Hi, These days I'm working on USB controller hot-plug/hot-unplug (with the multifunction capability not enabled). Everything works well, but when I test hot-plug/hot-unplug repeatedly, QEMU aborts:
qemu-system-x86_64: qobject/qdict.c:432: qentry_destroy: Assertion `e->value != ((void *)0)' failed. the backtrace is: Program received signal SIGABRT, Aborted. 0x00007ffd95ec2b55 in raise () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffd95ec2b55 in raise () from /lib64/libc.so.6 #1 0x00007ffd95ec4131 in abort () from /lib64/libc.so.6 #2 0x00007ffd95ebba10 in __assert_fail () from /lib64/libc.so.6 #3 0x00007ffd98efcc66 in qentry_destroy (e=0x7ffd9996ebe8) at qobject/qdict.c:432 #4 0x00007ffd98efce0d in qdict_destroy_obj (obj=0x7ffd998e0090) at qobject/qdict.c:472 #5 0x00007ffd98e64446 in qobject_decref (obj=0x7ffd998e0090) at /mnt/sdb/gonglei/code/qemu/include/qapi/qmp/qobject.h:100 #6 0x00007ffd98e6ccae in handle_user_command (mon=0x7ffd9982e160, cmdline=0x7ffd998447e0 "device_add usb-ehci,id=ehci") at /mnt/sdb/gonglei/code/qemu/monitor.c:4163 #7 0x00007ffd98e6ee1a in monitor_command_cb (opaque=0x7ffd9982e160, cmdline=0x7ffd998447e0 "device_add usb-ehci,id=ehci", readline_opaque=0x0) at /mnt/sdb/gonglei/code/qemu/monitor.c:5021 #8 0x00007ffd98f1ccbc in readline_handle_byte (rs=0x7ffd998447e0, ch=13) at util/readline.c:376 #9 0x00007ffd98e6ed62 in monitor_read (opaque=0x7ffd9982e160, buf=0x7fff034c8600 "\r\207L\003\377\177", size=1) at /mnt/sdb/gonglei/code/qemu/monitor.c:5004 #10 0x00007ffd98d653cd in qemu_chr_be_write (s=0x7ffd998306a0, buf=0x7fff034c8600 "\r\207L\003\377\177", len=1) at qemu-char.c:165 #11 0x00007ffd98d6705f in fd_chr_read (chan=0x7ffd9982c950, cond=G_IO_IN, opaque=0x7ffd998306a0) at qemu-char.c:848 #12 0x00007ffd979ac69a in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0 #13 0x00007ffd98d30431 in glib_pollfds_poll () at main-loop.c:190 #14 0x00007ffd98d30529 in os_host_main_loop_wait (timeout=981534) at main-loop.c:235 #15 0x00007ffd98d3061b in main_loop_wait (nonblocking=0) at main-loop.c:484 #16 0x00007ffd98dc8191 in main_loop () at vl.c:2075 #17 0x00007ffd98dcf732 in main (argc=18, argv=0x7fff034c9bf8, envp=0x7fff034c9c90) at 
vl.c:4556 Debug reiteratively, I find the conflict of memory. Qemu command line: ./qemu-system-x86_64 -enable-kvm -m 4096 -smp 4 -name win7 -boot c -drive file=/mnt/sdb/gonglei/image/win7_32_2U -vnc 0.0.0.0:10 -monitor stdio QEMU 2.0.50 monitor - type 'help' for more information (qemu) device_add usb-ehci,id=ehci gdb steps as below: Breakpoint 4, handle_user_command (mon=0x7fb8d242f160, cmdline=0x7fb8d24457e0 "device_add usb-ehci,id=ehci") at /mnt/sdb/gonglei/code/qemu/monitor.c:4142 4142 cmd = monitor_parse_command(mon, cmdline, 0, mon->cmd_table, qdict); (gdb) p &qdict->table[262] // Gonglei: according to the tested result before, the qdict->table[262]'s memory will conflict $4 = (struct {...