From: Stefan Hajnoczi <stefanha@gmail.com>
To: Brian Candler <b.candler@pobox.com>
Cc: qemu-devel@nongnu.org,
	Samuel Thibault <samuel.thibault@ens-lyon.org>,
	Jan Kiszka <jan.kiszka@siemens.com>
Subject: Re: [Qemu-devel] Crashing in tcp_close
Date: Fri, 4 Nov 2016 11:14:19 +0000
Message-ID: <20161104111419.GG9817@stefanha-x1.localdomain>
In-Reply-To: <95e79bc8-4547-b3b1-65b7-f641eb0c92f7@pobox.com>


On Thu, Oct 20, 2016 at 10:53:50PM +0100, Brian Candler wrote:

CCing slirp maintainers to get attention on this bug

> I have some reproducible-ish segfaults in qemu 2.7.0 (built from source)
> running under ubuntu 16.04, on a quad-core i7 Mac Mini Server.
> 
> I can reproduce these problems on a different Mac Mini, and I also replaced
> the RAM on mine, so I'm sure it's not hardware related.
> 
> It's somewhat painful to reproduce (taking about 30 minutes each attempt,
> and using a lot of network bandwidth).
> 
> This is using packer (packer.io) to create a VM and then using ansible to do
> a whole load of package installation and provisioning inside that VM.
> packer starts qemu with a user-mode network interface.
> 
> If I part-build the VM, I can continue the build by restarting it under gdb
> and qemu directly at the command line, and get a backtrace. Here's the first
> one:
> 
> Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> 0x00007ffff6a1bb5b in _int_free (av=0x7ffff6d5fb20 <main_arena>,
> p=<optimised out>, have_lock=0) at malloc.c:4006
> 4006    malloc.c: No such file or directory.
> (gdb) bt
> #0  0x00007ffff6a1bb5b in _int_free (av=0x7ffff6d5fb20 <main_arena>,
> p=<optimised out>, have_lock=0)
>     at malloc.c:4006
> #1  0x00007ffff6a1fabc in __GI___libc_free (mem=<optimised out>) at
> malloc.c:2969
> #2  0x00005555559a6c0f in tcp_close (tp=tp@entry=0x555556621ed0) at
> slirp/tcp_subr.c:334
> #3  0x00005555559a6c8f in tcp_drop (tp=tp@entry=0x555556621ed0,
> err=<optimised out>) at slirp/tcp_subr.c:298
> #4  0x00005555559a816b in tcp_timers (timer=<optimised out>,
> tp=0x555556621ed0) at slirp/tcp_timer.c:179
> #5  tcp_slowtimo (slirp=slirp@entry=0x55555658ecf0) at slirp/tcp_timer.c:89
> #6  0x00005555559a0be8 in slirp_pollfds_poll (pollfds=0x555556531f20,
> select_error=select_error@entry=0)
>     at slirp/slirp.c:576
> #7  0x00005555559d4b0c in main_loop_wait (nonblocking=<optimised out>) at
> main-loop.c:508
> #8  0x000055555573fea1 in main_loop () at vl.c:1908
> #9  main (argc=<optimised out>, argv=<optimised out>, envp=<optimised out>)
> at vl.c:4604
> (gdb)
> 
> So:
> 
> * Is this of interest?

Yes.  Thank you for reporting it.

> * If so, what additional gdb output would you like me to provide?

I wonder if this connection has already been closed/freed before and the
timer fires shortly afterward.  That's just a guess based on the
backtrace.

> * If developers want to reproduce this, let me know and I can probably send
> the VM qcow2 file and/or packer source privately off-list [I need to check
> permission for that]
> 
> Thanks,
> 
> Brian Candler.
> 
> 
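
To make the hypothesis above concrete, here is an added C model of the chain in the backtrace (tcp_slowtimo -> tcp_timers -> tcp_drop -> tcp_close -> free). It is not slirp code and not from anyone on this thread; the names `conn`, `conn_open`, `conn_close`, `slowtimo_tick` and `conn_count` are hypothetical. It shows the invariant whose violation would produce a free() fault inside the slow timer: a control block must be unlinked from the list the timer walks before it is freed, and the timer loop must not read a node it has just dropped.

```c
#include <stdlib.h>
/* Hypothetical model (not slirp code) of the chain in the backtrace:
 * tcp_slowtimo -> tcp_timers -> tcp_drop -> tcp_close -> free.
 * If a control block is freed but stays reachable from the list the
 * slow timer walks, the next tick touches freed memory and frees it
 * again, which is how free() ends up faulting inside _int_free. */
struct conn {
    struct conn *next;
    int timer;   /* ticks until timeout; 0 means no timer armed */
    int id;
};

static struct conn *conn_list;  /* every live connection the timer scans */
static int free_count;          /* instrumentation only */

struct conn *conn_open(int id, int timeout) {
    struct conn *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->id = id;
    c->timer = timeout;
    c->next = conn_list;    /* push onto the timer-scanned list */
    conn_list = c;
    return c;
}

/* Close path: unlink from the list BEFORE freeing, so a tick that
 * arrives after the close finds no stale pointer to the block. */
void conn_close(struct conn *tp) {
    for (struct conn **pp = &conn_list; *pp; pp = &(*pp)->next) {
        if (*pp == tp) { *pp = tp->next; break; }
    }
    free(tp);
    free_count++;
}

/* Slow timer tick: age every connection and drop the expired ones.
 * 'next' is saved first so dropping tp never reads freed memory. */
int slowtimo_tick(void) {
    int dropped = 0;
    for (struct conn *tp = conn_list, *next; tp; tp = next) {
        next = tp->next;
        if (tp->timer && --tp->timer == 0) {
            conn_close(tp);   /* tcp_drop -> tcp_close in the report */
            dropped++;
        }
    }
    return dropped;
}

int conn_count(void) {
    int n = 0;
    for (struct conn *tp = conn_list; tp; tp = tp->next) n++;
    return n;
}
```

Running it under AddressSanitizer (-fsanitize=address) is the quickest way to turn a suspected "freed, then touched by the timer" sequence into a report that names both the free site and the later access.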

