
Re: [Qemu-devel] qemu-2.8-rc4 is broken


From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] qemu-2.8-rc4 is broken
Date: Tue, 20 Dec 2016 14:02:02 +0000

On Tue, Dec 20, 2016 at 11:10 AM, Pavel Dovgalyuk <address@hidden> wrote:
>> From: Stefan Hajnoczi [mailto:address@hidden
>> On Tue, Dec 20, 2016 at 10:45:44AM +0300, Pavel Dovgalyuk wrote:
>> > It also fails much earlier when I enable logs with "-d int -D log".
>> >
>> > Here is the backtrace for this failure:
>> >
>> > #0  0x0000000076e79e52 in ntdll!EtwpCreateEtwThread ()
>> >    from /c/Windows/SYSTEM32/ntdll.dll
>> > #1  0x0000000076e56965 in ntdll!EtwEventSetInformation ()
>> >    from /c/Windows/SYSTEM32/ntdll.dll
>> > #2  0x0000000076e942d9 in ntdll!RtlLogStackBackTrace ()
>> >    from /c/Windows/SYSTEM32/ntdll.dll
>> > #3  0x0000000076e3797c in ntdll!TpAlpcRegisterCompletionList ()
>> >    from /c/Windows/SYSTEM32/ntdll.dll
>> > #4  0x000007fefdc810c8 in msvcrt!free () from /c/Windows/system32/msvcrt.dll
>>
>> Looks like a heap corruption bug since free() is failing.
>
> Seems to be a race condition.
> When I add logs into invalidate_page_bitmap, the bug disappears.
> It seems that someone tries to free the same page bitmap twice and 
> simultaneously.

Does the following workaround prevent the crashes?

-global apic-common.vapic=off

> Here is the stack trace for two threads at the moment when qemu fails:
> Failed thread:
> #0  0x0000000076e79e52 in ntdll!EtwpCreateEtwThread ()
>    from /c/Windows/SYSTEM32/ntdll.dll
> #1  0x0000000076e56965 in ntdll!EtwEventSetInformation ()
>    from /c/Windows/SYSTEM32/ntdll.dll
> #2  0x0000000076e942d9 in ntdll!RtlLogStackBackTrace ()
>    from /c/Windows/SYSTEM32/ntdll.dll
> #3  0x0000000076e3797c in ntdll!TpAlpcRegisterCompletionList ()
>    from /c/Windows/SYSTEM32/ntdll.dll
> #4  0x000007fefdc810c8 in msvcrt!free () from /c/Windows/system32/msvcrt.dll
> #5  0x000000000040c57d in invalidate_page_bitmap (p=<optimized out>,
>     p=<optimized out>) at D:/Projects/QEMU/qemu/translate-all.c:881
> #6  tb_invalidate_phys_page_range (start=826113, address@hidden,
>     address@hidden)
>     at D:/Projects/QEMU/qemu/translate-all.c:1527
> #7  0x000000000040c5ed in tb_invalidate_phys_range_1 (end=826116,
>     start=<optimized out>) at D:/Projects/QEMU/qemu/translate-all.c:1414
> #8  tb_invalidate_phys_range (address@hidden, address@hidden)
>     at D:/Projects/QEMU/qemu/translate-all.c:1424
> #9  0x0000000000402e5f in invalidate_and_set_dirty (address@hidden,
>     addr=<optimized out>, length=<optimized out>)
>     at D:/Projects/QEMU/qemu/exec.c:2511
> #10 0x0000000000406af7 in cpu_physical_memory_write_rom_internal (
>     type=WRITE_DATA, len=3, buf=0x22f411 "", addr=826113,
>     as=0xab4280 <address_space_memory>) at D:/Projects/QEMU/qemu/exec.c:2795
> <and more>
>
> Another thread:
> #0  0x00000000007411b0 in g_free ()
> #1  0x000000000040b6b4 in invalidate_page_bitmap (p=0x1143f738, p=0x1143f738)
>     at D:/Projects/QEMU/qemu/translate-all.c:881
> #2  page_flush_tb_1 (address@hidden, lp=0x5715058)
>     at D:/Projects/QEMU/qemu/translate-all.c:900
> #3  0x000000000040b6ee in page_flush_tb_1 (level=1, lp=0xac8ac0 <l1_map>)
>     at D:/Projects/QEMU/qemu/translate-all.c:906
> #4  0x000000000040b7b3 in page_flush_tb ()
>     at D:/Projects/QEMU/qemu/translate-all.c:916
> #5  do_tb_flush (cpu=<optimized out>, tb_flush_count=...)
>     at D:/Projects/QEMU/qemu/translate-all.c:954
> #6  0x0000000000519ac1 in process_queued_cpu_work (cpu=0x5632fd0)
>     at cpus-common.c:338
> #7  0x0000000000439761 in qemu_wait_io_event_common (cpu=0x5632fd0)
>     at D:/Projects/QEMU/qemu/cpus.c:942
> #8  qemu_tcg_wait_io_event (cpu=<optimized out>)
>     at D:/Projects/QEMU/qemu/cpus.c:957
> #9  qemu_tcg_cpu_thread_fn (address@hidden)
>     at D:/Projects/QEMU/qemu/cpus.c:1216
> #10 0x000000000072c285 in win32_start_routine (arg=0x565ba40)
>     at util/qemu-thread-win32.c:406
> #11 0x000007fefdc8415f in srand () from /c/Windows/system32/msvcrt.dll
> #12 0x000007fefdc86ebd in msvcrt!_ftime64_s ()
> <and more>
>
>>
>> QEMU 2.8.0 is scheduled for release today.  I have checked that
>> qemu-system-i386.exe works but without playing an MP3 file in Windows
>> XP.
>>
>> I plan to go ahead with the release unless information becomes available
>> that suggests it affects more than just this one scenario.
>
>> >
>> > I encountered the following bug with the latest version of QEMU.
>> >
>> > I use a Windows host and start qemu with the following command line:
>> >
>> > qemu-system-i386.exe -soundhw ac97 -snapshot -hda disk.qcow2 -net none
>> >
>> > Guest system is Windows XP 32-bit. It finds new hardware (including audio
>> > controller) and I start playing an mp3 file.
>> >
>> > After seconds of playing, qemu fails with an exception.
>> >
>> > I tried to bisect between 2.7 and 2.8, but the bug is not stable.
>> >
>> > It manifested itself at commits "68701de1362b29fd6941a2021e9393ddbe60edd8"
>> > and "6a928d25b6d8bc3729c3d28326c6db13b9481059".
>
>
> Pavel Dovgalyuk
>

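The two backtraces above show the same page bitmap being released from two threads at once: one path reaches invalidate_page_bitmap through tb_invalidate_phys_page_range during a ROM write, the other through do_tb_flush on the TCG CPU thread. The example below is added here and is not QEMU code; it models that double-free race on a deliberately reduced, hypothetical PageDesc with a single code_bitmap field, using a constructed bitmap size and a release counter so the racy variant can be observed without actually aborting in free(). The racy variant is the check-then-free pattern; the hardened variant claims the pointer with one atomic exchange so exactly one thread owns the free. QEMU's actual fix for this report is not on this page; a mutex around the check-and-free (as QEMU uses locks elsewhere) is an equally valid repair.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BITMAP_BYTES 512   /* constructed size; stands in for a real page bitmap */
#define MAX_THREADS  16

/* Hypothetical, heavily reduced page descriptor: only the bitmap pointer. */
typedef struct {
    _Atomic(uint8_t *) code_bitmap;
} PageDesc;

/* Number of release attempts observed; a correct run releases once per page. */
static atomic_int release_count;

/* Racy pattern: check-then-free on a shared pointer. Two threads can both
 * load a non-NULL pointer before either one stores NULL, so both "free" it.
 * The demo records the release instead of calling free(), because a real
 * double free aborts the process (which is what msvcrt!free did above). */
static void invalidate_page_bitmap_racy(PageDesc *p)
{
    uint8_t *bm = atomic_load_explicit(&p->code_bitmap, memory_order_relaxed);
    if (bm) {
        atomic_fetch_add(&release_count, 1);          /* would be g_free(bm) */
        atomic_store_explicit(&p->code_bitmap, NULL, memory_order_relaxed);
    }
}

/* Hardened pattern: claim the pointer with a single atomic exchange. Exactly
 * one caller receives the old non-NULL value and owns the free; every other
 * caller sees NULL and returns without touching the allocation. */
static void invalidate_page_bitmap_safe(PageDesc *p)
{
    uint8_t *bm = atomic_exchange(&p->code_bitmap, NULL);
    if (bm) {
        atomic_fetch_add(&release_count, 1);
        free(bm);
    }
}

typedef struct {
    PageDesc *page;
    void (*invalidate)(PageDesc *);
    atomic_int *go;
} Worker;

static void *worker(void *arg)
{
    Worker *w = arg;
    while (!atomic_load(w->go)) { }   /* spin so all threads start together */
    w->invalidate(w->page);
    return NULL;
}

/* Allocates `rounds` bitmaps, has `nthreads` threads invalidate each one
 * concurrently, and returns the total number of release attempts seen. */
static int run(int nthreads, int rounds, void (*invalidate)(PageDesc *))
{
    if (nthreads > MAX_THREADS) nthreads = MAX_THREADS;
    atomic_store(&release_count, 0);
    for (int r = 0; r < rounds; r++) {
        PageDesc page;
        uint8_t *bm = calloc(BITMAP_BYTES, 1);
        atomic_init(&page.code_bitmap, bm);
        atomic_int go = 0;
        pthread_t tid[MAX_THREADS];
        Worker w[MAX_THREADS];
        for (int i = 0; i < nthreads; i++) {
            w[i] = (Worker){ &page, invalidate, &go };
            pthread_create(&tid[i], NULL, worker, &w[i]);
        }
        atomic_store(&go, 1);
        for (int i = 0; i < nthreads; i++) pthread_join(tid[i], NULL);
        /* The racy variant only counts, so release its block once here. */
        if (invalidate == invalidate_page_bitmap_racy) free(bm);
    }
    return atomic_load(&release_count);
}

int main(void)
{
    printf("racy: %d releases for 200 pages\n", run(4, 200, invalidate_page_bitmap_racy));
    printf("safe: %d releases for 200 pages\n", run(4, 200, invalidate_page_bitmap_safe));
    return 0;
}
```

Run it a few times: the racy count drifts above 200 whenever two threads overlap inside the check-then-free window, while the exchange-based variant returns exactly 200 every time, which is the invariant a double-free detector (or a heap-hardened allocator) would otherwise be catching at crash time.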

