From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59221)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bounces@canonical.com>) id 1VFkda-0003Jd-V6
	for qemu-devel@nongnu.org; Sat, 31 Aug 2013 08:50:53 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <bounces@canonical.com>) id 1VFkdU-0004ld-JV
	for qemu-devel@nongnu.org; Sat, 31 Aug 2013 08:50:46 -0400
Received: from indium.canonical.com ([91.189.90.7]:52591)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bounces@canonical.com>) id 1VFkdU-0004lY-3z
	for qemu-devel@nongnu.org; Sat, 31 Aug 2013 08:50:40 -0400
Received: from loganberry.canonical.com ([91.189.90.37])
	by indium.canonical.com with esmtp (Exim 4.71 #1 (Debian))
	id 1VFkdT-0007QS-0w
	for <qemu-devel@nongnu.org>; Sat, 31 Aug 2013 12:50:39 +0000
Received: from loganberry.canonical.com (localhost [127.0.0.1])
	by loganberry.canonical.com (Postfix) with ESMTP id DD8FC2E808C
	for <qemu-devel@nongnu.org>; Sat, 31 Aug 2013 12:50:38 +0000 (UTC)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 31 Aug 2013 12:43:12 -0000
From: Richard Jones <rjones@redhat.com>
Sender: bounces@canonical.com
References: <20130831124312.10740.0.malonedeb@wampee.canonical.com>
Message-Id: <20130831124312.10740.0.malonedeb@wampee.canonical.com>
Errors-To: bounces@canonical.com
Subject: [Qemu-devel] [Bug 1219207] [NEW] QMP (32 bit only) segfaults in
	query-tpm-types	when compiled with --enable-tpm
Reply-To: Bug 1219207 <1219207@bugs.launchpad.net>
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

Public bug reported:

NB: This bug ONLY happens on i686.  When qemu is compiled for x86-64,
the bug does NOT happen.

$ ./configure --enable-tpm
$ make
$ (sleep 5; printf '{"execute":"qmp_capabilities"}\n{"execute":"query-tpm-t=
ypes"}\n') | ./i386-softmmu/qemu-system-i386 -S -nodefaults -nographic -M n=
one -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 50, "minor": 6, "major": 1}, "packag=
e": ""}, "capabilities": []}}
{"return": {}}
Segmentation fault (core dumped)

The stack trace is:

#0  output_type_enum (v=3D0xb9938228, obj=3D0x5, =

    strings=3D0xb77f0320 <TpmType_lookup>, kind=3D0xb767f1d4 "TpmType", nam=
e=3D0x0, =

    errp=3D0xbfec4628) at qapi/qapi-visit-core.c:306
#1  0xb762b3b5 in visit_type_enum (v=3Dv@entry=3D0xb9938228, obj=3D0x5, =

    strings=3D0xb77f0320 <TpmType_lookup>, kind=3Dkind@entry=3D0xb767f1d4 "=
TpmType", =

    name=3Dname@entry=3D0x0, errp=3Derrp@entry=3D0xbfec4628)
    at qapi/qapi-visit-core.c:114
#2  0xb74a9ef4 in visit_type_TpmType (errp=3D0xbfec4628, name=3D0x0, =

    obj=3D<optimized out>, m=3D0xb9938228) at qapi-visit.c:5220
#3  visit_type_TpmTypeList (m=3D0xb9938228, obj=3Dobj@entry=3D0xbfec4678, =

    name=3Dname@entry=3D0xb76545a6 "unused", errp=3Derrp@entry=3D0xbfec4674)
    at qapi-visit.c:5206
#4  0xb74c403e in qmp_marshal_output_query_tpm_types (errp=3D0xbfec4674, =

    ret_out=3D0xbfec46d8, ret_in=3D0xb993f490) at qmp-marshal.c:3795
#5  qmp_marshal_input_query_tpm_types (mon=3D0xb9937098, qdict=3D0xb99379a0=
, =

    ret=3D0xbfec46d8) at qmp-marshal.c:3817
#6  0xb7581d7a in qmp_call_cmd (cmd=3D<optimized out>, params=3D0xb99379a0, =

