Several QOM objects crash on introspection

Several QOM objects crash on introspection

[Markus Armbruster]

QMP command qom-list-properties crashes for the following object types:

    colo-compare
    cryptodev-backend-lkcf
    memory-region-portio-list
    qemu-fixed-text-console
    qemu-graphic-console
    qio-net-listener
    x-remote-object

Testing gap: tests/qtest/device-introspect-test.c guards against such
bugs in devices, but not non-device objects.

Example crash:

(gdb) r
Starting program: /home/armbru/bin/qemu-system-x86_64 -S -display none -qmp stdio
[...]
{"QMP": {"version": {"qemu": {"micro": 94, "minor": 2, "major": 10}, "package": "v11.0.0-rc4-14-gcb2bd9a2e6-dirty"}, "capabilities": ["oob"]}}
[New Thread 0x7fff6b61d6c0 (LWP 2882851)]
{"execute": "qmp_capabilities", "arguments": {"enable": ["oob"]}}
{"return": {}}
{"execute": "qom-list-properties", "arguments": {"typename": "colo-compare"}}
upstream-qemu: ../util/qemu-thread-posix.c:96: qemu_mutex_destroy: Assertion `mutex->initialized' failed.

Thread 1 "upstream-qemu" received signal SIGABRT, Aborted.
0x00007ffff49c33cc in __pthread_kill_implementation () from /lib64/libc.so.6
[...]
(gdb) bt
#0  0x00007ffff49c33cc in __pthread_kill_implementation () at /lib64/libc.so.6
#1  0x00007ffff496915e in raise () at /lib64/libc.so.6
#2  0x00007ffff49506d0 in abort () at /lib64/libc.so.6
#3  0x00007ffff4950639 in __assert_fail_base.cold () at /lib64/libc.so.6
#4  0x0000555555ee3187 in qemu_mutex_destroy (mutex=0x55555761d4a0 <event_mtx>)
    at ../util/qemu-thread-posix.c:96
#5  0x0000555555a18c65 in colo_compare_finalize (obj=0x55555887e4f0)
    at ../net/colo-compare.c:1423
#6  0x0000555555c8bb31 in object_deinit
    (obj=0x55555887e4f0, type=0x555558053a90) at ../qom/object.c:715
#7  0x0000555555c8bbab in object_finalize (data=0x55555887e4f0)
    at ../qom/object.c:729
#8  0x0000555555c8ce2c in object_unref (objptr=0x55555887e4f0)
    at ../qom/object.c:1232
#9  0x0000555555de8d38 in qmp_qom_list_properties
    (typename=0x5555581ef450 "colo-compare", errp=0x7fffffffd8a8)
    at ../qom/qom-qmp-cmds.c:282
#10 0x0000555555e90311 in qmp_marshal_qom_list_properties
    (args=0x7fff64003150, ret=0x7fffeccccda8, errp=0x7fffeccccda0)
    at qapi/qapi-commands-qom.c:326
#11 0x0000555555ecdd9e in do_qmp_dispatch_bh (opaque=0x7fffecccce40)
    at ../qapi/qmp-dispatch.c:128
#12 0x0000555555eff09b in aio_bh_call (bh=0x555558bee700)
--Type <RET> for more, q to quit, c to continue without paging--
    at ../util/async.c:173
#13 0x0000555555eff1e3 in aio_bh_poll (ctx=0x55555807f180)
    at ../util/async.c:220
#14 0x0000555555ede0d0 in aio_dispatch (ctx=0x55555807f180)
    at ../util/aio-posix.c:390
#15 0x0000555555eff6f4 in aio_ctx_dispatch
    (source=0x55555807f180, callback=0x0, user_data=0x0) at ../util/async.c:365
#16 0x00007ffff6deb323 in g_main_context_dispatch_unlocked.lto_priv ()
    at /lib64/libglib-2.0.so.0
#17 0x00007ffff6deb5b5 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#18 0x0000555555f01202 in glib_pollfds_poll () at ../util/main-loop.c:290
#19 0x0000555555f01290 in os_host_main_loop_wait (timeout=0)
    at ../util/main-loop.c:313
#20 0x0000555555f013c1 in main_loop_wait (nonblocking=0)
    at ../util/main-loop.c:592
#21 0x0000555555993773 in qemu_main_loop () at ../system/runstate.c:945
#22 0x0000555555e0d468 in qemu_default_main (opaque=0x0) at ../system/main.c:50
#23 0x0000555555e0d522 in main (argc=6, argv=0x7fffffffdd58)
    at ../system/main.c:93

Re: Several QOM objects crash on introspection

[Marc-André Lureau]

Hi

On Wed, Apr 22, 2026 at 6:16 PM Markus Armbruster <armbru@redhat.com> wrote:
>
> QMP command qom-list-properties crashes for the following object types:
>
>     colo-compare
>     cryptodev-backend-lkcf
>     memory-region-portio-list
>     qemu-fixed-text-console
>     qemu-graphic-console
>     qio-net-listener
>     x-remote-object
>
> Testing gap: tests/qtest/device-introspect-test.c guards against such
> bugs in devices, but not non-device objects.

