From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39150)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <fred.konrad@greensocs.com>) id 1WUadA-0001Fk-8t
	for qemu-devel@nongnu.org; Mon, 31 Mar 2014 07:44:05 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <fred.konrad@greensocs.com>) id 1WUad1-0001vK-63
	for qemu-devel@nongnu.org; Mon, 31 Mar 2014 07:43:56 -0400
Received: from [2001:41d0:8:2b42::1] (port=45458 helo=greensocs.com)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <fred.konrad@greensocs.com>) id 1WUad0-0001uw-SP
	for qemu-devel@nongnu.org; Mon, 31 Mar 2014 07:43:47 -0400
Message-ID: <533954EC.1040400@greensocs.com>
Date: Mon, 31 Mar 2014 13:43:40 +0200
From: Frederic Konrad <fred.konrad@greensocs.com>
MIME-Version: 1.0
References: <5335892E.8080402@greensocs.com>
	<1396265434.3108.11.camel@nilsson.home.kraxel.org>
In-Reply-To: <1396265434.3108.11.camel@nilsson.home.kraxel.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] Bug with mpc8544ds machine.
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: qemu-devel <qemu-devel@nongnu.org>

On 31/03/2014 13:30, Gerd Hoffmann wrote:
> On Fr, 2014-03-28 at 15:37 +0100, Frederic Konrad wrote:
>> Hi everybody,
>>
>> I didn't see anything on the list about that.
>> I get this bug in the current git.
>>
>> I configured qemu with the following command line:
>>
>> ./configure --target-list=ppc-softmmu
>>
>> I ran QEMU with the following command line:
>>
>> ./ppc-softmmu/qemu-system-ppc --M mpc8544ds
> ... then hit any key.  Crashes on first keypress for me, and given the
> stacktrace I think it is the same for you.
Hi,

On my side I don't need to push any key.
>> (gdb) bt
>> #0  0x00007fecf8e2a578 in qemu_input_transform_abs_rotate
>> (evt=<optimized out>) at ui/input.c:79
>> #1  qemu_input_event_send (src=src@entry=0x0,
>> evt=evt@entry=0x7fecfaac3130) at ui/input.c:141
>> #2  0x00007fecf8e2a71a in qemu_input_event_send_key (src=0x0,
>> key=<optimized out>, down=<optimized out>) at ui/input.c:185
>> #3  0x00007fecf8e2a7c2 in qemu_input_event_send_key_number
>> (src=<optimized out>, num=<optimized out>, down=<optimized out>) at
>> ui/input.c:195
> The key press event is created, then sent, and qemu crashes in a code
> path which isn't executed in the first place for keyboard events.
>
> Trying to reproduce locally crashes in a slightly different place, but
> it is a simliar pattern here:
>
> (gdb) bt
> #0  0x00005555557ba7b8 in fprintf (__fmt=<optimized out>,
> __stream=<optimized out>)
>      at /usr/include/bits/stdio2.h:97
> #1  trace_input_event_key_qcode (down=<optimized out>, qcode=<optimized
> out>,
>      conidx=<optimized out>) at ./trace/generated-tracers.h:5664
> #2  qemu_input_event_trace (evt=0x5555564012c0, src=0x0)
>      at /home/kraxel/projects/qemu/ui/input.c:104
> #3  qemu_input_event_send (src=src@entry=0x0,
> evt=evt@entry=0x5555564012c0)
>      at /home/kraxel/projects/qemu/ui/input.c:137
> #4  0x00005555557baab2 in qemu_input_event_send_key (src=0x0,
> key=<optimized out>,
>      down=<optimized out>) at /home/kraxel/projects/qemu/ui/input.c:185
> [ ... ]
>
> (gdb) up
> #1  trace_input_event_key_qcode (down=<optimized out>, qcode=<optimized
> out>,
>      conidx=<optimized out>) at ./trace/generated-tracers.h:5664
> 5664            fprintf(stderr, "input_event_key_qcode " "con %d, key
> qcode %s, down %d" "\n" , conidx, qcode, down);
> (gdb) up
> #2  qemu_input_event_trace (evt=0x5555564012c0, src=0x0)
>      at /home/kraxel/projects/qemu/ui/input.c:104
> 104                 trace_input_event_key_qcode(idx, name,
> evt->key->down);
> (gdb) print *evt
> $1 = {kind = INPUT_EVENT_KIND_KEY, {data = 0x5555564012e0, key =
> 0x5555564012e0,
>      btn = 0x5555564012e0, rel = 0x5555564012e0, abs = 0x5555564012e0}}
> (gdb) print *evt->key->key
> $2 = {kind = KEY_VALUE_KIND_NUMBER, {data = 0x20, number = 32, qcode =
> Q_KEY_CODE_I}}
>
> So, again, qemu crashing in a code path (trace_input_event_key_qcode)
> which it should not have been executed in the first place (we have
> KEY_VALUE_KIND_NUMBER not KEY_VALUE_KIND_QCODE).
>
> Hmm.  Puzzling.  Anyone has an idea what is going on here?
>
> cheers,
>    Gerd
>
>
>
I had a different behaviour with --enable-debug configure flags:

Program received signal SIGSEGV, Segmentation fault.
0x0000555555808193 in qemu_input_event_send (src=0x0, 
evt=0x5555566202f0) at ui/input.c:146
146        s->handler->event(s->dev, src, evt);
2: evt->kind = INPUT_EVENT_KIND_BTN
1: s = (QemuInputHandlerState *) 0x0

Seems qemu_input_find_handler returned NULL for me.

Adding this fixes the issue:

diff --git a/ui/input.c b/ui/input.c
index 2761911..d7670e9 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -143,8 +143,11 @@ void qemu_input_event_send(QemuConsole *src, 
InputEvent *evt)

      /* send event */
      s = qemu_input_find_handler(1 << evt->kind);
-    s->handler->event(s->dev, src, evt);
-    s->events++;
+
+    if (s != NULL) {
+        s->handler->event(s->dev, src, evt);
+        s->events++;
+    }
  }

  void qemu_input_event_sync(void)

Thanks,
Fred