1 files changed, 80 insertions, 0 deletions

diff --git a/results/classifier/118/graphic/839 b/results/classifier/118/graphic/839
new file mode 100644
index 000000000..89ef7e9b9
--- /dev/null
+++ b/results/classifier/118/graphic/839
@@ -0,0 +1,80 @@
+graphic: 0.808
+performance: 0.770
+risc-v: 0.768
+arm: 0.767
+network: 0.746
+device: 0.738
+virtual: 0.731
+peripherals: 0.724
+semantic: 0.724
+KVM: 0.721
+hypervisor: 0.712
+register: 0.709
+debug: 0.706
+permissions: 0.704
+TCG: 0.693
+socket: 0.688
+VMM: 0.677
+architecture: 0.675
+files: 0.667
+PID: 0.665
+ppc: 0.651
+assembly: 0.642
+user-level: 0.636
+kernel: 0.625
+vnc: 0.615
+boot: 0.601
+x86: 0.599
+i386: 0.492
+mistranslation: 0.333
+
+qxl in COLO secondary node cause QEMU to segmentation fault
+Description of problem:
+After COLO checkpoint, the Secondary VM's qemu received segmentation fault while releasing qxl resources in interface_release_resource() routine.     
+i have used gdb and qemu trace to debug Secondary VM's qemu. the object 'qxl->last_release' is null and object 'ring->items[prod].el' != 0, it leads to null pointer dereference.     
+During COLO checkpoint,the Secondary VM's qemu has loaded Primary VM's qxl states,so i think it not need to release qxl resources.
+Steps to reproduce:
+1.Startup Primary VM and Secondary VM of COLO mode, and gdb to Secondary VM's qemu.     
+2.Connect to Primary VM's spice server.         
+3.Secondary VM's qemu will receiveing segmentation fault.
+Additional information:
+gdb to Secondary VM's qemu:     
+   ``` 
+Program received signal SIGSEGV, Segmentation fault.      
+[Switching to Thread 0x7ff9e3bff700 (LWP 44703)]     
+0x0000555555b2e8d6 in interface_release_resource (sin=0x555557d7c8a8, ext=...) at ../hw/display/qxl.c:783     
+783	        qxl->last_release->next = ext.info->id;    
+(gdb) bt   
+#0  0x0000555555b2e8d6 in interface_release_resource (sin=0x555557d7c8a8, ext=...) at ../hw/display/qxl.c:783    
+#1  0x00007fffd7751dd1 in red_drawable_unref () at /lib64/libspice-server.so.1    
+#2  0x00007fffd771eabe in drawable_unref () at /lib64/libspice-server.so.1    
+#3  0x00007fffd77206a7 in draw_until () at /lib64/libspice-server.so.1   
+#4  0x00007fffd771f7cd in display_channel_draw () at /lib64/libspice-server.so.1   
+#5  0x00007fffd7721b51 in display_channel_process_draw () at /lib64/libspice-server.so.1   
+#6  0x00007fffd7752142 in red_process_display () at /lib64/libspice-server.so.1
+#7  0x00007fffd77521fb in worker_source_dispatch () at /lib64/libspice-server.so.1
+#8  0x00007fffd6c2f049 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
+#9  0x00007fffd6c2f3a8 in g_main_context_iterate.isra.19 () at /lib64/libglib-2.0.so.0
+#10 0x00007fffd6c2f67a in g_main_loop_run () at /lib64/libglib-2.0.so.0
+#11 0x00007fffd775166a in red_worker_main () at /lib64/libspice-server.so.1
+#12 0x00007fffd5658dd5 in start_thread () at /lib64/libpthread.so.0
+#13 0x00007fffd538202d in clone () at /lib64/libc.so.6
+(gdb) frame 0
+#0  0x0000555555b2e8d6 in interface_release_resource (sin=0x555557d7c8a8, ext=...) at ../hw/display/qxl.c:783
+783	        qxl->last_release->next = ext.info->id;
+(gdb) print qxl->last_release
+$1 = (QXLReleaseInfo *) 0x0
+   ```
+
+qemu trace log:
+   ```
+44840@1643012769.363844:colo_send_message Send 'checkpoint-reply' message
+44840@1643012773.579053:colo_receive_message Receive 'vmstate-send' message
+44840@1643012773.978838:colo_receive_message Receive 'vmstate-size' message
+44840@1643012773.979041:colo_send_message Send 'vmstate-received' message
+44840@1643012774.180598:qxl_pre_load 0
+44703@1643012774.180660:qxl_ring_res_put 0 #res=20
+44840@1643012774.182627:qxl_post_load 0 native
+44840@1643012774.197993:colo_vm_state_change Change 'stop' => 'run'
+44840@1643012774.198030:colo_send_message Send 'vmstate-loaded' message
+   ```