1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
qemu 2.12.0 crash during install windows 10 with vga
Same issue as https://www.qubes-os.org/doc/windows-vm/ , it's not easy to reproduced.
cpu_physical_memory_snapshot_get_dirty: Assertion `start + length <= snap->end’ failed
Qemu version is 2.12.0.
(gdb) bt
#0 0x00007f504ed6fc37 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f504ed73028 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f504ed68bf6 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f504ed68ca2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00005585bbdc9641 in cpu_physical_memory_snapshot_get_dirty (snap=snap@entry=0x5585bfdc2ff0, start=<optimized out>, length=<optimized out>)
at /qemu-2.12/exec.c:1264
#5 0x00005585bbe2b4de in memory_region_snapshot_get_dirty (mr=mr@entry=0x5585c06e3d10, snap=snap@entry=0x5585bfdc2ff0, addr=<optimized out>,
size=<optimized out>) at /qemu-2.12/memory.c:1997
#6 0x00005585bbe552a4 in vga_draw_graphic (full_update=0, s=0x5585c06e3d00) at /qemu-2.12/hw/display/vga.c:1671
#7 vga_update_display (opaque=0x5585c06e3d00) at /qemu-2.12/hw/display/vga.c:1767
#8 0x00005585bc0d9a8f in qemu_spice_display_refresh (ssd=0x5585c06e3930) at /qemu-2.12/ui/spice-display.c:478
#9 0x00005585bc0ced72 in dpy_refresh (s=0x5585c081b2a0) at /qemu-2.12/ui/console.c:1629
#10 gui_update (opaque=0x5585c081b2a0) at /qemu-2.12/ui/console.c:203
#11 0x00005585bc1d333c in timerlist_run_timers (timer_list=0x5585bee1f950) at /qemu-2.12/util/qemu-timer.c:536
#12 0x00005585bc1d35a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
#13 qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
#14 0x00005585bc1d3aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
#15 0x00005585bbdc2f8a in main_loop () at /qemu-2.12/vl.c:1973
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804
(gdb) frame 5
(gdb) p/x *snap
$1 = {start = 0x1000c0000, end = 0x1000c0000, dirty = 0x5585bfdc3000}
Here the snap->start is identical to snap->end , I think something is wrong.
In function vga_draw_graphic, the snap is allocated from region_start/region_end.
snap = memory_region_snapshot_and_clear_dirty(&s->vram, region_start,
region_end - region_start,
DIRTY_MEMORY_VGA);
Is that possible for region_start== region_end ?
Commandline:
/usr/bin/kvm -name guest=win10-2,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/run/lib/libvirt/qemu/domain-51-win10-2/master-key.aes -machine pc-i440fx-2.12,accel=kvm,usb=off,system=windows,dump-guest-core=off -cpu qemu64,hv_time,hv_relaxed,hv_spinlocks=0x2000 -m size=4194304k,slots=10,maxmem=34359738368k -realtime mlock=off -smp 2,maxcpus=24,sockets=24,cores=1,threads=1 -numa node,nodeid=0,cpus=0-23,mem=4096 -uuid cb871760-e684-4926-8f0b-270f7ff35539 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/run/lib/libvirt/qemu/domain-51-win10-2/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -chardev socket,id=charmonitor_cas,path=/run/lib/libvirt/qemu/domain-51-win10-2/monitor.sock.cas,server,nowait -mon chardev=charmonitor_cas,id=monitor_cas,mode=control -rtc base=localtime,clock=vm,driftfix=slew -no-hpet -no-shutdown -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device usb-ehci,id=usb1,bus=pci.0,addr=0x4 -device nec-usb-xhci,id=usb2,bus=pci.0,addr=0x5 -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x6 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x7 -device usb-hub,id=hub0,bus=usb.0,port=1 -drive file=/vms/images/win10-2,format=qcow2,if=none,id=drive-virtio-disk0,cache=directsync,aio=native -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x8,pci_hotpluggable=on,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/vms/isos/virtio-win10.vfd,format=raw,if=none,id=drive-fdc0-0-0,readonly=on,cache=directsync,aio=native -global isa-fdc.driveA=drive-fdc0-0-0 -global isa-fdc.bootindexA=4 -drive file=/vms/nfs/windows_msdn_iso/cn_windows_10_multi-edition_version_1709_updated_sept_2017_x64_dvd_100090804.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on -device ide-cd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=2 -netdev tap,fd=62,id=hostnet0,vhost=on,vhostfd=63 -device virtio-net-pci,pci_hotpluggable=on,netdev=hostnet0,id=net0,mac=0c:da:41:1d:11:5b,bus=pci.0,addr=0x3,bootindex=3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/win10-2.agent,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=org.qemu.guest_agent.0 -device usb-tablet,id=input0,bus=usb.0,port=2 -vnc 0.0.0.0:0 -spice port=5901,tls-port=5902,addr=0.0.0.0,disable-ticketing,x509-dir=/etc/pki/libvirt-spice,seamless-migration=on -device qxl-vga,id=video0,ram_size=67108864,vram_size=16777216,vram64_size_mb=0,vgamem_mb=16,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x9 -msg timestamp=on
I have tried many times to reproduce the issue.