Good catch, are you going to send a test for it?

fwiw, I found also a critical in "filter-rewriter": (export
G_DEBUG=fatal_criticals)

qemu-system-x86_64: GLib: g_hash_table_destroy: assertion 'hash_table
!= NULL' failed

Thread 1 "qemu-system-x86" received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff66dd1f8 in g_logv () from /lib64/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff66dd1f8 in g_logv () at /lib64/libglib-2.0.so.0
#1  0x00007ffff66dd4c3 in g_log () at /lib64/libglib-2.0.so.0
#2  0x000055555604580b in colo_rewriter_cleanup (nf=0x7cbfeba71000) at
../net/filter-rewriter.c:376
#3  0x000055555601f9b3 in netfilter_finalize (obj=0x7cbfeba71000) at
../net/filter.c:312
#4  0x0000555556598c58 in object_deinit (obj=0x7cbfeba71000,
type=0x7d2feba2b7c0) at ../qom/object.c:715
#5  0x0000555556598c86 in object_deinit (obj=0x7cbfeba71000,
type=0x7d2feba2bb40) at ../qom/object.c:719
#6  0x0000555556598d13 in object_finalize (data=0x7cbfeba71000) at
../qom/object.c:729
#7  0x000055555659b1af in object_unref (objptr=0x7cbfeba71000) at
../qom/object.c:1232
#8  0x00005555568b751c in qmp_qom_list_properties
(typename=0x7c1febd88110 "filter-rewriter", errp=0x7bffea77b520) at
../qom/qom-qmp-cmds.c:282

>
> Example crash:
>
> (gdb) r
> Starting program: /home/armbru/bin/qemu-system-x86_64 -S -display none -qmp stdio
> [...]
> {"QMP": {"version": {"qemu": {"micro": 94, "minor": 2, "major": 10}, "package": "v11.0.0-rc4-14-gcb2bd9a2e6-dirty"}, "capabilities": ["oob"]}}
> [New Thread 0x7fff6b61d6c0 (LWP 2882851)]
> {"execute": "qmp_capabilities", "arguments": {"enable": ["oob"]}}
> {"return": {}}
> {"execute": "qom-list-properties", "arguments": {"typename": "colo-compare"}}
> upstream-qemu: ../util/qemu-thread-posix.c:96: qemu_mutex_destroy: Assertion `mutex->initialized' failed.
>
> Thread 1 "upstream-qemu" received signal SIGABRT, Aborted.
> 0x00007ffff49c33cc in __pthread_kill_implementation () from /lib64/libc.so.6
> [...]
> (gdb) bt
> #0  0x00007ffff49c33cc in __pthread_kill_implementation () at /lib64/libc.so.6
> #1  0x00007ffff496915e in raise () at /lib64/libc.so.6
> #2  0x00007ffff49506d0 in abort () at /lib64/libc.so.6
> #3  0x00007ffff4950639 in __assert_fail_base.cold () at /lib64/libc.so.6
> #4  0x0000555555ee3187 in qemu_mutex_destroy (mutex=0x55555761d4a0 <event_mtx>)
>     at ../util/qemu-thread-posix.c:96
> #5  0x0000555555a18c65 in colo_compare_finalize (obj=0x55555887e4f0)
>     at ../net/colo-compare.c:1423
> #6  0x0000555555c8bb31 in object_deinit
>     (obj=0x55555887e4f0, type=0x555558053a90) at ../qom/object.c:715
> #7  0x0000555555c8bbab in object_finalize (data=0x55555887e4f0)
>     at ../qom/object.c:729
> #8  0x0000555555c8ce2c in object_unref (objptr=0x55555887e4f0)
>     at ../qom/object.c:1232
> #9  0x0000555555de8d38 in qmp_qom_list_properties
>     (typename=0x5555581ef450 "colo-compare", errp=0x7fffffffd8a8)
>     at ../qom/qom-qmp-cmds.c:282
> #10 0x0000555555e90311 in qmp_marshal_qom_list_properties
>     (args=0x7fff64003150, ret=0x7fffeccccda8, errp=0x7fffeccccda0)
>     at qapi/qapi-commands-qom.c:326
> #11 0x0000555555ecdd9e in do_qmp_dispatch_bh (opaque=0x7fffecccce40)
>     at ../qapi/qmp-dispatch.c:128
> #12 0x0000555555eff09b in aio_bh_call (bh=0x555558bee700)
> --Type <RET> for more, q to quit, c to continue without paging--
>     at ../util/async.c:173
> #13 0x0000555555eff1e3 in aio_bh_poll (ctx=0x55555807f180)
>     at ../util/async.c:220
> #14 0x0000555555ede0d0 in aio_dispatch (ctx=0x55555807f180)
>     at ../util/aio-posix.c:390
> #15 0x0000555555eff6f4 in aio_ctx_dispatch
>     (source=0x55555807f180, callback=0x0, user_data=0x0) at ../util/async.c:365
> #16 0x00007ffff6deb323 in g_main_context_dispatch_unlocked.lto_priv ()
>     at /lib64/libglib-2.0.so.0
> #17 0x00007ffff6deb5b5 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
> #18 0x0000555555f01202 in glib_pollfds_poll () at ../util/main-loop.c:290
> #19 0x0000555555f01290 in os_host_main_loop_wait (timeout=0)
>     at ../util/main-loop.c:313
> #20 0x0000555555f013c1 in main_loop_wait (nonblocking=0)
>     at ../util/main-loop.c:592
> #21 0x0000555555993773 in qemu_main_loop () at ../system/runstate.c:945
> #22 0x0000555555e0d468 in qemu_default_main (opaque=0x0) at ../system/main.c:50
> #23 0x0000555555e0d522 in main (argc=6, argv=0x7fffffffdd58)
>     at ../system/main.c:93
>