} *) 0x7fb8d2535848 (gdb) watch *(long *)0x7fb8d2535848 Hardware watchpoint 9: *(long *)0x7fb8d2535848 (gdb) c Continuing. [Thread 0x7fb8cc645700 (LWP 11554) exited] Hardware watchpoint 9: *(long *)0x7fb8d2535848 Old value = 0 New value = 140431779094136 0x00007fb8d18ee15a in usb_bus_new (bus=0x7fb8d24ede78, bus_size=192, ops=0x7fb8d1f365d0 <ehci_bus_ops>, host=0x7fb8d24ed6e0) at hw/usb/bus.c:87 87 QTAILQ_INSERT_TAIL(&busses, bus, next); (gdb) bt #0 0x00007fb8d18ee15a in usb_bus_new (bus=0x7fb8d24ede78, bus_size=192, ops=0x7fb8d1f365d0 <ehci_bus_ops>, host=0x7fb8d24ed6e0) at hw/usb/bus.c:87 #1 0x00007fb8d191043b in usb_ehci_realize (s=0x7fb8d24ede78, dev=0x7fb8d24ed6e0, errp=0x0) at hw/usb/hcd-ehci.c:2536 #2 0x00007fb8d1908a51 in usb_ehci_pci_initfn (dev=0x7fb8d24ed6e0) at hw/usb/hcd-ehci-pci.c:66 #3 0x00007fb8d18bec1b in pci_qdev_init (qdev=0x7fb8d24ed6e0) at hw/pci/pci.c:1769 #4 0x00007fb8d1841dd1 in device_realize (dev=0x7fb8d24ed6e0, errp=0x7ffffa7f6af8) at hw/core/qdev.c:182 #5 0x00007fb8d1843871 in device_set_realized (obj=0x7fb8d24ed6e0, value=true, errp=0x7ffffa7f6c98) at hw/core/qdev.c:757 #6 0x00007fb8d1988cac in property_set_bool (obj=0x7fb8d24ed6e0, v=0x7fb8d25c05b0, opaque=0x7fb8d2568b90, name= 0x7fb8d1b58b11 "realized", errp=0x7ffffa7f6c98) at qom/object.c:1428 
#7 0x00007fb8d19874c1 in object_property_set (obj=0x7fb8d24ed6e0, v=0x7fb8d25c05b0, name=0x7fb8d1b58b11 "realized", errp= 0x7ffffa7f6c98) at qom/object.c:826 #8 0x00007fb8d19893e9 in object_property_set_qobject (obj=0x7fb8d24ed6e0, value=0x7fb8d257b630, name=0x7fb8d1b58b11 "realized", errp=0x7ffffa7f6c98) at qom/qom-qobject.c:24 #9 0x00007fb8d1987869 in object_property_set_bool (obj=0x7fb8d24ed6e0, value=true, name=0x7fb8d1b58b11 "realized", errp= 0x7ffffa7f6c98) at qom/object.c:890 #10 0x00007fb8d196587a in qdev_device_add (opts=0x7fb8d2548030) at qdev-monitor.c:560 #11 0x00007fb8d1965e8e in do_device_add (mon=0x7fb8d242f160, qdict=0x7fb8d2535000, ret_data=0x7ffffa7f6d78) at qdev-monitor.c:677 #12 0x00007fb8d1a6dc47 in handle_user_command (mon=0x7fb8d242f160, cmdline=0x7fb8d24457e0 "device_add usb-ehci,id=ehci") at /mnt/sdb/gonglei/code/qemu/monitor.c:4153 #13 0x00007fb8d1a6fe60 in monitor_command_cb (opaque=0x7fb8d242f160, cmdline=0x7fb8d24457e0 "device_add usb-ehci,id=ehci", readline_opaque=0x0) at /mnt/sdb/gonglei/code/qemu/monitor.c:5027 #14 0x00007fb8d1b1ddec in readline_handle_byte (rs=0x7fb8d24457e0, ch=13) at util/readline.c:376 #15 0x00007fb8d1a6fda8 in monitor_read (opaque=0x7fb8d242f160, buf=0x7ffffa7f6f00 "\rp\177\372\377\177", size=1) at /mnt/sdb/gonglei/code/qemu/monitor.c:5010 #16 0x00007fb8d19663cd in qemu_chr_be_write (s=0x7fb8d24316a0, buf=0x7ffffa7f6f00 "\rp\177\372\377\177", len=1) at qemu-char.c:165 #17 0x00007fb8d196805f in fd_chr_read (chan=0x7fb8d242d950, cond=G_IO_IN, opaque=0x7fb8d24316a0) at qemu-char.c:848 #18 0x00007fb8d05ad69a in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0 #19 0x00007fb8d1931431 in glib_pollfds_poll () at main-loop.c:190 #20 0x00007fb8d1931529 in os_host_main_loop_wait (timeout=976765) at main-loop.c:235 #21 0x00007fb8d193161b in main_loop_wait (nonblocking=0) at main-loop.c:484 #22 0x00007fb8d19c9191 in main_loop () at vl.c:2075 #23 0x00007fb8d19d0732 in main (argc=18, argv=0x7ffffa7f84f8, 
envp=0x7ffffa7f8590) at vl.c:4556 (gdb) p busses $5 = {tqh_first = 0x7fb8d24d0cb0, tqh_last = 0x7fb8d2535848} (gdb) p busses->tqh_last $6 = (struct USBBus **) 0x7fb8d2535848 (gdb) p *busses->tqh_last $7 = (struct USBBus *) 0x7fb8d24ede78 (gdb) p **busses->tqh_last $8 = {qbus = {obj = {class = 0x7fb8d2424690, free = 0x0, properties = {tqh_first = 0x7fb8d24f0320, tqh_last = 0x7fb8d2547fa0}, ref = 1, parent = 0x7fb8d24ed6e0}, parent = 0x7fb8d24ed6e0, name = 0x7fb8d24bb3e0 "ehci.0", allow_hotplug = 1, hotplug_handler = 0x0, max_index = 0, realized = false, children = {tqh_first = 0x0, tqh_last = 0x7fb8d24eded0}, sibling = { le_next = 0x0, le_prev = 0x7fb8d24ed758}}, ops = 0x7fb8d1f365d0 <ehci_bus_ops>, busnr = 5, nfree = 0, nused = 0, free = { tqh_first = 0x0, tqh_last = 0x7fb8d24edf08}, used = {tqh_first = 0x0, tqh_last = 0x7fb8d24edf18}, next = {tqe_next = 0x0, tqe_prev = 0x7fb8d2535848}} (gdb) c Continuing. Program received signal SIGABRT, Aborted. 0x00007fb8ceac3b55 in raise () from /lib64/libc.so.6 (gdb) bt #0 0x00007fb8ceac3b55 in raise () from /lib64/libc.so.6 #1 0x00007fb8ceac5131 in abort () from /lib64/libc.so.6 #2 0x00007fb8ceabca10 in __assert_fail () from /lib64/libc.so.6 #3 0x00007fb8d1afdd1e in qentry_destroy (e=0x7fb8d24ede78) at qobject/qdict.c:435 #4 0x00007fb8d1afdf3a in qdict_destroy_obj (obj=0x7fb8d2535000) at qobject/qdict.c:484 #5 0x00007fb8d1a65446 in qobject_decref (obj=0x7fb8d2535000) at /mnt/sdb/gonglei/code/qemu/include/qapi/qmp/qobject.h:100 #6 0x00007fb8d1a6dcf4 in handle_user_command (mon=0x7fb8d242f160, cmdline=0x7fb8d24457e0 "device_add usb-ehci,id=ehci") at /mnt/sdb/gonglei/code/qemu/monitor.c:4169 #7 0x00007fb8d1a6fe60 in monitor_command_cb (opaque=0x7fb8d242f160, cmdline=0x7fb8d24457e0 "device_add usb-ehci,id=ehci", readline_opaque=0x0) at /mnt/sdb/gonglei/code/qemu/monitor.c:5027 #8 0x00007fb8d1b1ddec in readline_handle_byte (rs=0x7fb8d24457e0, ch=13) at util/readline.c:376 #9 0x00007fb8d1a6fda8 in monitor_read 
