Re: [Qemu-devel] [Bug 1728615] [NEW] qemu-io crashes with SIGABRT and Assertion `c->entries[i].offset != 0' failed

[Alberto Garcia]

On Wed 01 Nov 2017 09:55:21 AM CET, Alberto Garcia wrote:
> On Wed 01 Nov 2017 07:13:08 AM CET, Thomas Huth wrote:
>> On 30.10.2017 15:43, R.Nageswara Sastry wrote:
>>> Public bug reported:
>>> 
>>> git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
>>> This is on ppc64le architecture.
>>> 
>>> Re-production steps:
>>> 
>>> 1. Copy the attached files named backing_img.file and test.img to a 
>>> directory
>>> 2. And customize the following command to point to the above directory and 
>>> run the same.
>>> /usr/bin/qemu-io <path to>/test.img -c "write 1352192 1707520"
>>> 
>>> 3.Output of the above command.
>>> qemu-io: block/qcow2-cache.c:411: qcow2_cache_entry_mark_dirty: Assertion 
>>> `c->entries[i].offset != 0' failed.
>>> Aborted (core dumped)
>>> 
>>> from gdb:
>>> (gdb) bt
>>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
>>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
>>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
>>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
>>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, 
>>> c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
>>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, 
>>> cluster_index=2, refcount_block=0x3fff80cff808) at 
>>> block/qcow2-refcount.c:417
>>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, 
>>> length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
>>>     at block/qcow2-refcount.c:834
>>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, 
>>> offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
>>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, 
>>> guest_offset=2097152, host_offset=0x3fff80cff9e0, 
>>> nb_clusters=0x3fff80cff9d8)
>>>     at block/qcow2-cluster.c:1221
>>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, 
>>> guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, 
>>> m=0x3fff80cffb60)
>>>     at block/qcow2-cluster.c:1324
>>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, 
>>> offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, 
>>> m=0x3fff80cffb60)
>>>     at block/qcow2-cluster.c:1511
>>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, 
>>> bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
>>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, 
>>> offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at 
>>> block/io.c:898
>>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, 
>>> req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, 
>>> qiov=0x3fffc85f0bf0, flags=16)
>>>     at block/io.c:1440
>>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, 
>>> offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at 
>>> block/io.c:1691
>>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, 
>>> bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at 
>>> block/block-backend.c:1085
>>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at 
>>> block/block-backend.c:1110
>>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at 
>>> util/coroutine-ucontext.c:79
>>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
>>> #19 0x0000000000000000 in ?? ()
>>> (gdb) bt full
>>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, 
>>> c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
>>>         i = 0
>>>         __PRETTY_FUNCTION__ = "qcow2_cache_entry_mark_dirty"
>>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, 
>>> cluster_index=2, refcount_block=0x3fff80cff808) at 
>>> block/qcow2-refcount.c:417
>>>         s = 0x2e893210
>>>         refcount_table_index = 0
>>>         ret = 0
>>>         new_block = 0
>>>         blocks_used = 72057594818669408
>>>         meta_offset = 1572863
>>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, 
>>> length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
>>>     at block/qcow2-refcount.c:834
>>>         block_index = 268870408
>>>         refcount = 780741808
>>>         cluster_index = 2
>>>         table_index = 0
>>>         s = 0x2e893210
>>>         start = 1048576
>>>         last = 1048576
>>>         cluster_offset = 1048576
>>>         refcount_block = 0x3fff81200000
>>>         old_table_index = -1
>>>         ret = 16383
>>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, 
>>> offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
>>>         s = 0x2e893210
>>>         cluster_index = 3