1. Add a breakpoint
(gdb) b memory_region_snapshot_and_clear_dirty if size==0
Breakpoint 1 at 0x55ef37b7d450: file /qemu-2.12/memory.c, line 1986.
2. Occasionally the breakpoint hited, size is 0
(gdb) c
Continuing.
Thread 1 "kvm" hit Breakpoint 1, memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x55ef3aff1b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
at /qemu-2.12/memory.c:1986
(gdb) bt
#0 memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x55ef3aff1b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
at /qemu-2.12/memory.c:1986
#1 0x000055ef37ba6d0f in vga_draw_graphic (full_update=0, s=0x55ef3aff1b30) at /qemu-2.12/hw/display/vga.c:1642
#2 vga_update_display (opaque=0x55ef3aff1b30) at /qemu-2.12/hw/display/vga.c:1767
#3 0x000055ef37e2ba8f in qemu_spice_display_refresh (ssd=0x55ef3aff1760) at /qemu-2.12/ui/spice-display.c:478
#4 0x000055ef37e20d72 in dpy_refresh (s=0x55ef3b1290b0) at /qemu-2.12/ui/console.c:1629
#5 gui_update (opaque=0x55ef3b1290b0) at /qemu-2.12/ui/console.c:203
#6 0x000055ef37f2533c in timerlist_run_timers (timer_list=0x55ef396fbc60) at /qemu-2.12/util/qemu-timer.c:536
#7 0x000055ef37f255a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
#8 qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
#9 0x000055ef37f25aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
#10 0x000055ef37b14f8a in main_loop () at /qemu-2.12/vl.c:1973
#11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804
3. Why the size is 0 ? Why region_start is identical to region_end ?
region_end = region_start + (ram_addr_t)s->line_offset * height;
region_end += width * s->get_bpp(s) / 8; /* scanline length */
region_end -= s->line_offset;
(gdb) p s->line_offset
$4 = 0
(gdb) p width
$5 = 1024
(gdb) p/x s->vbe_regs
$10 = {0xb0c0, 0x400, 0x300, 0x20, 0x0, 0x0, 0x400, 0x1000, 0x0, 0x0}
Because s->vbe_regs[VBE_DISPI_INDEX_ENABLE] is 0, vbe_enabled is false, so vga_get_bpp return 0, and region_end += 0
4. Why s->vbe_regs[VBE_DISPI_INDEX_ENABLE] is 0 ?
1. Add breakpoint at vga.c:790 s->vbe_regs[VBE_DISPI_INDEX_ENABLE] = val;
(gdb) b vga.c:790
Breakpoint 2 at 0x56100ad10521: file /qemu-2.12/hw/display/vga.c, line 790.
(gdb) c
Continuing.
2. When breakpoint is hited , val is 0
Thread 5 "CPU 1/KVM" hit Breakpoint 2, vbe_ioport_write_data (opaque=0x56100e6e7b30, addr=<optimized out>, val=0) at /qemu-2.12/hw/display/vga.c:790
(gdb) bt
#0 vbe_ioport_write_data (opaque=0x56100e6e7b30, addr=<optimized out>, val=0) at /qemu-2.12/hw/display/vga.c:790
#1 0x000056100ace521b in memory_region_write_accessor (mr=0x56100e74e590, addr=1, value=<optimized out>, size=2, shift=<optimized out>, mask=<optimized out>, attrs=...)
at /qemu-2.12/memory.c:530
#2 0x000056100ace266e in access_with_adjusted_size (addr=addr@entry=1, value=value@entry=0x7fb2aeffc9a8, size=size@entry=2, access_size_min=<optimized out>, access_size_max=<optimized out>,
access_fn=0x56100ace51a0 <memory_region_write_accessor>, mr=0x56100e74e590, attrs=...) at /qemu-2.12/memory.c:597
#3 0x000056100ace72ca in memory_region_dispatch_write (mr=mr@entry=0x56100e74e590, addr=1, data=<optimized out>, size=size@entry=2, attrs=attrs@entry=...)
