From: Brad Hards <bradh@frogmouth.net>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] qemu_malloc failing
Date: Sun, 10 Apr 2011 12:08:54 +1000
Message-ID: <201104101208.55243.bradh@frogmouth.net>

Hi,

I'm trying to investigate a bug (crash) that I see when attaching a USB device
(a UVC webcam) from the host to the guest.

I'm running it as:
sudo gdb --args /opt/bin/qemu -hda ubuntu-test -name kubuntu-qemu -usb -device usb-tablet -m 1024 -serial stdio -usbdevice host:0c45:6450

(I've tried running with -m 512 too, not discernibly different).

Host and guest are the same - kubuntu 10.10. The device works fine on the host.

The guest runs for a while, and has no ill-effects (that I've seen) until I try
to use the webcam. If I open the device (using cheese or luvcview), I see some
traffic, then qemu segfaults:


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5a4e66c in malloc_consolidate (av=0x7ffff5d55e40) at malloc.c:5161
5161    malloc.c: No such file or directory.
        in malloc.c
(gdb) bt
#0  0x00007ffff5a4e66c in malloc_consolidate (av=0x7ffff5d55e40) at malloc.c:5161
#1  0x00007ffff5a51e82 in _int_malloc (av=0x7ffff5d55e40, bytes=2128) at malloc.c:4373
#2  0x00007ffff5a5338e in __libc_malloc (bytes=2128) at malloc.c:3660
#3  0x000000000042b3d6 in qemu_malloc (size=2128) at qemu-malloc.c:49
#4  0x000000000056100f in uhci_async_alloc (s=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:167
#5  0x00000000005620d4 in uhci_handle_td (s=0x15dcc10, addr=684474656, td=0x7fffffffdf80, int_mask=0x7fffffffdfac) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:808
#6  0x0000000000562665 in uhci_process_frame (s=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:1007
#7  0x00000000005628a8 in uhci_frame_timer (opaque=0x15dcc10) at /home/bradh/qemu-codingstyle.git/hw/usb-uhci.c:1092
#8  0x00000000004da94c in qemu_run_timers (clock=0x1171ff0) at qemu-timer.c:505
#9  0x00000000004dac0c in qemu_run_all_timers () at qemu-timer.c:616
#10 0x00000000005484c2 in main_loop_wait (nonblocking=1) at /home/bradh/qemu-codingstyle.git/vl.c:1324
#11 0x0000000000548549 in main_loop () at /home/bradh/qemu-codingstyle.git/vl.c:1365
#12 0x000000000054c725 in main (argc=14, argv=0x7fffffffe648, envp=0x7fffffffe6c0) at /home/bradh/qemu-codingstyle.git/vl.c:3195

Line 167 in hw/usb-uhci.c is in static UHCIAsync *uhci_async_alloc(UHCIState *s).
It looks like:
	UHCIAsync *async = qemu_malloc(sizeof(UHCIAsync));

UHCIState is fairly large, so the size looks possible:
typedef struct UHCIState {
    PCIDevice dev;
    USBBus bus;
    uint16_t cmd; /* cmd register */
    uint16_t status;
    uint16_t intr; /* interrupt enable register */
    uint16_t frnum; /* frame number */
    uint32_t fl_base_addr; /* frame list base address */
    uint8_t sof_timing;
    uint8_t status2; /* bit 0 and 1 are used to generate UHCI_STS_USBINT */
    int64_t expire_time;
    QEMUTimer *frame_timer;
    UHCIPort ports[NB_PORTS];

    /* Interrupts that should be raised at the end of the current frame.  */
    uint32_t pending_int_mask;

    /* Active packets */
    UHCIAsync *async_pending;
    UHCIAsync *async_pool;
    uint8_t num_ports_vmstate;
} UHCIState;

Line 49 in qemu-malloc.c is in void *qemu_malloc(size_t size).
It looks like:
	ptr = qemu_oom_check(malloc(size ? size : 1));

So I guess malloc is failing. However, I don't see how or why. The host is a laptop
machine with 6G RAM, and it appears to remain quite responsive.

Any suggestions on how to proceed with debugging this?

Brad
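
Added example, not code from the post above or from QEMU: a crash inside glibc's malloc_consolidate or _int_malloc is the usual signature of heap metadata that was overwritten earlier by some other block's writer, so the frame that calls qemu_malloc is rarely the culprit. One way to localise such damage is to bracket every allocation with canary words and verify them before the block is returned to free(), which reports the overrun at the block that suffered it instead of at the next allocation that trips over it. The wrapper names (guarded_malloc, guarded_check, guarded_free), the canary patterns and the three demo scenarios are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed canary patterns (hypothetical values; any fixed pattern works). */
#define CANARY_HEAD 0xC0DEFEEDC0DEFEEDULL
#define CANARY_TAIL 0xDEADBEEFDEADBEEFULL

enum guard_status { GUARD_OK = 0, GUARD_HEAD_CORRUPT = 1,
                    GUARD_TAIL_CORRUPT = 2, GUARD_ALLOC_FAILED = 3 };

/* Header in front of every user block; `head` is last so the bytes just
 * before the user pointer are the canary. */
struct guard_header {
    size_t size;    /* user-visible size; locates the tail canary */
    uint64_t head;  /* canary checked before the block reaches free() */
};

/* Allocate `size` user bytes bracketed by a head and a tail canary. */
void *guarded_malloc(size_t size)
{
    struct guard_header *h = malloc(sizeof *h + size + sizeof(uint64_t));
    if (h == NULL)
        return NULL;
    h->size = size;
    h->head = CANARY_HEAD;
    uint8_t *user = (uint8_t *)(h + 1);
    uint64_t tail = CANARY_TAIL;
    memcpy(user + size, &tail, sizeof tail); /* tail may be unaligned */
    return user;
}

/* Check both canaries without freeing; says which side was overwritten. */
enum guard_status guarded_check(const void *p)
{
    const struct guard_header *h = (const struct guard_header *)p - 1;
    if (h->head != CANARY_HEAD)
        return GUARD_HEAD_CORRUPT; /* size may be damaged too, stop here */
    uint64_t tail;
    memcpy(&tail, (const uint8_t *)p + h->size, sizeof tail);
    return tail == CANARY_TAIL ? GUARD_OK : GUARD_TAIL_CORRUPT;
}

/* Free only intact blocks: handing a corrupted block to free() gives glibc
 * damaged metadata, which is how a crash ends up inside malloc_consolidate. */
enum guard_status guarded_free(void *p)
{
    if (p == NULL)
        return GUARD_OK;
    enum guard_status st = guarded_check(p);
    if (st == GUARD_OK)
        free((struct guard_header *)p - 1);
    else
        fprintf(stderr, "guarded_free: block %p corrupted (status %d), kept\n",
                p, (int)st);
    return st;
}

/* Constructed scenario: a writer that stays inside its buffer. */
enum guard_status demo_in_bounds(void)
{
    uint8_t *buf = guarded_malloc(64);
    if (buf == NULL)
        return GUARD_ALLOC_FAILED;
    memset(buf, 0x41, 64);
    return guarded_free(buf);
}

/* Constructed scenario: a copy of `extra` bytes more than allocated, the
 * classic cause of a later crash inside malloc. Capped at the canary width
 * so the demo never writes memory this program does not own. */
enum guard_status demo_overrun(size_t extra)
{
    if (extra > sizeof(uint64_t))
        extra = sizeof(uint64_t);
    uint8_t *buf = guarded_malloc(64);
    if (buf == NULL)
        return GUARD_ALLOC_FAILED;
    memset(buf, 0x41, 64 + extra); /* spills into the tail canary */
    return guarded_free(buf);       /* detected block is deliberately kept */
}

/* Constructed scenario: one byte written before the buffer (head canary). */
enum guard_status demo_underrun(void)
{
    uint8_t *buf = guarded_malloc(64);
    if (buf == NULL)
        return GUARD_ALLOC_FAILED;
    buf[-1] = 0x00; /* lands in our own header, so the write itself is defined */
    return guarded_free(buf);
}

int main(void)
{
    printf("in bounds %d, overrun %d, underrun %d\n", (int)demo_in_bounds(),
           (int)demo_overrun(1), (int)demo_underrun());
    return 0;
}
```

The same idea, applied to every allocation and with far better coverage, is what glibc's MALLOC_CHECK_ environment variable, valgrind's memcheck and AddressSanitizer provide; running the emulator under one of those is the quickest way to turn "malloc crashed" into "this write, in this function, went past this buffer".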

Thread overview: 3+ messages
2011-04-10  2:08 Brad Hards [this message]
2011-04-10  4:45 ` [Qemu-devel] qemu_malloc failing Mulyadi Santosa
2011-04-10  6:41 ` Stefan Hajnoczi
