From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:35135)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <dgilbert@redhat.com>) id 1cCrtP-0002Nd-Lb
	for qemu-devel@nongnu.org; Fri, 02 Dec 2016 12:45:04 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <dgilbert@redhat.com>) id 1cCrtN-0004BT-4d
	for qemu-devel@nongnu.org; Fri, 02 Dec 2016 12:45:03 -0500
Received: from mx1.redhat.com ([209.132.183.28]:40694)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <dgilbert@redhat.com>) id 1cCrtM-0004BA-VZ
	for qemu-devel@nongnu.org; Fri, 02 Dec 2016 12:45:01 -0500
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
	(int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 1A2238FCE5
	for <qemu-devel@nongnu.org>; Fri,  2 Dec 2016 17:44:59 +0000 (UTC)
Date: Fri, 2 Dec 2016 17:44:55 +0000
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Message-ID: <20161202174015.GE15373@work-vm>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: [Qemu-devel] Postcopy+spice crash
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: kraxel@redhat.com
Cc: qemu-devel@nongnu.org

Hi Gerd,
  I've got a moderately repeatable crash with spice playing
a video + postcopy.  Some of the time I just get a warning
(that I also get in precopy) but sometimes it turns into
a backtrace;

This is:
  f24 guest playing youtube fullscreen.
  migration between 2.7.0<->current head (had crash both ways)

The warning I get with precopy most of the time is:
  ./x86_64-softmmu/qemu-system-x86_64:26921): Spice-Warning **: red_memslots.c:94:validate_virt: virtual address out of range
    virt=0x7f5397ed002a+0x2925ff31 slot_id=1 group_id=1
    slot=0x7f5397c00000-0x7f539bbfe000 delta=0x7f5397c00000

The crash I've had with postcopy is:
red_dispatcher_loadvm_commands:
id 0, group 0, virt start 0, virt end ffffffffffffffff, generation 0, delta 0
id 1, group 1, virt start 7fbe83c00000, virt end 7fbe87bfe000, generation 0, delta 7fbe83c00000
id 2, group 1, virt start 7fbe7fa00000, virt end 7fbe83a00000, generation 0, delta 7fbe7fa00000
(./x86_64-softmmu/qemu-system-x86_64:22376): Spice-CRITICAL **: red_memslots.c:123:get_virt: slot_id 128 too big, addr=8000000000000000

#0  0x00007fc0aa42f49d in read () from /lib64/libpthread.so.0
#1  0x00007fc0a8c36c01 in spice_backtrace_gstack () from /lib64/libspice-server.so.1
#2  0x00007fc0a8c3e4f7 in spice_logv () from /lib64/libspice-server.so.1
#3  0x00007fc0a8c3e655 in spice_log () from /lib64/libspice-server.so.1
#4  0x00007fc0a8bfc6de in get_virt () from /lib64/libspice-server.so.1
#5  0x00007fc0a8bfcb73 in red_get_data_chunks_ptr () from /lib64/libspice-server.so.1
#6  0x00007fc0a8bff3fa in red_get_cursor_cmd () from /lib64/libspice-server.so.1
#7  0x00007fc0a8c0fd79 in handle_dev_loadvm_commands () from /lib64/libspice-server.so.1
#8  0x00007fc0a8bf9523 in dispatcher_handle_recv_read () from /lib64/libspice-server.so.1
#9  0x00007fc0a8c1d5a5 in red_worker_main () from /lib64/libspice-server.so.1
#10 0x00007fc0aa428dc5 in start_thread () from /lib64/libpthread.so.0
#11 0x00007fc0a61786ed in clone () from /lib64/libc.so.6

and:

red_dispatcher_loadvm_commands:
id 0, group 0, virt start 0, virt end ffffffffffffffff, generation 0, delta 0
id 1, group 1, virt start 7f3b93800000, virt end 7f3b977fe000, generation 0, delta 7f3b93800000
id 2, group 1, virt start 7f3b8f400000, virt end 7f3b93400000, generation 0, delta 7f3b8f400000
(/opt/qemu/v2.7.0/bin/qemu-system-x86_64:41053): Spice-CRITICAL **: red_memslots.c:123:get_virt: slot_id 80 too big, addr=5000000000000000

I'm using:
spice-server-devel-0.12.4-19.el7.x86_64

Dave

--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK