From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1O5PgQ-0005fy-Ia
	for qemu-devel@nongnu.org; Fri, 23 Apr 2010 16:41:06 -0400
Received: from [140.186.70.92] (port=34061 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1O5PgO-0005en-2C
	for qemu-devel@nongnu.org; Fri, 23 Apr 2010 16:41:06 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69)
	(envelope-from <amluto@gmail.com>) id 1O5PgM-0001qm-Gh
	for qemu-devel@nongnu.org; Fri, 23 Apr 2010 16:41:03 -0400
Received: from mail-pw0-f45.google.com ([209.85.160.45]:59725)
	by eggs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <amluto@gmail.com>) id 1O5PgM-0001qO-C3
	for qemu-devel@nongnu.org; Fri, 23 Apr 2010 16:41:02 -0400
Received: by pwi6 with SMTP id 6so6631359pwi.4
	for <qemu-devel@nongnu.org>; Fri, 23 Apr 2010 13:41:00 -0700 (PDT)
MIME-Version: 1.0
Sender: amluto@gmail.com
From: Andrew Lutomirski <luto@mit.edu>
Date: Fri, 23 Apr 2010 16:40:40 -0400
Message-ID: <z2zcb0375e11004231340h44aef2c2zf99fc8f3a1994c1d@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [Qemu-devel] VNC crash (double-free, maybe)
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

Hi all-

Running Windows 7 in KVM with -vga std, I often get VNC-related
crashes.  This is easiest to trigger by changing the screen
resolution, but I sometimes get it disconnecting VNC as well.

(This is qemu-kvm.  I can't get plain old qemu to work.)

This occurs in all the Fedora builds I've tried as well as in Avi's
qemu-kvm git from today.

Here's a crash from git:

Here's the crash from upstream qemu-kvm:

*** glibc detected ***
/home/luto/apps/qemu-kvm/x86_64-softmmu/qemu-system-x86_64: double
free or corruption (!pre
v): 0x00000000019d8570 ***


backtrace:

#3  0x00007ffff722fa56 in malloc_printerr () from /lib64/libc.so.6
#4  0x00000000004a3c7d in vnc_dpy_resize (ds=0x1939ed0) at vnc.c:525
#5  0x0000000000582437 in dpy_resize (opaque=0x1929318) at
/home/luto/apps/qemu-kvm/console.h:224
#6  vga_draw_graphic (opaque=0x1929318) at
/home/luto/apps/qemu-kvm/hw/vga.c:1725
#7  vga_update_display (opaque=0x1929318) at
/home/luto/apps/qemu-kvm/hw/vga.c:1937
#8  0x00000000004a5ed4 in vnc_refresh (opaque=0x197a410) at vnc.c:2362
#9  0x00000000004a882e in qemu_run_timers (clock=<value optimized
out>) at qemu-timer.c:579
#10 0x00000000004a88a8 in qemu_run_all_timers () at qemu-timer.c:711
#11 0x0000000000418739 in main_loop_wait (nonblocking=<value optimized out>)
    at /home/luto/apps/qemu-kvm/vl.c:2027
#12 0x000000000042a757 in kvm_main_loop () at
/home/luto/apps/qemu-kvm/qemu-kvm.c:2033
#13 0x000000000041c659 in main_loop (argc=<value optimized out>,
argv=<value optimized out>,
    envp=<value optimized out>) at /home/luto/apps/qemu-kvm/vl.c:2055
#14 main (argc=<value optimized out>, argv=<value optimized out>,
envp=<value optimized out>)
    at /home/luto/apps/qemu-kvm/vl.c:4010

The crash was at qemu_free(vd->server->data) in vnc_dpy_resize.

I can't get a valgrind trace because valgrind crashes when I log into
my Windows account, which is too early for me to trigger the VNC
crash.

This is also in Red Hat bugzilla at:
https://bugzilla.redhat.com/show_bug.cgi?id=583850

I'm not subscribed, so please email me directly, and I'll be happy to
test patches or try debugging things.