I have now reproduced the same segfault without the controlling script by running qemu on the command line and connecting to it with lftp. To reproduce the fault it appears to be necessary to attempt to connect to the guest before it is fully booted and ready to accept connections; if I let it "settle" for a while before attempting to connect then it doesn't crash. Even if I start hammering it as soon as it's launched I can only occasionally trigger the crash, so whatever's breaking is a short-lived state of some kind.
If I make an lftp connection then immediately kill lftp, qemu receives a SIGPIPE. I'm wondering if a SIGPIPE at the wrong time is messing things up, but it's only the vaguest notion.

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/938431

Title:
  Reproducible crash in slirp_remque (qemu 1.0.1)

Status in QEMU:
  New

Bug description:

Heya

I've been testing some automated data conversion scripts with qemu 1.0.1. They work fine with qemu-kvm 0.15.1, but on qemu 1.0.1 (from the website, built from source using gcc 4.6.1, i686 host), when the script runs qemu I see qemu crash in slirp_remque a few seconds after it's launched. This crash is consistent and reproducible.

The qemu guest is SCO OpenServer 5.0.5. I'm using it for some data conversion from a legacy application. qemu is launched "-display none -monitor stdio" and controlled from a Python script that then connects to the VM over usermode port forwards to ftp data to/from the VM and send commands over telnet.

qemu is launched fine with the following command:

/usr/local/qemu/bin/qemu-system-i386 -display none -vga cirrus -M pc -no-acpi -no-hpet -monitor stdio -net user,net=10.0.2.0/24,host=10.0.2.2,dns=10.0.2.3,hostfwd=tcp:127.0.0.1:2222-10.0.2.1:22,hostfwd=tcp:127.0.0.1:2323-10.0.2.1:23,hostfwd=tcp:127.0.0.1:2121-10.0.2.1:21,hostfwd=tcp:127.0.0.1:2020-10.0.2.1:20 -net nic,model=pcnet -drive file=sco/sco.qcow2,format=qcow2,cache=unsafe,snapshot=on -drive file=sco/booksys.qcow2,format=qcow2,cache=unsafe,snapshot=on -snapshot > qemu-log

and images:

$ for f in *.qcow2; do qemu-img info $f; echo; done
image: booksys-blank-compressed.qcow2
file format: qcow2
virtual size: 4.0G (4294967296 bytes)
disk size: 696K
cluster_size: 65536

image: booksys.qcow2
file format: qcow2
virtual size: 4.0G (4294967296 bytes)
disk size: 140K
cluster_size: 65536
backing file: booksys-blank-compressed.qcow2 (actual path: booksys-blank-compressed.qcow2)

image: sco-base-compressed.qcow2
file format: qcow2
virtual size: 512M (536870912 bytes)
disk size: 142M
cluster_size: 65536

image: sco.qcow2
file format: qcow2
virtual size: 512M (536870912 bytes)
disk size: 140K
cluster_size: 65536
backing file: sco-base-compressed.qcow2 (actual path: sco-base-compressed.qcow2)

The VM guest begins booting fine, and nothing of interest appears in the monitor log:

QEMU 1.0,1 monitor - type 'help' for more information
(qemu)

After a few seconds the controlling script begins trying to ftp into the guest over the user-mode port forward on port 2121, and it's at this point that qemu crashes with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb63e46e0 (LWP 25453)]
0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
39        ((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link;
(gdb) bt
#0  0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
#1  0xb76854ad in if_start (slirp=0xb879beb0) at slirp/if.c:189
#2  0xb76853b3 in if_output (so=0xb8eb1380, ifm=0xb90eea60) at slirp/if.c:138
#3  0xb7686bb5 in ip_output (so=0xb8eb1380, m0=0xb90eea60) at slirp/ip_output.c:84
#4  0xb768f59c in tcp_output (tp=0xb906fd48) at slirp/tcp_output.c:456
#5  0xb7691b9b in tcp_timers (tp=0xb906fd48, timer=0) at slirp/tcp_timer.c:242
#6  0xb76918d4 in tcp_slowtimo (slirp=0xb879beb0) at slirp/tcp_timer.c:88
#7  0xb768965a in slirp_select_poll (readfds=0xbf9e3dcc, writefds=0xbf9e3e4c, xfds=0xbf9e3ecc, select_error=0) at slirp/slirp.c:433
#8  0xb763e2a0 in main_loop_wait (nonblocking=0) at main-loop.c:465
#9  0xb7633042 in main_loop () at /home/craig/build/qemu-1.0.1/vl.c:1481
#10 0xb76388a0 in main (argc=20, argv=0xbf9e42d4, envp=0xbf9e4328) at /home/craig/build/qemu-1.0.1/vl.c:3485
(gdb) frame 0
#0  0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
39        ((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link;

A more detailed backtrace, as supplied by "thread apply all bt full", follows at the end of this post.

In case it matters, stdout is redirected to a logfile and stdin is attached to the Python script, which hasn't yet written anything to the stdin pipe.

I'll happily post the script, but it isn't much good without the OS image, which is about 150MB and can't be legally redistributed. I'm happy to test patches, though, or try anything that's suggested.

Host info and full backtrace follow:

$ gcc --version
gcc (Ubuntu/Linaro 4.6.1-9ubuntu3) 4.6.1
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 11.10
Release:        11.10
Codename:       oneiric

$ uname -a
Linux wallace 3.0.0-14-generic-pae #23-Ubuntu SMP Mon Nov 21 22:07:10 UTC 2011 i686 i686 i386 GNU/Linux

(gdb) thread apply all bt full

Thread 5 (Thread 0xb31e1b70 (LWP 25631)):
#0  0xb74e4424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7332e04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236
No locals.
#2  0xb764f38a in cond_timedwait (cond=0xb7d2e1e0, mutex=0xb7d2e1c0, ts=0xb31e135c) at posix-aio-compat.c:104
        ret = 0
#3  0xb764fb6c in aio_thread (unused=0x0) at posix-aio-compat.c:334
        aiocb = 0xb879dcc0
        ret = 0
        tv = {tv_sec = 1329889894, tv_usec = 299790}
        ts = {tv_sec = 1329889904, tv_nsec = 0}
#4  0xb732ed31 in start_thread (arg=0xb31e1b70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb31e1b70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221328908, 0, 4001536, -1289874312, -1127561837, -449321061}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#5  0xb6d9f0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 2 (Thread 0xb1ddab70 (LWP 25455)):
#0  0xb74e4424 in __kernel_vsyscall ()
No symbol table info available.
#1  0xb7335619 in __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/lowlevellock.S:142
No locals.
#2  0xb73387a0 in _L_cond_lock_704 () from /lib/i386-linux-gnu/libpthread.so.0
        libgcc_s_getcfa = 0
        libgcc_s_resume = 0
        libgcc_s_forcedunwind = 0
        libgcc_s_personality = 0
        libgcc_s_handle = 0x0
#3  0xb7338521 in __pthread_mutex_cond_lock (mutex=0xb7f02c00) at ../nptl/pthread_mutex_lock.c:61
        __PRETTY_FUNCTION__ = "__pthread_mutex_cond_lock"
        type = 3085970432
        id = 25455
#4  0xb7332b0e in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_wait.S:255
No locals.
#5  0xb766e54a in qemu_cond_wait (cond=0xb7d3eaa0, mutex=0xb7f02c00) at qemu-thread-posix.c:113
        err = -1191216176
        __func__ = "qemu_cond_wait"
#6  0xb76fc409 in qemu_tcg_wait_io_event () at /home/craig/build/qemu-1.0.1/cpus.c:699
        env = 0x10000
#7  0xb76fc6cf in qemu_tcg_cpu_thread_fn (arg=0xb8ff7bd0) at /home/craig/build/qemu-1.0.1/cpus.c:778
        env = 0x0
#8  0xb732ed31 in start_thread (arg=0xb1ddab70) at pthread_create.c:304
        __res = <optimized out>
        pd = 0xb1ddab70
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221328908, 0, 4001536, -1310874504, 1001047446, -449321061}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        robust = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#9  0xb6d9f0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130
No locals.
Backtrace stopped: Not enough registers or memory available to unwind further

Thread 1 (Thread 0xb63e46e0 (LWP 25453)):
#0  0xb768753b in slirp_remque (a=0xb90ee408) at slirp/misc.c:39
        element = 0xb90ee408
#1  0xb76854ad in if_start (slirp=0xb879beb0) at slirp/if.c:189
        now = 182039052034397
        requeued = 0
        ifm = 0xb90ee408
        ifqt = 0x0
#2  0xb76853b3 in if_output (so=0xb8eb1380, ifm=0xb90eea60) at slirp/if.c:138
        slirp = 0xb879beb0
        ifq = 0xb90ee408
        on_fastq = 1
#3  0xb7686bb5 in ip_output (so=0xb8eb1380, m0=0xb90eea60) at slirp/ip_output.c:84
        slirp = 0xb879beb0
        ip = 0xb90eeacc
        m = 0xb90eea60
        hlen = 20
        len = -1190204832
        off = -1199980740
        error = 0
#4  0xb768f59c in tcp_output (tp=0xb906fd48) at slirp/tcp_output.c:456
        so = 0xb8eb1380
        len = 0
        win = 8760
        off = 0
        flags = 2
        error = -1217987977
        m = 0xb90eea60
        ti = 0xb90eeacc
        opt = "\002\004\005\264\001\000\000\000d<\236\277\200\302\221\267\362\260\003\000\000\000\000\000\027\307\002\000q\346\031\003"
        optlen = 4
        hdrlen = 44
        idle = 0
        sendalot = 0
#5  0xb7691b9b in tcp_timers (tp=0xb906fd48, timer=0) at slirp/tcp_timer.c:242
        rexmt = 192
#6  0xb76918d4 in tcp_slowtimo (slirp=0xb879beb0) at slirp/tcp_timer.c:88
        ip = 0xb8eb1380
        ipnxt = 0xb879c8b0
        tp = 0xb906fd48
        i = 0
#7  0xb768965a in slirp_select_poll (readfds=0xbf9e3dcc, writefds=0xbf9e3e4c, xfds=0xbf9e3ecc, select_error=0) at slirp/slirp.c:433
        slirp = 0xb879beb0
        so = 0x0
        so_next = 0x0
        ret = -1080148532
#8  0xb763e2a0 in main_loop_wait (nonblocking=0) at main-loop.c:465
        rfds = {fds_bits = {8, 0 <repeats 31 times>}}
        wfds = {fds_bits = {0 <repeats 32 times>}}
        xfds = {fds_bits = {0 <repeats 32 times>}}
        ret = 1
        nfds = 18
        tv = {tv_sec = 0, tv_usec = 990389}
        timeout = 1000
#9  0xb7633042 in main_loop () at /home/craig/build/qemu-1.0.1/vl.c:1481
        nonblocking = false
        last_io = 0
#10 0xb76388a0 in main (argc=20, argv=0xbf9e42d4, envp=0xbf9e4328) at /home/craig/build/qemu-1.0.1/vl.c:3485
        gdbstub_dev = 0x0
        i = 64
        snapshot = 1
        linux_boot = 0
        icount_option = 0x0
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0xb77f890f ""
        boot_devices = "cad", '\000' <repeats 29 times>
        ds = 0xb8b16bb8
        dcl = 0x0
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = 0x0
        opts = 0xb7343000
        olist = 0xbf9e4198
        optind = 20
        optarg = 0x0
        loadvm = 0x0
        machine = 0xb7921e60
        cpu_model = 0x0
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = 1
        log_mask = 0x0
        log_file = 0x0
        mem_trace = {malloc = 0xb7634cb1 <malloc_and_trace>, realloc = 0xb7634d0e <realloc_and_trace>, free = 0xb7634d7f <free_and_trace>, calloc = 0, try_malloc = 0, try_realloc = 0}
        trace_events = 0x0
        trace_file = 0x0
(gdb)

$ ldd /usr/local/qemu/bin/qemu-system-i386
        linux-gate.so.1 =>  (0xb77d0000)
        libnss3.so => /usr/lib/i386-linux-gnu/libnss3.so (0xb6c3a000)
        libnspr4.so => /usr/lib/i386-linux-gnu/libnspr4.so (0xb6bfe000)
        libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb6be2000)
        librt.so.1 => /lib/i386-linux-gnu/librt.so.1 (0xb6bd9000)
        libgthread-2.0.so.0 => /usr/lib/i386-linux-gnu/libgthread-2.0.so.0 (0xb6bd3000)
        libglib-2.0.so.0 => /lib/i386-linux-gnu/libglib-2.0.so.0 (0xb6ada000)
        libutil.so.1 => /lib/i386-linux-gnu/libutil.so.1 (0xb6ad6000)
        libbluetooth.so.3 => /usr/lib/libbluetooth.so.3 (0xb6abb000)
        libcurl.so.4 => /usr/lib/i386-linux-gnu/libcurl.so.4 (0xb6a5f000)
        libncurses.so.5 => /lib/libncurses.so.5 (0xb6a3d000)
        libtinfo.so.5 => /lib/libtinfo.so.5 (0xb6a1e000)
        libbrlapi.so.0.5 => /lib/libbrlapi.so.0.5 (0xb6a12000)
        libpng12.so.0 => /lib/i386-linux-gnu/libpng12.so.0 (0xb69e7000)
        libjpeg.so.62 => /usr/lib/i386-linux-gnu/libjpeg.so.62 (0xb69c3000)
        libgnutls.so.26 => /usr/lib/i386-linux-gnu/libgnutls.so.26 (0xb6913000)
        libSDL-1.2.so.0 => /usr/lib/libSDL-1.2.so.0 (0xb6879000)
        libX11.so.6 => /usr/lib/i386-linux-gnu/libX11.so.6 (0xb6743000)
        libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb6718000)
        libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb6703000)
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb6587000)
        libnssutil3.so => /usr/lib/i386-linux-gnu/libnssutil3.so (0xb656c000)
        libplc4.so => /usr/lib/i386-linux-gnu/libplc4.so (0xb6566000)
        libplds4.so => /usr/lib/i386-linux-gnu/libplds4.so (0xb6560000)
        libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb655b000)
        /lib/ld-linux.so.2 (0xb77d1000)
        libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb651c000)
        libidn.so.11 => /usr/lib/i386-linux-gnu/libidn.so.11 (0xb64e9000)
        liblber-2.4.so.2 => /usr/lib/i386-linux-gnu/liblber-2.4.so.2 (0xb64da000)
        libldap_r-2.4.so.2 => /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2 (0xb6488000)
        libgssapi_krb5.so.2 => /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2 (0xb644a000)
        libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb63fd000)
        libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xb6259000)
        librtmp.so.0 => /usr/lib/i386-linux-gnu/librtmp.so.0 (0xb6240000)
        libtasn1.so.3 => /usr/lib/i386-linux-gnu/libtasn1.so.3 (0xb622d000)
        libgcrypt.so.11 => /lib/i386-linux-gnu/libgcrypt.so.11 (0xb61a8000)
        libpulse-simple.so.0 => /usr/lib/i386-linux-gnu/libpulse-simple.so.0 (0xb61a3000)
        libpulse.so.0 => /usr/lib/i386-linux-gnu/libpulse.so.0 (0xb6155000)
        libxcb.so.1 => /usr/lib/i386-linux-gnu/libxcb.so.1 (0xb6136000)
        libresolv.so.2 => /lib/i386-linux-gnu/libresolv.so.2 (0xb611e000)
        libsasl2.so.2 => /usr/lib/i386-linux-gnu/libsasl2.so.2 (0xb6103000)
        libkrb5.so.3 => /usr/lib/i386-linux-gnu/libkrb5.so.3 (0xb603a000)
        libk5crypto.so.3 => /usr/lib/i386-linux-gnu/libk5crypto.so.3 (0xb6011000)
        libcom_err.so.2 => /lib/i386-linux-gnu/libcom_err.so.2 (0xb600d000)
        libkrb5support.so.0 => /usr/lib/i386-linux-gnu/libkrb5support.so.0 (0xb6003000)
        libgpg-error.so.0 => /lib/i386-linux-gnu/libgpg-error.so.0 (0xb5ffe000)
        libpulsecommon-1.0.so => /usr/lib/i386-linux-gnu/libpulsecommon-1.0.so (0xb5f99000)
        libjson.so.0 => /usr/lib/i386-linux-gnu/libjson.so.0 (0xb5f91000)
        libdbus-1.so.3 => /lib/i386-linux-gnu/libdbus-1.so.3 (0xb5f48000)
        libXau.so.6 => /usr/lib/i386-linux-gnu/libXau.so.6 (0xb5f43000)
        libXdmcp.so.6 => /usr/lib/i386-linux-gnu/libXdmcp.so.6 (0xb5f3c000)
        libkeyutils.so.1 => /lib/i386-linux-gnu/libkeyutils.so.1 (0xb5f38000)
        libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb5f2e000)
        libsndfile.so.1 => /usr/lib/i386-linux-gnu/libsndfile.so.1 (0xb5ebd000)
        libasyncns.so.0 => /usr/lib/i386-linux-gnu/libasyncns.so.0 (0xb5eb5000)
        libnsl.so.1 => /lib/i386-linux-gnu/libnsl.so.1 (0xb5e9c000)
        libFLAC.so.8 => /usr/lib/i386-linux-gnu/libFLAC.so.8 (0xb5e4e000)
        libvorbisenc.so.2 => /usr/lib/i386-linux-gnu/libvorbisenc.so.2 (0xb5cd6000)
        libvorbis.so.0 => /usr/lib/i386-linux-gnu/libvorbis.so.0 (0xb5cab000)
        libogg.so.0 => /usr/lib/i386-linux-gnu/libogg.so.0 (0xb5ca2000)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/938431/+subscriptions
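Editor's added example, not part of the bug report and not QEMU's or slirp's own source: a small C model of the intrusive doubly linked queue that slirp's insque()/remque() operate on (a quehead with qh_link/qh_rlink embedded at the start of each queued record), showing the access pattern of the statement that faults at slirp/misc.c:39 in the backtrace above and a checked removal that reports an unlinked element instead of writing through its stale back pointer. The model_* names, the packet record and the double-removal scenario are assumptions made for illustration, as is the behaviour that remque nulls qh_rlink after unlinking (that is what makes a second removal of the same element fault on exactly the store the gdb session shows). Nothing here claims to be the root cause of the reported crash; it only shows the failure mode the backtrace is consistent with.

```c
/* Added example, not QEMU code: a model of slirp's quehead queue and of the
 * store that faults when an element is removed twice.  The names and the
 * "remque nulls qh_rlink" behaviour are assumptions made for illustration. */
#include <stddef.h>
#include <stdio.h>

struct quehead {
    struct quehead *qh_link;   /* next element, or the head at the end */
    struct quehead *qh_rlink;  /* previous element, or the head at the front */
};

/* Packet-like record whose first member is the linkage (hypothetical). */
struct packet {
    struct quehead link;
    int id;
};

static void queue_init(struct quehead *head)
{
    head->qh_link = head->qh_rlink = head;   /* empty: head points at itself */
}

/* Insert element a directly after b (the head or another element). */
static void model_insque(void *a, void *b)
{
    struct quehead *element = a, *head = b;
    element->qh_link = head->qh_link;
    head->qh_link = element;
    element->qh_rlink = head;
    element->qh_link->qh_rlink = element;
}

/* Unchecked removal with the two stores of slirp's remque.  Once qh_rlink is
 * NULL (already removed) or a neighbour is freed, the second store writes
 * through a stale pointer: the access pattern of the SIGSEGV at misc.c:39. */
static void model_remque_unchecked(void *a)
{
    struct quehead *element = a;
    element->qh_link->qh_rlink = element->qh_rlink;
    element->qh_rlink->qh_link = element->qh_link;   /* faults on stale rlink */
    element->qh_rlink = NULL;
}

/* Checked removal: 0 on success, -1 if not linked (already removed),
 * -2 if the neighbours do not point back (corrupted or foreign queue). */
static int model_remque_checked(void *a)
{
    struct quehead *element = a;
    if (element->qh_link == NULL || element->qh_rlink == NULL)
        return -1;
    if (element->qh_link->qh_rlink != element ||
        element->qh_rlink->qh_link != element)
        return -2;
    element->qh_link->qh_rlink = element->qh_rlink;
    element->qh_rlink->qh_link = element->qh_link;
    element->qh_link = element->qh_rlink = NULL;
    return 0;
}

static int queue_length(const struct quehead *head)
{
    int n = 0;
    const struct quehead *p;
    for (p = head->qh_link; p != head; p = p->qh_link)   /* until back at head */
        n++;
    return n;
}

/* Scenario on constructed data: three packets pushed at the front, packet 1
 * removed once with the unchecked variant (safe for a linked element), then
 * removed again with the checked one.  Returns the second result: -1.  Using
 * model_remque_unchecked for the second call would crash like the report. */
static int double_remove_scenario(void)
{
    struct quehead q;
    struct packet p[3];
    int i;
    queue_init(&q);
    for (i = 0; i < 3; i++) {
        p[i].id = i;
        model_insque(&p[i].link, &q);
    }
    model_remque_unchecked(&p[1].link);
    if (queue_length(&q) != 2)
        return -99;                      /* the model itself would be broken */
    return model_remque_checked(&p[1].link);
}

int main(void)
{
    printf("second removal of the same element: rc=%d\n", double_remove_scenario());
    return 0;
}
```

The checked variant tests both links and the neighbours' back pointers rather than trusting either alone, because under the assumed remque semantics only qh_rlink is cleared on removal while qh_link keeps pointing at whatever followed the element; a queue walker that reaches such an element through a stale forward link is exactly the situation a consistency check like this is meant to catch before the write happens.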