Diffstat (limited to '')
-rw-r--r--results/classifier/108/other/172833
-rw-r--r--results/classifier/108/other/172832592
-rw-r--r--results/classifier/108/other/172844887
-rw-r--r--results/classifier/108/other/1728615540
-rw-r--r--results/classifier/108/other/1728635209
-rw-r--r--results/classifier/108/other/1728639126
-rw-r--r--results/classifier/108/other/1728643131
-rw-r--r--results/classifier/108/other/172866075
-rw-r--r--results/classifier/108/other/1728661133
9 files changed, 1426 insertions, 0 deletions
diff --git a/results/classifier/108/other/1728 b/results/classifier/108/other/1728
new file mode 100644
index 000000000..9231bc0a0
--- /dev/null
+++ b/results/classifier/108/other/1728
@@ -0,0 +1,33 @@
+graphic: 0.912
+device: 0.889
+vnc: 0.818
+performance: 0.734
+network: 0.711
+PID: 0.651
+semantic: 0.622
+debug: 0.582
+boot: 0.564
+socket: 0.420
+permissions: 0.330
+KVM: 0.266
+other: 0.239
+files: 0.132
+
+blockdev parameter does not accept dots in pool name in json config
+Description of problem:
+I'm trying to provision a VM using qemu 6.2.0 and pass the remote disk parameters like libvirt. When I start the VM, I get an error saying 
+
+
+```
+qemu-system-x86_64: -blockdev {driver:rbd,pool:cloud.disk.hiops,image:csi-vol-8577fffd-0f48-3344-b333-02000038163a,server:[{host:1.2.3.4,port:6789},{host:1.2.3.5,port:6789},{host:1.2.3.6,port:6789}],user:compute-staging,auth-client-required:[cephx,none],key-secret:ceph-secret,node-name:pv-MD7PBV3SRD21L08115JUJ94HMG,cache:{direct:false,no-flush:false},auto-read-only:true,discard:unmap}: JSON parse error, stray '.'
+```
+
+
+I changed the ip address and some fields.
+
+
+My question is should we avoid dots in pool name? I tried to look at the source code of json parser but in its doc, it did not mention a sequence of characters for escaping dots.
+Steps to reproduce:
+1. Provision a VM with the provided config
+Additional information:
+bl
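Review bot: The new file ends with the bare fragment `bl` directly under the "Additional information:" heading, which looks like the ingested record was cut off mid-word rather than ending there deliberately; the hunk header's 33-line count matches the file as committed, so the truncation, if any, happened upstream of this commit. If the source record is longer, re-exporting it would avoid persisting a clipped report in the corpus; if the original really ends this way, a one-line marker such as `[record truncated at source]` in the export would make that explicit for later consumers.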
diff --git a/results/classifier/108/other/1728325 b/results/classifier/108/other/1728325
new file mode 100644
index 000000000..b70574289
--- /dev/null
+++ b/results/classifier/108/other/1728325
@@ -0,0 +1,92 @@
+other: 0.728
+graphic: 0.704
+device: 0.695
+performance: 0.686
+PID: 0.632
+vnc: 0.596
+debug: 0.589
+semantic: 0.587
+permissions: 0.583
+files: 0.577
+network: 0.477
+boot: 0.464
+socket: 0.462
+KVM: 0.246
+
+POWER8: Wrong behaviour with float-to-int punning
+
+Building a reduced test program with 'gcc -O2 -fno-inline -mcpu=power8' produces wrong results at runtime. I don't think gcc is at fault here.
+
+---
+#include <stdio.h>
+
+int getWord(const float x)
+{
+  return *(int*)&x;
+}
+
+void main()
+{
+    int foo = getWord(+123.456f);
+    int bar = getWord(-123.456f);
+
+    printf("%d\n", foo);
+    printf("%d\n", bar);
+    return;
+}
+---
+
+This prints:
+---
+0
+0
+---
+
+Compiling with 'gcc -O2 -fno-inline -mcpu=power7' and you instead get the expected result:
+---
+1123477881
+-1024005767
+---
+
+
+The different between the two programs is:
+
+--- power7.s
++++ power8.s
+@@ -6,9 +6,9 @@
+ 	.globl getWord
+ 	.type	getWord, @function
+ getWord:
+-	stfs 1,-16(1)
+-	ori 2,2,0
+-	lwa 3,-16(1)
++	xscvdpspn 0,1
++	mfvsrwz 3,0
++	extsw 3,3
+ 	blr
+ 	.long 0
+ 	.byte 0,0,0,0,0,0,0,0
+        .size   getWord,.-getWord
+
+
+Seems like qemu doesn't handle xscvdpspn/mfvsrwz correctly.
+
+https://github.com/qemu/qemu/commit/7ee19fb9d682689d36c849576c808cf92e3bae40
+https://github.com/qemu/qemu/commit/f5c0f7f981333da59cc35c3210d05ec1775c97c1
+
+I am running:
+
+qemu-ppc64le-static -L /usr/powerpc64le-linux-gnu ./a.out
+
+This is buggy C.
+
+https://gcc.gnu.org/bugs/#nonbugs_c
+
+The original code used a union.  It generates the same assembler all the same.
+
+The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now.
+If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Or mark it as "Fix Released" if the problem has been solved with a newer version of QEMU already. Thank you and sorry for the inconvenience.
+
+
+[Expired for QEMU because there has been no activity for 60 days.]
+
diff --git a/results/classifier/108/other/1728448 b/results/classifier/108/other/1728448
new file mode 100644
index 000000000..799ed3d47
--- /dev/null
+++ b/results/classifier/108/other/1728448
@@ -0,0 +1,87 @@
+device: 0.885
+other: 0.832
+permissions: 0.797
+PID: 0.776
+graphic: 0.767
+debug: 0.746
+semantic: 0.733
+boot: 0.729
+socket: 0.726
+files: 0.707
+network: 0.687
+performance: 0.682
+KVM: 0.604
+vnc: 0.422
+
+qemu-system-arm segmentation fault with cpu cortex-m*
+
+I try to run an emulation with qemu-system-arm under a cpu cortex-m3 but any execution under the processor result by a segmentation fault. 
+
+My command is : qemu-system-arm -m 256 -M versatilepb -cpu cortex-m3 -kernel ~/qemu/wheezy/vmlinuz-3.2.0-4-versatile -initrd ~/qemu/wheezy/initrd.img-3.2.0-4-versatile -hda ~/qemu/wheezy/hda.img -append 'root=/dev/sda1'
+
+If a lauch the emulation without specifying a cpu equivalent to cortex-m*, the vm opens up well and works but I absolutely need to run it under cortex-m3.
+
+
+Do you have any idea why I have this problem only with this type of processor ?
+
+I also try with other boards different from versatilepb but I have the same result.
+
+I am under ubuntu 17 64bits during my test.
+
+On 29 October 2017 at 19:24, Kevin <email address hidden> wrote:
+> I try to run an emulation with qemu-system-arm under a cpu cortex-m3 but
+> any execution under the processor result by a segmentation fault.
+>
+> My command is : qemu-system-arm -m 256 -M versatilepb -cpu cortex-m3
+> -kernel ~/qemu/wheezy/vmlinuz-3.2.0-4-versatile -initrd
+> ~/qemu/wheezy/initrd.img-3.2.0-4-versatile -hda ~/qemu/wheezy/hda.img
+> -append 'root=/dev/sda1'
+
+This command line is never going to work, for multiple reasons.
+Unfortunately QEMU currently doesn't do a good job of identifying
+option combinations which we know are wrong (like -cpu cortex-m3
+with -M versatilepb) and printing an error message.
+
+The major problem here is that the cortex-m3 is a microcontroller,
+which is significantly different from the 'A-profile' devices
+that Linux runs on. It has no MMU and usually 16MB of RAM or less:
+why are you trying to run Linux on it? This will never work.
+
+Secondly, the "versatilepb" board is not a board which you can
+use a Cortex-M3 with -- it's only intended to work with certain
+CPUs, mainly the arm926.
+
+Thirdly, that looks like a prebuilt versatile kernel image -- it
+probably won't work with a random CPU that's not the one the
+versatile has, and it *definitely* won't work with the M3.
+
+Basic rule of thumb for QEMU ARM boards -- don't try to specify
+"-cpu" unless you have documentation that specifically tells you
+to. You're much more likely to create something that's just
+a broken config that guest software can't handle. This is
+always true for the Cortex-M3 -- unless the board is intended
+to work with the M3 and is creating the correct interrupt
+controller, you'll just end up with a broken model.
+
+If you need to use the Cortex-M3 then use one of the boards
+which works with it -- lm3s6965evb, lm3s811evb, mps2-an385,
+mps2-an511, or netduino2. You'll also need to run guest code
+which is actually built for the board you're using and for
+the Cortex-M3 (likely some kind of RTOS, or bare metal code.)
+The MPS2 boards have the most RAM, but they're only in recent
+QEMU versions.
+
+thanks
+-- PMM
+
+
+Thank you for you answer. 
+
+I wanted to emulate under cortex-M3 because I need to exéutute an executable who will install a kernel but only runs under cortex-M3, for then realized fuzzing on this kernel.
+
+But, I will try with freeRTOS.
+
+
+I'm closing this bug as it's a command line issue. Please open a new bug if you have further problems.
+
+
diff --git a/results/classifier/108/other/1728615 b/results/classifier/108/other/1728615
new file mode 100644
index 000000000..7a7d7a6f0
--- /dev/null
+++ b/results/classifier/108/other/1728615
@@ -0,0 +1,540 @@
+KVM: 0.810
+vnc: 0.784
+other: 0.757
+graphic: 0.662
+boot: 0.618
+performance: 0.599
+permissions: 0.581
+debug: 0.577
+device: 0.575
+files: 0.564
+semantic: 0.530
+PID: 0.487
+socket: 0.480
+network: 0.468
+
+qemu-io crashes with SIGABRT and Assertion `c->entries[i].offset != 0' failed
+
+git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
+This is on ppc64le architecture.
+
+Re-production steps:
+
+1. Copy the attached files named backing_img.file and test.img to a directory
+2. And customize the following command to point to the above directory and run the same.
+/usr/bin/qemu-io <path to>/test.img -c "write 1352192 1707520"
+
+3.Output of the above command.
+qemu-io: block/qcow2-cache.c:411: qcow2_cache_entry_mark_dirty: Assertion `c->entries[i].offset != 0' failed.
+Aborted (core dumped)
+
+from gdb:
+(gdb) bt
+#0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
+#1  0x00003fff833f136c in abort () from /lib64/libc.so.6
+#2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
+#3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
+#4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
+#5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
+#6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
+    at block/qcow2-refcount.c:834
+#7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
+#8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
+    at block/qcow2-cluster.c:1221
+#9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
+    at block/qcow2-cluster.c:1324
+#10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
+    at block/qcow2-cluster.c:1511
+#11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
+#12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
+#13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
+    at block/io.c:1440
+#14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
+#15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+#16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
+#17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
+#18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
+#19 0x0000000000000000 in ?? ()
+(gdb) bt full
+#0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
+No symbol table info available.
+#1  0x00003fff833f136c in abort () from /lib64/libc.so.6
+No symbol table info available.
+#2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
+No symbol table info available.
+#3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
+No symbol table info available.
+#4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
+        i = 0
+        __PRETTY_FUNCTION__ = "qcow2_cache_entry_mark_dirty"
+#5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
+        s = 0x2e893210
+        refcount_table_index = 0
+        ret = 0
+        new_block = 0
+        blocks_used = 72057594818669408
+        meta_offset = 1572863
+#6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
+    at block/qcow2-refcount.c:834
+        block_index = 268870408
+        refcount = 780741808
+        cluster_index = 2
+        table_index = 0
+        s = 0x2e893210
+        start = 1048576
+        last = 1048576
+        cluster_offset = 1048576
+        refcount_block = 0x3fff81200000
+        old_table_index = -1
+        ret = 16383
+#7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
+        s = 0x2e893210
+        cluster_index = 3
+        refcount = 0
+        i = 1
+        ret = 0
+        __PRETTY_FUNCTION__ = "qcow2_alloc_clusters_at"
+#8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
+    at block/qcow2-cluster.c:1221
+        ret = 780743184
+        s = 0x2e893210
+#9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
+    at block/qcow2-cluster.c:1324
+        s = 0x2e893210
+        l2_index = 4
+        l2_table = 0x0
+        entry = 0
+        nb_clusters = 1
+        ret = 0
+---Type <return> to continue, or q <return> to quit---
+        keep_old_clusters = false
+        alloc_cluster_offset = 1048576
+        __PRETTY_FUNCTION__ = "handle_alloc"
+        requested_bytes = 17960562528
+        avail_bytes = -2133853344
+        nb_bytes = 16383
+        old_m = 0x100000000
+#10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
+    at block/qcow2-cluster.c:1511
+        s = 0x2e893210
+        start = 2097152
+        remaining = 962560
+        cluster_offset = 1048576
+        cur_bytes = 962560
+        ret = 0
+        __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
+#11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
+        s = 0x2e893210
+        offset_in_cluster = 0
+        ret = 0
+        cur_bytes = 1486848
+        cluster_offset = 524288
+        hd_qiov = {iov = 0x2e858660, niov = 1, nalloc = 1, size = 220672}
+        bytes_done = 220672
+        cluster_data = 0x0
+        l2meta = 0x0
+        __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
+#12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
+        drv = 0x102036f0 <bdrv_qcow2>
+        sector_num = 780706080
+        nb_sectors = 3069122264
+        ret = -203160320
+        __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
+#13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
+    at block/io.c:1440
+        bs = 0x2e886f60
+        drv = 0x102036f0 <bdrv_qcow2>
+        waited = false
+        ret = 0
+        end_sector = 5976
+        bytes_remaining = 1707520
+        max_transfer = 2147483647
+        __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
+#14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
+        bs = 0x2e886f60
+        req = {bs = 0x2e886f60, offset = 1352192, bytes = 1707520, type = BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 1352192,
+          overlap_bytes = 1707520, list = {le_next = 0x0, le_prev = 0x2e88a1d8}, co = 0x2e895a90, wait_queue = {entries = {sqh_first = 0x0,
+              sqh_last = 0x3fff80cffe20}}, waiting_for = 0x0}
+        align = 1
+        head_buf = 0x0
+---Type <return> to continue, or q <return> to quit---
+        tail_buf = 0x0
+        local_qiov = {iov = 0x3fff80cffdb0, niov = -2133852688, nalloc = 16383, size = 1352192}
+        use_local_qiov = false
+        ret = 0
+        __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
+#15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+        ret = 0
+        bs = 0x2e886f60
+#16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
+        rwco = 0x3fffc85f0c08
+#17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
+        arg = {p = 0x2e895a90, i = {780753552, 0}}
+        self = 0x2e895a90
+        co = 0x2e895a90
+#18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
+No symbol table info available.
+#19 0x0000000000000000 in ?? ()
+No symbol table info available.
+
+Will attach the 'image_fuzzer' images.
+
+
+
+On Wed 01 Nov 2017 07:13:08 AM CET, Thomas Huth wrote:
+> On 30.10.2017 15:43, R.Nageswara Sastry wrote:
+>> Public bug reported:
+>> 
+>> git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
+>> This is on ppc64le architecture.
+>> 
+>> Re-production steps:
+>> 
+>> 1. Copy the attached files named backing_img.file and test.img to a directory
+>> 2. And customize the following command to point to the above directory and run the same.
+>> /usr/bin/qemu-io <path to>/test.img -c "write 1352192 1707520"
+>> 
+>> 3.Output of the above command.
+>> qemu-io: block/qcow2-cache.c:411: qcow2_cache_entry_mark_dirty: Assertion `c->entries[i].offset != 0' failed.
+>> Aborted (core dumped)
+>> 
+>> from gdb:
+>> (gdb) bt
+>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
+>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
+>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
+>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
+>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
+>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
+>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
+>>     at block/qcow2-refcount.c:834
+>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
+>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
+>>     at block/qcow2-cluster.c:1221
+>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
+>>     at block/qcow2-cluster.c:1324
+>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
+>>     at block/qcow2-cluster.c:1511
+>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
+>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
+>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
+>>     at block/io.c:1440
+>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
+>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
+>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
+>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
+>> #19 0x0000000000000000 in ?? ()
+>> (gdb) bt full
+>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
+>> No symbol table info available.
+>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
+>> No symbol table info available.
+>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
+>> No symbol table info available.
+>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
+>> No symbol table info available.
+>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
+>>         i = 0
+>>         __PRETTY_FUNCTION__ = "qcow2_cache_entry_mark_dirty"
+>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
+>>         s = 0x2e893210
+>>         refcount_table_index = 0
+>>         ret = 0
+>>         new_block = 0
+>>         blocks_used = 72057594818669408
+>>         meta_offset = 1572863
+>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
+>>     at block/qcow2-refcount.c:834
+>>         block_index = 268870408
+>>         refcount = 780741808
+>>         cluster_index = 2
+>>         table_index = 0
+>>         s = 0x2e893210
+>>         start = 1048576
+>>         last = 1048576
+>>         cluster_offset = 1048576
+>>         refcount_block = 0x3fff81200000
+>>         old_table_index = -1
+>>         ret = 16383
+>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
+>>         s = 0x2e893210
+>>         cluster_index = 3
+>>         refcount = 0
+>>         i = 1
+>>         ret = 0
+>>         __PRETTY_FUNCTION__ = "qcow2_alloc_clusters_at"
+>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
+>>     at block/qcow2-cluster.c:1221
+>>         ret = 780743184
+>>         s = 0x2e893210
+>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
+>>     at block/qcow2-cluster.c:1324
+>>         s = 0x2e893210
+>>         l2_index = 4
+>>         l2_table = 0x0
+>>         entry = 0
+>>         nb_clusters = 1
+>>         ret = 0
+>> ---Type <return> to continue, or q <return> to quit---
+>>         keep_old_clusters = false
+>>         alloc_cluster_offset = 1048576
+>>         __PRETTY_FUNCTION__ = "handle_alloc"
+>>         requested_bytes = 17960562528
+>>         avail_bytes = -2133853344
+>>         nb_bytes = 16383
+>>         old_m = 0x100000000
+>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
+>>     at block/qcow2-cluster.c:1511
+>>         s = 0x2e893210
+>>         start = 2097152
+>>         remaining = 962560
+>>         cluster_offset = 1048576
+>>         cur_bytes = 962560
+>>         ret = 0
+>>         __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
+>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
+>>         s = 0x2e893210
+>>         offset_in_cluster = 0
+>>         ret = 0
+>>         cur_bytes = 1486848
+>>         cluster_offset = 524288
+>>         hd_qiov = {iov = 0x2e858660, niov = 1, nalloc = 1, size = 220672}
+>>         bytes_done = 220672
+>>         cluster_data = 0x0
+>>         l2meta = 0x0
+>>         __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
+>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
+>>         drv = 0x102036f0 <bdrv_qcow2>
+>>         sector_num = 780706080
+>>         nb_sectors = 3069122264
+>>         ret = -203160320
+>>         __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
+>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
+>>     at block/io.c:1440
+>>         bs = 0x2e886f60
+>>         drv = 0x102036f0 <bdrv_qcow2>
+>>         waited = false
+>>         ret = 0
+>>         end_sector = 5976
+>>         bytes_remaining = 1707520
+>>         max_transfer = 2147483647
+>>         __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
+>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
+>>         bs = 0x2e886f60
+>>         req = {bs = 0x2e886f60, offset = 1352192, bytes = 1707520, type = BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 1352192,
+>>           overlap_bytes = 1707520, list = {le_next = 0x0, le_prev = 0x2e88a1d8}, co = 0x2e895a90, wait_queue = {entries = {sqh_first = 0x0,
+>>               sqh_last = 0x3fff80cffe20}}, waiting_for = 0x0}
+>>         align = 1
+>>         head_buf = 0x0
+>> ---Type <return> to continue, or q <return> to quit---
+>>         tail_buf = 0x0
+>>         local_qiov = {iov = 0x3fff80cffdb0, niov = -2133852688, nalloc = 16383, size = 1352192}
+>>         use_local_qiov = false
+>>         ret = 0
+>>         __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
+>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+>>         ret = 0
+>>         bs = 0x2e886f60
+>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
+>>         rwco = 0x3fffc85f0c08
+>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
+>>         arg = {p = 0x2e895a90, i = {780753552, 0}}
+>>         self = 0x2e895a90
+>>         co = 0x2e895a90
+>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
+>> No symbol table info available.
+>> #19 0x0000000000000000 in ?? ()
+>> No symbol table info available.
+>
+> Can you also reproduce this on x86, or is it specific to ppc64?
+
+I can actually reproduce it myself, I'll take a look.
+
+Berto
+
+
+On Wed 01 Nov 2017 09:55:21 AM CET, Alberto Garcia wrote:
+> On Wed 01 Nov 2017 07:13:08 AM CET, Thomas Huth wrote:
+>> On 30.10.2017 15:43, R.Nageswara Sastry wrote:
+>>> Public bug reported:
+>>> 
+>>> git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
+>>> This is on ppc64le architecture.
+>>> 
+>>> Re-production steps:
+>>> 
+>>> 1. Copy the attached files named backing_img.file and test.img to a directory
+>>> 2. And customize the following command to point to the above directory and run the same.
+>>> /usr/bin/qemu-io <path to>/test.img -c "write 1352192 1707520"
+>>> 
+>>> 3.Output of the above command.
+>>> qemu-io: block/qcow2-cache.c:411: qcow2_cache_entry_mark_dirty: Assertion `c->entries[i].offset != 0' failed.
+>>> Aborted (core dumped)
+>>> 
+>>> from gdb:
+>>> (gdb) bt
+>>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
+>>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
+>>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
+>>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
+>>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
+>>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
+>>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
+>>>     at block/qcow2-refcount.c:834
+>>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
+>>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
+>>>     at block/qcow2-cluster.c:1221
+>>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
+>>>     at block/qcow2-cluster.c:1324
+>>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
+>>>     at block/qcow2-cluster.c:1511
+>>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
+>>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
+>>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
+>>>     at block/io.c:1440
+>>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
+>>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+>>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
+>>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
+>>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
+>>> #19 0x0000000000000000 in ?? ()
+>>> (gdb) bt full
+>>> #0  0x00003fff833eeff0 in raise () from /lib64/libc.so.6
+>>> No symbol table info available.
+>>> #1  0x00003fff833f136c in abort () from /lib64/libc.so.6
+>>> No symbol table info available.
+>>> #2  0x00003fff833e4c44 in __assert_fail_base () from /lib64/libc.so.6
+>>> No symbol table info available.
+>>> #3  0x00003fff833e4d34 in __assert_fail () from /lib64/libc.so.6
+>>> No symbol table info available.
+>>> #4  0x000000001006a594 in qcow2_cache_entry_mark_dirty (bs=0x2e886f60, c=0x2e879700, table=0x3fff81200000) at block/qcow2-cache.c:411
+>>>         i = 0
+>>>         __PRETTY_FUNCTION__ = "qcow2_cache_entry_mark_dirty"
+>>> #5  0x0000000010056154 in alloc_refcount_block (bs=0x2e886f60, cluster_index=2, refcount_block=0x3fff80cff808) at block/qcow2-refcount.c:417
+>>>         s = 0x2e893210
+>>>         refcount_table_index = 0
+>>>         ret = 0
+>>>         new_block = 0
+>>>         blocks_used = 72057594818669408
+>>>         meta_offset = 1572863
+>>> #6  0x0000000010057520 in update_refcount (bs=0x2e886f60, offset=1048576, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
+>>>     at block/qcow2-refcount.c:834
+>>>         block_index = 268870408
+>>>         refcount = 780741808
+>>>         cluster_index = 2
+>>>         table_index = 0
+>>>         s = 0x2e893210
+>>>         start = 1048576
+>>>         last = 1048576
+>>>         cluster_offset = 1048576
+>>>         refcount_block = 0x3fff81200000
+>>>         old_table_index = -1
+>>>         ret = 16383
+>>> #7  0x0000000010057dc8 in qcow2_alloc_clusters_at (bs=0x2e886f60, offset=1048576, nb_clusters=1) at block/qcow2-refcount.c:1032
+>>>         s = 0x2e893210
+>>>         cluster_index = 3
+>>>         refcount = 0
+>>>         i = 1
+>>>         ret = 0
+>>>         __PRETTY_FUNCTION__ = "qcow2_alloc_clusters_at"
+>>> #8  0x00000000100636d8 in do_alloc_cluster_offset (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cff9e0, nb_clusters=0x3fff80cff9d8)
+>>>     at block/qcow2-cluster.c:1221
+>>>         ret = 780743184
+>>>         s = 0x2e893210
+>>> #9  0x0000000010063afc in handle_alloc (bs=0x2e886f60, guest_offset=2097152, host_offset=0x3fff80cffab0, bytes=0x3fff80cffab8, m=0x3fff80cffb60)
+>>>     at block/qcow2-cluster.c:1324
+>>>         s = 0x2e893210
+>>>         l2_index = 4
+>>>         l2_table = 0x0
+>>>         entry = 0
+>>>         nb_clusters = 1
+>>>         ret = 0
+>>> ---Type <return> to continue, or q <return> to quit---
+>>>         keep_old_clusters = false
+>>>         alloc_cluster_offset = 1048576
+>>>         __PRETTY_FUNCTION__ = "handle_alloc"
+>>>         requested_bytes = 17960562528
+>>>         avail_bytes = -2133853344
+>>>         nb_bytes = 16383
+>>>         old_m = 0x100000000
+>>> #10 0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x2e886f60, offset=1572864, bytes=0x3fff80cffb4c, host_offset=0x3fff80cffb58, m=0x3fff80cffb60)
+>>>     at block/qcow2-cluster.c:1511
+>>>         s = 0x2e893210
+>>>         start = 2097152
+>>>         remaining = 962560
+>>>         cluster_offset = 1048576
+>>>         cur_bytes = 962560
+>>>         ret = 0
+>>>         __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
+>>> #11 0x000000001004d3f4 in qcow2_co_pwritev (bs=0x2e886f60, offset=1572864, bytes=1486848, qiov=0x3fffc85f0bf0, flags=0) at block/qcow2.c:1919
+>>>         s = 0x2e893210
+>>>         offset_in_cluster = 0
+>>>         ret = 0
+>>>         cur_bytes = 1486848
+>>>         cluster_offset = 524288
+>>>         hd_qiov = {iov = 0x2e858660, niov = 1, nalloc = 1, size = 220672}
+>>>         bytes_done = 220672
+>>>         cluster_data = 0x0
+>>>         l2meta = 0x0
+>>>         __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
+>>> #12 0x00000000100a9648 in bdrv_driver_pwritev (bs=0x2e886f60, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=16) at block/io.c:898
+>>>         drv = 0x102036f0 <bdrv_qcow2>
+>>>         sector_num = 780706080
+>>>         nb_sectors = 3069122264
+>>>         ret = -203160320
+>>>         __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
+>>> #13 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x2e8927f0, req=0x3fff80cffdd8, offset=1352192, bytes=1707520, align=1, qiov=0x3fffc85f0bf0, flags=16)
+>>>     at block/io.c:1440
+>>>         bs = 0x2e886f60
+>>>         drv = 0x102036f0 <bdrv_qcow2>
+>>>         waited = false
+>>>         ret = 0
+>>>         end_sector = 5976
+>>>         bytes_remaining = 1707520
+>>>         max_transfer = 2147483647
+>>>         __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
+>>> #14 0x00000000100ac4ac in bdrv_co_pwritev (child=0x2e8927f0, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/io.c:1691
+>>>         bs = 0x2e886f60
+>>>         req = {bs = 0x2e886f60, offset = 1352192, bytes = 1707520, type = BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 1352192,
+>>>           overlap_bytes = 1707520, list = {le_next = 0x0, le_prev = 0x2e88a1d8}, co = 0x2e895a90, wait_queue = {entries = {sqh_first = 0x0,
+>>>               sqh_last = 0x3fff80cffe20}}, waiting_for = 0x0}
+>>>         align = 1
+>>>         head_buf = 0x0
+>>> ---Type <return> to continue, or q <return> to quit---
+>>>         tail_buf = 0x0
+>>>         local_qiov = {iov = 0x3fff80cffdb0, niov = -2133852688, nalloc = 16383, size = 1352192}
+>>>         use_local_qiov = false
+>>>         ret = 0
+>>>         __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
+>>> #15 0x000000001008da0c in blk_co_pwritev (blk=0x2e879410, offset=1352192, bytes=1707520, qiov=0x3fffc85f0bf0, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+>>>         ret = 0
+>>>         bs = 0x2e886f60
+>>> #16 0x000000001008db68 in blk_write_entry (opaque=0x3fffc85f0c08) at block/block-backend.c:1110
+>>>         rwco = 0x3fffc85f0c08
+>>> #17 0x00000000101aa444 in coroutine_trampoline (i0=780753552, i1=0) at util/coroutine-ucontext.c:79
+>>>         arg = {p = 0x2e895a90, i = {780753552, 0}}
+>>>         self = 0x2e895a90
+>>>         co = 0x2e895a90
+>>> #18 0x00003fff83402b9c in makecontext () from /lib64/libc.so.6
+>>> No symbol table info available.
+>>> #19 0x0000000000000000 in ?? ()
+>>> No symbol table info available.
+>>
+>> Can you also reproduce this on x86, or is it specific to ppc64?
+
+I'm working on a fix, I'll send the patch later today.
+
+Berto
+
+
+The attached image is corrupted and QEMU doesn't handle it correctly.
+
+Here are the fixes for this and other related problems:
+
+   https://lists.gnu.org/archive/html/qemu-block/2017-11/msg00010.html
+
+
+Fix has been merged here:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf45d59f98c898b7d79
+
diff --git a/results/classifier/108/other/1728635 b/results/classifier/108/other/1728635
new file mode 100644
index 000000000..32e51c658
--- /dev/null
+++ b/results/classifier/108/other/1728635
@@ -0,0 +1,209 @@
+other: 0.936
+permissions: 0.917
+graphic: 0.909
+KVM: 0.908
+device: 0.905
+performance: 0.892
+semantic: 0.867
+debug: 0.866
+boot: 0.866
+vnc: 0.866
+socket: 0.860
+network: 0.859
+files: 0.832
+PID: 0.816
+
+qemu-io crashes with SIGSEGV when did  -c aio_write 9233408 28160 on a image_fuzzer image
+
+git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
+This is on ppc64le architecture.
+
+Re-production steps:
+
+1. Copy the attached file named test.img to a directory
+2. And customize the following command to point to the above directory and run the same.
+# cp test.img copy.img
+# qemu/qemu-io <path to>/copy.img -c "aio_write 9233408 28160"
+
+from gdb:
+Program terminated with signal 11, Segmentation fault.
+#0  0x00003fffa0077644 in __memcpy_power7 () from /lib64/libc.so.6
+Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
+(gdb) bt
+#0  0x00003fffa0077644 in __memcpy_power7 () from /lib64/libc.so.6
+#1  0x0000000010056738 in qcow2_refcount_area (bs=0x25f56f60, start_offset=137438953472, additional_clusters=0, exact_size=false, new_refblock_index=0,
+    new_refblock_offset=524288) at block/qcow2-refcount.c:573
+#2  0x0000000010056374 in alloc_refcount_block (bs=0x25f56f60, cluster_index=0, refcount_block=0x3fff9dadf838) at block/qcow2-refcount.c:479
+#3  0x0000000010057520 in update_refcount (bs=0x25f56f60, offset=0, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
+    at block/qcow2-refcount.c:834
+#4  0x0000000010057c24 in qcow2_alloc_clusters (bs=0x25f56f60, size=524288) at block/qcow2-refcount.c:996
+#5  0x0000000010063684 in do_alloc_cluster_offset (bs=0x25f56f60, guest_offset=9233408, host_offset=0x3fff9dadf9e0, nb_clusters=0x3fff9dadf9d8)
+    at block/qcow2-cluster.c:1213
+#6  0x0000000010063afc in handle_alloc (bs=0x25f56f60, guest_offset=9233408, host_offset=0x3fff9dadfab0, bytes=0x3fff9dadfab8, m=0x3fff9dadfb60)
+    at block/qcow2-cluster.c:1324
+#7  0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x25f56f60, offset=9233408, bytes=0x3fff9dadfb4c, host_offset=0x3fff9dadfb58, m=0x3fff9dadfb60)
+    at block/qcow2-cluster.c:1511
+#8  0x000000001004d3f4 in qcow2_co_pwritev (bs=0x25f56f60, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=0) at block/qcow2.c:1919
+#9  0x00000000100a9648 in bdrv_driver_pwritev (bs=0x25f56f60, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=16) at block/io.c:898
+#10 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x25f627f0, req=0x3fff9dadfdd8, offset=9233408, bytes=28160, align=1, qiov=0x25f6fa08, flags=16)
+    at block/io.c:1440
+#11 0x00000000100ac4ac in bdrv_co_pwritev (child=0x25f627f0, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=BDRV_REQ_FUA) at block/io.c:1691
+#12 0x000000001008da0c in blk_co_pwritev (blk=0x25f49410, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+#13 0x000000001008e718 in blk_aio_write_entry (opaque=0x25f6fa70) at block/block-backend.c:1276
+#14 0x00000000101aa444 in coroutine_trampoline (i0=636902032, i1=0) at util/coroutine-ucontext.c:79
+#15 0x00003fffa0022b9c in makecontext () from /lib64/libc.so.6
+#16 0x0000000000000000 in ?? ()
+(gdb) bt full
+#0  0x00003fffa0077644 in __memcpy_power7 () from /lib64/libc.so.6
+No symbol table info available.
+#1  0x0000000010056738 in qcow2_refcount_area (bs=0x25f56f60, start_offset=137438953472, additional_clusters=0, exact_size=false, new_refblock_index=0,
+    new_refblock_offset=524288) at block/qcow2-refcount.c:573
+        s = 0x25f63210
+        total_refblock_count_u64 = 2
+        additional_refblock_count = 0
+        total_refblock_count = 2
+        table_size = 65536
+        area_reftable_index = 1
+        table_clusters = 1
+        i = 0
+        table_offset = 268870620
+        block_offset = 70367094634128
+        end_offset = 636891296
+        ret = 636786432
+        new_table = 0x3fff9d940010
+        __PRETTY_FUNCTION__ = "qcow2_refcount_area"
+        data = {d64 = 636841824, d32 = 1}
+        old_table_offset = 70367094634552
+        old_table_size = 636786432
+#2  0x0000000010056374 in alloc_refcount_block (bs=0x25f56f60, cluster_index=0, refcount_block=0x3fff9dadf838) at block/qcow2-refcount.c:479
+        s = 0x25f63210
+        refcount_table_index = 0
+        ret = 0
+        new_block = 524288
+        blocks_used = 1
+        meta_offset = 137438953472
+#3  0x0000000010057520 in update_refcount (bs=0x25f56f60, offset=0, length=524288, addend=1, decrease=false, type=QCOW2_DISCARD_NEVER)
+    at block/qcow2-refcount.c:834
+        block_index = 268794524
+        refcount = 4563798300
+        cluster_index = 0
+        table_index = 0
+        s = 0x25f63210
+        start = 0
+        last = 0
+        cluster_offset = 0
+        refcount_block = 0x0
+        old_table_index = -1
+        ret = 0
+#4  0x0000000010057c24 in qcow2_alloc_clusters (bs=0x25f56f60, size=524288) at block/qcow2-refcount.c:996
+        offset = 0
+        ret = 0
+#5  0x0000000010063684 in do_alloc_cluster_offset (bs=0x25f56f60, guest_offset=9233408, host_offset=0x3fff9dadf9e0, nb_clusters=0x3fff9dadf9d8)
+    at block/qcow2-cluster.c:1213
+        cluster_offset = 0
+        s = 0x25f63210
+#6  0x0000000010063afc in handle_alloc (bs=0x25f56f60, guest_offset=9233408, host_offset=0x3fff9dadfab0, bytes=0x3fff9dadfab8, m=0x3fff9dadfb60)
+    at block/qcow2-cluster.c:1324
+---Type <return> to continue, or q <return> to quit---
+        s = 0x25f63210
+        l2_index = 17
+        l2_table = 0x0
+        entry = 0
+        nb_clusters = 1
+        ret = 0
+        keep_old_clusters = false
+        alloc_cluster_offset = 0
+        __PRETTY_FUNCTION__ = "handle_alloc"
+        requested_bytes = 73651285856
+        avail_bytes = -1649542304
+        nb_bytes = 16383
+        old_m = 0x3fff00000000
+#7  0x0000000010064178 in qcow2_alloc_cluster_offset (bs=0x25f56f60, offset=9233408, bytes=0x3fff9dadfb4c, host_offset=0x3fff9dadfb58, m=0x3fff9dadfb60)
+    at block/qcow2-cluster.c:1511
+        s = 0x25f63210
+        start = 9233408
+        remaining = 28160
+        cluster_offset = 0
+        cur_bytes = 28160
+        ret = 0
+        __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
+#8  0x000000001004d3f4 in qcow2_co_pwritev (bs=0x25f56f60, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=0) at block/qcow2.c:1919
+        s = 0x25f63210
+        offset_in_cluster = 320512
+        ret = 0
+        cur_bytes = 28160
+        cluster_offset = 0
+        hd_qiov = {iov = 0x25f285a0, niov = 0, nalloc = 1, size = 0}
+        bytes_done = 0
+        cluster_data = 0x0
+        l2meta = 0x0
+        __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
+#9  0x00000000100a9648 in bdrv_driver_pwritev (bs=0x25f56f60, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=16) at block/io.c:898
+        drv = 0x102036f0 <bdrv_qcow2>
+        sector_num = 636854560
+        nb_sectors = 598850083
+        ret = -1802855680
+        __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
+#10 0x00000000100ab630 in bdrv_aligned_pwritev (child=0x25f627f0, req=0x3fff9dadfdd8, offset=9233408, bytes=28160, align=1, qiov=0x25f6fa08, flags=16)
+    at block/io.c:1440
+        bs = 0x25f56f60
+        drv = 0x102036f0 <bdrv_qcow2>
+        waited = false
+        ret = 0
+        end_sector = 18089
+        bytes_remaining = 28160
+        max_transfer = 2147483647
+        __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
+#11 0x00000000100ac4ac in bdrv_co_pwritev (child=0x25f627f0, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=BDRV_REQ_FUA) at block/io.c:1691
+---Type <return> to continue, or q <return> to quit---
+        bs = 0x25f56f60
+        req = {bs = 0x25f56f60, offset = 9233408, bytes = 28160, type = BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 9233408,
+          overlap_bytes = 28160, list = {le_next = 0x0, le_prev = 0x25f5a1d8}, co = 0x25f65a90, wait_queue = {entries = {sqh_first = 0x0,
+              sqh_last = 0x3fff9dadfe20}}, waiting_for = 0x0}
+        align = 1
+        head_buf = 0x0
+        tail_buf = 0x0
+        local_qiov = {iov = 0x3fff9dadfdb0, niov = -1649541648, nalloc = 16383, size = 9233408}
+        use_local_qiov = false
+        ret = 0
+        __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
+#12 0x000000001008da0c in blk_co_pwritev (blk=0x25f49410, offset=9233408, bytes=28160, qiov=0x25f6fa08, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+        ret = 0
+        bs = 0x25f56f60
+#13 0x000000001008e718 in blk_aio_write_entry (opaque=0x25f6fa70) at block/block-backend.c:1276
+        acb = 0x25f6fa70
+        rwco = 0x25f6fa98
+        __PRETTY_FUNCTION__ = "blk_aio_write_entry"
+#14 0x00000000101aa444 in coroutine_trampoline (i0=636902032, i1=0) at util/coroutine-ucontext.c:79
+        arg = {p = 0x25f65a90, i = {636902032, 0}}
+        self = 0x25f65a90
+        co = 0x25f65a90
+#15 0x00003fffa0022b9c in makecontext () from /lib64/libc.so.6
+No symbol table info available.
+#16 0x0000000000000000 in ?? ()
+No symbol table info available.
+
+Will be attaching image_fuzzer image
+
+
+
+I can't reproduce this on commit a93ece47fd9edbd4558db24300056c9a57d3bcd4:
+
+# ./qemu-io copy.img -c "aio_write 9233408 28160"
+can't open device copy.img: Could not open backing file: Could not open 'backing_img.file': No such file or directory
+
+and on the latest commit, I get a different error that makes me suspect this has been fixed:
+
+# ./qemu-io copy.img -c "aio_write 9233408 28160"
+can't open device copy.img: Image does not contain a reference count table
+
+It just doesn't look as if this was fixed explicitly, as the recent refcount changes reference your other fuzzer disclosures, and not this one.
+
+...Max?
+
+The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now.
+If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Or mark it as "Fix Released" if the problem has been solved with a newer version of QEMU already. Thank you and sorry for the inconvenience.
+
+
+[Expired for QEMU because there has been no activity for 60 days.]
+
diff --git a/results/classifier/108/other/1728639 b/results/classifier/108/other/1728639
new file mode 100644
index 000000000..c3d2d2125
--- /dev/null
+++ b/results/classifier/108/other/1728639
@@ -0,0 +1,126 @@
+permissions: 0.918
+other: 0.872
+device: 0.852
+graphic: 0.832
+semantic: 0.818
+performance: 0.803
+socket: 0.795
+boot: 0.789
+debug: 0.780
+PID: 0.765
+KVM: 0.756
+files: 0.726
+network: 0.691
+vnc: 0.647
+
+qemu-io crashes with SIGSEGV when did  -c truncate 320000 on a image_fuzzer image
+
+git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
+This is on ppc64le architecture.
+
+Re-production steps:
+
+1. Copy the attached files named test.img to a directory
+2. And customize the following command to point to the above directory and run the same.
+# mv test.img copy.img
+# qemu-io <path to>/copy.img -c "truncate 320000"
+
+from gdb:
+Program terminated with signal 11, Segmentation fault.
+#0  0x000000001000e444 in refresh_total_sectors (bs=0x1fe86f60, hint=11648) at block.c:723
+723	    if (drv->bdrv_getlength) {
+Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
+(gdb) bt
+#0  0x000000001000e444 in refresh_total_sectors (bs=0x1fe86f60, hint=11648) at block.c:723
+#1  0x000000001000fa10 in bdrv_open_driver (bs=0x1fe86f60, drv=0x102036f0 <bdrv_qcow2>, node_name=0x0, options=0x1fe8c240, open_flags=24578,
+    errp=0x3fffea0fc920) at block.c:1153
+#2  0x0000000010010480 in bdrv_open_common (bs=0x1fe86f60, file=0x1fe92540, options=0x1fe8c240, errp=0x3fffea0fc920) at block.c:1395
+#3  0x0000000010013ac8 in bdrv_open_inherit (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x1fe8c240, flags=24578, parent=0x0, child_role=0x0,
+    errp=0x3fffea0fcae0) at block.c:2616
+#4  0x0000000010013e8c in bdrv_open (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x0, flags=16386, errp=0x3fffea0fcae0) at block.c:2698
+#5  0x000000001008b6d4 in blk_new_open (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x0, flags=16386, errp=0x3fffea0fcae0)
+    at block/block-backend.c:321
+#6  0x000000001000a6ec in openfile (name=0x3fffea0ff661 "copy.img", flags=16386, writethrough=true, force_share=false, opts=0x0) at qemu-io.c:81
+#7  0x000000001000c040 in main (argc=4, argv=0x3fffea0fd208) at qemu-io.c:624
+(gdb) bt full
+#0  0x000000001000e444 in refresh_total_sectors (bs=0x1fe86f60, hint=11648) at block.c:723
+        drv = 0x0
+#1  0x000000001000fa10 in bdrv_open_driver (bs=0x1fe86f60, drv=0x102036f0 <bdrv_qcow2>, node_name=0x0, options=0x1fe8c240, open_flags=24578,
+    errp=0x3fffea0fc920) at block.c:1153
+        local_err = 0x0
+        ret = 0
+        __PRETTY_FUNCTION__ = "bdrv_open_driver"
+        __func__ = "bdrv_open_driver"
+#2  0x0000000010010480 in bdrv_open_common (bs=0x1fe86f60, file=0x1fe92540, options=0x1fe8c240, errp=0x3fffea0fc920) at block.c:1395
+        ret = 16383
+        open_flags = 24578
+        filename = 0x1fe8e2b1 "copy.img"
+        driver_name = 0x1fe54810 "qcow2"
+        node_name = 0x0
+        discard = 0x0
+        detect_zeroes = 0x0
+        opts = 0x1fe93100
+        drv = 0x102036f0 <bdrv_qcow2>
+        local_err = 0x0
+        __PRETTY_FUNCTION__ = "bdrv_open_common"
+        __func__ = "bdrv_open_common"
+#3  0x0000000010013ac8 in bdrv_open_inherit (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x1fe8c240, flags=24578, parent=0x0, child_role=0x0,
+    errp=0x3fffea0fcae0) at block.c:2616
+        ret = 512
+        file = 0x1fe92540
+        bs = 0x1fe86f60
+        drv = 0x102036f0 <bdrv_qcow2>
+        drvname = 0x0
+        backing = 0x0
+        local_err = 0x0
+        snapshot_options = 0x0
+        snapshot_flags = 0
+        __PRETTY_FUNCTION__ = "bdrv_open_inherit"
+        __func__ = "bdrv_open_inherit"
+#4  0x0000000010013e8c in bdrv_open (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x0, flags=16386, errp=0x3fffea0fcae0) at block.c:2698
+No locals.
+#5  0x000000001008b6d4 in blk_new_open (filename=0x3fffea0ff661 "copy.img", reference=0x0, options=0x0, flags=16386, errp=0x3fffea0fcae0)
+    at block/block-backend.c:321
+        blk = 0x1fe79410
+        bs = 0x0
+        perm = 3
+#6  0x000000001000a6ec in openfile (name=0x3fffea0ff661 "copy.img", flags=16386, writethrough=true, force_share=false, opts=0x0) at qemu-io.c:81
+        local_err = 0x0
+#7  0x000000001000c040 in main (argc=4, argv=0x3fffea0fd208) at qemu-io.c:624
+        readonly = 0
+        sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
+        lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
+            name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
+            name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
+            name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
+---Type <return> to continue, or q <return> to quit---
+            name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
+            name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
+            name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
+            name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
+            has_arg = 0, flag = 0x0, val = 0}}
+        c = -1
+        opt_index = 0
+        flags = 16386
+        writethrough = true
+        local_error = 0x0
+        opts = 0x0
+        format = 0x0
+        trace_file = 0x0
+        force_share = false
+(gdb)
+(gdb) quit
+
+Will attach image_fuzzer image.
+
+
+
+Hi,
+
+Thanks a lot for reporting this bug!  I've found a fix and I'll send a patch once I've written a test case.
+
+Max
+
+Fix has been released with QEMU 2.11:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=791fff504cad4d935df
+
diff --git a/results/classifier/108/other/1728643 b/results/classifier/108/other/1728643
new file mode 100644
index 000000000..fd0ca6d5b
--- /dev/null
+++ b/results/classifier/108/other/1728643
@@ -0,0 +1,131 @@
+other: 0.958
+permissions: 0.937
+graphic: 0.926
+semantic: 0.924
+performance: 0.907
+debug: 0.883
+PID: 0.879
+boot: 0.856
+files: 0.847
+socket: 0.844
+network: 0.839
+device: 0.835
+KVM: 0.820
+vnc: 0.819
+
+qemu-io fails with Assertion `*host_offset != 0' failed
+
+git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
+This is on ppc64le architecture.
+
+Re-production steps:
+
+1. Copy the attached files named test.img to a directory
+2. And customize the following command to point to the above directory and run the same.
+# cp test.img copy.img
+# qemu-io <path to>/copy.img -c "write 884736 34816"
+
+from gdb:
+(gdb) bt
+#0  0x00003fffad63eff0 in raise () from /lib64/libc.so.6
+#1  0x00003fffad64136c in abort () from /lib64/libc.so.6
+#2  0x00003fffad634c44 in __assert_fail_base () from /lib64/libc.so.6
+#3  0x00003fffad634d34 in __assert_fail () from /lib64/libc.so.6
+#4  0x000000001006426c in qcow2_alloc_cluster_offset (bs=0x391e9ad0, offset=884736, bytes=0x3fffaa89fb4c, host_offset=0x3fffaa89fb58, m=0x3fffaa89fb60)
+    at block/qcow2-cluster.c:1524
+#5  0x000000001004d3f4 in qcow2_co_pwritev (bs=0x391e9ad0, offset=884736, bytes=34816, qiov=0x3fffce0e2940, flags=0) at block/qcow2.c:1919
+#6  0x00000000100a9648 in bdrv_driver_pwritev (bs=0x391e9ad0, offset=884736, bytes=34816, qiov=0x3fffce0e2940, flags=16) at block/io.c:898
+#7  0x00000000100ab630 in bdrv_aligned_pwritev (child=0x391f51a0, req=0x3fffaa89fdd8, offset=884736, bytes=34816, align=1, qiov=0x3fffce0e2940, flags=16)
+    at block/io.c:1440
+#8  0x00000000100ac4ac in bdrv_co_pwritev (child=0x391f51a0, offset=884736, bytes=34816, qiov=0x3fffce0e2940, flags=BDRV_REQ_FUA) at block/io.c:1691
+#9  0x000000001008da0c in blk_co_pwritev (blk=0x391d9410, offset=884736, bytes=34816, qiov=0x3fffce0e2940, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+#10 0x000000001008db68 in blk_write_entry (opaque=0x3fffce0e2958) at block/block-backend.c:1110
+#11 0x00000000101aa444 in coroutine_trampoline (i0=958427472, i1=0) at util/coroutine-ucontext.c:79
+#12 0x00003fffad652b9c in makecontext () from /lib64/libc.so.6
+#13 0x0000000000000000 in ?? ()
+(gdb) bt full
+#0  0x00003fffad63eff0 in raise () from /lib64/libc.so.6
+No symbol table info available.
+#1  0x00003fffad64136c in abort () from /lib64/libc.so.6
+No symbol table info available.
+#2  0x00003fffad634c44 in __assert_fail_base () from /lib64/libc.so.6
+No symbol table info available.
+#3  0x00003fffad634d34 in __assert_fail () from /lib64/libc.so.6
+No symbol table info available.
+#4  0x000000001006426c in qcow2_alloc_cluster_offset (bs=0x391e9ad0, offset=884736, bytes=0x3fffaa89fb4c, host_offset=0x3fffaa89fb58, m=0x3fffaa89fb60)
+    at block/qcow2-cluster.c:1524
+        s = 0x391f5d80
+        start = 919552
+        remaining = 0
+        cluster_offset = 399360
+        cur_bytes = 34816
+        ret = 1
+        __PRETTY_FUNCTION__ = "qcow2_alloc_cluster_offset"
+#5  0x000000001004d3f4 in qcow2_co_pwritev (bs=0x391e9ad0, offset=884736, bytes=34816, qiov=0x3fffce0e2940, flags=0) at block/qcow2.c:1919
+        s = 0x391f5d80
+        offset_in_cluster = 360448
+        ret = 0
+        cur_bytes = 34816
+        cluster_offset = 0
+        hd_qiov = {iov = 0x391b85a0, niov = 0, nalloc = 1, size = 0}
+        bytes_done = 0
+        cluster_data = 0x0
+        l2meta = 0x392074c0
+        __PRETTY_FUNCTION__ = "qcow2_co_pwritev"
+#6  0x00000000100a9648 in bdrv_driver_pwritev (bs=0x391e9ad0, offset=884736, bytes=34816, qiov=0x3fffce0e2940, flags=16) at block/io.c:898
+        drv = 0x102036f0 <bdrv_qcow2>
+        sector_num = 958319760
+        nb_sectors = 2340082071
+        ret = 743104256
+        __PRETTY_FUNCTION__ = "bdrv_driver_pwritev"
+#7  0x00000000100ab630 in bdrv_aligned_pwritev (child=0x391f51a0, req=0x3fffaa89fdd8, offset=884736, bytes=34816, align=1, qiov=0x3fffce0e2940, flags=16)
+    at block/io.c:1440
+        bs = 0x391e9ad0
+        drv = 0x102036f0 <bdrv_qcow2>
+        waited = false
+        ret = 0
+        end_sector = 1796
+        bytes_remaining = 34816
+        max_transfer = 2147483647
+        __PRETTY_FUNCTION__ = "bdrv_aligned_pwritev"
+#8  0x00000000100ac4ac in bdrv_co_pwritev (child=0x391f51a0, offset=884736, bytes=34816, qiov=0x3fffce0e2940, flags=BDRV_REQ_FUA) at block/io.c:1691
+        bs = 0x391e9ad0
+        req = {bs = 0x391e9ad0, offset = 884736, bytes = 34816, type = BDRV_TRACKED_WRITE, serialising = false, overlap_offset = 884736,
+          overlap_bytes = 34816, list = {le_next = 0x0, le_prev = 0x391ecd48}, co = 0x39207150, wait_queue = {entries = {sqh_first = 0x0,
+              sqh_last = 0x3fffaa89fe20}}, waiting_for = 0x0}
+        align = 1
+---Type <return> to continue, or q <return> to quit---
+        head_buf = 0x0
+        tail_buf = 0x0
+        local_qiov = {iov = 0x3fffaa89fdb0, niov = -1433797136, nalloc = 16383, size = 884736}
+        use_local_qiov = false
+        ret = 0
+        __PRETTY_FUNCTION__ = "bdrv_co_pwritev"
+#9  0x000000001008da0c in blk_co_pwritev (blk=0x391d9410, offset=884736, bytes=34816, qiov=0x3fffce0e2940, flags=BDRV_REQ_FUA) at block/block-backend.c:1085
+        ret = 0
+        bs = 0x391e9ad0
+#10 0x000000001008db68 in blk_write_entry (opaque=0x3fffce0e2958) at block/block-backend.c:1110
+        rwco = 0x3fffce0e2958
+#11 0x00000000101aa444 in coroutine_trampoline (i0=958427472, i1=0) at util/coroutine-ucontext.c:79
+        arg = {p = 0x39207150, i = {958427472, 0}}
+        self = 0x39207150
+        co = 0x39207150
+#12 0x00003fffad652b9c in makecontext () from /lib64/libc.so.6
+No symbol table info available.
+#13 0x0000000000000000 in ?? ()
+No symbol table info available.
+
+
+Will be attaching image_fuzzer images.
+
+
+
+Hi,
+
+Once more, thanks a lot for reporting this bug!  I've found a fix and I'll send a patch once I've written a test case.
+
+Max
+
+Fix has been released with QEMU 2.11:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=93bbaf03ff7fd490e82
+
diff --git a/results/classifier/108/other/1728660 b/results/classifier/108/other/1728660
new file mode 100644
index 000000000..93a9b17cf
--- /dev/null
+++ b/results/classifier/108/other/1728660
@@ -0,0 +1,75 @@
+other: 0.876
+device: 0.796
+graphic: 0.795
+permissions: 0.768
+performance: 0.743
+KVM: 0.741
+files: 0.739
+semantic: 0.700
+debug: 0.693
+PID: 0.689
+boot: 0.685
+socket: 0.630
+network: 0.601
+vnc: 0.547
+
+qemu-io segfaults at block/io.c:2545
+
+git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
+This is on ppc64le architecture.
+
+Re-production steps:
+
+1. Copy the attached file named test.img to a directory
+2. And customize the following command to point to the above directory and run the same.
+# mv test.img copy.img
+# qemu-io <path to>/copy.img -c "discard 108544 97792"
+
+from gdb:
+Program terminated with signal 11, Segmentation fault.
+#0  0x00000000100af254 in bdrv_co_pdiscard (bs=0x3ee89ad0, offset=196608, bytes=9728) at block/io.c:2545
+2545	        if (bs->drv->bdrv_co_pdiscard) {
+Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
+(gdb) bt
+#0  0x00000000100af254 in bdrv_co_pdiscard (bs=0x3ee89ad0, offset=196608, bytes=9728) at block/io.c:2545
+#1  0x000000001008f260 in blk_co_pdiscard (blk=0x3ee79410, offset=108544, bytes=97792) at block/block-backend.c:1447
+#2  0x0000000010090884 in blk_pdiscard_entry (opaque=0x3fffd7402c58) at block/block-backend.c:1851
+#3  0x00000000101aa444 in coroutine_trampoline (i0=1055521728, i1=0) at util/coroutine-ucontext.c:79
+#4  0x00003fff7a3d2b9c in makecontext () from /lib64/libc.so.6
+#5  0x0000000000000000 in ?? ()
+(gdb) bt full
+#0  0x00000000100af254 in bdrv_co_pdiscard (bs=0x3ee89ad0, offset=196608, bytes=9728) at block/io.c:2545
+        num = 9728
+        req = {bs = 0x3ee89ad0, offset = 108544, bytes = 97792, type = BDRV_TRACKED_DISCARD, serialising = false, overlap_offset = 108544,
+          overlap_bytes = 97792, list = {le_next = 0x0, le_prev = 0x3ee8cd48}, co = 0x3ee9fbc0, wait_queue = {entries = {sqh_first = 0x0,
+              sqh_last = 0x3fff7823fe10}}, waiting_for = 0x0}
+        max_pdiscard = 2147467264
+        ret = 0
+        head = 0
+        tail = 9728
+        align = 16384
+        __PRETTY_FUNCTION__ = "bdrv_co_pdiscard"
+#1  0x000000001008f260 in blk_co_pdiscard (blk=0x3ee79410, offset=108544, bytes=97792) at block/block-backend.c:1447
+        ret = 0
+#2  0x0000000010090884 in blk_pdiscard_entry (opaque=0x3fffd7402c58) at block/block-backend.c:1851
+        rwco = 0x3fffd7402c58
+#3  0x00000000101aa444 in coroutine_trampoline (i0=1055521728, i1=0) at util/coroutine-ucontext.c:79
+        arg = {p = 0x3ee9fbc0, i = {1055521728, 0}}
+        self = 0x3ee9fbc0
+        co = 0x3ee9fbc0
+#4  0x00003fff7a3d2b9c in makecontext () from /lib64/libc.so.6
+No symbol table info available.
+#5  0x0000000000000000 in ?? ()
+No symbol table info available.
+
+
+
+Hi,
+
+And once again, thanks a lot for reporting this bug!  Here, too, I've found a fix and I'll send a patch once I've written a test case.
+
+Max
+
+Fix has been released with QEMU 2.11:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d470ad42acfc73c45d3e8e
+
diff --git a/results/classifier/108/other/1728661 b/results/classifier/108/other/1728661
new file mode 100644
index 000000000..9621ad98a
--- /dev/null
+++ b/results/classifier/108/other/1728661
@@ -0,0 +1,133 @@
+permissions: 0.881
+other: 0.875
+graphic: 0.861
+KVM: 0.852
+device: 0.849
+performance: 0.830
+debug: 0.770
+semantic: 0.749
+vnc: 0.734
+files: 0.723
+network: 0.719
+PID: 0.718
+socket: 0.691
+boot: 0.665
+
+qemu-io segfaults at block/qcow2.h:533
+
+git is at HEAD a93ece47fd9edbd4558db24300056c9a57d3bcd4
+This is on ppc64le architecture.
+
+Re-production steps:
+
+1. Copy the attached file named test.img to a directory
+2. And customize the following command to point to the above directory and run the same.
+# mv test.img copy.img
+# qemu-io <path to>/copy.img -c "truncate 66560"
+
+from gdb:
+Program terminated with signal 11, Segmentation fault.
+#0  0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
+533	    return s->refcount_table[index] & REFT_OFFSET_MASK;
+Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.26-21.el7.ppc64le glib2-2.50.3-3.el7.ppc64le glibc-2.17-196.el7.ppc64le gmp-6.0.0-15.el7.ppc64le gnutls-3.3.26-9.el7.ppc64le keyutils-libs-1.5.8-3.el7.ppc64le krb5-libs-1.15.1-8.el7.ppc64le libaio-0.3.109-13.el7.ppc64le libcom_err-1.42.9-10.el7.ppc64le libcurl-7.29.0-42.el7.ppc64le libffi-3.0.13-18.el7.ppc64le libgcc-4.8.5-16.el7_4.1.ppc64le libidn-1.28-4.el7.ppc64le libselinux-2.5-11.el7.ppc64le libssh2-1.4.3-10.el7_2.1.ppc64le libstdc++-4.8.5-16.el7_4.1.ppc64le libtasn1-4.10-1.el7.ppc64le nettle-2.7.1-8.el7.ppc64le nspr-4.13.1-1.0.el7_3.ppc64le nss-3.28.4-15.el7_4.ppc64le nss-softokn-freebl-3.28.3-8.el7_4.ppc64le nss-util-3.28.4-3.el7.ppc64le openldap-2.4.44-5.el7.ppc64le openssl-libs-1.0.2k-8.el7.ppc64le p11-kit-0.23.5-3.el7.ppc64le pcre-8.32-17.el7.ppc64le zlib-1.2.7-17.el7.ppc64le
+(gdb) bt
+#0  0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
+#1  0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
+#2  0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
+#3  0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
+#4  0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
+#5  0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
+#6  0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
+#7  0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
+#8  0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
+#9  0x000000001000b540 in command_loop () at qemu-io.c:374
+#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
+(gdb) bt full
+#0  0x0000000010054cec in get_refblock_offset (s=0x32ca3210, offset=9223372036854775296) at ./block/qcow2.h:533
+        index = 4294967295
+#1  0x000000001005df4c in qcow2_discard_refcount_block (bs=0x32c96f60, discard_block_offs=9223372036854775296) at block/qcow2-refcount.c:3070
+        s = 0x32ca3210
+        refblock_offs = 852111520
+        cluster_index = 16384
+        block_index = 3226593616
+        refblock = 0x32cb9570
+        ret = 16384
+        __PRETTY_FUNCTION__ = "qcow2_discard_refcount_block"
+#2  0x000000001005e5c4 in qcow2_shrink_reftable (bs=0x32c96f60) at block/qcow2-refcount.c:3169
+        s = 0x32ca3210
+        reftable_tmp = 0x32cb9570
+        i = 0
+        ret = 0
+#3  0x0000000010051184 in qcow2_truncate (bs=0x32c96f60, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/qcow2.c:3155
+        last_cluster = 70367675804416
+        old_file_size = 70367675804416
+        s = 0x32ca3210
+        old_length = 1048576
+        new_l1_size = 1
+        ret = 0
+        __func__ = "qcow2_truncate"
+        __PRETTY_FUNCTION__ = "qcow2_truncate"
+        __FUNCTION__ = "qcow2_truncate"
+#4  0x0000000010016480 in bdrv_truncate (child=0x32ca6270, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block.c:3585
+        bs = 0x32c96f60
+        drv = 0x102036f0 <bdrv_qcow2>
+        ret = 16383
+        __PRETTY_FUNCTION__ = "bdrv_truncate"
+        __func__ = "bdrv_truncate"
+#5  0x0000000010090800 in blk_truncate (blk=0x32c89410, offset=66560, prealloc=PREALLOC_MODE_OFF, errp=0x3fffc051ecd8) at block/block-backend.c:1845
+        __func__ = "blk_truncate"
+#6  0x0000000010023028 in truncate_f (blk=0x32c89410, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:1580
+        local_err = 0x0
+        offset = 66560
+        ret = 0
+#7  0x000000001001e648 in command (blk=0x32c89410, ct=0x32c96e30, argc=2, argv=0x32c685a0) at qemu-io-cmds.c:117
+        cmd = 0x32c684c0 "truncate"
+#8  0x0000000010024d64 in qemuio_command (blk=0x32c89410, cmd=0x3fffc052f66e "truncate 66560") at qemu-io-cmds.c:2291
+        ctx = 0x32c924d0
+        input = 0x32c684c0 "truncate"
+        ct = 0x32c96e30
+        v = 0x32c685a0
+        c = 2
+        done = false
+#9  0x000000001000b540 in command_loop () at qemu-io.c:374
+        i = 0
+        done = 0
+        fetchable = 0
+---Type <return> to continue, or q <return> to quit---
+        prompted = 0
+        input = 0x0
+#10 0x000000001000c05c in main (argc=4, argv=0x3fffc051f618) at qemu-io.c:630
+        readonly = 0
+        sopt = 0x101b2608 "hVc:d:f:rsnCmkt:T:U"
+        lopt = {{name = 0x101b26d0 "driver", has_arg = 0, flag = 0x0, val = 104}, {name = 0x101b26d8 "help", has_arg = 0, flag = 0x0, val = 86}, {
+            name = 0x101b26e0 "version", has_arg = 1, flag = 0x0, val = 99}, {name = 0x101b26e8 "cmd", has_arg = 1, flag = 0x0, val = 102}, {
+            name = 0x101b26f0 "format", has_arg = 0, flag = 0x0, val = 114}, {name = 0x101b2700 "y", has_arg = 0, flag = 0x0, val = 115}, {
+            name = 0x101b2710 "", has_arg = 0, flag = 0x0, val = 110}, {name = 0x101b2718 "nocache", has_arg = 0, flag = 0x0, val = 67}, {
+            name = 0x101b2728 "read", has_arg = 0, flag = 0x0, val = 109}, {name = 0x101b2738 "", has_arg = 0, flag = 0x0, val = 107}, {
+            name = 0x101b2748 "io", has_arg = 1, flag = 0x0, val = 100}, {name = 0x101b2750 "discard", has_arg = 1, flag = 0x0, val = 116}, {
+            name = 0x101b2758 "cache", has_arg = 1, flag = 0x0, val = 84}, {name = 0x101b25e8 "object", has_arg = 1, flag = 0x0, val = 256}, {
+            name = 0x101b2760 "trace", has_arg = 0, flag = 0x0, val = 257}, {name = 0x101b1c48 "force-share", has_arg = 0, flag = 0x0, val = 85}, {name = 0x0,
+            has_arg = 0, flag = 0x0, val = 0}}
+        c = -1
+        opt_index = 0
+        flags = 16386
+        writethrough = true
+        local_error = 0x0
+        opts = 0x0
+        format = 0x0
+        trace_file = 0x0
+        force_share = false
+
+image_fuzzer image will be attached.
+
+
+
+Hi,
+
+And finally, also here, thanks a lot for reporting this bug!  I've found a fix; sending a patch might take a little longer, though...
+
+Max
+
+Fix has been released with QEMU 2.11:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=23482f8a603a7fc591b770
+