(opaque=0x7fb8d242f160, buf=0x7ffffa7f6f00 "\rp\177\372\377\177", size=1) at /mnt/sdb/gonglei/code/qemu/monitor.c:5010 #10 0x00007fb8d19663cd in qemu_chr_be_write (s=0x7fb8d24316a0, buf=0x7ffffa7f6f00 "\rp\177\372\377\177", len=1) at qemu-char.c:165 #11 0x00007fb8d196805f in fd_chr_read (chan=0x7fb8d242d950, cond=G_IO_IN, opaque=0x7fb8d24316a0) at qemu-char.c:848 #12 0x00007fb8d05ad69a in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0 #13 0x00007fb8d1931431 in glib_pollfds_poll () at main-loop.c:190 #14 0x00007fb8d1931529 in os_host_main_loop_wait (timeout=976765) at main-loop.c:235 #15 0x00007fb8d193161b in main_loop_wait (nonblocking=0) at main-loop.c:484 #16 0x00007fb8d19c9191 in main_loop () at vl.c:2075 #17 0x00007fb8d19d0732 in main (argc=18, argv=0x7ffffa7f84f8, envp=0x7ffffa7f8590) at vl.c:4556 (gdb) f 4 #4 0x00007fb8d1afdf3a in qdict_destroy_obj (obj=0x7fb8d2535000) at qobject/qdict.c:484 484 qentry_destroy(entry); (gdb) p *qdict $11 = {base = {type = 0x7fb8d1eecd20 <qdict_type>, refcnt = 0}, size = 2, table = {{lh_first = 0x0} <repeats 262 times>, { lh_first = 0x7fb8d24ede78}, {lh_first = 0x0} <repeats 223 times>, {lh_first = 0x7fb8d24e8440}, {lh_first = 0x0} <repeats 25 times>}} (gdb) p *entry $12 = {key = 0x7fb8d2424690 " \006@ò?\177", value = 0x0, next = {le_next = 0x7fb8d24f0320, le_prev = 0x7fb8d2547fa0}} (gdb) So the write that corrupts the qdict is the `QTAILQ_INSERT_TAIL(&busses, bus, next)` in usb_bus_new: it stores the new bus pointer through `busses.tqh_last`, and `busses.tqh_last` (0x7fb8d2535848) already points at `&qdict->table[262]`, inside the qdict that was allocated for this very monitor command. `tqh_last` is supposed to point at the `next.tqe_next` field of the last USBBus on the global list, so the fact that it points into a freshly allocated qdict suggests (I have not confirmed this yet) that the bus from the previous hot-plug is still linked into `busses` after its memory was freed on hot-unplug, and the allocator then handed that memory to the qdict — a dangling tail pointer and a write through freed memory, not a problem in the qdict code itself. The `p *entry` output is consistent with this: the "entry" (0x7fb8d24ede78) is really the new USBBus object — its `key` (0x7fb8d2424690) is the bus's `qbus.obj.class` pointer and its `next` link matches the bus's `properties` list — so `qdict_destroy_obj` walks into the bus object and trips the `e->value != NULL` assertion. I don't know why the new qdict address ends up overlapping the global USB `busses.tqh_last` in the first place, and whether the USB bus should be unlinked from the global `busses` list when it is unrealized/freed. Any ideas? Thanks! Best regards, -Gonglei