summary refs log tree commit diff stats
path: root/results/classifier/108/other/2261
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/108/other/2261')
-rw-r--r--results/classifier/108/other/2261102
1 files changed, 102 insertions, 0 deletions
diff --git a/results/classifier/108/other/2261 b/results/classifier/108/other/2261
new file mode 100644
index 00000000..c2823e26
--- /dev/null
+++ b/results/classifier/108/other/2261
@@ -0,0 +1,102 @@
+other: 0.886
+permissions: 0.872
+performance: 0.821
+graphic: 0.805
+network: 0.795
+semantic: 0.788
+device: 0.782
+debug: 0.782
+PID: 0.752
+boot: 0.707
+vnc: 0.690
+KVM: 0.688
+socket: 0.677
+files: 0.565
+
+qemu-system-x86_64 crashs in cursor_put functions
+Description of problem:
+This problem cannot be stably reproduced,but we try enable --enable-sanitizers and catch the following information,why qemu_spice_cursor_refresh_bh be called twice at the same time?
+
+==57296==ERROR: AddressSanitizer: heap-use-after-free on address 0x623000738110 at pc 0x55cec2ed06aa bp 0x7ffc54d1fea0 sp 0x7ffc54d1fe90
+READ of size 4 at 0x623000738110 thread T0
+    #0 0x55cec2ed06a9 in cursor_put ../qemu-6.0.1/ui/cursor.c:112
+    #1 0x55cec2f05d40 in vnc_dpy_cursor_define ../qemu-6.0.1/ui/vnc.c:1041
+    #2 0x55cec2ec6352 in dpy_cursor_define ../qemu-6.0.1/ui/console.c:1841
+    #3 0x55cec3ab176c in qemu_spice_cursor_refresh_bh ../qemu-6.0.1/ui/spice-display.c:469
+    #4 0x55cec4abc6eb in aio_bh_call ../qemu-6.0.1/util/async.c:136
+    #5 0x55cec4abce43 in aio_bh_poll ../qemu-6.0.1/util/async.c:164
+    #6 0x55cec4a5f457 in aio_dispatch ../qemu-6.0.1/util/aio-posix.c:381
+    #7 0x55cec4abe386 in aio_ctx_dispatch ../qemu-6.0.1/util/async.c:306
+    #8 0x7fa4fadcdd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a)
+    #9 0x55cec4b0b5d6 in glib_pollfds_poll ../qemu-6.0.1/util/main-loop.c:231
+    #10 0x55cec4b0b7c0 in os_host_main_loop_wait ../qemu-6.0.1/util/main-loop.c:254
+    #11 0x55cec4b0bac5 in main_loop_wait ../qemu-6.0.1/util/main-loop.c:530
+    #12 0x55cec3f49e70 in qemu_main_loop ../qemu-6.0.1/softmmu/runstate.c:786
+    #13 0x55cec2e7f679 in main ../qemu-6.0.1/softmmu/main.c:50
+    #14 0x7fa4f96f4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+    #15 0x7fa4f96f4e3f in __libc_start_main_impl ../csu/libc-start.c:392
+    #16 0x55cec2e7f584 in _start (/usr/bin/qemu-system-x86_64+0x298a584)
+
+0x623000738110 is located 16 bytes inside of 6416-byte region [0x623000738100,0x623000739a10)
+freed by thread T0 here:
+    #0 0x7fa4fb7d9537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
+    #1 0x55cec2ed0769 in cursor_put ../qemu-6.0.1/ui/cursor.c:115
+    #2 0x55cec3ab1818 in qemu_spice_cursor_refresh_bh ../qemu-6.0.1/ui/spice-display.c:471
+    #3 0x55cec4abc6eb in aio_bh_call ../qemu-6.0.1/util/async.c:136
+    #4 0x55cec4abce43 in aio_bh_poll ../qemu-6.0.1/util/async.c:164
+    #5 0x55cec4a5f457 in aio_dispatch ../qemu-6.0.1/util/aio-posix.c:381
+    #6 0x55cec4abe386 in aio_ctx_dispatch ../qemu-6.0.1/util/async.c:306
+    #7 0x7fa4fadcdd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a)
+
+previously allocated by thread T14 here:
+    #0 0x7fa4fb7d9a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
+    #1 0x7fa4fadd6c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
+    #2 0x55cec3b16918 in qxl_cursor ../qemu-6.0.1/hw/display/qxl-render.c:361
+    #3 0x55cec3b18698 in qxl_render_cursor ../qemu-6.0.1/hw/display/qxl-render.c:448
+    #4 0x55cec3af53a5 in interface_get_cursor_command ../qemu-6.0.1/hw/display/qxl.c:856
+    #5 0x7fa4fb39ca1f in red_process_cursor ../../server/red-worker.c:152
+    #6 0x7fa4fb39ca1f in red_process_cursor ../../server/red-worker.c:140
+
+Thread T14 created by T0 here:
+    #0 0x7fa4fb77d685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
+    #1 0x7fa4fb39ece5 in red_worker_run ../../server/red-worker.c:1588
+    #2 0x62100002d94f  (<unknown module>)
+
+SUMMARY: AddressSanitizer: heap-use-after-free ../qemu-6.0.1/ui/cursor.c:112 in cursor_put
+Shadow bytes around the buggy address:
+  0x0c46800defd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c46800defe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c46800deff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c46800df000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c46800df010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0c46800df020: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c46800df030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c46800df040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c46800df050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c46800df060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c46800df070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+  Shadow gap:              cc
+==57296==ABORTING
+Steps to reproduce:
+This problem cannot be stably reproduced
+Additional information:
+/label ~"kind::Bug"