From mboxrd@z Thu Jan 1 00:00:00 1970
From: Chris Webb
Subject: Another VNC crash, qemu-kvm-0.12.3
Date: Mon, 1 Mar 2010 18:14:17 +0000
Message-ID: <20100301181416.GB15908@arachsys.com>
References: <20100221172358.GH4894@arachsys.com> <4B82462A.7050903@redhat.com> <4B82F8ED.6000303@codemonkey.ws>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
To: qemu-devel@nongnu.org, kvm@vger.kernel.org
Return-path:
Received: from alpha.arachsys.com ([91.203.57.7]:51722 "EHLO alpha.arachsys.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750998Ab0CASOT (ORCPT ); Mon, 1 Mar 2010 13:14:19 -0500
Content-Disposition: inline
In-Reply-To: <4B82F8ED.6000303@codemonkey.ws>
Sender: kvm-owner@vger.kernel.org
List-ID:

We've just seen another VNC-related qemu-kvm crash, this time an arithmetic exception at vnc.c:1424 in the newly released qemu-kvm 0.12.3.

[...]
1423     if (vs->absolute) {
1424         kbd_mouse_event(x * 0x7FFF / (ds_get_width(vs->ds) - 1),
1425                         y * 0x7FFF / (ds_get_height(vs->ds) - 1),
1426                         dz, buttons);
1427     } else if (vnc_has_feature(vs, VNC_FEATURE_POINTER_TYPE_CHANGE)) {
1428         x -= 0x7FFF;
[...]

and sure enough:

(gdb) p vs->ds->surface->width
$1 = 9
(gdb) p vs->ds->surface->height
$2 = 1

What a 9x1 display surface is doing on this guest is a mystery to me, but you definitely can't divide by one less than its height!
(gdb) p *vs
$3 = {csock = 19, ds = 0x1c60fa0, dirty = {{4294967295, 4294967295, 4294967295, 4294967295,
      4294967295} }, vd = 0x26a0110, need_update = 1, force_update = 0, features = 67,
  absolute = 1, last_x = -1, last_y = -1, vnc_encoding = 5, tight_quality = 9 '\t', tight_compression = 9 '\t',
  major = 3, minor = 8, challenge = "¹{\177\226\200kÕjéPñÄA¤o)", output = {capacity = 925115, offset = 0,
    buffer = 0x28ba4b0 ""}, input = {capacity = 5120, offset = 6, buffer = 0x28b90a0 "\005"},
  write_pixels = 0x4bb9e0 , send_hextile_tile = 0x4bcdf0 ,
  clientds = {flags = 0 '\0', width = 800, height = 600, linesize = 3200, data = 0x7fcd00ab6010 "", pf = {
      bits_per_pixel = 32 ' ', bytes_per_pixel = 4 '\004', depth = 24 '\030', rmask = 0, gmask = 0, bmask = 0,
      amask = 0, rshift = 16 '\020', gshift = 8 '\b', bshift = 0 '\0', ashift = 24 '\030', rmax = 255 'ÿ',
      gmax = 255 'ÿ', bmax = 255 'ÿ', amax = 255 'ÿ', rbits = 8 '\b', gbits = 8 '\b', bbits = 8 '\b',
      abits = 8 '\b'}}, audio_cap = 0x0, as = {freq = 44100, nchannels = 2, fmt = AUD_FMT_S16, endianness = 0},
  read_handler = 0x4beac0 , read_handler_expect = 6, modifiers_state = '\0' ,
  zlib = {capacity = 0, offset = 0, buffer = 0x0}, zlib_tmp = {capacity = 0, offset = 0, buffer = 0x0},
  zlib_stream = {{next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0,
      state = 0x0, zalloc = 0, zfree = 0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0,
      avail_in = 0, total_in = 0, next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0,
      zfree = 0, opaque = 0x0, data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0,
      next_out = 0x0, avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0, zfree = 0, opaque = 0x0,
      data_type = 0, adler = 0, reserved = 0}, {next_in = 0x0, avail_in = 0, total_in = 0, next_out = 0x0,
      avail_out = 0, total_out = 0, msg = 0x0, state = 0x0, zalloc = 0, zfree = 0, opaque = 0x0, data_type = 0,
      adler = 0, reserved = 0}}, next = 0x0}
(gdb) p *vs->ds
$4 = {surface = 0x1c81f40, opaque = 0x26a0110, gui_timer = 0x0, allocator = 0x8199d0, listeners = 0x1c95fa0,
  mouse_set = 0, cursor_define = 0, next = 0x0}
(gdb) p *vs->ds->surface
$5 = {flags = 2 '\002', width = 9, height = 1, linesize = 36, data = 0x7fcd00ab6010 "", pf = {
    bits_per_pixel = 32 ' ', bytes_per_pixel = 4 '\004', depth = 24 '\030', rmask = 16711680, gmask = 65280,
    bmask = 255, amask = 0, rshift = 16 '\020', gshift = 8 '\b', bshift = 0 '\0', ashift = 24 '\030', rmax = 255 'ÿ',
    gmax = 255 'ÿ', bmax = 255 'ÿ', amax = 255 'ÿ', rbits = 8 '\b', gbits = 8 '\b', bbits = 8 '\b', abits = 8 '\b'}}

Cheers,

Chris.
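The report above boils down to the scaling expression at vnc.c:1424: a client pixel coordinate in [0, dim-1] is mapped onto the 0..0x7FFF absolute-pointer range by `coord * 0x7FFF / (dim - 1)`, so a surface whose width or height is exactly 1 makes the divisor zero and SIGFPE kills the whole VM from a single remote pointer event. The following is an added, stand-alone illustration written for this page; it is neither Chris's code nor the fix QEMU eventually shipped. It reproduces the original arithmetic in `vnc_scale_orig` next to a guarded `vnc_scale_safe` that refuses degenerate dimensions and additionally clamps the client-supplied coordinate to the surface (the clamp is extra hardening assumed here, not something the report asks for). `vnc_pointer_scale` is a hypothetical wrapper standing in for the call at lines 1424-1426.

```c
#include <stdio.h>

/* Absolute-pointer scaling exactly as in the qemu-kvm 0.12.3 excerpt:
 * maps a client pixel coordinate in [0, dim-1] onto [0, 0x7FFF].
 * With dim == 1 (the 9x1 surface in the report) this divides by zero. */
static int vnc_scale_orig(int coord, int dim)
{
    return coord * 0x7FFF / (dim - 1);
}

/* Hardened variant (added here; not QEMU's own fix). A 0- or 1-pixel
 * axis has no range to scale over, so report the origin instead of
 * dividing by zero. The coordinate comes from the network, so it is
 * also clamped to the surface before the multiply; the 64-bit
 * intermediate keeps coord * 0x7FFF from overflowing int. */
static int vnc_scale_safe(int coord, int dim)
{
    if (dim <= 1) {
        return 0;
    }
    if (coord < 0) {
        coord = 0;
    }
    if (coord > dim - 1) {
        coord = dim - 1;
    }
    return (int)((long long)coord * 0x7FFF / (dim - 1));
}

/* Hypothetical replacement for the kbd_mouse_event() arguments at
 * vnc.c:1424-1426. Returns 0 and fills *out_x/*out_y on success, or -1
 * when the surface is degenerate, in which case the caller should drop
 * the pointer event rather than forward it. */
static int vnc_pointer_scale(int x, int y, int width, int height,
                             int *out_x, int *out_y)
{
    if (width <= 1 || height <= 1) {
        return -1;
    }
    *out_x = vnc_scale_safe(x, width);
    *out_y = vnc_scale_safe(y, height);
    return 0;
}

int main(void)
{
    int sx, sy;

    /* The 800x600 client surface from the gdb dump: scales normally. */
    if (vnc_pointer_scale(400, 300, 800, 600, &sx, &sy) == 0) {
        printf("800x600: (400,300) -> (%d,%d)\n", sx, sy);
    }

    /* The 9x1 surface from the crash: vnc_scale_orig(y, 1) would SIGFPE
     * here, so only the guarded path is exercised. */
    if (vnc_pointer_scale(4, 0, 9, 1, &sx, &sy) < 0) {
        printf("9x1: degenerate surface, pointer event dropped\n");
    }
    printf("9x1 width axis alone, orig: %d  safe: %d\n",
           vnc_scale_orig(4, 9), vnc_scale_safe(4, 9));
    return 0;
}
```

Whether a degenerate surface should yield the origin or cause the event to be dropped is a policy choice; what matters for robustness is that a value the guest controls (the surface size) and a value the VNC client controls (the pointer coordinate) never reach the division unchecked.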