From: Brian Candler
Date: Fri, 11 Nov 2016 16:02:44 +0000
Subject: Re: [Qemu-devel] Crashing in tcp_close
To: Stefan Hajnoczi
Cc: Samuel Thibault, qemu-devel@nongnu.org, Jan Kiszka
Message-ID: <02eee090-b017-dd4e-e63c-814d3d7beb72@pobox.com>
References: <95e79bc8-4547-b3b1-65b7-f641eb0c92f7@pobox.com>
 <20161104111419.GG9817@stefanha-x1.localdomain>
 <20161106180401.GE27308@var.home>
 <20161107104245.GC5036@stefanha-x1.localdomain>
 <466003bb-a2c4-bb9b-7b0b-7b2d6dcb16d7@pobox.com>
 <20161109112724.GC4682@stefanha-x1.localdomain>

On 11/11/2016 15:02, Brian Candler wrote:
>
> But over more than 10 runs (some with MALLOC_xxx_ and some without) it
> did not crash once :-(

Aha!! Looking carefully at valgrind output, I see some definite cases of
use-after-free in tcp_output. Does the info below help?

Regards,

Brian.

==18350== Memcheck, a memory error detector
==18350== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==18350== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==18350== Command: /usr/local/bin/qemu-system-x86_64 -netdev user,id=user.0,hostfwd=tcp::3301-:22 -device virtio-scsi-pci,id=scsi0 -device scsi-hd,bus=scsi0.0,drive=drive0 -device virtio-net,netdev=user.0 -drive if=none,file=output-qemu-vtp-nmm/vtp-nmm-201611111528.qcow2,id=drive0,cache=writeback,discard=unmap,format=qcow2 -boot c -vnc [::]:46 -name vtp-nmm-201611111528.qcow2 -m 4G -machine type=pc,accel=kvm
==18350==
==18350== Warning: client switching stacks?  SP change: 0xffeffea78 --> 0x6be5e48
==18350==          to suppress, use: --max-stackframe=68589554736 or greater
==18350== Warning: client switching stacks?  SP change: 0x6be5df8 --> 0xffeffea80
==18350==          to suppress, use: --max-stackframe=68589554824 or greater
==18350== Warning: client switching stacks?  SP change: 0xffefff258 --> 0x6be5e20
==18350==          to suppress, use: --max-stackframe=68589556792 or greater
==18350==          further instances of this message will not be shown.
==18350== Warning: noted but unhandled ioctl 0xaea3 with no size/direction hints.
==18350==    This could cause spurious value errors to appear.
==18350==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==18350== Warning: set address range perms: large range [0x395db000, 0x1397db000) (noaccess)
==18350== Warning: set address range perms: large range [0x39600000, 0x139600000) (defined)
==18350== Thread 4:
==18350== Syscall param ioctl(generic) points to uninitialised byte(s)
==18350==    at 0x63AF357: ioctl (syscall-template.S:84)
==18350==    by 0x33AA36: kvm_vcpu_ioctl (kvm-all.c:2076)
==18350==    by 0x3F8409: kvm_put_debugregs (kvm.c:2594)
==18350==    by 0x3F8409: kvm_arch_put_registers (kvm.c:2688)
==18350==    by 0x3378AD: do_kvm_cpu_synchronize_post_init (kvm-all.c:1884)
==18350==    by 0x326901: flush_queued_work (cpus.c:1003)
==18350==    by 0x326901: qemu_wait_io_event_common (cpus.c:1022)
==18350==    by 0x32885E: qemu_kvm_wait_io_event (cpus.c:1048)
==18350==    by 0x32885E: qemu_kvm_cpu_thread_fn (cpus.c:1083)
==18350==    by 0x609D709: start_thread (pthread_create.c:333)
==18350==    by 0x63B982C: clone (clone.S:109)
==18350==  Address 0x90edb10 is on thread 4's stack
==18350==  in frame #2, created by kvm_arch_put_registers (kvm.c:2621)
==18350==  Uninitialised value was created by a stack allocation
==18350==    at 0x3F6D20: kvm_arch_put_registers (kvm.c:2621)
==18350==
==18350== Syscall param ioctl(generic) points to uninitialised byte(s)
==18350==    at 0x63AF357: ioctl (syscall-template.S:84)
==18350==    by 0x33AA36: kvm_vcpu_ioctl (kvm-all.c:2076)
==18350==    by 0x3F8409: kvm_put_debugregs (kvm.c:2594)
==18350==    by 0x3F8409: kvm_arch_put_registers (kvm.c:2688)
==18350==    by 0x33788D: do_kvm_cpu_synchronize_post_reset (kvm-all.c:1871)
==18350==    by 0x326901: flush_queued_work (cpus.c:1003)
==18350==    by 0x326901: qemu_wait_io_event_common (cpus.c:1022)
==18350==    by 0x32885E: qemu_kvm_wait_io_event (cpus.c:1048)
==18350==    by 0x32885E: qemu_kvm_cpu_thread_fn (cpus.c:1083)
==18350==    by 0x609D709: start_thread (pthread_create.c:333)
==18350==    by 0x63B982C: clone (clone.S:109)
==18350==  Address 0x90edb10 is on thread 4's stack
==18350==  in frame #2, created by kvm_arch_put_registers (kvm.c:2621)
==18350==  Uninitialised value was created by a stack allocation
==18350==    at 0x3F6D20: kvm_arch_put_registers (kvm.c:2621)
==18350==
==18350== Warning: noted but unhandled ioctl 0xaeb7 with no size/direction hints.
==18350==    This could cause spurious value errors to appear.
==18350==    See README_MISSING_SYSCALL_OR_IOCTL for guidance on writing a proper wrapper.
==18350== Syscall param ioctl(generic) points to uninitialised byte(s)
==18350==    at 0x63AF357: ioctl (syscall-template.S:84)
==18350==    by 0x33AA36: kvm_vcpu_ioctl (kvm-all.c:2076)
==18350==    by 0x3F8409: kvm_put_debugregs (kvm.c:2594)
==18350==    by 0x3F8409: kvm_arch_put_registers (kvm.c:2688)
==18350==    by 0x33AD7C: kvm_cpu_exec (kvm-all.c:1911)
==18350==    by 0x3288D7: qemu_kvm_cpu_thread_fn (cpus.c:1078)
==18350==    by 0x609D709: start_thread (pthread_create.c:333)
==18350==    by 0x63B982C: clone (clone.S:109)
==18350==  Address 0x90edaa0 is on thread 4's stack
==18350==  in frame #2, created by kvm_arch_put_registers (kvm.c:2621)
==18350==  Uninitialised value was created by a stack allocation
==18350==    at 0x3F6D20: kvm_arch_put_registers (kvm.c:2621)
==18350==
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor -1 in syscall close()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
... lots more of these ...

==18350== Invalid read of size 4
==18350==    at 0x550B5B: if_start (if.c:230)
==18350==    by 0x552E6C: ip_output (ip_output.c:85)
==18350==    by 0x55AA31: tcp_output (tcp_output.c:469)
==18350==    by 0x558FD7: tcp_input (tcp_input.c:1386)
==18350==    by 0x55543F: slirp_input (slirp.c:867)
==18350==    by 0x54AFBF: net_slirp_receive (slirp.c:118)
==18350==    by 0x540B18: nc_sendv_compat (net.c:701)
==18350==    by 0x540B18: qemu_deliver_packet_iov (net.c:728)
==18350==    by 0x5438DA: qemu_net_queue_deliver_iov (queue.c:179)
==18350==    by 0x5438DA: qemu_net_queue_send_iov (queue.c:224)
==18350==    by 0x36B428: virtio_net_flush_tx (virtio-net.c:1282)
==18350==    by 0x36B624: virtio_net_tx_bh (virtio-net.c:1387)
==18350==    by 0x5804EC: aio_bh_call (async.c:67)
==18350==    by 0x5804EC: aio_bh_poll (async.c:95)
==18350==    by 0x58A8FF: aio_dispatch (aio-posix.c:308)
==18350==  Address 0x9eabec4 is 340 bytes inside a block of size 432 free'd
==18350==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x55B25E: tcp_close (tcp_subr.c:334)
==18350==    by 0x55C7AE: tcp_timers (tcp_timer.c:289)
==18350==    by 0x55C7AE: tcp_slowtimo (tcp_timer.c:89)
==18350==    by 0x555187: slirp_pollfds_poll (slirp.c:576)
==18350==    by 0x5891EB: main_loop_wait (main-loop.c:508)
==18350==    by 0x2F4430: main_loop (vl.c:1908)
==18350==    by 0x2F4430: main (vl.c:4604)
==18350==  Block was alloc'd at
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x556D42: socreate (socket.c:51)
==18350==    by 0x559580: tcp_input (tcp_input.c:432)
==18350==    by 0x55543F: slirp_input (slirp.c:867)
==18350==    by 0x54AFBF: net_slirp_receive (slirp.c:118)
==18350==    by 0x540B18: nc_sendv_compat (net.c:701)
==18350==    by 0x540B18: qemu_deliver_packet_iov (net.c:728)
==18350==    by 0x5438DA: qemu_net_queue_deliver_iov (queue.c:179)
==18350==    by 0x5438DA: qemu_net_queue_send_iov (queue.c:224)
==18350==    by 0x36B428: virtio_net_flush_tx (virtio-net.c:1282)
==18350==    by 0x36B624: virtio_net_tx_bh (virtio-net.c:1387)
==18350==    by 0x5804EC: aio_bh_call (async.c:67)
==18350==    by 0x5804EC: aio_bh_poll (async.c:95)
==18350==    by 0x58A8FF: aio_dispatch (aio-posix.c:308)
==18350==    by 0x5803AD: aio_ctx_dispatch (async.c:234)
==18350==
==18350== Invalid read of size 4
==18350==    at 0x550B5B: if_start (if.c:230)
==18350==    by 0x552E6C: ip_output (ip_output.c:85)
==18350==    by 0x55AA31: tcp_output (tcp_output.c:469)
==18350==    by 0x55B2D5: tcp_drop (tcp_subr.c:296)
==18350==    by 0x55C7AE: tcp_timers (tcp_timer.c:289)
==18350==    by 0x55C7AE: tcp_slowtimo (tcp_timer.c:89)
==18350==    by 0x555187: slirp_pollfds_poll (slirp.c:576)
==18350==    by 0x5891EB: main_loop_wait (main-loop.c:508)
==18350==    by 0x2F4430: main_loop (vl.c:1908)
==18350==    by 0x2F4430: main (vl.c:4604)
==18350==  Address 0x9d87f74 is 340 bytes inside a block of size 432 free'd
==18350==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x55B25E: tcp_close (tcp_subr.c:334)
==18350==    by 0x55C7AE: tcp_timers (tcp_timer.c:289)
==18350==    by 0x55C7AE: tcp_slowtimo (tcp_timer.c:89)
==18350==    by 0x555187: slirp_pollfds_poll (slirp.c:576)
==18350==    by 0x5891EB: main_loop_wait (main-loop.c:508)
==18350==    by 0x2F4430: main_loop (vl.c:1908)
==18350==    by 0x2F4430: main (vl.c:4604)
==18350==  Block was alloc'd at
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x556D42: socreate (socket.c:51)
==18350==    by 0x559580: tcp_input (tcp_input.c:432)
==18350==    by 0x55543F: slirp_input (slirp.c:867)
==18350==    by 0x54AFBF: net_slirp_receive (slirp.c:118)
==18350==    by 0x540B18: nc_sendv_compat (net.c:701)
==18350==    by 0x540B18: qemu_deliver_packet_iov (net.c:728)
==18350==    by 0x5438DA: qemu_net_queue_deliver_iov (queue.c:179)
==18350==    by 0x5438DA: qemu_net_queue_send_iov (queue.c:224)
==18350==    by 0x36B428: virtio_net_flush_tx (virtio-net.c:1282)
==18350==    by 0x36B624: virtio_net_tx_bh (virtio-net.c:1387)
==18350==    by 0x5804EC: aio_bh_call (async.c:67)
==18350==    by 0x5804EC: aio_bh_poll (async.c:95)
==18350==    by 0x58A8FF: aio_dispatch (aio-posix.c:308)
==18350==    by 0x5803AD: aio_ctx_dispatch (async.c:234)
==18350==
==18350== Invalid read of size 4
==18350==    at 0x550B5B: if_start (if.c:230)
==18350==    by 0x552E6C: ip_output (ip_output.c:85)
==18350==    by 0x55AA31: tcp_output (tcp_output.c:469)
==18350==    by 0x55C626: tcp_timers (tcp_timer.c:243)
==18350==    by 0x55C626: tcp_slowtimo (tcp_timer.c:89)
==18350==    by 0x555187: slirp_pollfds_poll (slirp.c:576)
==18350==    by 0x5891EB: main_loop_wait (main-loop.c:508)
==18350==    by 0x2F4430: main_loop (vl.c:1908)
==18350==    by 0x2F4430: main (vl.c:4604)
==18350==  Address 0x8754634 is 340 bytes inside a block of size 432 free'd
==18350==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x55B25E: tcp_close (tcp_subr.c:334)
==18350==    by 0x55C7AE: tcp_timers (tcp_timer.c:289)
==18350==    by 0x55C7AE: tcp_slowtimo (tcp_timer.c:89)
==18350==    by 0x555187: slirp_pollfds_poll (slirp.c:576)
==18350==    by 0x5891EB: main_loop_wait (main-loop.c:508)
==18350==    by 0x2F4430: main_loop (vl.c:1908)
==18350==    by 0x2F4430: main (vl.c:4604)
==18350==  Block was alloc'd at
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x556D42: socreate (socket.c:51)
==18350==    by 0x559580: tcp_input (tcp_input.c:432)
==18350==    by 0x55543F: slirp_input (slirp.c:867)
==18350==    by 0x54AFBF: net_slirp_receive (slirp.c:118)
==18350==    by 0x540B18: nc_sendv_compat (net.c:701)
==18350==    by 0x540B18: qemu_deliver_packet_iov (net.c:728)
==18350==    by 0x5438DA: qemu_net_queue_deliver_iov (queue.c:179)
==18350==    by 0x5438DA: qemu_net_queue_send_iov (queue.c:224)
==18350==    by 0x36B428: virtio_net_flush_tx (virtio-net.c:1282)
==18350==    by 0x36B624: virtio_net_tx_bh (virtio-net.c:1387)
==18350==    by 0x5804EC: aio_bh_call (async.c:67)
==18350==    by 0x5804EC: aio_bh_poll (async.c:95)
==18350==    by 0x58A8FF: aio_dispatch (aio-posix.c:308)
==18350==    by 0x5803AD: aio_ctx_dispatch (async.c:234)
==18350==
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
==18350== Warning: invalid file descriptor 1031 in syscall socket()
... more of these

==18350== Invalid read of size 4
==18350==    at 0x550B5B: if_start (if.c:230)
==18350==    by 0x552E6C: ip_output (ip_output.c:85)
==18350==    by 0x55AA31: tcp_output (tcp_output.c:469)
==18350==    by 0x555158: slirp_pollfds_poll (slirp.c:631)
==18350==    by 0x5891EB: main_loop_wait (main-loop.c:508)
==18350==    by 0x2F4430: main_loop (vl.c:1908)
==18350==    by 0x2F4430: main (vl.c:4604)
==18350==  Address 0xa12dd64 is 340 bytes inside a block of size 432 free'd
==18350==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x55B25E: tcp_close (tcp_subr.c:334)
==18350==    by 0x55C7AE: tcp_timers (tcp_timer.c:289)
==18350==    by 0x55C7AE: tcp_slowtimo (tcp_timer.c:89)
==18350==    by 0x555187: slirp_pollfds_poll (slirp.c:576)
==18350==    by 0x5891EB: main_loop_wait (main-loop.c:508)
==18350==    by 0x2F4430: main_loop (vl.c:1908)
==18350==    by 0x2F4430: main (vl.c:4604)
==18350==  Block was alloc'd at
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x556D42: socreate (socket.c:51)
==18350==    by 0x559580: tcp_input (tcp_input.c:432)
==18350==    by 0x55543F: slirp_input (slirp.c:867)
==18350==    by 0x54AFBF: net_slirp_receive (slirp.c:118)
==18350==    by 0x540B18: nc_sendv_compat (net.c:701)
==18350==    by 0x540B18: qemu_deliver_packet_iov (net.c:728)
==18350==    by 0x5438DA: qemu_net_queue_deliver_iov (queue.c:179)
==18350==    by 0x5438DA: qemu_net_queue_send_iov (queue.c:224)
==18350==    by 0x36B428: virtio_net_flush_tx (virtio-net.c:1282)
==18350==    by 0x36B624: virtio_net_tx_bh (virtio-net.c:1387)
==18350==    by 0x5804EC: aio_bh_call (async.c:67)
==18350==    by 0x5804EC: aio_bh_poll (async.c:95)
==18350==    by 0x58A8FF: aio_dispatch (aio-posix.c:308)
==18350==    by 0x5803AD: aio_ctx_dispatch (async.c:234)
==18350==
==18350==
==18350== HEAP SUMMARY:
==18350==     in use at exit: 206,196,552 bytes in 14,718 blocks
==18350==   total heap usage: 5,617,405 allocs, 5,602,687 frees, 2,542,220,901 bytes allocated
==18350==
==18350== 8 bytes in 1 blocks are definitely lost in loss record 840 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD780: g_malloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x334895: portio_list_init (ioport.c:130)
==18350==    by 0x4A0255: isa_register_portio_list (isa-bus.c:150)
==18350==    by 0x45ED66: parallel_isa_realizefn (parallel.c:535)
==18350==    by 0x4634D4: device_set_realized (qdev.c:918)
==18350==    by 0x57BCBD: property_set_bool (object.c:1853)
==18350==    by 0x57FAE0: object_property_set_qobject (qom-qobject.c:27)
==18350==    by 0x57D9AF: object_property_set_bool (object.c:1156)
==18350==    by 0x4622B1: qdev_init_nofail (qdev.c:358)
==18350==    by 0x4A05EA: parallel_init (isa-bus.c:303)
==18350==    by 0x4A05EA: parallel_hds_isa_init (isa-bus.c:314)
==18350==    by 0x38CFA7: pc_basic_device_init (pc.c:1593)
==18350==
==18350== 16 bytes in 1 blocks are definitely lost in loss record 1,848 of 4,814
==18350==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x465F21: qemu_extend_irqs (irq.c:56)
==18350==    by 0x38CFBF: pc_basic_device_init (pc.c:1595)
==18350==    by 0x38F18A: pc_init1.constprop.0 (pc_piix.c:238)
==18350==    by 0x2F1051: main (vl.c:4467)
==18350==
==18350== 16 bytes in 1 blocks are definitely lost in loss record 1,849 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD780: g_malloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x334895: portio_list_init (ioport.c:130)
==18350==    by 0x4A0255: isa_register_portio_list (isa-bus.c:150)
==18350==    by 0x487394: i8257_realize (i8257.c:556)
==18350==    by 0x4634D4: device_set_realized (qdev.c:918)
==18350==    by 0x57BCBD: property_set_bool (object.c:1853)
==18350==    by 0x57FAE0: object_property_set_qobject (qom-qobject.c:27)
==18350==    by 0x57D9AF: object_property_set_bool (object.c:1156)
==18350==    by 0x4622B1: qdev_init_nofail (qdev.c:358)
==18350==    by 0x487D1C: DMA_init (i8257.c:632)
==18350==    by 0x38D03B: pc_basic_device_init (pc.c:1612)
==18350==
==18350== 16 bytes in 1 blocks are definitely lost in loss record 1,850 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD780: g_malloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x334895: portio_list_init (ioport.c:130)
==18350==    by 0x4A0255: isa_register_portio_list (isa-bus.c:150)
==18350==    by 0x487394: i8257_realize (i8257.c:556)
==18350==    by 0x4634D4: device_set_realized (qdev.c:918)
==18350==    by 0x57BCBD: property_set_bool (object.c:1853)
==18350==    by 0x57FAE0: object_property_set_qobject (qom-qobject.c:27)
==18350==    by 0x57D9AF: object_property_set_bool (object.c:1156)
==18350==    by 0x4622B1: qdev_init_nofail (qdev.c:358)
==18350==    by 0x487C8D: DMA_init (i8257.c:640)
==18350==    by 0x38D03B: pc_basic_device_init (pc.c:1612)
==18350==
==18350== 16 bytes in 1 blocks are definitely lost in loss record 1,851 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD780: g_malloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x334895: portio_list_init (ioport.c:130)
==18350==    by 0x4A0255: isa_register_portio_list (isa-bus.c:150)
==18350==    by 0x451109: isabus_fdc_realize (fdc.c:2498)
==18350==    by 0x4634D4: device_set_realized (qdev.c:918)
==18350==    by 0x57BCBD: property_set_bool (object.c:1853)
==18350==    by 0x57FAE0: object_property_set_qobject (qom-qobject.c:27)
==18350==    by 0x57D9AF: object_property_set_bool (object.c:1156)
==18350==    by 0x4622B1: qdev_init_nofail (qdev.c:358)
==18350==    by 0x45256A: fdctrl_init_isa (fdc.c:2395)
==18350==    by 0x38D0B4: pc_basic_device_init (pc.c:1619)
==18350==
==18350== 16 bytes in 2 blocks are definitely lost in loss record 1,852 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD780: g_malloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x334895: portio_list_init (ioport.c:130)
==18350==    by 0x4A0255: isa_register_portio_list (isa-bus.c:150)
==18350==    by 0x49121F: pci_piix_init_ports (piix.c:141)
==18350==    by 0x49121F: pci_piix_ide_realize (piix.c:165)
==18350==    by 0x4D495F: pci_qdev_realize (pci.c:1966)
==18350==    by 0x4634D4: device_set_realized (qdev.c:918)
==18350==    by 0x57BCBD: property_set_bool (object.c:1853)
==18350==    by 0x57FAE0: object_property_set_qobject (qom-qobject.c:27)
==18350==    by 0x57D9AF: object_property_set_bool (object.c:1156)
==18350==    by 0x4622B1: qdev_init_nofail (qdev.c:358)
==18350==    by 0x4D38D5: pci_create_simple_multifunction (pci.c:2017)
==18350==    by 0x4D38D5: pci_create_simple (pci.c:2028)
==18350==
==18350== 48 bytes in 2 blocks are definitely lost in loss record 2,642 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD780: g_malloc0 (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x334895: portio_list_init (ioport.c:130)
==18350==    by 0x4A0255: isa_register_portio_list (isa-bus.c:150)
==18350==    by 0x48E027: ide_init_ioport (core.c:2622)
==18350==    by 0x49121F: pci_piix_init_ports (piix.c:141)
==18350==    by 0x49121F: pci_piix_ide_realize (piix.c:165)
==18350==    by 0x4D495F: pci_qdev_realize (pci.c:1966)
==18350==    by 0x4634D4: device_set_realized (qdev.c:918)
==18350==    by 0x57BCBD: property_set_bool (object.c:1853)
==18350==    by 0x57FAE0: object_property_set_qobject (qom-qobject.c:27)
==18350==    by 0x57D9AF: object_property_set_bool (object.c:1156)
==18350==    by 0x4622B1: qdev_init_nofail (qdev.c:358)
==18350==
==18350== 128 bytes in 1 blocks are definitely lost in loss record 4,037 of 4,814
==18350==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x4C2FDEF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD7E7: g_realloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x567B2DC: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x567C3BA: g_ptr_array_add (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x397348: crs_range_insert (acpi-build.c:745)
==18350==    by 0x397348: crs_replace_with_free_ranges (acpi-build.c:808)
==18350==    by 0x398CE2: build_dsdt (acpi-build.c:2092)
==18350==    by 0x39AA52: acpi_build (acpi-build.c:2670)
==18350==    by 0x39BB7B: acpi_setup (acpi-build.c:2873)
==18350==    by 0x38AE7A: pc_machine_done (pc.c:1270)
==18350==    by 0x626623: notifier_list_notify (notify.c:40)
==18350==    by 0x2F122B: qemu_run_machine_init_done_notifiers (vl.c:2686)
==18350==    by 0x2F122B: main (vl.c:4562)
==18350==
==18350== 128 bytes in 1 blocks are definitely lost in loss record 4,038 of 4,814
==18350==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x4C2FDEF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD7E7: g_realloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x567B2DC: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x567C3BA: g_ptr_array_add (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x397348: crs_range_insert (acpi-build.c:745)
==18350==    by 0x397348: crs_replace_with_free_ranges (acpi-build.c:808)
==18350==    by 0x398DEE: build_dsdt (acpi-build.c:2107)
==18350==    by 0x39AA52: acpi_build (acpi-build.c:2670)
==18350==    by 0x39BB7B: acpi_setup (acpi-build.c:2873)
==18350==    by 0x38AE7A: pc_machine_done (pc.c:1270)
==18350==    by 0x626623: notifier_list_notify (notify.c:40)
==18350==    by 0x2F122B: qemu_run_machine_init_done_notifiers (vl.c:2686)
==18350==    by 0x2F122B: main (vl.c:4562)
==18350==
==18350== 256 bytes in 2 blocks are definitely lost in loss record 4,231 of 4,814
==18350==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x4C2FDEF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD7E7: g_realloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x567B2DC: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x567C3BA: g_ptr_array_add (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x397348: crs_range_insert (acpi-build.c:745)
==18350==    by 0x397348: crs_replace_with_free_ranges (acpi-build.c:808)
==18350==    by 0x398CE2: build_dsdt (acpi-build.c:2092)
==18350==    by 0x39AA52: acpi_build (acpi-build.c:2670)
==18350==    by 0x39B9A0: acpi_build_update (acpi-build.c:2808)
==18350==    by 0x4CA245: fw_cfg_select (fw_cfg.c:275)
==18350==    by 0x4CADA2: fw_cfg_dma_transfer (fw_cfg.c:348)
==18350==    by 0x33D857: memory_region_write_accessor (memory.c:525)
==18350==
==18350== 256 bytes in 2 blocks are definitely lost in loss record 4,232 of 4,814
==18350==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x4C2FDEF: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD7E7: g_realloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x567B2DC: ??? (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x567C3BA: g_ptr_array_add (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x397348: crs_range_insert (acpi-build.c:745)
==18350==    by 0x397348: crs_replace_with_free_ranges (acpi-build.c:808)
==18350==    by 0x398DEE: build_dsdt (acpi-build.c:2107)
==18350==    by 0x39AA52: acpi_build (acpi-build.c:2670)
==18350==    by 0x39B9A0: acpi_build_update (acpi-build.c:2808)
==18350==    by 0x4CA245: fw_cfg_select (fw_cfg.c:275)
==18350==    by 0x4CADA2: fw_cfg_dma_transfer (fw_cfg.c:348)
==18350==    by 0x33D857: memory_region_write_accessor (memory.c:525)
==18350==
==18350== 294 bytes in 27 blocks are definitely lost in loss record 4,250 of 4,814
==18350==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x56AD728: g_malloc (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x56C6577: g_strndup (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x467D46: machine_class_base_init (machine.c:375)
==18350==    by 0x57C484: type_initialize.part.5 (object.c:322)
==18350==    by 0x57CA7C: type_initialize (object.c:811)
==18350==    by 0x57CA7C: object_class_foreach_tramp (object.c:798)
==18350==    by 0x569733F: g_hash_table_foreach (in /lib/x86_64-linux-gnu/libglib-2.0.so.0.4800.1)
==18350==    by 0x57CF17: object_class_foreach (object.c:820)
==18350==    by 0x57CFB1: object_class_get_list (object.c:874)
==18350==    by 0x410DEE: find_default_machine (vl.c:1470)
==18350==    by 0x2F033F: select_machine (vl.c:2732)
==18350==    by 0x2F033F: main (vl.c:3986)
==18350==
==18350== 304 bytes in 1 blocks are possibly lost in loss record 4,261 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x40136D4: allocate_dtv (dl-tls.c:322)
==18350==    by 0x40136D4: _dl_allocate_tls (dl-tls.c:539)
==18350==    by 0x609E2BE: allocate_stack (allocatestack.c:588)
==18350==    by 0x609E2BE: pthread_create@@GLIBC_2.2.5 (pthread_create.c:539)
==18350==    by 0x61CA3D: qemu_thread_create (qemu-thread-posix.c:471)
==18350==    by 0x62AA28: rcu_init_complete (rcu.c:316)
==18350==    by 0x6B67FC: __libc_csu_init (in /usr/local/bin/qemu-system-x86_64)
==18350==    by 0x62D37BE: (below main) (libc-start.c:247)
==18350==
==18350== 304 bytes in 1 blocks are possibly lost in loss record 4,262 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x40136D4: allocate_dtv (dl-tls.c:322)
==18350==    by 0x40136D4: _dl_allocate_tls (dl-tls.c:539)
==18350==    by 0x609E2BE: allocate_stack (allocatestack.c:588)
==18350==    by 0x609E2BE: pthread_create@@GLIBC_2.2.5 (pthread_create.c:539)
==18350==    by 0x61CA3D: qemu_thread_create (qemu-thread-posix.c:471)
==18350==    by 0x328CFC: qemu_kvm_start_vcpu (cpus.c:1405)
==18350==    by 0x328CFC: qemu_init_vcpu (cpus.c:1445)
==18350==    by 0x3C760A: x86_cpu_realizefn (cpu.c:3086)
==18350==    by 0x4634D4: device_set_realized (qdev.c:918)
==18350==    by 0x57BCBD: property_set_bool (object.c:1853)
==18350==    by 0x57FAE0: object_property_set_qobject (qom-qobject.c:27)
==18350==    by 0x57D9AF: object_property_set_bool (object.c:1156)
==18350==    by 0x3890ED: pc_new_cpu (pc.c:1110)
==18350==    by 0x38C17B: pc_cpus_init (pc.c:1205)
==18350==
==18350== 304 bytes in 1 blocks are possibly lost in loss record 4,263 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x40136D4: allocate_dtv (dl-tls.c:322)
==18350==    by 0x40136D4: _dl_allocate_tls (dl-tls.c:539)
==18350==    by 0x609E2BE: allocate_stack (allocatestack.c:588)
==18350==    by 0x609E2BE: pthread_create@@GLIBC_2.2.5 (pthread_create.c:539)
==18350==    by 0x61CA3D: qemu_thread_create (qemu-thread-posix.c:471)
==18350==    by 0x57B3EE: vnc_start_worker_thread (vnc-jobs.c:353)
==18350==    by 0x56C436: vnc_display_init (vnc.c:3159)
==18350==    by 0x56D634: vnc_init_func (vnc.c:3924)
==18350==    by 0x628839: qemu_opts_foreach (qemu-option.c:1116)
==18350==    by 0x2F11C2: main (vl.c:4545)
==18350==
==18350== 8,816 bytes in 29 blocks are possibly lost in loss record 4,765 of 4,814
==18350==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==18350==    by 0x40136D4: allocate_dtv (dl-tls.c:322)
==18350==    by 0x40136D4: _dl_allocate_tls (dl-tls.c:539)
==18350==    by 0x609E2BE: allocate_stack (allocatestack.c:588)
==18350==    by 0x609E2BE: pthread_create@@GLIBC_2.2.5 (pthread_create.c:539)
==18350==    by 0x61CA3D: qemu_thread_create (qemu-thread-posix.c:471)
==18350==    by 0x580B06: do_spawn_thread (thread-pool.c:135)
==18350==    by 0x580B67: worker_thread (thread-pool.c:83)
==18350==    by 0x609D709: start_thread (pthread_create.c:333)
==18350==    by 0x63B982C: clone (clone.S:109)
==18350==
==18350== LEAK SUMMARY:
==18350==    definitely lost: 1,198 bytes in 42 blocks
==18350==    indirectly lost: 0 bytes in 0 blocks
==18350==      possibly lost: 9,728 bytes in 32 blocks
==18350==    still reachable: 206,185,626 bytes in 14,644 blocks
==18350==         suppressed: 0 bytes in 0 blocks
==18350== Reachable blocks (those to which a pointer was found) are not shown.
==18350== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==18350==
==18350== For counts of detected and suppressed errors, rerun with: -v
==18350== ERROR SUMMARY: 784 errors from 24 contexts (suppressed: 0 from 0)
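The report above is long because the same dead `struct socket` (the 432-byte block from `socreate`, freed in `tcp_close`) is touched from several different callers of `tcp_output`, each producing its own Memcheck record. The following triage helper is an added example, not code from this thread, from QEMU or from Valgrind: it parses Memcheck's text output, keeps only the "Invalid read/write" reports whose address lies inside a free'd block, and collapses them into distinct (freeing function, offset, block size) keys with the set of call chains that reached the freed memory. The sample log embedded in it is constructed in Memcheck's format with shortened stacks and a made-up pid; the function names in it are the ones that appear in the report above.

```python
"""Triage helper for Valgrind Memcheck output (added example, not code from
the qemu-devel thread or from QEMU/Valgrind themselves).

Pulls every "Invalid read/write" report out of a Memcheck log together with
its access stack, the stack that free'd the block and the stack that
allocated it, then groups the use-after-free reports so that a long log
collapses into a few (freeing function, offset, size) keys to inspect.
"""
import re

# "==<pid>== <text>": Memcheck prefixes every line it emits with the pid.
PID_RE = re.compile(r"^==\d+==\s?(.*)$")
# "   at 0x...: func (file.c:123)" or "   by 0x...: func (in /lib/x.so)"
FRAME_RE = re.compile(r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.+?)\s+\((.*)\)\s*$")
# Printed only when the faulting address lies inside a free'd heap block.
FREED_RE = re.compile(r"Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd")


def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' report found in `text`."""
    errors, current, section = [], None, None
    for raw in text.splitlines():
        m = PID_RE.match(raw)
        if not m:
            continue                      # not a Memcheck line (program output etc.)
        body = m.group(1)
        if body.startswith("Invalid read") or body.startswith("Invalid write"):
            current = {"kind": body, "access": [], "freed": [], "alloc": [],
                       "offset": None, "size": None}
            errors.append(current)
            section = "access"
            continue
        if current is None:
            continue                      # inside some other kind of report
        if body.strip() == "":
            current = None                # a bare "==pid==" line closes the report
            continue
        freed = FREED_RE.search(body)
        if freed:
            current["offset"], current["size"] = int(freed.group(1)), int(freed.group(2))
            section = "freed"
            continue
        if body.strip().startswith("Block was alloc'd at"):
            section = "alloc"
            continue
        frame = FRAME_RE.match(body)
        if frame:
            current[section].append((frame.group(1), frame.group(2)))
    return errors


def group_use_after_free(errors, depth=4):
    """Map (function that called free, offset, block size) -> set of access chains.

    Reports without a free'd stack (stack addresses, overruns past a live block)
    are not use-after-free and are skipped. `depth` frames of the access stack
    are kept: enough to see who called the function that touched the dead object.
    """
    groups = {}
    for err in errors:
        if err["offset"] is None:
            continue
        # first frame after the allocator shim is the code that released the block
        free_caller = next((fn for fn, _ in err["freed"] if fn != "free"), "?")
        key = (free_caller, err["offset"], err["size"])
        chain = tuple(fn for fn, _ in err["access"][:depth])
        groups.setdefault(key, set()).add(chain)
    return groups


# Constructed sample in Memcheck's format (made-up pid 4242, shortened stacks).
# The first record is a stack uninitialised-value complaint the parser must skip.
SAMPLE_LOG = """\
==4242== Syscall param ioctl(generic) points to uninitialised byte(s)
==4242==    at 0x63AF357: ioctl (syscall-template.S:84)
==4242==  Address 0x90edb10 is on thread 4's stack
==4242==
==4242== Invalid read of size 4
==4242==    at 0x550B5B: if_start (if.c:230)
==4242==    by 0x552E6C: ip_output (ip_output.c:85)
==4242==    by 0x55AA31: tcp_output (tcp_output.c:469)
==4242==    by 0x558FD7: tcp_input (tcp_input.c:1386)
==4242==    by 0x55543F: slirp_input (slirp.c:867)
==4242==  Address 0x9eabec4 is 340 bytes inside a block of size 432 free'd
==4242==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4242==    by 0x55B25E: tcp_close (tcp_subr.c:334)
==4242==    by 0x55C7AE: tcp_timers (tcp_timer.c:289)
==4242==  Block was alloc'd at
==4242==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4242==    by 0x556D42: socreate (socket.c:51)
==4242==
==4242== Invalid read of size 4
==4242==    at 0x550B5B: if_start (if.c:230)
==4242==    by 0x552E6C: ip_output (ip_output.c:85)
==4242==    by 0x55AA31: tcp_output (tcp_output.c:469)
==4242==    by 0x55B2D5: tcp_drop (tcp_subr.c:296)
==4242==  Address 0x9d87f74 is 340 bytes inside a block of size 432 free'd
==4242==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4242==    by 0x55B25E: tcp_close (tcp_subr.c:334)
==4242==  Block was alloc'd at
==4242==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4242==    by 0x556D42: socreate (socket.c:51)
==4242==
==4242== HEAP SUMMARY:
"""

if __name__ == "__main__":
    for (freer, off, size), chains in group_use_after_free(parse_memcheck(SAMPLE_LOG)).items():
        print(f"freed by {freer}, read at offset {off} of a {size}-byte block, via:")
        for chain in sorted(chains):
            print("    " + " <- ".join(chain))
```

Run against a real log (`valgrind ... 2> memcheck.log`, then feed the file to `parse_memcheck`) the grouping separates "one object freed in one place, used from several paths" from "several different objects", which is the first question to settle when a crash is intermittent, as in this thread. The offset within the block (340 of 432 here) is worth keeping in the key: the same offset across all records says the same field is being read after the free, which points at one code path rather than general heap corruption.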