From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:53094)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rjones@redhat.com>) id 1T7R0L-0007O3-DP
	for qemu-devel@nongnu.org; Fri, 31 Aug 2012 09:11:25 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rjones@redhat.com>) id 1T7R0F-0006xr-AP
	for qemu-devel@nongnu.org; Fri, 31 Aug 2012 09:11:21 -0400
Received: from mx1.redhat.com ([209.132.183.28]:23041)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rjones@redhat.com>) id 1T7R0F-0006xl-23
	for qemu-devel@nongnu.org; Fri, 31 Aug 2012 09:11:15 -0400
Received: from int-mx11.intmail.prod.int.phx2.redhat.com
	(int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q7VDBElk001780
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-devel@nongnu.org>; Fri, 31 Aug 2012 09:11:14 -0400
Received: from localhost (vpn1-5-29.ams2.redhat.com [10.36.5.29])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id q7VDBCNg003468
	for <qemu-devel@nongnu.org>; Fri, 31 Aug 2012 09:11:13 -0400
Date: Fri, 31 Aug 2012 14:11:10 +0100
From: "Richard W.M. Jones" <rjones@redhat.com>
Message-ID: <20120831131110.GA9668@rhmail.home.annexia.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: [Qemu-devel] qemu 1.2 segfault on shutdown (ioh->deleted == false,
	io->fd == -1)
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org


I'm tracking this bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=853408

Does anyone recognize this segfault on shutdown when using either a
console or a virtio-serial char device?

It's only caught in Fedora because we compile with 'fortify source' so
the attempt to modify a negative offset in an fdset is caught.
Probably it just overwrites a random bit of memory for everyone else.

(gdb) frame 6
#6  0x00007f173d3d373d in qemu_iohandler_poll (readfds=readfds@entry=
    0x7f173dd97b60 <rfds>, writefds=writefds@entry=0x7f173dd97be0 <wfds>, 
    xfds=xfds@entry=0x7f173dd97c60 <xfds>, ret=ret@entry=1) at iohandler.c:156
156             if (!ioh->deleted && ioh->fd_read && FD_ISSET(ioh->fd, readfds)) {
(gdb) print *ioh
$1 = {
  fd_read_poll = 0x7f173d49a7f0 <tcp_chr_read_poll>, 
  fd_read = 0x7f173d49be30 <tcp_chr_read>, 
  fd_write = 0x0, 
  opaque = 0x7f173fe3a380, 
  next = {
    le_next = 0x7f1728003310, 
    le_prev = 0x7f173dd96a70 <io_handlers>
  }, 
  fd = -1, 
  deleted = false
}

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top