>>>         refcount = 0
>>>         i = 1
>>>         ret = 0
>>>         __PRETTY_FUNCTION__ = "qcow2_alloc_clusters_at"
>>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, 
>>> guest_offset=2097152, host_offset=0x3fff80cff9e0, 
>>> nb_clusters=0x3fff80cff9d8)
>>>     at block/qcow2-cluster.c:1221
>>>         ret = 780743184
>>>         s = 0x2e893210
>>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, 
>>> guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, 
>>> m=0x3fff80cffb60)
>>>     at block/qcow2-cluster.c:1324
>>>         s = 0x2e893210
>>>         l2_index = 4
>>>         l2_table = 0x0
>>>         entry = 0
>>>         nb_clusters = 1
>>>         ret = 0
>>> ---Type <return> to continue, or q <return> to quit---
>>>         keep_old_clusters = false
>>>         alloc_cluster_offset = 1048576
>>>         __PRETTY_FUNCTION__ = "handle_alloc"
>>>         requested_bytes = 17960562528
>>>         avail_bytes = -2133853344
>>>         nb_bytes = 16383
>>>         old_m = 0x100000000
>>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, 
>>> offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, 
>>> m=0x3fff80cffb60)
>>>     at block/qcow2-cluster.c:1511
>>>         s = 0x2e893210
>>>         start = 2097152
>>>         remaining = 962560
>>>         cluster_offset = 1048576
>>>         cur_bytes = 962560
>>>         ret = 0
>>>         __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
>>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, 
>>> bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
>>>         s = 0x2e893210
>>>         offset_in_cluster = 0
>>>         ret = 0
>>>         cur_bytes = 1486848
>>>         cluster_offset = 524288
>>>         hd_qiov = {iov = 0x2e858660, niov = 1, nalloc = 1, size = 220672}
>>>         bytes_done = 220672
>>>         cluster_data = 0x0
>>>         l2meta = 0x0
>>>         __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
>>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, 
>>> offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at 
>>> block/io.c:898
>>>         drv = 0x102036f0 <bdrv_qcow2>
>>>         sector_num = 780706080
>>>         nb_sectors = 3069122264
>>>         ret = -203160320
>>>         __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
>>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, 
>>> req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, 
>>> qiov=0x3fffc85f0bf0, flags=16)
>>>     at block/io.c:1440
>>>         bs = 0x2e886f60
>>>         drv = 0x102036f0 <bdrv_qcow2>
>>>         waited = false
>>>         ret = 0
>>>         end_sector = 5976
>>>         bytes_remaining = 1707520
>>>         max_transfer = 2147483647
>>>         __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
>>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, 
>>> offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at 
>>> block/io.c:1691
>>>         bs = 0x2e886f60
>>>         req = {bs = 0x2e886f60, offset = 1352192, bytes = 1707520, type = 
>>> BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 1352192,
>>>           overlap_bytes = 1707520, list = {le_next = 0x0, le_prev = 
>>> 0x2e88a1d8}, co = 0x2e895a90, wait_queue = {entries = {sqh_first = 0x0,
>>>               sqh_last = 0x3fff80cffe20}}, waiting_for = 0x0}
>>>         align = 1
>>>         head_buf = 0x0
>>> ---Type <return> to continue, or q <return> to quit---
>>>         tail_buf = 0x0
>>>         local_qiov = {iov = 0x3fff80cffdb0, niov = -2133852688, nalloc = 
>>> 16383, size = 1352192}
>>>         use_local_qiov = false
>>>         ret = 0
>>>         __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
>>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, 
>>> bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at 
>>> block/block-backend.c:1085
>>>         ret = 0
>>>         bs = 0x2e886f60
>>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at 
>>> block/block-backend.c:1110
>>>         rwco = 0x3fffc85f0c08
>>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at 
>>> util/coroutine-ucontext.c:79
>>>         arg = {p = 0x2e895a90, i = {780753552, 0}}
>>>         self = 0x2e895a90
>>>         co = 0x2e895a90
>>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
>>> No symbol table info available.
>>> #19 0x0000000000000000 in ?? ()
>>> No symbol table info available.
>>
>> Can you also reproduce this on x86, or is it specific to ppc64?

I'm working on a fix, I'll send the patch later today.

Berto