Re: Several QOM objects crash on introspection

[Markus Armbruster]

Marc-André Lureau <marcandre.lureau@redhat.com> writes:

> Hi
>
> On Wed, Apr 22, 2026 at 6:16 PM Markus Armbruster <armbru@redhat.com> wrote:
>>
>> QMP command qom-list-properties crashes for the following object types:
>>
>>     colo-compare
>>     cryptodev-backend-lkcf
>>     memory-region-portio-list
>>     qemu-fixed-text-console
>>     qemu-graphic-console
>>     qio-net-listener
>>     x-remote-object
>>
>> Testing gap: tests/qtest/device-introspect-test.c guards against such
>> bugs in devices, but not non-device objects.
>
> Good catch, are you going to send a test for it?

I should; I wrote device-introspect-test.c.  I'll see what I can do.

> fwiw, I found also a critical in "filter-rewriter": (export
> G_DEBUG=fatal_criticals)

Reproduced.  Seems to be the only one.

Thanks!

[...]

Re: Several QOM objects crash on introspection

[Jagannathan Raman]

On 4/23/26 12:55 AM, Markus Armbruster wrote:
> Marc-André Lureau <marcandre.lureau@redhat.com> writes:
>
>> Hi
>>
>> On Wed, Apr 22, 2026 at 6:16 PM Markus Armbruster <armbru@redhat.com> wrote:
>>> QMP command qom-list-properties crashes for the following object types:
>>>
>>>      colo-compare
>>>      cryptodev-backend-lkcf
>>>      memory-region-portio-list
>>>      qemu-fixed-text-console
>>>      qemu-graphic-console
>>>      qio-net-listener
>>>      x-remote-object
>>>
>>> Testing gap: tests/qtest/device-introspect-test.c guards against such
>>> bugs in devices, but not non-device objects.
>> Good catch, are you going to send a test for it?
> I should; I wrote device-introspect-test.c.  I'll see what I can do.
>
>> fwiw, I found also a critical in "filter-rewriter": (export
>> G_DEBUG=fatal_criticals)
> Reproduced.  Seems to be the only one.
>
> Thanks!
>
> [...]
>
Thanks for reporting the issue, Markus!

I was able to reproduce the it for "x-remote-object". Could you please 
confirm if you're working on a fix or if you'd like me to take a look?

Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555f6f2b0 in device_listener_unregister 
(listener=0x5555589893d0) at ../hw/core/qdev.c:208
208         QTAILQ_REMOVE(&device_listeners, listener, link);
Missing separate debuginfos, use: dnf debuginfo-install 
boost-iostreams-1.75.0-10.el9.x86_64 boost-thread-1.75.0-10.el9.x86_64 
bzip2-libs-1.0.8-10.el9_5.x86_64 cryptsetup-libs-2.7.2-3.el9_6.1.x86_64 
cyrus-sasl-lib-2.1.27-21.el9.x86_64 
device-mapper-libs-1.02.202-6.el9.x86_64 
elfutils-libelf-0.192-6.el9_6.x86_64 4
(gdb) bt
#0  0x0000555555f6f2b0 in device_listener_unregister 
(listener=0x5555589893d0) at ../hw/core/qdev.c:208
#1  0x000055555595a7f1 in remote_object_finalize (obj=0x555558989370) at 
../hw/remote/remote-obj.c:157
#2  0x0000555555f7582e in object_deinit (obj=0x555558989370, 
type=0x5555577eb700) at ../qom/object.c:715
#3  0x0000555555f758a8 in object_finalize (data=0x555558989370) at 
../qom/object.c:729
#4  0x0000555555f76b43 in object_unref (objptr=0x555558989370) at 
../qom/object.c:1232
#5  0x00005555560c9287 in qmp_qom_list_properties 
(typename=0x5555580e0430 "x-remote-object", errp=0x7fffffffd668) at 
../qom/qom-qmp-cmds.c:282
#6  0x000055555615edae in qmp_marshal_qom_list_properties 
(args=0x7fffe0006250, ret=0x7fffebb75da8, errp=0x7fffebb75da0) at 
qapi/qapi-commands-qom.c:326
#7  0x000055555619a81d in do_qmp_dispatch_bh (opaque=0x7fffebb75e40) at 
../qapi/qmp-dispatch.c:128
#8  0x00005555561cb1cc in aio_bh_call (bh=0x555558609210) at 
../util/async.c:173
#9  0x00005555561cb31a in aio_bh_poll (ctx=0x55555784eaa0) at 
../util/async.c:220
#10 0x00005555561a86ce in aio_dispatch (ctx=0x55555784eaa0) at 
../util/aio-posix.c:390
#11 0x00005555561cb82e in aio_ctx_dispatch (source=0x55555784eaa0, 
callback=0x0, user_data=0x0) at ../util/async.c:365
#12 0x00007ffff787cf4f in g_main_context_dispatch () at 
/lib64/libglib-2.0.so.0
#13 0x00005555561cd334 in glib_pollfds_poll () at ../util/main-loop.c:290
#14 0x00005555561cd3c2 in os_host_main_loop_wait (timeout=0) at 
../util/main-loop.c:313
#15 0x00005555561cd4f1 in main_loop_wait (nonblocking=0) at 
../util/main-loop.c:592
#16 0x0000555555cec0f1 in qemu_main_loop () at ../system/runstate.c:948
#17 0x00005555560df5bd in qemu_default_main (opaque=0x0) at 
../system/main.c:50
#18 0x00005555560df677 in main (argc=15, argv=0x7fffffffdad8) at 
../system/main.c:93

(gdb) p device_listeners
$3 = {tqh_first = 0x0, tqh_circ = {tql_next = 0x0, tql_prev = 0x0}}

(gdb) p *listener
$4 = {realize = 0x0, unrealize = 0x0, hide_device = 0x0, link = 
{tqe_next = 0x0, tqe_circ = {tql_next = 0x0, tql_prev = 0x0}}}

Thank you,

Jag

Re: Several QOM objects crash on introspection

[Markus Armbruster]

Jagannathan Raman <jag.raman@oracle.com> writes:

> Thanks for reporting the issue, Markus!
>
> I was able to reproduce the it for "x-remote-object". Could you please confirm if you're working on a fix or if you'd like me to take a look?

Yes, please, have a look :)

Re: Several QOM objects crash on introspection

[Peter Xu]

On Wed, Apr 22, 2026 at 04:16:01PM +0200, Markus Armbruster wrote:
> QMP command qom-list-properties crashes for the following object types:
> 
>     colo-compare [*]
>     cryptodev-backend-lkcf
>     memory-region-portio-list [*]
>     qemu-fixed-text-console
>     qemu-graphic-console
>     qio-net-listener [*]
>     x-remote-object

I sent three fixes over marked ones [*] above:

https://lore.kernel.org/r/20260423183212.468047-1-peterx@redhat.com

Thanks,

-- 
Peter Xu