    mon=3D0xb9937098) at /home/rjones/d/qemu/monitor.c:4644
#7  handle_qmp_command (parser=3D0xb99370ec, tokens=3D0xb9941438)
    at /home/rjones/d/qemu/monitor.c:4710
#8  0xb7631d8f in json_message_process_token (lexer=3D0xb99370f0, =

    token=3D0xb993f3a8, type=3DJSON_OPERATOR, x=3D29, y=3D1)
    at qobject/json-streamer.c:87
#9  0xb764579b in json_lexer_feed_char (lexer=3Dlexer@entry=3D0xb99370f0, =

    ch=3D<optimized out>, flush=3Dflush@entry=3Dfalse) at qobject/json-lexe=
r.c:303
#10 0xb76458c8 in json_lexer_feed (lexer=3Dlexer@entry=3D0xb99370f0, =

    buffer=3Dbuffer@entry=3D0xbfec486c "}\243\353S\351\364b\267/\327=E2=B5=
=80\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=3Dsize@entry=
=3D1)
    at qobject/json-lexer.c:356
#11 0xb7631fab in json_message_parser_feed (parser=3D0xb99370ec, =

    buffer=3Dbuffer@entry=3D0xbfec486c "}\243\353S\351\364b\267/\327=E2=B5=
=80\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=3Dsize@entry=
=3D1)
    at qobject/json-streamer.c:110
#12 0xb75803eb in monitor_control_read (opaque=3D0xb9937098, =

    buf=3D0xbfec486c "}\243\353S\351\364b\267/\327=E2=B5=80\025}\267 \367b\=
267\315\372\223\271\065\023j\267\002", size=3D1) at /home/rjones/d/qemu/mon=
itor.c:4731
#13 0xb74b191e in qemu_chr_be_write (len=3D<optimized out>, =

    buf=3D0xbfec486c "}\243\353S\351\364b\267/\327=E2=B5=80\025}\267 \367b\=
267\315\372\223\271\065\023j\267\002", s=3D0xb9935800) at qemu-char.c:165
#14 fd_chr_read (chan=3D0xb9935870, cond=3D(G_IO_IN | G_IO_HUP), opaque=3D0=
xb9935800)
    at qemu-char.c:841
#15 0xb71f6876 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
#16 0xb71b0286 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#17 0xb747a13e in glib_pollfds_poll () at main-loop.c:189
#18 os_host_main_loop_wait (timeout=3D<optimized out>) at main-loop.c:234
#19 main_loop_wait (nonblocking=3D1) at main-loop.c:484
#20 0xb7309f11 in main_loop () at vl.c:2090
#21 main (argc=3D8, argv=3D0xbfec5c14, envp=3D0xbfec5c38) at vl.c:4435

** Affects: qemu
     Importance: Undecided
         Status: New

-- =

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1219207

Title:
  QMP (32 bit only) segfaults in query-tpm-types when compiled with
  --enable-tpm

Status in QEMU:
  New

Bug description:
  NB: This bug ONLY happens on i686.  When qemu is compiled for x86-64,
  the bug does NOT happen.

  $ ./configure --enable-tpm
  $ make
  $ (sleep 5; printf '{"execute":"qmp_capabilities"}\n{"execute":"query-tpm=
-types"}\n') | ./i386-softmmu/qemu-system-i386 -S -nodefaults -nographic -M=
 none -qmp stdio
  {"QMP": {"version": {"qemu": {"micro": 50, "minor": 6, "major": 1}, "pack=
age": ""}, "capabilities": []}}
  {"return": {}}
  Segmentation fault (core dumped)

  The stack trace is:

