I updated xen and qemu from xen 4.5.0 with its upstream qemu included to xen 4.5.1-pre with qemu upstream from stable-4.5 (changed Config.mk to use revision "master"). After few minutes I booted windows 7 64 bit domU qemu crash, tried 2 times with same result.

In the domU's qemu log:
qemu-system-i386: malloc.c:3096: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
Killing all inferiors

In attachment the full backtrace of qemu crash.

With a fast search after I saw the backtrace I found a probable cause of regression (I'm not sure):
http://xenbits.xen.org/gitweb/?p=staging/qemu-upstream-4.5-testing.git;a=commit;h=5c3402816aaddb15156c69df73c54abe4e1c76aa
spice: make sure we don't overflow ssd->buf

Added also qemu-devel and spice-devel as cc.

If you need more informations/tests tell me and I'll post them.

Thanks for any reply and sorry for my bad english.


Program received signal SIGABRT, Aborted.
[Switching to Thread 5234]
0x00007ffff3905165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt full
#0  0x00007ffff3905165 in raise () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#1  0x00007ffff39083e0 in abort () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#2  0x00007ffff3948dea in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#3  0x00007ffff394bd13 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#4  0x00007ffff394da70 in malloc () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#5  0x00007ffff4d38550 in spice_malloc (n_bytes=1184900) at mem.c:93
        mem = <optimized out>
        __FUNCTION__ = "spice_malloc"
#6  0x00007ffff4d389be in spice_chunks_linearize (chunks=0x7fffdc1fb6b0)
    at mem.c:226
        data = <optimized out>
        p = <optimized out>
        i = <optimized out>
#7  0x00007ffff4d16b56 in canvas_bitmap_to_surface (
    canvas=canvas@entry=0x555556719de0, bitmap=bitmap@entry=0x7fffdc1a2c08, 
    palette=0x0, want_original=1) at ../spice-common/common/canvas_base.c:635
        src = <optimized out>
        image = <optimized out>
        format = <optimized out>
        __FUNCTION__ = "canvas_bitmap_to_surface"
---Type <return> to continue, or q <return> to quit---
#8  0x00007ffff4d16ce2 in canvas_get_bits (want_original=<optimized out>, 
    bitmap=0x7fffdc1a2c08, canvas=0x555556719de0)
    at ../spice-common/common/canvas_base.c:964
        palette = <optimized out>
#9  canvas_get_image_internal (canvas=canvas@entry=0x555556719de0, 
    image=0x7fffdc1a2bf0, want_original=<optimized out>, 
    want_original@entry=0, real_get=real_get@entry=1)
    at ../spice-common/common/canvas_base.c:1141
        descriptor = 0x7fffdc1a2bf0
        surface = <optimized out>
        converted = <optimized out>
        wanted_format = 1
        surface_format = <optimized out>
        saved_want_original = <optimized out>
        __FUNCTION__ = "canvas_get_image_internal"
#10 0x00007ffff4d173ba in canvas_get_image (
    canvas=canvas@entry=0x555556719de0, image=<optimized out>, 
    want_original=want_original@entry=0)
    at ../spice-common/common/canvas_base.c:1285
No locals.
#11 0x00007ffff4d1970e in canvas_draw_copy (spice_canvas=0x555556719de0, 
    bbox=0x7fffdc207a50, clip=<optimized out>, copy=0x7fffe4dfc320)
    at ../spice-common/common/canvas_base.c:2258
        canvas = 0x555556719de0
        dest_region = {extents = {x1 = 0, y1 = 708, x2 = 425, y2 = 728}, 
---Type <return> to continue, or q <return> to quit---
          data = 0x0}
        surface_canvas = <optimized out>
        src_image = <optimized out>
        rop = SPICE_ROP_COPY
        __FUNCTION__ = "canvas_draw_copy"
#12 0x00007ffff4cecffc in red_draw_qxl_drawable (
    worker=worker@entry=0x7fffe4423010, 
    drawable=drawable@entry=0x7fffe45d6a88) at red_worker.c:4394
        copy = {src_bitmap = 0x7fffdc1a2bf0, src_area = {left = 0, top = 677, 
            right = 425, bottom = 697}, rop_descriptor = 8, 
          scale_mode = 1 '\001', mask = {flags = 245 '\365', pos = {
              x = -173079809, y = -173079809}, bitmap = 0x0}}
        img1 = {descriptor = {id = 93825007287960, type = 48 '0', 
            flags = 193 '\301', width = 21845, height = 4210421981}, u = {
