.so.0 => /usr/lib/i386-linux-gnu/libpulse.so.0 (0xb6155000)
libxcb.so.1 => /usr/lib/i386-linux-gnu/libxcb.so.1 (0xb6136000)
libresolv.so.2 => /lib/i386-linux-gnu/libresolv.so.2 (0xb611e000)
libsasl2.so.2 => /usr/lib/i386-linux-gnu/libsasl2.so.2 (0xb6103000)
libkrb5.so.3 => /usr/lib/i386-linux-gnu/libkrb5.so.3 (0xb603a000)
libk5crypto.so.3 => /usr/lib/i386-linux-gnu/libk5crypto.so.3 (0xb6011000)
libcom_err.so.2 => /lib/i386-linux-gnu/libcom_err.so.2 (0xb600d000)
libkrb5support.so.0 => /usr/lib/i386-linux-gnu/libkrb5support.so.0 (0xb6003000)
libgpg-error.so.0 => /lib/i386-linux-gnu/libgpg-error.so.0 (0xb5ffe000)
libpulsecommon-1.0.so => /usr/lib/i386-linux-gnu/libpulsecommon-1.0.so (0xb5f99000)
libjson.so.0 => /usr/lib/i386-linux-gnu/libjson.so.0 (0xb5f91000)
libdbus-1.so.3 => /lib/i386-linux-gnu/libdbus-1.so.3 (0xb5f48000)
libXau.so.6 => /usr/lib/i386-linux-gnu/libXau.so.6 (0xb5f43000)
libXdmcp.so.6 => /usr/lib/i386-linux-gnu/libXdmcp.so.6 (0xb5f3c000)
libkeyutils.so.1 => /lib/i386-linux-gnu/libkeyutils.so.1 (0xb5f38000)
libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb5f2e000)
libsndfile.so.1 => /usr/lib/i386-linux-gnu/libsndfile.so.1 (0xb5ebd000)
libasyncns.so.0 => /usr/lib/i386-linux-gnu/libasyncns.so.0 (0xb5eb5000)
libnsl.so.1 => /lib/i386-linux-gnu/libnsl.so.1 (0xb5e9c000)
libFLAC.so.8 => /usr/lib/i386-linux-gnu/libFLAC.so.8 (0xb5e4e000)
libvorbisenc.so.2 => /usr/lib/i386-linux-gnu/libvorbisenc.so.2 (0xb5cd6000)
libvorbis.so.0 => /usr/lib/i386-linux-gnu/libvorbis.so.0 (0xb5cab000)
libogg.so.0 => /usr/lib/i386-linux-gnu/libogg.so.0 (0xb5ca2000)
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/938431/+subscriptions
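The faulting line in the report (slirp/misc.c:39) is the second store in slirp_remque, which follows the element's qh_rlink pointer; slirp sets that pointer to NULL once an element has been unlinked, so unlinking the same entry twice, or an entry whose neighbours no longer point at it, dereferences garbage at exactly that line. As an added example (not code from the report or from QEMU's slirp), the same two-pointer queue shape with a checked removal that refuses such an element and leaves the queue intact; the que_* names and the double-remove scenario are constructed for illustration.

```c
#include <stddef.h>
#include <stdbool.h>

/* Same shape as slirp's struct quehead: a queued object begins with a
 * forward and a backward link, and the list head is itself a quehead. */
struct quehead {
    struct quehead *qh_link;
    struct quehead *qh_rlink;
};

static void que_init(struct quehead *h) { h->qh_link = h->qh_rlink = h; }

/* Insert element right after head (the same steps as slirp_insque). */
static void que_insert(struct quehead *element, struct quehead *head)
{
    element->qh_link = head->qh_link;
    head->qh_link = element;
    element->qh_rlink = head;
    element->qh_link->qh_rlink = element;
}

/* Checked removal. slirp_remque trusts both links and faults on the
 * second store when qh_rlink is NULL or stale; here we refuse to touch
 * the list unless both neighbours still point back at the element. */
static bool que_remove_checked(struct quehead *element)
{
    if (element->qh_link == NULL || element->qh_rlink == NULL)
        return false;                 /* already removed, or never queued */
    if (element->qh_link->qh_rlink != element ||
        element->qh_rlink->qh_link != element)
        return false;                 /* neighbours disagree: list corrupt */
    element->qh_link->qh_rlink = element->qh_rlink;
    element->qh_rlink->qh_link = element->qh_link;
    element->qh_link = element->qh_rlink = NULL;  /* mark as unlinked */
    return true;
}

/* Constructed scenario: queue two entries, then remove the same one twice.
 * Returns 1 when the repeat is refused and only the other entry remains. */
static int demo_double_remove(void)
{
    struct quehead head, a, b;
    que_init(&head);
    que_insert(&a, &head);
    que_insert(&b, &head);
    if (!que_remove_checked(&a)) return -1;   /* first removal must succeed */
    if (que_remove_checked(&a)) return -2;    /* second must be refused */
    return (head.qh_link == &b && b.qh_link == &head) ? 1 : -3;
}
```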