path: root/results/classifier/108/other/1785
Diffstat (limited to '')
-rw-r--r-- results/classifier/108/other/1785    |  40
-rw-r--r-- results/classifier/108/other/1785197 | 181
-rw-r--r-- results/classifier/108/other/1785203 |  61
-rw-r--r-- results/classifier/108/other/1785308 |  45
-rw-r--r-- results/classifier/108/other/1785485 |  41
-rw-r--r-- results/classifier/108/other/1785670 | 535
-rw-r--r-- results/classifier/108/other/1785734 | 131
-rw-r--r-- results/classifier/108/other/1785902 |  56
-rw-r--r-- results/classifier/108/other/1785972 |  92
9 files changed, 1182 insertions, 0 deletions
diff --git a/results/classifier/108/other/1785 b/results/classifier/108/other/1785
new file mode 100644
index 000000000..7b1581e9a
--- /dev/null
+++ b/results/classifier/108/other/1785
@@ -0,0 +1,40 @@
+device: 0.868
+files: 0.846
+graphic: 0.803
+performance: 0.775
+network: 0.748
+PID: 0.733
+KVM: 0.732
+debug: 0.701
+socket: 0.687
+boot: 0.687
+permissions: 0.624
+other: 0.608
+vnc: 0.602
+semantic: 0.557
+
+8.1.0rc0: Build failure when building static binaries, auto config incorrectly mark bzip2 as supported on my machine
+Description of problem:
+8.1.0rc0 fails to build when I build static binaries.
+
+```
+Jul 24 20:28:22 clang-13: warning: argument unused during compilation: '-pie' [-Wunused-command-line-argument]
+Jul 24 20:28:22 ld.lld: error: attempted static link of dynamic object /usr/bin/../lib/libbz2.so
+Jul 24 20:28:22 clang-13: error: linker command failed with exit code 1 (use -v to see invocation)
+```
+
+It seems that `./configure` mistaken my dynamic library of bzip2 as able to compile under static compilation.
+Steps to reproduce:
+1. `./configure --target-list=x86_64-softmmu --static` with bzip2 only dynamicly installed and static library not installed
+2. see output
+
+You can see
+```
+    snappy support                               : NO
+    bzip2 support                                : YES
+    lzfse support                                : NO
+```
+
+which is wrong. Additionally, the compilation fails because the system only have bzip2 dynamicly but not staticly.
+Additional information:
+
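Review bot: this record lands under results/classifier/108/other/ although its top score is `device: 0.868` and `other` scores only 0.608 (the same mismatch appears for 1785197, 1785203 and 1785485 later in this diff, whose top labels are `permissions`, `vnc` and `graphic`), so the directory is not the argmax label; state how the bucket is chosen (a threshold on `other`, a separate classifier, a manual assignment) or file each record under its highest-scoring label so the directory layout can be trusted. The record also ends with an empty `Additional information:` heading followed by a blank `+` line, which feeds an empty section to anything that parses these files by heading.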
diff --git a/results/classifier/108/other/1785197 b/results/classifier/108/other/1785197
new file mode 100644
index 000000000..6f4e47954
--- /dev/null
+++ b/results/classifier/108/other/1785197
@@ -0,0 +1,181 @@
+permissions: 0.768
+other: 0.765
+vnc: 0.738
+performance: 0.718
+semantic: 0.713
+device: 0.702
+KVM: 0.699
+network: 0.697
+PID: 0.689
+debug: 0.683
+files: 0.668
+socket: 0.663
+boot: 0.657
+graphic: 0.657
+
+qemu 2.12.0 crash during install windows 10 with vga
+
+Same issue as https://www.qubes-os.org/doc/windows-vm/ , it's not easy to reproduced.
+cpu_physical_memory_snapshot_get_dirty: Assertion `start + length <= snap->end’ failed
+
+Qemu version is 2.12.0. 
+(gdb) bt
+#0  0x00007f504ed6fc37 in raise () from /lib/x86_64-linux-gnu/libc.so.6
+#1  0x00007f504ed73028 in abort () from /lib/x86_64-linux-gnu/libc.so.6
+#2  0x00007f504ed68bf6 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
+#3  0x00007f504ed68ca2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
+#4  0x00005585bbdc9641 in cpu_physical_memory_snapshot_get_dirty (snap=snap@entry=0x5585bfdc2ff0, start=<optimized out>, length=<optimized out>)
+    at /qemu-2.12/exec.c:1264
+#5  0x00005585bbe2b4de in memory_region_snapshot_get_dirty (mr=mr@entry=0x5585c06e3d10, snap=snap@entry=0x5585bfdc2ff0, addr=<optimized out>,
+    size=<optimized out>) at /qemu-2.12/memory.c:1997
+#6  0x00005585bbe552a4 in vga_draw_graphic (full_update=0, s=0x5585c06e3d00) at /qemu-2.12/hw/display/vga.c:1671
+#7  vga_update_display (opaque=0x5585c06e3d00) at /qemu-2.12/hw/display/vga.c:1767
+#8  0x00005585bc0d9a8f in qemu_spice_display_refresh (ssd=0x5585c06e3930) at /qemu-2.12/ui/spice-display.c:478
+#9  0x00005585bc0ced72 in dpy_refresh (s=0x5585c081b2a0) at /qemu-2.12/ui/console.c:1629
+#10 gui_update (opaque=0x5585c081b2a0) at /qemu-2.12/ui/console.c:203
+#11 0x00005585bc1d333c in timerlist_run_timers (timer_list=0x5585bee1f950) at /qemu-2.12/util/qemu-timer.c:536
+#12 0x00005585bc1d35a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
+#13 qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
+#14 0x00005585bc1d3aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
+#15 0x00005585bbdc2f8a in main_loop () at /qemu-2.12/vl.c:1973
+#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804 
+
+(gdb) frame 5
+(gdb) p/x *snap
+$1 = {start = 0x1000c0000, end = 0x1000c0000, dirty = 0x5585bfdc3000}
+
+Here the snap->start is identical to snap->end , I think something is wrong. 
+In function vga_draw_graphic, the snap is allocated from region_start/region_end.
+        snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
+                                                      region_end - region_start,
+                                                      DIRTY_MEMORY_VGA);
+Is that possible for region_start== region_end ? 
+
+Commandline:
+/usr/bin/kvm -name guest=win10-2,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/run/lib/libvirt/qemu/domain-51-win10-2/master-key.aes -machine pc-i440fx-2.12,accel=kvm,usb=off,system=windows,dump-guest-core=off -cpu qemu64,hv_time,hv_relaxed,hv_spinlocks=0x2000 -m size=4194304k,slots=10,maxmem=34359738368k -realtime mlock=off -smp 2,maxcpus=24,sockets=24,cores=1,threads=1 -numa node,nodeid=0,cpus=0-23,mem=4096 -uuid cb871760-e684-4926-8f0b-270f7ff35539 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/run/lib/libvirt/qemu/domain-51-win10-2/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -chardev socket,id=charmonitor_cas,path=/run/lib/libvirt/qemu/domain-51-win10-2/monitor.sock.cas,server,nowait -mon chardev=charmonitor_cas,id=monitor_cas,mode=control -rtc base=localtime,clock=vm,driftfix=slew -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device usb-ehci,id=usb1,bus=pci.0,addr=0x4 -device nec-usb-xhci,id=usb2,bus=pci.0,addr=0x5 -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x6 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x7 -device usb-hub,id=hub0,bus=usb.0,port=1 -drive file=/vms/images/win10-2,format=qcow2,if=none,id=drive-virtio-disk0,cache=directsync,aio=native -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x8,pci_hotpluggable=on,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/vms/isos/virtio-win10.vfd,format=raw,if=none,id=drive-fdc0-0-0,readonly=on,cache=directsync,aio=native -global isa-fdc.driveA=drive-fdc0-0-0 -global isa-fdc.bootindexA=4 -drive file=/vms/nfs/windows_msdn_iso/cn_windows_10_multi-edition_version_1709_updated_sept_2017_x64_dvd_100090804.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -netdev tap,fd=62,id=hostnet0,vhost=on,vhostfd=63 -device 
virtio-net-pci,pci_hotpluggable=on,netdev=hostnet0,id=net0,mac=0c:da:41:1d:11:5b,bus=pci.0,addr=0x3,bootindex=3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/win10-2.agent,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -device usb-tablet,id=input0,bus=usb.0,port=2 -vnc 0.0.0.0:0 -spice port=5901,tls-port=5902,addr=0.0.0.0,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=16777216,vram64_size_mb=0,vgamem_mb=16,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x9 -msg timestamp=on
+
+I have tried many times to reproduce the issue.
+
+1. Add a breakpoint
+(gdb) b memory_region_snapshot_and_clear_dirty if size==0
+Breakpoint 1 at 0x55ef37b7d450: file /qemu-2.12/memory.c, line 1986.
+
+2. Occasionally the breakpoint hited, size is 0
+(gdb) c
+Continuing.
+Thread 1 "kvm" hit Breakpoint 1, memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x55ef3aff1b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
+    at /qemu-2.12/memory.c:1986
+(gdb) bt
+#0  memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x55ef3aff1b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
+    at /qemu-2.12/memory.c:1986
+#1  0x000055ef37ba6d0f in vga_draw_graphic (full_update=0, s=0x55ef3aff1b30) at /qemu-2.12/hw/display/vga.c:1642
+#2  vga_update_display (opaque=0x55ef3aff1b30) at /qemu-2.12/hw/display/vga.c:1767
+#3  0x000055ef37e2ba8f in qemu_spice_display_refresh (ssd=0x55ef3aff1760) at /qemu-2.12/ui/spice-display.c:478
+#4  0x000055ef37e20d72 in dpy_refresh (s=0x55ef3b1290b0) at /qemu-2.12/ui/console.c:1629
+#5  gui_update (opaque=0x55ef3b1290b0) at /qemu-2.12/ui/console.c:203
+#6  0x000055ef37f2533c in timerlist_run_timers (timer_list=0x55ef396fbc60) at /qemu-2.12/util/qemu-timer.c:536
+#7  0x000055ef37f255a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
+#8  qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
+#9  0x000055ef37f25aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
+#10 0x000055ef37b14f8a in main_loop () at /qemu-2.12/vl.c:1973
+#11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804
+
+3. Why the size is 0 ? Why region_start is identical to region_end ?
+    region_end = region_start + (ram_addr_t)s->line_offset * height;
+    region_end += width * s->get_bpp(s) / 8; /* scanline length */
+    region_end -= s->line_offset;
+
+(gdb) p s->line_offset
+$4 = 0
+(gdb) p width
+$5 = 1024
+(gdb) p/x s->vbe_regs
+$10 = {0xb0c0, 0x400, 0x300, 0x20, 0x0, 0x0, 0x400, 0x1000, 0x0, 0x0}
+
+Because s->vbe_regs[VBE_DISPI_INDEX_ENABLE] is 0, vbe_enabled is false, so vga_get_bpp return 0, and region_end += 0
+
+4. Why s->vbe_regs[VBE_DISPI_INDEX_ENABLE] is 0 ?
+
+
+
+1. Add breakpoint at vga.c:790 s->vbe_regs[VBE_DISPI_INDEX_ENABLE] = val;
+
+(gdb) b vga.c:790
+Breakpoint 2 at 0x56100ad10521: file /qemu-2.12/hw/display/vga.c, line 790.
+
+(gdb) c
+Continuing.
+
+2. When breakpoint is hited , val is 0
+
+Thread 5 "CPU 1/KVM" hit Breakpoint 2, vbe_ioport_write_data (opaque=0x56100e6e7b30, addr=<optimized out>, val=0) at /qemu-2.12/hw/display/vga.c:790
+
+(gdb) bt
+#0  vbe_ioport_write_data (opaque=0x56100e6e7b30, addr=<optimized out>, val=0) at /qemu-2.12/hw/display/vga.c:790
+#1  0x000056100ace521b in memory_region_write_accessor (mr=0x56100e74e590, addr=1, value=<optimized out>, size=2, shift=<optimized out>, mask=<optimized out>, attrs=...)
+    at /qemu-2.12/memory.c:530
+#2  0x000056100ace266e in access_with_adjusted_size (addr=addr@entry=1, value=value@entry=0x7fb2aeffc9a8, size=size@entry=2, access_size_min=<optimized out>, access_size_max=<optimized out>,
+    access_fn=0x56100ace51a0 <memory_region_write_accessor>, mr=0x56100e74e590, attrs=...) at /qemu-2.12/memory.c:597
+#3  0x000056100ace72ca in memory_region_dispatch_write (mr=mr@entry=0x56100e74e590, addr=1, data=<optimized out>, size=size@entry=2, attrs=attrs@entry=...)
+    at /qemu-2.12/memory.c:1487
+#4  0x000056100ac85807 in flatview_write_continue (mr=0x56100e74e590, l=<optimized out>, addr1=<optimized out>, len=2, buf=0x7fb2bf3e2000 "", attrs=..., addr=463, fv=0x7fb2a458fea0)
+    at /qemu-2.12/exec.c:3166
+#5  flatview_write (fv=0x7fb2a458fea0, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /qemu-2.12/exec.c:3216
+#6  0x000056100ac8a2af in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>)
+    at /qemu-2.12/exec.c:3332
+#7  0x000056100ac8a345 in address_space_rw (as=<optimized out>, addr=addr@entry=463, attrs=..., attrs@entry=..., buf=buf@entry=0x7fb2bf3e2000 "", len=len@entry=2, is_write=is_write@entry=true)
+    at /qemu-2.12/exec.c:3343
+#8  0x000056100acf66f2 in kvm_handle_io (count=1, size=2, direction=<optimized out>, data=<optimized out>, attrs=..., port=463)
+    at /qemu-2.12/accel/kvm/kvm-all.c:1730
+#9  kvm_cpu_exec (cpu=cpu@entry=0x56100cecc810) at /qemu-2.12/accel/kvm/kvm-all.c:1970
+#10 0x000056100acd0ab6 in qemu_kvm_cpu_thread_fn (arg=0x56100cecc810) at /qemu-2.12/cpus.c:1229
+#11 0x00007fb2bc1dc184 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
+#12 0x00007fb2bbf09bed in clone () from /lib/x86_64-linux-gnu/libc.so.6
+
+(gdb) c
+Continuing.
+
+3. size is 0, region_start is identical to region_end
+
+Thread 1 "kvm" hit Breakpoint 1, memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x56100e6e7b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
+    at /qemu-2.12/memory.c:1986
+
+(gdb) c
+Continuing.
+
+
+4. Abort
+
+Thread 1 "kvm" received signal SIGABRT, Aborted.
+0x00007fb2bbe42c37 in raise () from /lib/x86_64-linux-gnu/libc.so.6
+
+(gdb) bt
+#0  0x00007fb2bbe42c37 in raise () from /lib/x86_64-linux-gnu/libc.so.6
+#1  0x00007fb2bbe46028 in abort () from /lib/x86_64-linux-gnu/libc.so.6
+#2  0x00007fb2bbe3bbf6 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
+#3  0x00007fb2bbe3bca2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
+#4  0x000056100ac86641 in cpu_physical_memory_snapshot_get_dirty (snap=snap@entry=0x56100d6b0de0, start=<optimized out>, length=<optimized out>)
+    at /qemu-2.12/exec.c:1264
+#5  0x000056100ace84de in memory_region_snapshot_get_dirty (mr=mr@entry=0x56100e6e7b40, snap=snap@entry=0x56100d6b0de0, addr=<optimized out>, size=<optimized out>)
+    at /qemu-2.12/memory.c:1997
+#6  0x000056100ad122a4 in vga_draw_graphic (full_update=0, s=0x56100e6e7b30) at /qemu-2.12/hw/display/vga.c:1671
+#7  vga_update_display (opaque=0x56100e6e7b30) at /qemu-2.12/hw/display/vga.c:1767
+#8  0x000056100af96a8f in qemu_spice_display_refresh (ssd=0x56100e6e7760) at /qemu-2.12/ui/spice-display.c:478
+#9  0x000056100af8bd72 in dpy_refresh (s=0x56100e81f0b0) at /qemu-2.12/ui/console.c:1629
+#10 gui_update (opaque=0x56100e81f0b0) at /qemu-2.12/ui/console.c:203
+#11 0x000056100b09033c in timerlist_run_timers (timer_list=0x56100cdf1c60) at /qemu-2.12/util/qemu-timer.c:536
+#12 0x000056100b0905a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
+#13 qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
+#14 0x000056100b090aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
+#15 0x000056100ac7ff8a in main_loop () at /qemu-2.12/vl.c:1973
+#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804
+
+
+5. When guest vga driver set the s->vbe_regs[VBE_DISPI_INDEX_ENABLE] to 0, then if the vga_draw_graphic be called , the qemu crash. 
+
+
+
+
+This commit has fixed it.
+https://git.qemu.org/?p=qemu.git;a=commit;h=a89fe6c3297
+
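Review bot: the line beginning `virtio-net-pci,pci_hotpluggable=on,netdev=hostnet0,...` carries no `+` prefix, so the hunk as shown does not apply; it is the tail of the `-device` argument on the preceding `/usr/bin/kvm -name guest=win10-2 ...` line and should be rejoined to it (or given a `+` prefix if the wrap is intended). The stored text also keeps the complete libvirt command line, including the guest UUID, the NIC MAC and host socket paths; if the classifier only needs the report narrative and the gdb analysis, strip such fields before committing them. The non-ASCII quote in `snap->end’ failed` is harmless but worth normalizing if these files are ever compared textually.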
diff --git a/results/classifier/108/other/1785203 b/results/classifier/108/other/1785203
new file mode 100644
index 000000000..e55b47e2f
--- /dev/null
+++ b/results/classifier/108/other/1785203
@@ -0,0 +1,61 @@
+vnc: 0.699
+performance: 0.656
+permissions: 0.621
+other: 0.609
+KVM: 0.607
+semantic: 0.584
+files: 0.578
+debug: 0.569
+graphic: 0.556
+device: 0.548
+PID: 0.543
+socket: 0.542
+network: 0.536
+boot: 0.483
+
+accel/tcg/translate-all.c:2511: page_check_range: Assertion `start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)' failed.
+
+qemu-riscv64 version 2.12.93 crashes when mincore() is called with invalid pointer with the following message:
+
+qemu-riscv64: /opt/qemu/accel/tcg/translate-all.c:2511: page_check_range: Assertion `start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)' failed.
+qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x600014ef
+
+Testcase:
+
+#include <sys/mman.h>
+
+int main (void)
+{
+  unsigned char v;
+  return mincore ((void *) 0x00000010000000000, 1, &v);
+}
+
+Backtrace:
+
+#0  raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
+#1  0x000000006000140a in abort () at abort.c:79
+#2  0x00000000600012ec in __assert_fail_base (
+    fmt=0x6024eae8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
+    assertion=0x601b9758 "start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)", 
+    file=0x601b9658 "/opt/qemu/accel/tcg/translate-all.c", line=2511, 
+    function=0x601b9810 <__PRETTY_FUNCTION__.23867> "page_check_range") at assert.c:92
+#3  0x000000006010e10e in __assert_fail (
+    assertion=assertion@entry=0x601b9758 "start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)", file=file@entry=0x601b9658 "/opt/qemu/accel/tcg/translate-all.c", line=line@entry=2511, 
+    function=function@entry=0x601b9810 <__PRETTY_FUNCTION__.23867> "page_check_range")
+    at assert.c:101
+#4  0x000000006003e916 in page_check_range (start=start@entry=1099511627776, len=len@entry=1, 
+    flags=flags@entry=1) at /opt/qemu/accel/tcg/translate-all.c:2511
+#5  0x0000000060057717 in access_ok (size=1, addr=1099511627776, type=0)
+    at /opt/qemu/linux-user/qemu.h:567
+#6  lock_user (copy=0, len=1, guest_addr=1099511627776, type=0)
+    at /opt/qemu/linux-user/qemu.h:567
+#7  do_syscall (cpu_env=cpu_env@entry=0x622fca28, num=232, arg1=1099511627776, arg2=1, 
+    arg3=274886298751, arg4=0, arg5=274886298808, arg6=66518, arg7=0, arg8=0)
+    at /opt/qemu/linux-user/syscall.c:11635
+#8  0x0000000060066c5c in cpu_loop (env=env@entry=0x622fca28)
+    at /opt/qemu/linux-user/riscv/cpu_loop.c:55
+#9  0x0000000060002156 in main (argc=<optimized out>, argv=0x7fffffffed68, 
+    envp=<optimized out>) at /opt/qemu/linux-user/main.c:819
+
+Fixed by 0acd4ab849827bbc20402e01c9da088207c0d236  ("linux-user: check valid address in access_ok()"),  fix released in v5.0.0.
+
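Review bot: the top label is `vnc: 0.699` for a linux-user/TCG assertion in `page_check_range` reached from `mincore()`, with no score above 0.7 and `debug` only at 0.569; a VNC label for a bug with no display involved at all suggests the label set has no category for linux-user or TCG issues, and low-confidence results like this one should be flagged rather than bucketed silently. The testcase is consistent as quoted: `0x00000010000000000` is 2^40, matching `start=1099511627776` in frame #4, and the fixing commit is named with its release.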
diff --git a/results/classifier/108/other/1785308 b/results/classifier/108/other/1785308
new file mode 100644
index 000000000..e6afd209f
--- /dev/null
+++ b/results/classifier/108/other/1785308
@@ -0,0 +1,45 @@
+other: 0.891
+graphic: 0.874
+KVM: 0.829
+performance: 0.803
+semantic: 0.723
+device: 0.719
+socket: 0.676
+debug: 0.672
+files: 0.580
+PID: 0.579
+permissions: 0.560
+network: 0.548
+vnc: 0.527
+boot: 0.508
+
+0x8 exception encountered but not handled
+
+Present in all QEMU versions.
+
+OS is triple page faulting and crashing rather than handling the expected double page fault properly. The same OS works in Bochs so I know its not the problem.
+
+Hi Ra,
+  We'll need a bit more detail to be able to help here.
+The fact something works in Bochs but doesn't work in qemu doesn't necessarily mean it's a qemu bug - for example the OS might be hitting something undefined or a timing issue; so we'd need some information on how the double page fault happened.
+Does it work with KVM enabled? With tcg? What version of qemu are you using?
+
+Hi David,
+    The OS is hitting something undefined. It's built on exploiting the x86 architecture to run computations of the MMU rather than the CPU: https://github.com/jbangert/trapcc
+I've tried it on the 3 most recent versions of QEMU for Windows. I'll give it a go with KVM and tcg and get back to you although I'm not hopeful.  
+
+OK, that's just a cruel test :-)
+It'll be interesting to see the difference between TCG and KVM, but with such a weird test case as that you'll probably need to narrow the problem down more.
+
+
+What would be useful information to narrow down the problem? Any specific kind of logs from running it in TCG and KVM?
+
+I think I'd start by seeing if it fails in both or if they're different.
+If they're different then you'd follow the series of exceptions that they each get
+and see where they diverge.
+
+More generally, I think that if you care about getting this test case to work under QEMU emulation you're going to have to be prepared to dig into QEMU's internals to debug where we diverge from what the real CPU does. Our x86 emulation is not very actively maintained and this isn't a "real world" use case that many users are going to have problems with, so my guess is it is unlikely to be fixed unless somebody with enough interest in it to take a day or a week to debug what's going on does that work.
+
+
+[Expired for QEMU because there has been no activity for 60 days.]
+
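Review bot: the record concatenates the reporter's description with the maintainers' replies (`Hi Ra,` ... `Hi David,` ... the `[Expired for QEMU ...]` notice) with no separator or author marker, so the classifier scores the whole triage thread as if it were the report; if only the original description is meant to be scored, split the comments out or mark the author boundaries in the stored text.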
diff --git a/results/classifier/108/other/1785485 b/results/classifier/108/other/1785485
new file mode 100644
index 000000000..c5465063d
--- /dev/null
+++ b/results/classifier/108/other/1785485
@@ -0,0 +1,41 @@
+graphic: 0.709
+device: 0.685
+semantic: 0.603
+performance: 0.577
+other: 0.499
+network: 0.375
+permissions: 0.329
+vnc: 0.318
+debug: 0.300
+socket: 0.297
+files: 0.269
+PID: 0.257
+boot: 0.250
+KVM: 0.175
+
+Mouse moves erratically when using scroll wheel on Windows NT 4, Windows 95, and Windows 3.1 guests
+
+QEMU version: 3.0.0 RC3
+Guests: Windows NT 4.0, Windows 95, Windows 3.1
+
+Program: When the user uses the scroll wheel, the mouse's movement becomes erratic. 
+
+This is noticed immediately when the scroll wheel is used. Sometimes the problem can be fixed by moving the scroll wheel some more.
+
+My theory is this problem is because of the lack of support for the Microsoft Intellimouse in these guest operating systems.
+
+The QEMU project is currently considering to move its bug tracking to
+another system. For this we need to know which bugs are still valid
+and which could be closed already. Thus we are setting older bugs to
+"Incomplete" now.
+
+If you still think this bug report here is valid, then please switch
+the state back to "New" within the next 60 days, otherwise this report
+will be marked as "Expired". Or please mark it as "Fix Released" if
+the problem has been solved with a newer version of QEMU already.
+
+Thank you and sorry for the inconvenience.
+
+
+After doing tests with Windows 95, 3,1, NT 4.0, and 2000 I can say this bug appears to be fixed.
+
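Review bot: the Launchpad housekeeping notice (`The QEMU project is currently considering to move its bug tracking ...` through `Thank you and sorry for the inconvenience.`) is template text that recurs in every report set to Incomplete and carries no signal about the bug itself; filter it before classification, otherwise it will dominate the token count of short reports like this one.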
diff --git a/results/classifier/108/other/1785670 b/results/classifier/108/other/1785670
new file mode 100644
index 000000000..770649656
--- /dev/null
+++ b/results/classifier/108/other/1785670
@@ -0,0 +1,535 @@
+other: 0.765
+KVM: 0.685
+vnc: 0.676
+device: 0.675
+permissions: 0.666
+network: 0.665
+PID: 0.662
+semantic: 0.659
+graphic: 0.653
+socket: 0.653
+performance: 0.649
+files: 0.647
+debug: 0.645
+boot: 0.543
+
+Guest(ubuntu 18.04) crashes when trying uploading file
+
+I speficy slirp network, and I can open websites, git clone repos. But when I try to upload a file to slack, or try to do a git push, it crashes.
+
+My host is ubuntu 16.04 with kernel 4.15.0-29-generic, and qemu is latest source in git(commit 1fb57da72ae0886e). The command I use is
+
+./x86_64-softmmu/qemu-system-x86_64 -machine q35,accel=kvm -m 2048 -drive file=../qcow2/guest.qcow2  -netdev user,id=realnet0 -device e1000e,netdev=realnet0
+
+The trace is as follows
+
+*** Error in `./x86_64-softmmu/qemu-system-x86_64': free(): invalid next size (normal): 0x00007f66d80b7300 ***
+======= Backtrace: =========
+/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f66fb7967e5]
+/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f66fb79f37a]
+/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f66fb7a353c]
+./x86_64-softmmu/qemu-system-x86_64(+0x6a8549)[0x55dc10c7d549]
+./x86_64-softmmu/qemu-system-x86_64(+0x6a99d4)[0x55dc10c7e9d4]
+./x86_64-softmmu/qemu-system-x86_64(+0x6ad09a)[0x55dc10c8209a]
+./x86_64-softmmu/qemu-system-x86_64(+0x6a3feb)[0x55dc10c78feb]
+./x86_64-softmmu/qemu-system-x86_64(+0x6a746e)[0x55dc10c7c46e]
+./x86_64-softmmu/qemu-system-x86_64(+0x68fe2c)[0x55dc10c64e2c]
+./x86_64-softmmu/qemu-system-x86_64(+0x685b3b)[0x55dc10c5ab3b]
+./x86_64-softmmu/qemu-system-x86_64(+0x685bfd)[0x55dc10c5abfd]
+./x86_64-softmmu/qemu-system-x86_64(+0x6885a8)[0x55dc10c5d5a8]
+./x86_64-softmmu/qemu-system-x86_64(+0x688717)[0x55dc10c5d717]
+./x86_64-softmmu/qemu-system-x86_64(+0x685d27)[0x55dc10c5ad27]
+./x86_64-softmmu/qemu-system-x86_64(+0x685d54)[0x55dc10c5ad54]
+./x86_64-softmmu/qemu-system-x86_64(+0x586bb8)[0x55dc10b5bbb8]
+./x86_64-softmmu/qemu-system-x86_64(+0x586d92)[0x55dc10b5bd92]
+./x86_64-softmmu/qemu-system-x86_64(+0x586ecd)[0x55dc10b5becd]
+./x86_64-softmmu/qemu-system-x86_64(+0x593ea8)[0x55dc10b68ea8]
+./x86_64-softmmu/qemu-system-x86_64(+0x59419d)[0x55dc10b6919d]
+./x86_64-softmmu/qemu-system-x86_64(+0x5947df)[0x55dc10b697df]
+./x86_64-softmmu/qemu-system-x86_64(+0x597ddf)[0x55dc10b6cddf]
+./x86_64-softmmu/qemu-system-x86_64(+0x5989e7)[0x55dc10b6d9e7]
+./x86_64-softmmu/qemu-system-x86_64(+0x58ae11)[0x55dc10b5fe11]
+./x86_64-softmmu/qemu-system-x86_64(+0x30d4f6)[0x55dc108e24f6]
+./x86_64-softmmu/qemu-system-x86_64(+0x30d70e)[0x55dc108e270e]
+./x86_64-softmmu/qemu-system-x86_64(+0x310336)[0x55dc108e5336]
+./x86_64-softmmu/qemu-system-x86_64(+0x2ac368)[0x55dc10881368]
+./x86_64-softmmu/qemu-system-x86_64(+0x2ac4b2)[0x55dc108814b2]
+./x86_64-softmmu/qemu-system-x86_64(+0x2ac7b8)[0x55dc108817b8]
+./x86_64-softmmu/qemu-system-x86_64(+0x2ac809)[0x55dc10881809]
+./x86_64-softmmu/qemu-system-x86_64(+0x32b673)[0x55dc10900673]
+./x86_64-softmmu/qemu-system-x86_64(+0x2f2875)[0x55dc108c7875]
+./x86_64-softmmu/qemu-system-x86_64(+0x81b91c)[0x55dc10df091c]
+/lib/x86_64-linux-gnu/libpthread.so.0(+0x76ba)[0x7f66fbaf06ba]
+/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f66fb82641d]
+======= Memory map: ========
+55dc105d5000-55dc112a9000 r-xp 00000000 103:02 5767220                   /home/biggerfish/src/qemu/x86_64-softmmu/qemu-system-x86_64
+55dc114a9000-55dc115bd000 r--p 00cd4000 103:02 5767220                   /home/biggerfish/src/qemu/x86_64-softmmu/qemu-system-x86_64
+55dc115bd000-55dc11773000 rw-p 00de8000 103:02 5767220                   /home/biggerfish/src/qemu/x86_64-softmmu/qemu-system-x86_64
+55dc11773000-55dc117b5000 rw-p 00000000 00:00 0 
+55dc134d6000-55dc14e20000 rw-p 00000000 00:00 0                          [heap]
+7f6634000000-7f6634021000 rw-p 00000000 00:00 0 
+7f6634021000-7f6638000000 ---p 00000000 00:00 0 
+7f663c000000-7f663c021000 rw-p 00000000 00:00 0 
+7f663c021000-7f6640000000 ---p 00000000 00:00 0 
+7f6642000000-7f6644000000 rw-s 00000000 00:05 4882443                    /SYSV00000000 (deleted)
+7f6644000000-7f6644021000 rw-p 00000000 00:00 0 
+7f6644021000-7f6648000000 ---p 00000000 00:00 0 
+7f66491cc000-7f66491cd000 ---p 00000000 00:00 0 
+7f66491cd000-7f66499cd000 rw-p 00000000 00:00 0 
+7f66499cd000-7f66499ce000 ---p 00000000 00:00 0 
+7f66499ce000-7f664a1ce000 rw-p 00000000 00:00 0 
+7f664a1ce000-7f664a1cf000 ---p 00000000 00:00 0 
+7f664a1cf000-7f664a9cf000 rw-p 00000000 00:00 0 
+7f664a9cf000-7f664a9d0000 ---p 00000000 00:00 0 
+7f664a9d0000-7f664b1d0000 rw-p 00000000 00:00 0 
+7f664b1d0000-7f664b1d1000 ---p 00000000 00:00 0 
+7f664b1d1000-7f664b9d1000 rw-p 00000000 00:00 0 
+7f664b9d1000-7f664b9d2000 ---p 00000000 00:00 0 
+7f664b9d2000-7f664bad2000 rw-p 00000000 00:00 0 
+7f664bad2000-7f664bad3000 ---p 00000000 00:00 0 
+7f664bad3000-7f664bbd3000 rw-p 00000000 00:00 0 
+7f664bbd3000-7f664bbd4000 ---p 00000000 00:00 0 
+7f664bbd4000-7f664bcd4000 rw-p 00000000 00:00 0 
+7f664bcd4000-7f664bcd5000 ---p 00000000 00:00 0 
+7f664bcd5000-7f664c4d5000 rw-p 00000000 00:00 0 
+7f664c4d5000-7f664c4d6000 ---p 00000000 00:00 0 
+7f664c4d6000-7f664c5d6000 rw-p 00000000 00:00 0 
+7f664c5d6000-7f664c5d7000 ---p 00000000 00:00 0 
+7f664c5d7000-7f664c6d7000 rw-p 00000000 00:00 0 
+7f664c6d7000-7f664c6d8000 ---p 00000000 00:00 0 
+7f664c6d8000-7f664c7d8000 rw-p 00000000 00:00 0 
+7f664c7d8000-7f664c7d9000 ---p 00000000 00:00 0 
+7f664c7d9000-7f664c8d9000 rw-p 00000000 00:00 0 
+7f664c8d9000-7f664c8da000 ---p 00000000 00:00 0 
+7f664c8da000-7f664c9da000 rw-p 00000000 00:00 0 
+7f664c9da000-7f664c9db000 ---p 00000000 00:00 0 
+7f664c9db000-7f664cadb000 rw-p 00000000 00:00 0 
+7f664cadb000-7f664cadc000 ---p 00000000 00:00 0 
+7f664cadc000-7f664cbdc000 rw-p 00000000 00:00 0 
+7f664cbdc000-7f664cbdd000 ---p 00000000 00:00 0 
+7f664cbdd000-7f664ccdd000 rw-p 00000000 00:00 0 
+7f664ccdd000-7f664ccde000 ---p 00000000 00:00 0 
+7f664ccde000-7f664cdde000 rw-p 00000000 00:00 0 
+7f664cdde000-7f664cddf000 ---p 00000000 00:00 0 
+7f664cddf000-7f664cedf000 rw-p 00000000 00:00 0 
+7f664cedf000-7f664cee0000 ---p 00000000 00:00 0 
+7f664cee0000-7f664cfe0000 rw-p 00000000 00:00 0 
+7f664cfe0000-7f664cfe1000 ---p 00000000 00:00 0 
+7f664cfe1000-7f664d0e1000 rw-p 00000000 00:00 0 
+7f664d0e1000-7f664d0e2000 ---p 00000000 00:00 0 
+7f664d0e2000-7f664d1e2000 rw-p 00000000 00:00 0 
+7f664d1e2000-7f664d1e3000 ---p 00000000 00:00 0 
+7f664d1e3000-7f664d2e3000 rw-p 00000000 00:00 0 
+7f664d2e3000-7f664d2e4000 ---p 00000000 00:00 0 
+7f664d2e4000-7f664d3e4000 rw-p 00000000 00:00 0 
+7f664d3e4000-7f664d3e5000 ---p 00000000 00:00 0 
+7f664d3e5000-7f664d4e5000 rw-p 00000000 00:00 0 
+7f664d4e5000-7f664d4e6000 ---p 00000000 00:00 0 
+7f664d4e6000-7f664d5e6000 rw-p 00000000 00:00 0 
+7f664d5e6000-7f664d5e7000 ---p 00000000 00:00 0 
+7f664d5e7000-7f664d6e7000 rw-p 00000000 00:00 0 
+7f664d6e7000-7f664d6e8000 ---p 00000000 00:00 0 
+7f664d6e8000-7f664d7e8000 rw-p 00000000 00:00 0 
+7f664d7e8000-7f664d7e9000 ---p 00000000 00:00 0 
+7f664d7e9000-7f664d8e9000 rw-p 00000000 00:00 0 
+7f664d8e9000-7f664d8ea000 ---p 00000000 00:00 0 
+7f664d8ea000-7f664d9ea000 rw-p 00000000 00:00 0 
+7f664d9ea000-7f664d9eb000 ---p 00000000 00:00 0 
+7f664d9eb000-7f664daeb000 rw-p 00000000 00:00 0 
+7f664daeb000-7f664daec000 ---p 00000000 00:00 0 
+7f664daec000-7f664dbec000 rw-p 00000000 00:00 0 
+7f664dbec000-7f664dbed000 ---p 00000000 00:00 0 
+7f664dbed000-7f664dced000 rw-p 00000000 00:00 0 
+7f664dced000-7f664dcee000 ---p 00000000 00:00 0 
+7f664dcee000-7f664ddee000 rw-p 00000000 00:00 0 
+7f664ddee000-7f664ddef000 ---p 00000000 00:00 0 
+7f664ddef000-7f664deef000 rw-p 00000000 00:00 0 
+7f664deef000-7f664def0000 ---p 00000000 00:00 0 
+7f664def0000-7f664dff0000 rw-p 00000000 00:00 0 
+7f664dff0000-7f664dff1000 ---p 00000000 00:00 0 
+7f664dff1000-7f664e0f1000 rw-p 00000000 00:00 0 
+7f664e0f1000-7f664e0f2000 ---p 00000000 00:00 0 
+7f664e0f2000-7f664e1f2000 rw-p 00000000 00:00 0 
+7f664e1f2000-7f664e1f3000 ---p 00000000 00:00 0 
+7f664e1f3000-7f664e2f3000 rw-p 00000000 00:00 0 
+7f664e2f3000-7f664e2f4000 ---p 00000000 00:00 0 
+7f664e2f4000-7f664e3f4000 rw-p 00000000 00:00 0 
+7f664e3f4000-7f664e3f5000 ---p 00000000 00:00 0 
+7f664e3f5000-7f664e4f5000 rw-p 00000000 00:00 0 
+7f664e4f5000-7f664e4f6000 ---p 00000000 00:00 0 
+7f664e4f6000-7f664e5f6000 rw-p 00000000 00:00 0 
+7f664e5f6000-7f664e5f7000 ---p 00000000 00:00 0 
+7f664e5f7000-7f664e6f7000 rw-p 00000000 00:00 0 
+7f664e6f7000-7f664e6f8000 ---p 00000000 00:00 0 
+7f664e6f8000-7f664e7f8000 rw-p 00000000 00:00 0 
+7f664e7f8000-7f664e7f9000 ---p 00000000 00:00 0 
+7f664e7f9000-7f664e8f9000 rw-p 00000000 00:00 0 
+7f664e8f9000-7f664e8fa000 ---p 00000000 00:00 0 
+7f664e8fa000-7f664e9fa000 rw-p 00000000 00:00 0 
+7f664e9fa000-7f664e9fb000 ---p 00000000 00:00 0 
+7f664e9fb000-7f664eafb000 rw-p 00000000 00:00 0 
+7f664eafb000-7f664eafc000 ---p 00000000 00:00 0 
+7f664eafc000-7f664ebfc000 rw-p 00000000 00:00 0 
+7f664ebfc000-7f664ebfd000 ---p 00000000 00:00 0 
+7f664ebfd000-7f664ecfd000 rw-p 00000000 00:00 0 
+7f664ecfd000-7f664ecfe000 ---p 00000000 00:00 0 
+7f664ecfe000-7f664edfe000 rw-p 00000000 00:00 0 
+7f664edfe000-7f664edff000 ---p 00000000 00:00 0 
+7f664edff000-7f664eeff000 rw-p 00000000 00:00 0 
+7f664eeff000-7f664ef00000 ---p 00000000 00:00 0 
+7f664ef00000-7f664f000000 rw-p 00000000 00:00 0 
+7f664f6fe000-7f664f6ff000 ---p 00000000 00:00 0 
+7f664f6ff000-7f664f7ff000 rw-p 00000000 00:00 0 
+7f664f7ff000-7f664f800000 ---p 00000000 00:00 0 
+7f664f800000-7f6650000000 rw-p 00000000 00:00 0 
+7f6650000000-7f6650022000 rw-p 00000000 00:00 0 
+7f6650022000-7f6654000000 ---p 00000000 00:00 0 
+7f66540f5000-7f66540f6000 ---p 00000000 00:00 0 
+7f66540f6000-7f66541f6000 rw-p 00000000 00:00 0 
+7f66541f6000-7f66541f7000 ---p 00000000 00:00 0 
+7f66541f7000-7f66542f7000 rw-p 00000000 00:00 0 
+7f66542f7000-7f66542f8000 ---p 00000000 00:00 0 
+7f66542f8000-7f66543f8000 rw-p 00000000 00:00 0 
+7f66543f8000-7f66543f9000 ---p 00000000 00:00 0 
+7f66543f9000-7f66544f9000 rw-p 00000000 00:00 0 
+7f66544f9000-7f66544fa000 ---p 00000000 00:00 0 
+7f66544fa000-7f66545fa000 rw-p 00000000 00:00 0 
+7f66545fa000-7f66545fb000 ---p 00000000 00:00 0 
+7f66545fb000-7f66546fb000 rw-p 00000000 00:00 0 
+7f66546fb000-7f66546fc000 ---p 00000000 00:00 0 
+7f66546fc000-7f66547fc000 rw-p 00000000 00:00 0 
+7f66547fc000-7f66547fd000 ---p 00000000 00:00 0 
+7f66547fd000-7f66548fd000 rw-p 00000000 00:00 0 
+7f66548fd000-7f66548fe000 ---p 00000000 00:00 0 
+7f66548fe000-7f66549fe000 rw-p 00000000 00:00 0 
+7f66549fe000-7f66549ff000 ---p 00000000 00:00 0 
+7f66549ff000-7f6654aff000 rw-p 00000000 00:00 0 
+7f6654aff000-7f6654b00000 ---p 00000000 00:00 0 
+7f6654b00000-7f6654c00000 rw-p 00000000 00:00 0 
+7f6654c00000-7f6654c01000 rw-p 00000000 00:00 0 
+7f6654c01000-7f6654c02000 ---p 00000000 00:00 0 
+7f6654cff000-7f6654d00000 ---p 00000000 00:00 0 
+7f6654d00000-7f6654e00000 rw-p 00000000 00:00 0 
+7f6654e00000-7f6654e01000 rw-p 00000000 00:00 0 
+7f6654e01000-7f6654e02000 ---p 00000000 00:00 0 
+7f6654eff000-7f6654f00000 ---p 00000000 00:00 0 
+7f6654f00000-7f6655000000 rw-p 00000000 00:00 0 
+7f6655000000-7f6655200000 rw-p 00000000 00:00 0 
+7f6655200000-7f6655201000 ---p 00000000 00:00 0 
+7f665523b000-7f6656af1000 r-xp 00000000 103:02 2233416                   /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
+7f6656af1000-7f6656cf0000 ---p 018b6000 103:02 2233416                   /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
+7f6656cf0000-7f6656cf1000 r--p 018b5000 103:02 2233416                   /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
+7f6656cf1000-7f6656cf2000 rw-p 018b6000 103:02 2233416                   /usr/lib/x86_64-linux-gnu/libicudata.so.55.1
+7f6656cf2000-7f6656e71000 r-xp 00000000 103:02 2233420                   /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
+7f6656e71000-7f6657071000 ---p 0017f000 103:02 2233420                   /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
+7f6657071000-7f6657081000 r--p 0017f000 103:02 2233420                   /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
+7f6657081000-7f6657082000 rw-p 0018f000 103:02 2233420                   /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1
+7f6657082000-7f6657086000 rw-p 00000000 00:00 0 
+7f6657086000-7f6657237000 r-xp 00000000 103:02 2237922                   /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
+7f6657237000-7f6657436000 ---p 001b1000 103:02 2237922                   /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
+7f6657436000-7f665743e000 r--p 001b0000 103:02 2237922                   /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
+7f665743e000-7f6657440000 rw-p 001b8000 103:02 2237922                   /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.3
+7f6657440000-7f6657441000 rw-p 00000000 00:00 0 
+7f6657441000-7f6657e00000 r--p 00000000 103:02 2235565                   /usr/lib/locale/locale-archive
+7f6657e00000-7f66d7e00000 rw-p 00000000 00:00 0 
+7f66d7e00000-7f66d7e01000 ---p 00000000 00:00 0 
+7f66d7eff000-7f66d7f00000 ---p 00000000 00:00 0 
+7f66d7f00000-7f66d8000000 rw-p 00000000 00:00 0 
+7f66d8000000-7f66d8b29000 rw-p 00000000 00:00 0 
+7f66d8b29000-7f66dc000000 ---p 00000000 00:00 0 
+7f66dc000000-7f66dc022000 rw-p 00000000 00:00 0 
+7f66dc022000-7f66e0000000 ---p 00000000 00:00 0 
+7f66e008a000-7f66e008b000 ---p 00000000 00:00 0 
+7f66e008b000-7f66e018b000 rw-p 00000000 00:00 0 
+7f66e018b000-7f66e01c2000 r-xp 00000000 103:02 2236734                   /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
+7f66e01c2000-7f66e03c2000 ---p 00037000 103:02 2236734                   /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
+7f66e03c2000-7f66e03c5000 r--p 00037000 103:02 2236734                   /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
+7f66e03c5000-7f66e03c6000 rw-p 0003a000 103:02 2236734                   /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3.0.1
+7f66e03c6000-7f66e03fb000 r-xp 00000000 103:02 2237572                   /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
+7f66e03fb000-7f66e05fb000 ---p 00035000 103:02 2237572                   /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
+7f66e05fb000-7f66e05fc000 r--p 00035000 103:02 2237572                   /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
+7f66e05fc000-7f66e05fd000 rw-p 00036000 103:02 2237572                   /usr/lib/x86_64-linux-gnu/librsvg-2.so.2.40.13
+7f66e05fd000-7f66e05ff000 r-xp 00000000 103:02 2493292                   /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
+7f66e05ff000-7f66e07fe000 ---p 00002000 103:02 2493292                   /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
+7f66e07fe000-7f66e07ff000 r--p 00001000 103:02 2493292                   /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
+7f66e07ff000-7f66e0800000 rw-p 00002000 103:02 2493292                   /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so
+7f66e0800000-7f66e0840000 rw-p 00000000 00:00 0 
+7f66e0840000-7f66e0841000 ---p 00000000 00:00 0 
+7f66e08ff000-7f66e0900000 ---p 00000000 00:00 0 
+7f66e0900000-7f66e0a00000 rw-p 00000000 00:00 0 
+7f66e0a00000-7f66e0a10000 rw-p 00000000 00:00 0 
+7f66e0a10000-7f66e0a11000 ---p 00000000 00:00 0 
+7f66e0aff000-7f66e0b00000 ---p 00000000 00:00 0 
+7f66e0b00000-7f66e0c00000 rw-p 00000000 00:00 0 
+7f66e0c00000-7f66e1c00000 rw-p 00000000 00:00 0 
+7f66e1c00000-7f66e1c01000 ---p 00000000 00:00 0 
+7f66e1cff000-7f66e1d00000 ---p 00000000 00:00 0 
+7f66e1d00000-7f66e1e00000 rw-p 00000000 00:00 0 
+7f66e1e00000-7f66e1e20000 rw-p 00000000 00:00 0 
+7f66e1e20000-7f66e1e21000 ---p 00000000 00:00 0 
+7f66e1e5c000-7f66e1eb3000 r--p 00000000 103:02 3277771                   /usr/share/fonts/truetype/ubuntu-font-family/Ubuntu-R.ttf
+7f66e1eb3000-7f66e1ebe000 r--s 00000000 103:02 3019418                   /var/cache/fontconfig/945677eb7aeaf62f1d50efc3fb3ec7d8-le64.cache-6
+7f66e1ebe000-7f66e1ed3000 r--s 00000000 103:02 3019394                   /var/cache/fontconfig/04aabc0a78ac019cf9454389977116d2-le64.cache-6
+7f66e1eff000-7f66e1f00000 ---p 00000000 00:00 0 
+7f66e1f00000-7f66e2000000 rw-p 00000000 00:00 0 
+7f66e2000000-7f66e2040000 rw-p 00000000 00:00 0 
+7f66e2040000-7f66e2041000 ---p 00000000 00:00 0 
+7f66e204a000-7f66e204b000 rw-p 00000000 00:00 0 
+7f66e204b000-7f66e2051000 r--s 00000000 103:02 3019400                   /var/cache/fontconfig/2cd17615ca594fa2959ae173292e504c-le64.cache-6
+7f66e2051000-7f66e2052000 r--s 00000000 103:02 3019397                   /var/cache/fontconfig/0d8c3b2ac0904cb8a57a757ad11a4a08-le64.cache-6
+7f66e2052000-7f66e2053000 r--s 00000000 103:02 3019399                   /var/cache/fontconfig/1ac9eb803944fde146138c791f5cc56a-le64.cache-6
+7f66e2053000-7f66e2057000 r--s 00000000 103:02 3019404                   /var/cache/fontconfig/385c0604a188198f04d133e54aba7fe7-le64.cache-6
+7f66e2057000-7f66e2058000 r--s 00000000 103:02 3019431                   /var/cache/fontconfig/dc05db6664285cc2f12bf69c139ae4c3-le64.cache-6
+7f66e2058000-7f66e205b000 r--s 00000000 103:02 3019414                   /var/cache/fontconfig/767a8244fc0220cfb567a839d0392e0b-le64.cache-6
+7f66e205b000-7f66e2060000 r--s 00000000 103:02 3019417                   /var/cache/fontconfig/8801497958630a81b71ace7c5f9b32a8-le64.cache-6
+7f66e2060000-7f66e2067000 r--s 00000000 103:02 3019401                   /var/cache/fontconfig/3047814df9a2f067bd2d96a2b9c36e5a-le64.cache-6
+7f66e2067000-7f66e206d000 r--s 00000000 103:02 3019422                   /var/cache/fontconfig/b47c4e1ecd0709278f4910c18777a504-le64.cache-6
+7f66e206d000-7f66e2080000 r--s 00000000 103:02 3019428                   /var/cache/fontconfig/d52a8644073d54c13679302ca1180695-le64.cache-6
+7f66e2080000-7f66e208b000 r--s 00000000 103:02 3019416                   /var/cache/fontconfig/83bf95040141907cd45bb53cf7c1c148-le64.cache-6
+7f66e208b000-7f66e209d000 r--s 00000000 103:02 3019420                   /var/cache/fontconfig/9b89f8e3dae116d678bbf48e5f21f69b-le64.cache-6
+7f66e209d000-7f66e20bc000 r--s 00000000 103:02 2752558                   /usr/share/mime/mime.cache
+7f66e20bc000-7f66e20bd000 ---p 00000000 00:00 0 
+7f66e20bd000-7f66e21bd000 rw-p 00000000 00:00 0 
+7f66e21bd000-7f66e21be000 ---p 00000000 00:00 0 
+7f66e21be000-7f66e2ca2000 rw-p 00000000 00:00 0 
+7f66e2ca2000-7f66e2ca3000 ---p 00000000 00:00 0 
+7f66e2ca3000-7f66e2da3000 rw-p 00000000 00:00 0 
+7f66e2da3000-7f66e2da4000 ---p 00000000 00:00 0 
+7f66e2da4000-7f66e35a4000 rw-p 00000000 00:00 0 
+7f66e35a4000-7f66e35ab000 r-xp 00000000 103:02 2237425                   /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
+7f66e35ab000-7f66e37ab000 ---p 00007000 103:02 2237425                   /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
+7f66e37ab000-7f66e37ac000 r--p 00007000 103:02 2237425                   /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
+7f66e37ac000-7f66e37ad000 rw-p 00008000 103:02 2237425                   /usr/lib/x86_64-linux-gnu/libogg.so.0.8.2
+7f66e37ad000-7f66e37d7000 r-xp 00000000 103:02 2233113                   /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
+7f66e37d7000-7f66e39d6000 ---p 0002a000 103:02 2233113                   /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
+7f66e39d6000-7f66e39d7000 r--p 00029000 103:02 2233113                   /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
+7f66e39d7000-7f66e39d8000 rw-p 0002a000 103:02 2233113                   /usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
+7f66e39d8000-7f66e39e1000 r-xp 00000000 103:02 2237286                   /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
+7f66e39e1000-7f66e3be0000 ---p 00009000 103:02 2237286                   /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
+7f66e3be0000-7f66e3be1000 r--p 00008000 103:02 2237286                   /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
+7f66e3be1000-7f66e3be2000 rw-p 00009000 103:02 2237286                   /usr/lib/x86_64-linux-gnu/libltdl.so.7.3.1
+7f66e3be2000-7f66e3bf6000 r-xp 00000000 103:02 2237676                   /usr/lib/x86_64-linux-gnu/libtdb.so.1.3.8Aborted (core dumped)
+
+I can recreate this here.
+
+#0  0x00007fffec275feb in raise () at /lib64/libc.so.6
+#1  0x00007fffec2605c1 in abort () at /lib64/libc.so.6
+#2  0x00007fffec2b89d7 in __libc_message () at /lib64/libc.so.6
+#3  0x00007fffec2beeac in  () at /lib64/libc.so.6
+#4  0x00007fffec2c091c in _int_free () at /lib64/libc.so.6
+#5  0x00007ffff725b4d2 in g_free () at /lib64/libglib-2.0.so.0
+#6  0x0000555555b49551 in m_free (m=0x7fffc44b0dd0) at /home/dgilbert/git/qemu/slirp/mbuf.c:114
+#7  0x0000555555b4a33d in sbappend (so=<optimized out>, m=<optimized out>) at /home/dgilbert/git/qemu/slirp/sbuf.c:82
+#8  0x0000555555b4d6ae in tcp_input (m=0x7fffc44b0dd0, iphlen=<optimized out>, inso=<optimized out>, af=<optimized out>)
+    at /home/dgilbert/git/qemu/slirp/tcp_input.c:1300
+#9  0x0000555555b48d98 in slirp_input (slirp=<optimized out>, pkt=0x7fffc44ad900 "RU\n", pkt_len=pkt_len@entry=66)
+    at /home/dgilbert/git/qemu/slirp/slirp.c:875
+#10 0x0000555555b378e0 in net_slirp_receive (nc=<optimized out>, buf=<optimized out>, size=66) at /home/dgilbert/git/qemu/net/slirp.c:121
+#11 0x0000555555b2ff4e in nc_sendv_compat (flags=<optimized out>, iovcnt=3, iov=0x7fffceff9a40, nc=0x5555567d5e60)
+    at /home/dgilbert/git/qemu/net/net.c:701
+#12 0x0000555555b2ff4e in qemu_deliver_packet_iov (sender=<optimized out>, flags=<optimized out>, iov=0x7fffceff9a40, iovcnt=3, opaque=0x5555567d5e60)
+    at /home/dgilbert/git/qemu/net/net.c:728
+#13 0x0000555555b32744 in qemu_net_queue_deliver_iov (iovcnt=3, iov=0x7fffceff9a40, flags=0, sender=0x555557a70ae0, queue=0x5555567d6010)
+    at /home/dgilbert/git/qemu/net/queue.c:179
+#14 0x0000555555b32744 in qemu_net_queue_send_iov (queue=0x5555567d6010, sender=0x555557a70ae0, flags=0, iov=0x7fffceff9a40, iovcnt=3, sent_cb=<optimized out>) at /home/dgilbert/git/qemu/net/queue.c:224
+#15 0x0000555555a6ec61 in net_tx_pkt_sendv (pkt=0x555557a71010, iov_cnt=3, iov=0x7fffceff9a40, nc=0x555557a70ae0)
+    at /home/dgilbert/git/qemu/hw/net/net_tx_pkt.c:546
+#16 0x0000555555a6ec61 in net_tx_pkt_do_sw_fragmentation (pkt=pkt@entry=0x555557a71010, nc=nc@entry=0x555557a70ae0)
+    at /home/dgilbert/git/qemu/hw/net/net_tx_pkt.c:588
+#17 0x0000555555a6f87f in net_tx_pkt_send (pkt=0x555557a71010, nc=nc@entry=0x555557a70ae0) at /home/dgilbert/git/qemu/hw/net/net_tx_pkt.c:625
+#18 0x0000555555a78ff8 in e1000e_tx_pkt_send (queue_index=<optimized out>, tx=0x555557a1d1e8, core=0x5555579fcf80)
+    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:665
+#19 0x0000555555a78ff8 in e1000e_process_tx_desc (queue_index=<optimized out>, dp=0x7fffceff9f30, tx=0x555557a1d1e8, core=0x5555579fcf80)
+    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:742
+#20 0x0000555555a78ff8 in e1000e_start_xmit (core=0x5555579fcf80, txr=<optimized out>, txr=<optimized out>)
+    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:933
+#21 0x0000555555a792b9 in e1000e_set_tdt (core=<optimized out>, index=<optimized out>, val=<optimized out>)
+    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:2450
+#22 0x0000555555a7c0a5 in e1000e_core_write (core=0x5555579fcf80, addr=<optimized out>, val=220, size=4)
+    at /home/dgilbert/git/qemu/hw/net/e1000e_core.c:3255
+#23 0x0000555555876c37 in memory_region_write_accessor (mr=0x5555579fcbb0, addr=14360, value=<optimized out>, size=4, shift=<optimized out>, mask=<optimized out>, attrs=...) at /home/dgilbert/git/qemu/memory.c:527
+---Type <return> to continue, or q <return> to quit---
+ out>, access_size_max=<optimized out>, access_fn=0x555555876bc0 <memory_region_write_accessor>, mr=0x5555579fcbb0, attrs=...) at /home/dgilbert/git/qemu/memory.c:594
+#25 0x00005555558794c1 in memory_region_dispatch_write (mr=mr@entry=0x5555579fcbb0, addr=14360, data=<optimized out>, size=4, attrs=attrs@entry=...) at /home/dgilbert/git/qemu/memory.c:1479
+#26 0x0000555555823833 in flatview_write_continue (fv=fv@entry=0x7fffc50aebc0, addr=addr@entry=4273485848, attrs=..., buf=buf@entry=0x7ffff7ff3028 <incomplete sequence \334>, len=len@entry=4, addr1=<optimized out>, l=<optimized out>, mr=0x5555579fcbb0) at /home/dgilbert/git/qemu/exec.c:3255
+#27 0x0000555555823a59 in flatview_write (fv=0x7fffc50aebc0, addr=4273485848, attrs=..., buf=0x7ffff7ff3028 <incomplete sequence \334>, len=4) at /home/dgilbert/git/qemu/exec.c:3294
+#28 0x000055555582737f in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=buf@entry=0x7ffff7ff3028 <incomplete sequence \334>, len=<optimized out>) at /home/dgilbert/git/qemu/exec.c:3384
+#29 0x000055555582740a in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=..., buf=buf@entry=0x7ffff7ff3028 <incomplete sequence \334>, len=<optimized out>, is_write=<optimized out>)
+    at /home/dgilbert/git/qemu/exec.c:3395
+#30 0x000055555588b7b8 in kvm_cpu_exec (cpu=cpu@entry=0x55555683ddf0) at /home/dgilbert/git/qemu/accel/kvm/kvm-all.c:1979
+#31 0x0000555555862896 in qemu_kvm_cpu_thread_fn (arg=0x55555683ddf0) at /home/dgilbert/git/qemu/cpus.c:1215
+#32 0x00007fffec605594 in start_thread () at /lib64/libpthread.so.0
+#33 0x00007fffec3390df in clone () at /lib64/libc.so.6
+
+(This is with a fedora guest, so that's irrelevant)
+
+Looks like it might be e1000e specific?
+I can recreate it with either q35 with no extra options (it has e1000e by default), pc or q35 specifying e1000e, but plain pc works fine.
+
+Simple test;  scp bigfile from guest to user@10.0.2.2: (i.e. host)
+
+Dave
+
+It's indeed e1000e specific, when I change e1000e to e1000, I can upload file freely. Looks like there is an overflow somewhere in e1000e that corrupted the heap chunk header.
+
+Hi, 
+ 
+I have find the overflow point using ASAN.
+ 
+void
+m_cat(struct mbuf *m, struct mbuf *n)
+{
+ /*
+  * If there's no room, realloc
+  */
+ if (M_FREEROOM(m) < n->m_len)
+  m_inc(m, m->m_len + n->m_len);
+ 
+ memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
+ m->m_len += n->m_len;
+ 
+ m_free(n);
+}
+ 
+
+/* make m 'size' bytes large from m_data */
+void
+m_inc(struct mbuf *m, int size)
+{
+    int datasize;
+ 
+    /* some compilers throw up on gotos.  This one we can fake. */
+    if (m->m_size > size) {
+        return;
+    }
+ 
+    if (m->m_flags & M_EXT) {
+        datasize = m->m_data - m->m_ext;
+        m->m_ext = g_realloc(m->m_ext, size + datasize);
+    } else {
+        datasize = m->m_data - m->m_dat;
+        m->m_ext = g_malloc(size + datasize);
+        memcpy(m->m_ext, m->m_dat, m->m_size);
+        m->m_flags |= M_EXT;
+    }
+ 
+    m->m_data = m->m_ext + datasize;
+    m->m_size = size + datasize;
+}
+ 
+Here m_cat catenates two mbuf, when the first has no buffer, it allocates an M_EXT.
+In m_inc, g_malloc called, then return m_cat, the next call to m_cat will trigger oob write.
+ 
+Seems the m_len is too big.
+In my debug, I see the m->m_len is 0x5b0, but datasize in m_inc is 0x40. Is this right?
+ 
+Thanks,
+Li Qiang
+ 
+==17835==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000041dd0 at pc 0x7ffff6e9ad7b bp 0x7fffc6b215d0 sp 0x7fffc6b20d80
+WRITE of size 28 at 0x61f000041dd0 thread T4
+    #0 0x7ffff6e9ad7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
+    #1 0x55555663fa71 in m_cat slirp/mbuf.c:143
+    #2 0x555556632cdd in ip_reass slirp/ip_input.c:341
+    #3 0x555556631609 in ip_input slirp/ip_input.c:190
+    #4 0x55555663bd91 in slirp_input slirp/slirp.c:874
+    #5 0x555556600d6f in net_slirp_receive net/slirp.c:121
+    #6 0x5555565e8192 in nc_sendv_compat net/net.c:701
+    #7 0x5555565e8322 in qemu_deliver_packet_iov net/net.c:728
+    #8 0x5555565edda2 in qemu_net_queue_deliver_iov net/queue.c:179
+    #9 0x5555565edfaa in qemu_net_queue_send_iov net/queue.c:224
+    #10 0x5555565e8547 in qemu_sendv_packet_async net/net.c:764
+    #11 0x5555565e8574 in qemu_sendv_packet net/net.c:772
+    #12 0x55555636657c in net_tx_pkt_sendv hw/net/net_tx_pkt.c:546
+    #13 0x5555563668f3 in net_tx_pkt_do_sw_fragmentation hw/net/net_tx_pkt.c:588
+    #14 0x555556366c93 in net_tx_pkt_send hw/net/net_tx_pkt.c:625
+    #15 0x55555638586c in e1000e_tx_pkt_send hw/net/e1000e_core.c:665
+    #16 0x555556385fca in e1000e_process_tx_desc hw/net/e1000e_core.c:742
+    #17 0x555556387680 in e1000e_start_xmit hw/net/e1000e_core.c:933
+    #18 0x55555638f390 in e1000e_set_tdt hw/net/e1000e_core.c:2450
+    #19 0x5555563911cb in e1000e_core_write hw/net/e1000e_core.c:3255
+    #20 0x555556370524 in e1000e_mmio_write hw/net/e1000e.c:105
+    #21 0x555555d4ec07 in memory_region_write_accessor /home/liqiang02/qemu-devel/qemu/memory.c:527
+    #22 0x555555d4eee3 in access_with_adjusted_size /home/liqiang02/qemu-devel/qemu/memory.c:594
+    #23 0x555555d54d16 in memory_region_dispatch_write /home/liqiang02/qemu-devel/qemu/memory.c:1473
+    #24 0x555555c94b76 in flatview_write_continue /home/liqiang02/qemu-devel/qemu/exec.c:3255
+    #25 0x555555c94da1 in flatview_write /home/liqiang02/qemu-devel/qemu/exec.c:3294
+    #26 0x555555c95354 in address_space_write /home/liqiang02/qemu-devel/qemu/exec.c:3384
+    #27 0x555555c953a5 in address_space_rw /home/liqiang02/qemu-devel/qemu/exec.c:3395
+    #28 0x555555d92c4d in kvm_cpu_exec /home/liqiang02/qemu-devel/qemu/accel/kvm/kvm-all.c:1979
+    #29 0x555555d18936 in qemu_kvm_cpu_thread_fn /home/liqiang02/qemu-devel/qemu/cpus.c:1215
+    #30 0x5555569afef1 in qemu_thread_start util/qemu-thread-posix.c:504
+    #31 0x7fffdadbd493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
+    #32 0x7fffdaafface in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8ace)
+ 
+AddressSanitizer can not describe address in more detail (wild memory access suspected).
+SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a) 
+Shadow bytes around the buggy address:
+  0x0c3e80000360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c3e80000370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c3e80000380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c3e80000390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c3e800003a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0c3e800003b0: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
+  0x0c3e800003c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c3e800003d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c3e800003e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c3e800003f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c3e80000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+Thread T4 created by T0 here:
+    #0 0x7ffff6e6ef59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
+    #1 0x5555569b012f in qemu_thread_create util/qemu-thread-posix.c:534
+    #2 0x555555d1b7b9 in qemu_kvm_start_vcpu /home/liqiang02/qemu-devel/qemu/cpus.c:1935
+    #3 0x555555d1bf6c in qemu_init_vcpu /home/liqiang02/qemu-devel/qemu/cpus.c:2001
+    #4 0x555555f682de in x86_cpu_realizefn /home/liqiang02/qemu-devel/qemu/target/i386/cpu.c:4996
+    #5 0x55555621c00c in device_set_realized hw/core/qdev.c:826
+    #6 0x5555566f962f in property_set_bool qom/object.c:1984
+    #7 0x5555566f5bfc in object_property_set qom/object.c:1176
+    #8 0x5555566fbdce in object_property_set_qobject qom/qom-qobject.c:27
+    #9 0x5555566f5f19 in object_property_set_bool qom/object.c:1242
+    #10 0x555555edf7d7 in pc_new_cpu /home/liqiang02/qemu-devel/qemu/hw/i386/pc.c:1107
+    #11 0x555555edfc98 in pc_cpus_init /home/liqiang02/qemu-devel/qemu/hw/i386/pc.c:1155
+    #12 0x555555ef2451 in pc_q35_init /home/liqiang02/qemu-devel/qemu/hw/i386/pc_q35.c:130
+    #13 0x555555ef37f4 in pc_init_v3_0 /home/liqiang02/qemu-devel/qemu/hw/i386/pc_q35.c:320
+    #14 0x55555622ca6d in machine_run_board_init hw/core/machine.c:830
+    #15 0x555556099045 in main /home/liqiang02/qemu-devel/qemu/vl.c:4516
+    #16 0x7fffdaa372e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
+ 
+
+
+For me:
+c22098c74a fails
+864036e251 fails
+3835c310bd doesn't crash, but sometimes the outbound connection hangs.
+
+So perhaps the crash is 864036e251f54c99d31df124aad7f34f01f5344c
+
+http://patchwork.ozlabs.org/patch/954491/ is a patch which should fix this crash.
+
+
+Glad to see such a quick fix, and ASAN looks like a great tool :)
+
+Fix has been included here:
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=09b94ac0f29db3b022a77
+
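Review bot: the stored body for this record carries interactive-session residue that truncates its own evidence, and ingestion should either strip it or flag the gap. The gdb pager prompt `---Type <return> to continue, or q <return> to quit---` swallows the start of frame #24 (only `out>, access_size_max=<optimized out>, access_fn=0x555555876bc0 <memory_region_write_accessor>` survives), and the process exit message is fused onto the last /proc/maps line (`.../libtdb.so.1.3.8Aborted (core dumped)`) because stdout and stderr were captured interleaved. If these bodies feed the classifier, strip pager prompts and split the interleaving at ingestion time, or record that the gdb trace is incomplete; the ASAN trace further down the same file supplies the missing frame as `access_with_adjusted_size /home/liqiang02/qemu-devel/qemu/memory.c:594`. The content worth preserving cleanly here is the security-relevant chain the thread establishes: a heap-buffer-overflow in slirp's `m_cat` (reached via `ip_reass` from the e1000e transmit path, triggerable by an scp from the guest) that corrupts a heap chunk header and aborts QEMU, bisected to 864036e251 and fixed by the commit at https://git.qemu.org/?p=qemu.git;a=commitdiff;h=09b94ac0f29db3b022a77.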
diff --git a/results/classifier/108/other/1785734 b/results/classifier/108/other/1785734
new file mode 100644
index 000000000..e16d65ecd
--- /dev/null
+++ b/results/classifier/108/other/1785734
@@ -0,0 +1,131 @@
+vnc: 0.771
+KVM: 0.765
+other: 0.750
+debug: 0.710
+performance: 0.688
+device: 0.674
+graphic: 0.667
+permissions: 0.632
+socket: 0.621
+PID: 0.616
+semantic: 0.612
+files: 0.611
+boot: 0.579
+network: 0.578
+
+movdqu partial write at page boundary
+
+In TCG mode, when a 16-byte write instruction (such as movdqu) is executed at a page boundary and causes a page fault, a partial write is executed in the first page. See the attached code for an example.
+
+Tested on the qemu-3.0.0-rc1 release.
+
+
+% gcc -m32 qemu-bug2.c && ./a.out && echo && qemu-i386 ./a.out
+*(0x70000ff8+ 0) = aa
+*(0x70000ff8+ 1) = aa
+*(0x70000ff8+ 2) = aa
+*(0x70000ff8+ 3) = aa
+*(0x70000ff8+ 4) = aa
+*(0x70000ff8+ 5) = aa
+*(0x70000ff8+ 6) = aa
+*(0x70000ff8+ 7) = aa
+*(0x70000ff8+ 8) = 55
+*(0x70000ff8+ 9) = 55
+*(0x70000ff8+10) = 55
+*(0x70000ff8+11) = 55
+*(0x70000ff8+12) = 55
+*(0x70000ff8+13) = 55
+*(0x70000ff8+14) = 55
+*(0x70000ff8+15) = 55
+page fault: addr=0x70001000 err=0x7
+*(0x70000ff8+ 0) = aa
+*(0x70000ff8+ 1) = aa
+*(0x70000ff8+ 2) = aa
+*(0x70000ff8+ 3) = aa
+*(0x70000ff8+ 4) = aa
+*(0x70000ff8+ 5) = aa
+*(0x70000ff8+ 6) = aa
+*(0x70000ff8+ 7) = aa
+*(0x70000ff8+ 8) = 55
+*(0x70000ff8+ 9) = 55
+*(0x70000ff8+10) = 55
+*(0x70000ff8+11) = 55
+*(0x70000ff8+12) = 55
+*(0x70000ff8+13) = 55
+*(0x70000ff8+14) = 55
+*(0x70000ff8+15) = 55
+
+*(0x70000ff8+ 0) = aa
+*(0x70000ff8+ 1) = aa
+*(0x70000ff8+ 2) = aa
+*(0x70000ff8+ 3) = aa
+*(0x70000ff8+ 4) = aa
+*(0x70000ff8+ 5) = aa
+*(0x70000ff8+ 6) = aa
+*(0x70000ff8+ 7) = aa
+*(0x70000ff8+ 8) = 55
+*(0x70000ff8+ 9) = 55
+*(0x70000ff8+10) = 55
+*(0x70000ff8+11) = 55
+*(0x70000ff8+12) = 55
+*(0x70000ff8+13) = 55
+*(0x70000ff8+14) = 55
+*(0x70000ff8+15) = 55
+page fault: addr=0x70001000 err=0x6
+*(0x70000ff8+ 0) = 77
+*(0x70000ff8+ 1) = 66
+*(0x70000ff8+ 2) = 55
+*(0x70000ff8+ 3) = 44
+*(0x70000ff8+ 4) = 33
+*(0x70000ff8+ 5) = 22
+*(0x70000ff8+ 6) = 11
+*(0x70000ff8+ 7) = 0
+*(0x70000ff8+ 8) = 55
+*(0x70000ff8+ 9) = 55
+*(0x70000ff8+10) = 55
+*(0x70000ff8+11) = 55
+*(0x70000ff8+12) = 55
+*(0x70000ff8+13) = 55
+*(0x70000ff8+14) = 55
+*(0x70000ff8+15) = 55
+
+
+
+This is a part of a class of related problems for qemu linux-user, in that any non-atomic store is not validated before initiating a partial write.
+
+For instance, qemu-x86_64, built for arm32, would show this same partial store problem for any 64-bit write crossing a page boundary because we are forced by the limits of the host to split the store into two 32-bit pieces.
+
+While we could probably fix this specific case fairly easily, because it is implemented with an external helper in the first place, we would need some new infrastructure to handle the more general problem.  Exactly what form that should take would need some thought and discussion.
+
+The QEMU project is currently moving its bug tracking to another system.
+For this we need to know which bugs are still valid and which could be
+closed already. Thus we are setting the bug state to "Incomplete" now.
+
+If the bug has already been fixed in the latest upstream version of QEMU,
+then please close this ticket as "Fix released".
+
+If it is not fixed yet and you think that this bug report here is still
+valid, then you have two options:
+
+1) If you already have an account on gitlab.com, please open a new ticket
+for this problem in our new tracker here:
+
+    https://gitlab.com/qemu-project/qemu/-/issues
+
+and then close this ticket here on Launchpad (or let it expire auto-
+matically after 60 days). Please mention the URL of this bug ticket on
+Launchpad in the new ticket on GitLab.
+
+2) If you don't have an account on gitlab.com and don't intend to get
+one, but still would like to keep this ticket opened, then please switch
+the state back to "New" or "Confirmed" within the next 60 days (other-
+wise it will get closed as "Expired"). We will then eventually migrate
+the ticket automatically to the new system (but you won't be the reporter
+of the bug in the new system and thus you won't get notified on changes
+anymore).
+
+Thank you and sorry for the inconvenience.
+
+
+[Expired for QEMU because there has been no activity for 60 days.]
+
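Review bot: the score header at the top of this record does not match its content and should be checked before these results are relied on. The highest-scoring category is `vnc: 0.771` for a report about a TCG linux-user partial store (`movdqu` crossing a page boundary, with the first page written before the fault on the second is raised), which mentions nothing VNC-related, and all fourteen categories fall in the narrow band 0.578 to 0.771, so the header carries almost no discriminating signal; the file nonetheless lands under `results/classifier/108/other/`. One likely cause is visible in the body itself: roughly a third of it is Launchpad tracker-migration boilerplate (`The QEMU project is currently moving its bug tracking to another system ...` through `Thank you and sorry for the inconvenience.`) plus the `[Expired for QEMU ...]` status line, none of which describes the bug. Stripping that template text before scoring would leave the classifier the actual report: the reporter's description, the captured program output, and the follow-up analysis that linux-user does not validate non-atomic stores before issuing a partial write, so the same class of problem appears for any store the host forces to be split (the 64-bit-store-on-arm32 example). Note also that the reproducer the report refers to (`qemu-bug2.c`, "See the attached code") is not part of the stored record, so the output block cannot be regenerated from this file alone.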
diff --git a/results/classifier/108/other/1785902 b/results/classifier/108/other/1785902
new file mode 100644
index 000000000..ebbb02a08
--- /dev/null
+++ b/results/classifier/108/other/1785902
@@ -0,0 +1,56 @@
+device: 0.690
+files: 0.652
+permissions: 0.561
+socket: 0.544
+semantic: 0.421
+network: 0.402
+other: 0.396
+graphic: 0.377
+PID: 0.371
+performance: 0.267
+boot: 0.226
+debug: 0.204
+vnc: 0.195
+KVM: 0.076
+
+local/9pfs: Too many levels of symbolic links
+
+Version: 2.9.1
+
+The primary symptom is resolving symlink fails w/ error "too many levels of symbolic links".
+
+My analysis showed that local_readlink() uses local_open_nofollow() to open the file and then tries to read it. local_open_nofollow() then tries to open the file w/ O_NOFOLLOW, which obviously fails if the requested file is a symlink.
+
+Turned out that security_model=mapped can't cope with symlinks in the host file system.
+
+Instead, security_model=passthrough works as expected. OTOH, I'll have to check, whether this mode already provides a safe chroot, or guest can escape and damage the host system.
+
+The wiki page needs some more documentation on that:
+https://wiki.qemu.org/Documentation/9psetup
+
+The QEMU project is currently considering to move its bug tracking to
+another system. For this we need to know which bugs are still valid
+and which could be closed already. Thus we are setting older bugs to
+"Incomplete" now.
+
+If you still think this bug report here is valid, then please switch
+the state back to "New" within the next 60 days, otherwise this report
+will be marked as "Expired". Or please mark it as "Fix Released" if
+the problem has been solved with a newer version of QEMU already.
+
+Thank you and sorry for the inconvenience.
+
+
+Enrico, with security_model=mapped (a.k.a. security_model=mapped-xattr) 9p is not following symlinks on host. That's the expected behaviour.
+
+There are 2 distinct models:
+
+security_model=passthrough uses the ownership information, permissions and symlink info etc. directly from the host's file system. This model requires the qemu binary to run as high privileged user (i.e. root) though, because it needs to be able to change file ownership, permissions and so forth. For that reason this model is only appropriate for use cases where there is a certain trust to what the guest system is doing. E.g. this model is commonly used by kernel coders to build kernel/driver code on host and then test run it as guest.
+
+For untrusted guests (i.e. most cases) it is recommended to use security_model=mapped-xattr instead. In this mode all ownership information, permissions, etc. are emulated (i.e. mapped) by storing them as extended attributes on top of files on host. This way the qemu binary can run with a regular (unprivileged) user and pretend to host it would have all rights to change ownership and permissions.
+
+You can read more details about this in the 9p developer description about the 9p 'local' driver here:
+https://wiki.qemu.org/Documentation/9p#9p_Filesystem_Drivers
+
+[Expired for QEMU because there has been no activity for 60 days.]
+
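Review bot: the record's title and opening paragraph present the symptom as a defect, but the thread resolves it as expected behaviour, and nothing structured in the file captures that outcome. The only status signal is the trailing `[Expired for QEMU because there has been no activity for 60 days.]` line, which a classifier or a reader scanning the title would take as an unresolved symlink bug rather than a documented property of `security_model=mapped` (symlinks are deliberately not followed on the host, so `local_open_nofollow()` opening with `O_NOFOLLOW` and failing on a symlink is the intended behaviour). If the format allows, add a resolution field, or at least make sure the explanatory reply is not lost behind the `Expired` marker. That reply is also the security-relevant content of this record and answers the reporter's open question about host escape: `security_model=passthrough` takes ownership, permissions and symlink information directly from the host filesystem and needs QEMU to run with high privileges (root), so it is only appropriate where the guest is trusted; `security_model=mapped-xattr` emulates ownership and permissions as extended attributes so QEMU can run unprivileged, and is the recommended mode for untrusted guests. The thread does not claim passthrough confines an untrusted guest; it points such deployments to mapped-xattr and to https://wiki.qemu.org/Documentation/9p#9p_Filesystem_Drivers.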
diff --git a/results/classifier/108/other/1785972 b/results/classifier/108/other/1785972
new file mode 100644
index 000000000..b4b2b5d3b
--- /dev/null
+++ b/results/classifier/108/other/1785972
@@ -0,0 +1,92 @@
+debug: 0.733
+device: 0.731
+permissions: 0.724
+vnc: 0.719
+semantic: 0.702
+files: 0.698
+network: 0.695
+graphic: 0.694
+other: 0.690
+PID: 0.652
+socket: 0.635
+KVM: 0.634
+performance: 0.612
+boot: 0.545
+
+v3.0.0-rc4: VM fails to start after vcpuhotunplug, managedsave sequence
+
+VM fails to start after vcpu hot un-plug, managedsave sequence
+
+Host info:
+Kernel: 4.18.0-rc8-00002-g1236568ee3cb
+
+qemu: commit 6ad90805383e6d04b3ff49681b8519a48c9f4410 (HEAD -> master, tag: v3.0.0-rc4)
+QEMU emulator version 2.12.94 (v3.0.0-rc4-dirty)
+
+libvirt: commit 087de2f5a3dffb27d2eeb0c50a86d5d6984e5a5e (HEAD -> master)
+libvirtd (libvirt) 4.6.0
+
+Guest Kernel: 4.18.0-rc8-00002-g1236568ee3cb
+
+
+Steps to reproduce:
+1. Start a guest(VM) with 2 current , 4 max vcpus
+virsh start vm1
+Domain vm1 started
+
+2. Hotplug 2 vcpus
+virsh setvcpus vm1 4 --live
+
+3. Hot unplug 2 vcpus
+virsh setvcpus vm1 2 --live
+
+4. Managedsave the VM
+virsh managedsave vm1
+
+Domain vm1 state saved by libvirt
+
+5. Start the VM ---Fails to start
+virsh start vm1
+
+error: Failed to start domain avocado-vt-vm1
+error: internal error: qemu unexpectedly closed the monitor: 2018-08-08T06:27:53.853818Z qemu: Unknown savevm section or instance 'spapr_cpu' 2
+2018-08-08T06:27:53.854949Z qemu: load of migration failed: Invalid argument
+
+
+
+Testcase:
+avocado run libvirt_vcpu_plug_unplug.positive_test.vcpu_set.live.vm_operate.managedsave_with_unplug --vt-type libvirt --vt-extra-params emulator_path=/usr/share/avocado-plugins-vt/bin/qemu create_vm_libvirt=yes kill_vm_libvirt=yes env_cleanup=yes smp=8 backup_image_before_testing=no libvirt_controller=virtio-scsi scsi_hba=virtio-scsi-pci drive_format=scsi-hd use_os_variant=no restore_image_after_testing=no vga=none display=nographic kernel=/home/kvmci/linux/vmlinux kernel_args='root=/dev/sda2 rw console=tty0 console=ttyS0,115200 init=/sbin/init  initcall_debug' take_regular_screendumps=no --vt-guest-os JeOS.27.ppc64le
+JOB ID     : 1f869477ad87e7d7e7e7777f631ae08965f41a74
+JOB LOG    : /root/avocado/job-results/job-2018-08-08T02.42-1f86947/job.log
+ (1/1) type_specific.io-github-autotest-libvirt.libvirt_vcpu_plug_unplug.positive_test.vcpu_set.live.vm_operate.managedsave_with_unplug: ERROR (91.58 s)
+RESULTS    : PASS 0 | ERROR 1 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
+JOB TIME   : 95.89 s
+
+
+
+Bisect result:
+
+v3.0.0-rc0: vcpu hotplug crashes the domain - https://bugs.launchpad.net/qemu/+bug/1780928, this commit fixes that issue, b585395b655a6c1f9d9ebf1f0890e76d0708eed6 ppc/xics: fix ICP reset path
+
+
+v3.0.0-rc1- v3.0.0-rc4: hotplug crash bug fixed, but now we are hitting this one.
+
+Last good commit I could find, 2309832afdaf8d6451ebc2e81bace8eb8ea41293 where both vcpu hotplug and managed save sequence worked fine.
+
+The first commit that causes this issue is:
+
+b94020268e0b6659499e250d25346baaa9888fed (spapr_cpu_core: migrate per-CPU data)
+
+Simpler way to reproduce:
+1. Hotplug a CPU
+2. Hot unplug it
+3. Migrate the VM (will fail)
+
+This commit https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg01281.html from ~bharata-rao, fixes the issue.
+
+Applied to ppc-for-3.1.
+
+https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg01317.html
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=cc71c7760e263f808c4240a
+
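Review bot: the placement of this file under results/classifier/108/other/ is not explained by the score block at its top: the highest score is debug (0.733) while other is 0.690, and all fourteen labels fall in the narrow band 0.545 to 0.733, so either the directory records a ground-truth label rather than the argmax, or a threshold rule is applied somewhere else; document which in the results tree (a README beside these files or a per-file "label:" line), otherwise a reader cannot tell prediction from annotation. Two smaller data-quality points in the same hunk: the record concatenates the original report, the bisect follow-up ("The first commit that causes this issue is: b94020268e0b...") and the maintainer reply ("Applied to ppc-for-3.1.") with nothing marking comment boundaries, so authorship and ordering are lost for anything that reads these files; and the pasted virsh output names "avocado-vt-vm1" while the reproduction steps use "vm1", which is an inconsistency in the source bug report rather than a transcription error and should not be "corrected" when the corpus is cleaned.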