[Spice-devel] qxl - spice crash, memslot_get_virt: address generation is not valid
Vladimir Sementsov-Ogievskiy
vsementsov at virtuozzo.com
Fri Nov 8 13:17:36 UTC 2019
Hi all!
Hope someone could help me with the following.
It seems we've hit the Qemu bug https://bugzilla.redhat.com/show_bug.cgi?id=1540919 . It was
(AFAIU) worked around in spice, in https://bugzilla.redhat.com/show_bug.cgi?id=1567944 ,
which is marked as fixed in spice-0.14.0-4.
Still, our crash is on spice-server-0.14.0-7, which is a higher version.
Qemu is based on rhev-2.12.0-33, and I don't see any related fixes upstream.
The discussion in 1567944 has fixes attached by Christophe and Frediano, but I can't find
anything in the Qemu mailing list archives. What is the problem with the patch?
===
backtrace
#0 0x00007fd1785f8337 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1 0x00007fd1785f9a28 in __GI_abort () at abort.c:90
#2 0x00007fd179e3ecfc in spice_logv (log_domain=0x7fd179eafbf1 "Spice", args=0x7fd12561e460, format=0x7fd179eb6d30 "address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n",
function=0x7fd179eb6f30 <__FUNCTION__.16041> "memslot_get_virt", strloc=0x7fd179eb6e26 "memslot.c:122", log_level=G_LOG_LEVEL_CRITICAL) at log.c:183
#3 spice_log (log_level=log_level@entry=G_LOG_LEVEL_CRITICAL, strloc=strloc@entry=0x7fd179eb6e26 "memslot.c:122", function=function@entry=0x7fd179eb6f30 <__FUNCTION__.16041> "memslot_get_virt",
format=format@entry=0x7fd179eb6d30 "address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n") at log.c:196
#4 0x00007fd179e0579f in memslot_get_virt (info=info@entry=0x556f209c44f0, addr=addr@entry=844424930131968, add_size=add_size@entry=20, group_id=group_id@entry=1, error=error@entry=0x7fd12561e5d4)
at memslot.c:121
#5 0x00007fd179e0e007 in red_get_data_chunks_ptr (slots=slots@entry=0x556f209c44f0, group_id=group_id@entry=1, memslot_id=0, red=red@entry=0x7fd12561e630, qxl=0x7fd128e04016) at red-parse-qxl.c:146
#6 0x00007fd179e106ae in red_get_cursor (addr=72057594044235776, red=0x556f209d8d48, group_id=1, slots=0x556f209c44f0) at red-parse-qxl.c:1441
#7 red_get_cursor_cmd (slots=slots@entry=0x556f209c44f0, group_id=1, red=red@entry=0x556f209d8d20, addr=<optimized out>) at red-parse-qxl.c:1482
#8 0x00007fd179e2138f in red_process_cursor_cmd (worker=worker@entry=0x556f209c4460, ext=ext@entry=0x556f22f58000) at red-worker.c:111
#9 0x00007fd179e2152b in loadvm_command (ext=0x556f22f58000, worker=0x556f209c4460) at red-worker.c:980
#10 handle_dev_loadvm_commands (opaque=0x556f209c4460, payload=<optimized out>) at red-worker.c:1002
#11 0x00007fd179ded65d in dispatcher_handle_single_read (dispatcher=0x556f21b6b8d0) at dispatcher.c:284
#12 dispatcher_handle_recv_read (dispatcher=0x556f21b6b8d0) at dispatcher.c:304
#13 0x00007fd179df3e6b in watch_func (source=<optimized out>, condition=<optimized out>, data=0x556f208dc090) at event-loop.c:128
#14 0x00007fd190742049 in g_main_dispatch (context=0x556f2095efd0) at gmain.c:3175
#15 g_main_context_dispatch (context=context@entry=0x556f2095efd0) at gmain.c:3828
#16 0x00007fd1907423a8 in g_main_context_iterate (context=0x556f2095efd0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3901
#17 0x00007fd19074267a in g_main_loop_run (loop=0x556f22aeea00) at gmain.c:4097
#18 0x00007fd179e225da in red_worker_main (arg=0x556f209c4460) at red-worker.c:1372
#19 0x00007fd178997e65 in start_thread (arg=0x7fd125621700) at pthread_create.c:307
#20 0x00007fd1786c088d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) fr 2
#2 0x00007fd179e3ecfc in spice_logv (log_domain=0x7fd179eafbf1 "Spice", args=0x7fd12561e460, format=0x7fd179eb6d30 "address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n",
function=0x7fd179eb6f30 <__FUNCTION__.16041> "memslot_get_virt", strloc=0x7fd179eb6e26 "memslot.c:122", log_level=G_LOG_LEVEL_CRITICAL) at log.c:183
183 abort();
(gdb) list
178 g_log(log_domain, log_level, "%s", log_msg->str);
179 g_string_free(log_msg, TRUE);
180
181 if ((abort_mask & log_level) != 0) {
182 spice_backtrace();
183 abort();
184 }
185 }
186
187 void spice_log(GLogLevelFlags log_level,
(gdb) fr 4
#4 0x00007fd179e0579f in memslot_get_virt (info=info@entry=0x556f209c44f0, addr=addr@entry=844424930131968, add_size=add_size@entry=20, group_id=group_id@entry=1, error=error@entry=0x7fd12561e5d4)
at memslot.c:121
121 spice_critical("address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n",
(gdb) list
116 slot = &info->mem_slots[group_id][slot_id];
117
118 generation = memslot_get_generation(info, addr);
119 if (generation != slot->generation) {
120 print_memslots(info);
121 spice_critical("address generation is not valid, group_id %d, slot_id %d, gen %d, slot_gen %d\n",
122 group_id, slot_id, generation, slot->generation);
123 *error = 1;
124 return 0;
125 }
(gdb) p group_id
$1 = 1
(gdb) p slot_id
$2 = 0
(gdb) p generation
$3 = 3
(gdb) p slot->generation
$4 = 0
--
Best regards,
Vladimir