  #0  output_type_enum (v=3D0xb9938228, obj=3D0x5, =

      strings=3D0xb77f0320 <TpmType_lookup>, kind=3D0xb767f1d4 "TpmType", n=
ame=3D0x0, =

      errp=3D0xbfec4628) at qapi/qapi-visit-core.c:306
  #1  0xb762b3b5 in visit_type_enum (v=3Dv@entry=3D0xb9938228, obj=3D0x5, =

      strings=3D0xb77f0320 <TpmType_lookup>, kind=3Dkind@entry=3D0xb767f1d4=
 "TpmType", =

      name=3Dname@entry=3D0x0, errp=3Derrp@entry=3D0xbfec4628)
      at qapi/qapi-visit-core.c:114
  #2  0xb74a9ef4 in visit_type_TpmType (errp=3D0xbfec4628, name=3D0x0, =

      obj=3D<optimized out>, m=3D0xb9938228) at qapi-visit.c:5220
  #3  visit_type_TpmTypeList (m=3D0xb9938228, obj=3Dobj@entry=3D0xbfec4678, =

      name=3Dname@entry=3D0xb76545a6 "unused", errp=3Derrp@entry=3D0xbfec46=
74)
      at qapi-visit.c:5206
  #4  0xb74c403e in qmp_marshal_output_query_tpm_types (errp=3D0xbfec4674, =

      ret_out=3D0xbfec46d8, ret_in=3D0xb993f490) at qmp-marshal.c:3795
  #5  qmp_marshal_input_query_tpm_types (mon=3D0xb9937098, qdict=3D0xb99379=
a0, =

      ret=3D0xbfec46d8) at qmp-marshal.c:3817
  #6  0xb7581d7a in qmp_call_cmd (cmd=3D<optimized out>, params=3D0xb99379a=
0, =

      mon=3D0xb9937098) at /home/rjones/d/qemu/monitor.c:4644
  #7  handle_qmp_command (parser=3D0xb99370ec, tokens=3D0xb9941438)
      at /home/rjones/d/qemu/monitor.c:4710
  #8  0xb7631d8f in json_message_process_token (lexer=3D0xb99370f0, =

      token=3D0xb993f3a8, type=3DJSON_OPERATOR, x=3D29, y=3D1)
      at qobject/json-streamer.c:87
  #9  0xb764579b in json_lexer_feed_char (lexer=3Dlexer@entry=3D0xb99370f0, =

      ch=3D<optimized out>, flush=3Dflush@entry=3Dfalse) at qobject/json-le=
xer.c:303
  #10 0xb76458c8 in json_lexer_feed (lexer=3Dlexer@entry=3D0xb99370f0, =

      buffer=3Dbuffer@entry=3D0xbfec486c "}\243\353S\351\364b\267/\327=E2=
=B5=80\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=3Dsize@en=
try=3D1)
      at qobject/json-lexer.c:356
  #11 0xb7631fab in json_message_parser_feed (parser=3D0xb99370ec, =

      buffer=3Dbuffer@entry=3D0xbfec486c "}\243\353S\351\364b\267/\327=E2=
=B5=80\025}\267 \367b\267\315\372\223\271\065\023j\267\002", size=3Dsize@en=
try=3D1)
      at qobject/json-streamer.c:110
  #12 0xb75803eb in monitor_control_read (opaque=3D0xb9937098, =

      buf=3D0xbfec486c "}\243\353S\351\364b\267/\327=E2=B5=80\025}\267 \367=
b\267\315\372\223\271\065\023j\267\002", size=3D1) at /home/rjones/d/qemu/m=
onitor.c:4731
  #13 0xb74b191e in qemu_chr_be_write (len=3D<optimized out>, =

      buf=3D0xbfec486c "}\243\353S\351\364b\267/\327=E2=B5=80\025}\267 \367=
b\267\315\372\223\271\065\023j\267\002", s=3D0xb9935800) at qemu-char.c:165
  #14 fd_chr_read (chan=3D0xb9935870, cond=3D(G_IO_IN | G_IO_HUP), opaque=
=3D0xb9935800)
      at qemu-char.c:841
  #15 0xb71f6876 in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
  #16 0xb71b0286 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so=
.0
  #17 0xb747a13e in glib_pollfds_poll () at main-loop.c:189
  #18 os_host_main_loop_wait (timeout=3D<optimized out>) at main-loop.c:234
  #19 main_loop_wait (nonblocking=3D1) at main-loop.c:484
  #20 0xb7309f11 in main_loop () at vl.c:2090
  #21 main (argc=3D8, argv=3D0xbfec5c14, envp=3D0xbfec5c38) at vl.c:4435

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1219207/+subscriptions