I updated xen and qemu from xen 4.5.0 with its upstream qemu included to
xen 4.5.1-pre with qemu upstream from stable-4.5 (changed Config.mk to
use revision "master").
After few minutes I booted windows 7 64 bit domU qemu crash, tried 2
times with same result.
In the domU's qemu log:
qemu-system-i386: malloc.c:3096: sYSMALLOc: Assertion `(old_top ==
(((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) -
__builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) ||
((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof
(struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) &
~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) &&
((unsigned long)old_end & pagemask) == 0)' failed.
Killing all inferiors
In attachment the full backtrace of qemu crash.
With a fast search after I saw the backtrace I found a probable cause of
regression (I'm not sure):
http://xenbits.xen.org/gitweb/?p=staging/qemu-upstream-4.5-testing.git;a=commit;h=5c3402816aaddb15156c69df73c54abe4e1c76aa
spice: make sure we don't overflow ssd->buf
Added also qemu-devel and spice-devel as cc.
If you need more informations/tests tell me and I'll post them.
Thanks for any reply and sorry for my bad english.
Program received signal SIGABRT, Aborted.
[Switching to Thread 5234]
0x00007ffff3905165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt full
#0 0x00007ffff3905165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1 0x00007ffff39083e0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#2 0x00007ffff3948dea in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#3 0x00007ffff394bd13 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#4 0x00007ffff394da70 in malloc () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#5 0x00007ffff4d38550 in spice_malloc (n_bytes=1184900) at mem.c:93
mem = <optimized out>
__FUNCTION__ = "spice_malloc"
#6 0x00007ffff4d389be in spice_chunks_linearize (chunks=0x7fffdc1fb6b0)
at mem.c:226
data = <optimized out>
p = <optimized out>
i = <optimized out>
#7 0x00007ffff4d16b56 in canvas_bitmap_to_surface (
canvas=canvas@entry=0x555556719de0, bitmap=bitmap@entry=0x7fffdc1a2c08,
palette=0x0, want_original=1) at ../spice-common/common/canvas_base.c:635
src = <optimized out>
image = <optimized out>
format = <optimized out>
__FUNCTION__ = "canvas_bitmap_to_surface"
---Type <return> to continue, or q <return> to quit---
#8 0x00007ffff4d16ce2 in canvas_get_bits (want_original=<optimized out>,
bitmap=0x7fffdc1a2c08, canvas=0x555556719de0)
at ../spice-common/common/canvas_base.c:964
palette = <optimized out>
#9 canvas_get_image_internal (canvas=canvas@entry=0x555556719de0,
image=0x7fffdc1a2bf0, want_original=<optimized out>,
want_original@entry=0, real_get=real_get@entry=1)
at ../spice-common/common/canvas_base.c:1141
descriptor = 0x7fffdc1a2bf0
surface = <optimized out>
converted = <optimized out>
wanted_format = 1
surface_format = <optimized out>
saved_want_original = <optimized out>
__FUNCTION__ = "canvas_get_image_internal"
#10 0x00007ffff4d173ba in canvas_get_image (
canvas=canvas@entry=0x555556719de0, image=<optimized out>,
want_original=want_original@entry=0)
at ../spice-common/common/canvas_base.c:1285
No locals.
