Hi, I'm trying to investigate a bug (crash) that I see when attaching a USB device (a UVC webcam) from the host to the guest.
I'm running it as:

    sudo gdb --args /opt/bin/qemu -hda ubuntu-test -name kubuntu-qemu -usb -device usb-tablet -m 1024 -serial stdio -usbdevice host:0c45:6450

(I've tried running with -m 512 too, not discernibly different.) Host and guest are the same - kubuntu 10.10. The device works fine on the host. The guest runs for a while, and has no ill-effects (that I've seen) until I try to use the webcam. If I open the device (using cheese or luvcview), I see some traffic, then qemu segfaults:

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff5a4e66c in malloc_consolidate (av=0x7ffff5d55e40) at malloc.c:5161
    5161    malloc.c: No such file or directory.
            in malloc.c
    (gdb) bt
    #0  0x00007ffff5a4e66c in malloc_consolidate (av=0x7ffff5d55e40) at malloc.c:5161
    #1  0x00007ffff5a51e82 in _int_malloc (av=0x7ffff5d55e40, bytes=2128) at malloc.c:4373
    #2  0x00007ffff5a5338e in __libc_malloc (bytes=2128) at malloc.c:3660
    #3  0x000000000042b3d6 in qemu_malloc (size=2128) at qemu-malloc.c:49
    #4  0x000000000056100f in uhci_async_alloc (s=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:167
    #5  0x00000000005620d4 in uhci_handle_td (s=0x15dcc10, addr=684474656, td=0x7fffffffdf80, int_mask=0x7fffffffdfac) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:808
    #6  0x0000000000562665 in uhci_process_frame (s=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:1007
    #7  0x00000000005628a8 in uhci_frame_timer (opaque=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:1092
    #8  0x00000000004da94c in qemu_run_timers (clock=0x1171ff0) at qemu-timer.c:505
    #9  0x00000000004dac0c in qemu_run_all_timers () at qemu-timer.c:616
    #10 0x00000000005484c2 in main_loop_wait (nonblocking=1) at /home/bradh/qemu-codingstyle.git/vl.c:1324
    #11 0x0000000000548549 in main_loop () at /home/bradh/qemu-codingstyle.git/vl.c:1365
    #12 0x000000000054c725 in main (argc=14, argv=0x7fffffffe648, envp=0x7fffffffe6c0) at /home/bradh/qemu-codingstyle.git/vl.c:3195

Line 167 in hw/usb-uhci.c is in

    static UHCIAsync *uhci_async_alloc(UHCIState *s)

It looks like:

    UHCIAsync *async = qemu_malloc(sizeof(UHCIAsync));

UHCIState is fairly large, so the size looks possible:

    typedef struct UHCIState {
        PCIDevice dev;
        USBBus bus;
        uint16_t cmd; /* cmd register */
        uint16_t status;
        uint16_t intr; /* interrupt enable register */
        uint16_t frnum; /* frame number */
        uint32_t fl_base_addr; /* frame list base address */
        uint8_t sof_timing;
        uint8_t status2; /* bit 0 and 1 are used to generate UHCI_STS_USBINT */
        int64_t expire_time;
        QEMUTimer *frame_timer;
        UHCIPort ports[NB_PORTS];

        /* Interrupts that should be raised at the end of the current frame. */
        uint32_t pending_int_mask;

        /* Active packets */
        UHCIAsync *async_pending;
        UHCIAsync *async_pool;
        uint8_t num_ports_vmstate;
    } UHCIState;

Line 49 in qemu-malloc.c is in void *qemu_malloc(size_t size). It looks like:

    ptr = qemu_oom_check(malloc(size ? size : 1));

So I guess malloc is failing. However I don't see how / why. The host is a laptop machine with 6G RAM, and it appears to remain quite responsive. Any suggestions on how to proceed with debugging this?

Brad