            bitmap = {format = 55 '7', flags = 10 '\n', x = 0, 
              y = 3867565524, stride = 32767, palette = 0x7fffe805fffc, 
              palette_id = 606579, data = 0x7fffdc000078}, quic = {
              data_size = 2615, data = 0x7fffe6865dd4}, surface = {
              surface_id = 2615}, lz_rgb = {data_size = 2615, 
              data = 0x7fffe6865dd4}, lz_plt = {flags = 55 '7', 
              data_size = 0, palette = 0x7fffe6865dd4, 
              palette_id = 140737086095356, data = 0x94173}, jpeg = {
              data_size = 2615, data = 0x7fffe6865dd4}, zlib_glz = {
              glz_data_size = 2615, data_size = 0, data = 0x7fffe6865dd4}, 
            jpeg_alpha = {flags = 55 '7', jpeg_size = 0, 
---Type <return> to continue, or q <return> to quit---
              data_size = 3867565524, data = 0x7fffe805fffc}}}
        img2 = {descriptor = {id = 140737060953572, type = 236 '\354', 
            flags = 93 ']', width = 32767, height = 0}, u = {bitmap = {
              format = 69 'E', flags = 105 'i', x = 32767, y = 128, 
              stride = 0, palette = 0x555556438fc0, 
              palette_id = 140737060952556, data = 0x9b5}, quic = {
              data_size = 4107102533, data = 0x80}, surface = {
              surface_id = 4107102533}, lz_rgb = {data_size = 4107102533, 
              data = 0x80}, lz_plt = {flags = 69 'E', data_size = 32767, 
              palette = 0x80, palette_id = 93825007849408, 
              data = 0x7fffe68659ec}, jpeg = {data_size = 4107102533, 
              data = 0x80}, zlib_glz = {glz_data_size = 4107102533, 
              data_size = 32767, data = 0x80}, jpeg_alpha = {flags = 69 'E', 
              jpeg_size = 32767, data_size = 128, data = 0x555556438fc0}}}
        surface = 0x7fffe44232f0
        canvas = 0x555556719de0
        clip = {type = 0 '\000', rects = 0x0}
        __FUNCTION__ = "red_draw_qxl_drawable"
#13 0x00007ffff4cf9295 in red_draw_drawable (drawable=0x7fffe45d6a88, 
    worker=0x7fffe4423010) at red_worker.c:4507
No locals.
#14 red_update_area (worker=worker@entry=0x7fffe4423010, 
    area=area@entry=0x7fffe4dfcb60, surface_id=surface_id@entry=0)
    at red_worker.c:4760
        container = <optimized out>
---Type <return> to continue, or q <return> to quit---
        surface = 0x7fffe44232f0
        ring = 0x7fffe4423308
        ring_item = <optimized out>
        rgn = {extents = {x1 = 0, y1 = 0, x2 = 1366, y2 = 768}, data = 0x0}
        last = 0x7fffe45d7898
        now = 0x7fffe45d6a88
        __FUNCTION__ = "red_update_area"
#15 0x00007ffff4d04d76 in handle_dev_update_async (opaque=0x7fffe4423010, 
    payload=<optimized out>) at red_worker.c:10847
        worker = 0x7fffe4423010
        msg = <optimized out>
        rect = {left = 0, top = 0, right = 1366, bottom = 768}
        qxl_dirty_rects = <optimized out>
        num_dirty_rects = <optimized out>
        surface = <optimized out>
        surface_id = 0
        qxl_area = {top = 0, left = 0, bottom = 768, right = 1366}
        clear_dirty_region = 1
        __FUNCTION__ = "handle_dev_update_async"
        __func__ = "handle_dev_update_async"
#16 0x00007ffff4ce5044 in dispatcher_handle_single_read (
    dispatcher=0x555556428db8) at dispatcher.c:139
        ret = <optimized out>
        type = <optimized out>
        msg = 0x5555563cbff0
---Type <return> to continue, or q <return> to quit---
        ack = 4294967295
        payload = 0x5555563a57d0 "P0\032\334\377\177"
#17 dispatcher_handle_recv_read (dispatcher=0x555556428db8)
    at dispatcher.c:162
No locals.
#18 0x00007ffff4d072dc in red_worker_main (arg=<optimized out>)
    at red_worker.c:12021
        events = <optimized out>
        i = <optimized out>
        num_events = 1
        timers_queue_timeout = <optimized out>
        worker = 0x7fffe4423010
        __FUNCTION__ = "red_worker_main"
#19 0x00007ffff3c64b50 in start_thread ()
   from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#20 0x00007ffff39ae95d in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#21 0x0000000000000000 in ?? ()
No symbol table info available.

Reply via email to