#11 0x00007ffff4d1970e in canvas_draw_copy (spice_canvas=0x555556719de0,
bbox=0x7fffdc207a50, clip=<optimized out>, copy=0x7fffe4dfc320)
at ../spice-common/common/canvas_base.c:2258
canvas = 0x555556719de0
dest_region = {extents = {x1 = 0, y1 = 708, x2 = 425, y2 = 728},
---Type <return> to continue, or q <return> to quit---
data = 0x0}
surface_canvas = <optimized out>
src_image = <optimized out>
rop = SPICE_ROP_COPY
__FUNCTION__ = "canvas_draw_copy"
#12 0x00007ffff4cecffc in red_draw_qxl_drawable (
worker=worker@entry=0x7fffe4423010,
drawable=drawable@entry=0x7fffe45d6a88) at red_worker.c:4394
copy = {src_bitmap = 0x7fffdc1a2bf0, src_area = {left = 0, top = 677,
right = 425, bottom = 697}, rop_descriptor = 8,
scale_mode = 1 '\001', mask = {flags = 245 '\365', pos = {
x = -173079809, y = -173079809}, bitmap = 0x0}}
img1 = {descriptor = {id = 93825007287960, type = 48 '0',
flags = 193 '\301', width = 21845, height = 4210421981}, u = {
bitmap = {format = 55 '7', flags = 10 '\n', x = 0,
y = 3867565524, stride = 32767, palette = 0x7fffe805fffc,
palette_id = 606579, data = 0x7fffdc000078}, quic = {
data_size = 2615, data = 0x7fffe6865dd4}, surface = {
surface_id = 2615}, lz_rgb = {data_size = 2615,
data = 0x7fffe6865dd4}, lz_plt = {flags = 55 '7',
data_size = 0, palette = 0x7fffe6865dd4,
palette_id = 140737086095356, data = 0x94173}, jpeg = {
data_size = 2615, data = 0x7fffe6865dd4}, zlib_glz = {
glz_data_size = 2615, data_size = 0, data = 0x7fffe6865dd4},
jpeg_alpha = {flags = 55 '7', jpeg_size = 0,
---Type <return> to continue, or q <return> to quit---
data_size = 3867565524, data = 0x7fffe805fffc}}}
img2 = {descriptor = {id = 140737060953572, type = 236 '\354',
flags = 93 ']', width = 32767, height = 0}, u = {bitmap = {
format = 69 'E', flags = 105 'i', x = 32767, y = 128,
stride = 0, palette = 0x555556438fc0,
palette_id = 140737060952556, data = 0x9b5}, quic = {
data_size = 4107102533, data = 0x80}, surface = {
surface_id = 4107102533}, lz_rgb = {data_size = 4107102533,
data = 0x80}, lz_plt = {flags = 69 'E', data_size = 32767,
palette = 0x80, palette_id = 93825007849408,
data = 0x7fffe68659ec}, jpeg = {data_size = 4107102533,
data = 0x80}, zlib_glz = {glz_data_size = 4107102533,
data_size = 32767, data = 0x80}, jpeg_alpha = {flags = 69 'E',
jpeg_size = 32767, data_size = 128, data = 0x555556438fc0}}}
surface = 0x7fffe44232f0
canvas = 0x555556719de0
clip = {type = 0 '\000', rects = 0x0}
__FUNCTION__ = "red_draw_qxl_drawable"
#13 0x00007ffff4cf9295 in red_draw_drawable (drawable=0x7fffe45d6a88,
worker=0x7fffe4423010) at red_worker.c:4507
No locals.
#14 red_update_area (worker=worker@entry=0x7fffe4423010,
area=area@entry=0x7fffe4dfcb60, surface_id=surface_id@entry=0)
at red_worker.c:4760
container = <optimized out>
---Type <return> to continue, or q <return> to quit---
surface = 0x7fffe44232f0
ring = 0x7fffe4423308
ring_item = <optimized out>
rgn = {extents = {x1 = 0, y1 = 0, x2 = 1366, y2 = 768}, data = 0x0}
last = 0x7fffe45d7898
now = 0x7fffe45d6a88
__FUNCTION__ = "red_update_area"
#15 0x00007ffff4d04d76 in handle_dev_update_async (opaque=0x7fffe4423010,
payload=<optimized out>) at red_worker.c:10847
worker = 0x7fffe4423010
msg = <optimized out>
rect = {left = 0, top = 0, right = 1366, bottom = 768}
qxl_dirty_rects = <optimized out>
num_dirty_rects = <optimized out>
surface = <optimized out>
surface_id = 0
qxl_area = {top = 0, left = 0, bottom = 768, right = 1366}
clear_dirty_region = 1
__FUNCTION__ = "handle_dev_update_async"
__func__ = "handle_dev_update_async"
#16 0x00007ffff4ce5044 in dispatcher_handle_single_read (
dispatcher=0x555556428db8) at dispatcher.c:139
ret = <optimized out>
type = <optimized out>
msg = 0x5555563cbff0
---Type <return> to continue, or q <return> to quit---
ack = 4294967295
payload = 0x5555563a57d0 "P0\032\334\377\177"
#17 dispatcher_handle_recv_read (dispatcher=0x555556428db8)
at dispatcher.c:162
No locals.
#18 0x00007ffff4d072dc in red_worker_main (arg=<optimized out>)
at red_worker.c:12021
events = <optimized out>
i = <optimized out>
num_events = 1
timers_queue_timeout = <optimized out>
worker = 0x7fffe4423010
__FUNCTION__ = "red_worker_main"
#19 0x00007ffff3c64b50 in start_thread ()
from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#20 0x00007ffff39ae95d in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#21 0x0000000000000000 in ?? ()
No symbol table info available.