# Issue record mirrored from the QEMU GitLab tracker (issue 2261); the
# string values below are the reporter's text, kept verbatim.
id = 2261
title = "qemu-system-x86_64 crashs in cursor_put functions"
state = "opened"
# Timestamps are plain strings, not native TOML datetimes; `closed_at`
# uses the sentinel "n/a" while the issue is open, so a consumer has to
# check for it before attempting any date parsing.
created_at = "2024-04-02T01:35:13.100Z"
closed_at = "n/a"
# Upstream labels exactly as applied on the issue.
labels = ["device:graphics", "kind::Bug"]
url = "https://gitlab.com/qemu-project/qemu/-/issues/2261"
# Reporter's environment. 6.0.1 also matches the source paths in the
# sanitizer trace (../qemu-6.0.1/...), so the report is against that tree.
host-os = "ubuntu22.04"
host-arch = "x86"
qemu-version = "6.0.1"
guest-os = "Windows 10 21H1"
guest-arch = "x86"
# Reporter's note followed by the raw AddressSanitizer report (the text
# starts right after the opening delimiter, so no leading newline is
# trimmed). What the trace establishes:
#   - heap-use-after-free: a 6416-byte cursor buffer is freed in
#     cursor_put (ui/cursor.c:115) called from qemu_spice_cursor_refresh_bh
#     (ui/spice-display.c:471), and later read in cursor_put
#     (ui/cursor.c:112) reached via qemu_spice_cursor_refresh_bh
#     (spice-display.c:469) -> dpy_cursor_define -> vnc_dpy_cursor_define;
#     both free and read run on the main thread T0 from the bottom half.
#   - the buffer was allocated on the spice red-worker thread T14 in
#     qxl_cursor (hw/display/qxl-render.c:361) while handling a cursor
#     command (interface_get_cursor_command).
# NOTE(review): the pattern reads like a cursor reference owned by the VNC
# backend being released after the spice display had already dropped the
# last reference — a refcount/ownership mismatch rather than the bottom
# half literally running twice as the reporter asks; to be confirmed
# against the code. Whether a guest can steer the cursor path into this
# state is not established by this record.
description = """This problem cannot be stably reproduced,but we try enable --enable-sanitizers and catch the following information,why qemu_spice_cursor_refresh_bh be called twice at the same time?
==57296==ERROR: AddressSanitizer: heap-use-after-free on address 0x623000738110 at pc 0x55cec2ed06aa bp 0x7ffc54d1fea0 sp 0x7ffc54d1fe90
READ of size 4 at 0x623000738110 thread T0
#0 0x55cec2ed06a9 in cursor_put ../qemu-6.0.1/ui/cursor.c:112
#1 0x55cec2f05d40 in vnc_dpy_cursor_define ../qemu-6.0.1/ui/vnc.c:1041
#2 0x55cec2ec6352 in dpy_cursor_define ../qemu-6.0.1/ui/console.c:1841
#3 0x55cec3ab176c in qemu_spice_cursor_refresh_bh ../qemu-6.0.1/ui/spice-display.c:469
#4 0x55cec4abc6eb in aio_bh_call ../qemu-6.0.1/util/async.c:136
#5 0x55cec4abce43 in aio_bh_poll ../qemu-6.0.1/util/async.c:164
#6 0x55cec4a5f457 in aio_dispatch ../qemu-6.0.1/util/aio-posix.c:381
#7 0x55cec4abe386 in aio_ctx_dispatch ../qemu-6.0.1/util/async.c:306
#8 0x7fa4fadcdd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a)
#9 0x55cec4b0b5d6 in glib_pollfds_poll ../qemu-6.0.1/util/main-loop.c:231
#10 0x55cec4b0b7c0 in os_host_main_loop_wait ../qemu-6.0.1/util/main-loop.c:254
#11 0x55cec4b0bac5 in main_loop_wait ../qemu-6.0.1/util/main-loop.c:530
#12 0x55cec3f49e70 in qemu_main_loop ../qemu-6.0.1/softmmu/runstate.c:786
#13 0x55cec2e7f679 in main ../qemu-6.0.1/softmmu/main.c:50
#14 0x7fa4f96f4d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7fa4f96f4e3f in __libc_start_main_impl ../csu/libc-start.c:392
#16 0x55cec2e7f584 in _start (/usr/bin/qemu-system-x86_64+0x298a584)
0x623000738110 is located 16 bytes inside of 6416-byte region [0x623000738100,0x623000739a10)
freed by thread T0 here:
#0 0x7fa4fb7d9537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x55cec2ed0769 in cursor_put ../qemu-6.0.1/ui/cursor.c:115
#2 0x55cec3ab1818 in qemu_spice_cursor_refresh_bh ../qemu-6.0.1/ui/spice-display.c:471
#3 0x55cec4abc6eb in aio_bh_call ../qemu-6.0.1/util/async.c:136
#4 0x55cec4abce43 in aio_bh_poll ../qemu-6.0.1/util/async.c:164
#5 0x55cec4a5f457 in aio_dispatch ../qemu-6.0.1/util/aio-posix.c:381
#6 0x55cec4abe386 in aio_ctx_dispatch ../qemu-6.0.1/util/async.c:306
#7 0x7fa4fadcdd3a in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55d3a)
previously allocated by thread T14 here:
#0 0x7fa4fb7d9a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7fa4fadd6c50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
#2 0x55cec3b16918 in qxl_cursor ../qemu-6.0.1/hw/display/qxl-render.c:361
#3 0x55cec3b18698 in qxl_render_cursor ../qemu-6.0.1/hw/display/qxl-render.c:448
#4 0x55cec3af53a5 in interface_get_cursor_command ../qemu-6.0.1/hw/display/qxl.c:856
#5 0x7fa4fb39ca1f in red_process_cursor ../../server/red-worker.c:152
#6 0x7fa4fb39ca1f in red_process_cursor ../../server/red-worker.c:140
Thread T14 created by T0 here:
#0 0x7fa4fb77d685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7fa4fb39ece5 in red_worker_run ../../server/red-worker.c:1588
#2 0x62100002d94f (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free ../qemu-6.0.1/ui/cursor.c:112 in cursor_put
Shadow bytes around the buggy address:
0x0c46800defd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c46800defe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c46800deff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c46800df000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c46800df010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c46800df020: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c46800df030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c46800df040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c46800df050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c46800df060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c46800df070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==57296==ABORTING"""
# No reproducer was supplied; the record repeats the reporter's statement.
reproduce = """This problem cannot be stably reproduced"""
# Trailing `""""`: the first quote is part of the value (`/label ~"kind::Bug"`)
# and the remaining three close the multi-line string, which TOML permits.
additional = """/label ~"kind::Bug""""