at /qemu-2.12/memory.c:1487
#4 0x000056100ac85807 in flatview_write_continue (mr=0x56100e74e590, l=<optimized out>, addr1=<optimized out>, len=2, buf=0x7fb2bf3e2000 "", attrs=..., addr=463, fv=0x7fb2a458fea0)
at /qemu-2.12/exec.c:3166
#5 flatview_write (fv=0x7fb2a458fea0, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /qemu-2.12/exec.c:3216
#6 0x000056100ac8a2af in address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>)
at /qemu-2.12/exec.c:3332
#7 0x000056100ac8a345 in address_space_rw (as=<optimized out>, addr=addr@entry=463, attrs=..., attrs@entry=..., buf=buf@entry=0x7fb2bf3e2000 "", len=len@entry=2, is_write=is_write@entry=true)
at /qemu-2.12/exec.c:3343
#8 0x000056100acf66f2 in kvm_handle_io (count=1, size=2, direction=<optimized out>, data=<optimized out>, attrs=..., port=463)
at /qemu-2.12/accel/kvm/kvm-all.c:1730
#9 kvm_cpu_exec (cpu=cpu@entry=0x56100cecc810) at /qemu-2.12/accel/kvm/kvm-all.c:1970
#10 0x000056100acd0ab6 in qemu_kvm_cpu_thread_fn (arg=0x56100cecc810) at /qemu-2.12/cpus.c:1229
#11 0x00007fb2bc1dc184 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#12 0x00007fb2bbf09bed in clone () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) c
Continuing.
3. size is 0, region_start is identical to region_end
Thread 1 "kvm" hit Breakpoint 1, memory_region_snapshot_and_clear_dirty (mr=mr@entry=0x56100e6e7b40, addr=addr@entry=0, size=size@entry=0, client=client@entry=0)
at /qemu-2.12/memory.c:1986
(gdb) c
Continuing.
4. Abort
Thread 1 "kvm" received signal SIGABRT, Aborted.
0x00007fb2bbe42c37 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007fb2bbe42c37 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007fb2bbe46028 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007fb2bbe3bbf6 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007fb2bbe3bca2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x000056100ac86641 in cpu_physical_memory_snapshot_get_dirty (snap=snap@entry=0x56100d6b0de0, start=<optimized out>, length=<optimized out>)
at /qemu-2.12/exec.c:1264
#5 0x000056100ace84de in memory_region_snapshot_get_dirty (mr=mr@entry=0x56100e6e7b40, snap=snap@entry=0x56100d6b0de0, addr=<optimized out>, size=<optimized out>)
at /qemu-2.12/memory.c:1997
#6 0x000056100ad122a4 in vga_draw_graphic (full_update=0, s=0x56100e6e7b30) at /qemu-2.12/hw/display/vga.c:1671
#7 vga_update_display (opaque=0x56100e6e7b30) at /qemu-2.12/hw/display/vga.c:1767
#8 0x000056100af96a8f in qemu_spice_display_refresh (ssd=0x56100e6e7760) at /qemu-2.12/ui/spice-display.c:478
#9 0x000056100af8bd72 in dpy_refresh (s=0x56100e81f0b0) at /qemu-2.12/ui/console.c:1629
#10 gui_update (opaque=0x56100e81f0b0) at /qemu-2.12/ui/console.c:203
#11 0x000056100b09033c in timerlist_run_timers (timer_list=0x56100cdf1c60) at /qemu-2.12/util/qemu-timer.c:536
#12 0x000056100b0905a3 in qemu_clock_run_timers (type=QEMU_CLOCK_REALTIME) at /qemu-2.12/util/qemu-timer.c:547
#13 qemu_clock_run_all_timers () at /qemu-2.12/util/qemu-timer.c:674
#14 0x000056100b090aa4 in main_loop_wait (nonblocking=<optimized out>) at /qemu-2.12/util/main-loop.c:528
#15 0x000056100ac7ff8a in main_loop () at /qemu-2.12/vl.c:1973
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /qemu-2.12/vl.c:4804
5. When guest vga driver set the s->vbe_regs[VBE_DISPI_INDEX_ENABLE] to 0, then if the vga_draw_graphic be called , the qemu crash.
This commit has fixed it.
https://git.qemu.org/?p=qemu.git;a=commit;h=a89fe6c3297
|