Public bug reported: My host environment: Xen + QEMU
git clones today's xen git and qemu git (2017-10-31) xen -- git://xenbits.xen.org/xen.git commit 24fb44e971a62b345c7b6ca3c03b454a1e150abe qemu -- https://github.com/qemu/qemu commit 47ba789c97c8d201d01058b00a14d8a9a85fcfe9 QEMU was compiled using: ./configure --prefix=/mnt/bin/ --enable-xen --target-list=i386-softmmu --extra-cflags="-I/mnt/xen/tools/include -I/mnt/xen/tools/libxc -I/mnt/xen/tools/xenstore" --extra-ldflags="-L/mnt/xen/tools/libxc -L/mnt/xen/tools/xenstore" --enable-debug --enable-debug-stack-usage Xen was configured with the above QEMU distribution: ./configure --with-system-qemu=/mnt/bin/bin/qemu-system-i386 QEMU command line: /mnt/bin/bin/qemu-system-i386 -xen-domid 28 -chardev socket,id=libxl-cmd,path=/var/run/xen/qmp-libxl-28,server,nowait -no-shutdown -mon chardev=libxl-cmd,mode=control -chardev socket,id=libxenstat-cmd,path=/var/run/xen/qmp-libxenstat-28,server,nowait -mon chardev=libxenstat-cmd,mode=control -nodefaults -no-user-config -name ubu_hvm -vnc 0.0.0.0:1,to=99 -display none -serial pty -device cirrus-vga,vgamem_mb=8 -boot order=c -smp 2,maxcpus=2 -device rtl8139,id=nic0,netdev=net0,mac=00:16:3e:74:34:32 -netdev type=tap,id=net0,ifname=vif28.0-emu,script=no,downscript=no -device rtl8139,id=nic1,netdev=net1,mac=00:16:3e:5f:48:e4 -netdev type=tap,id=net1,ifname=vif28.1-emu,script=no,downscript=no -machine xenfv -m 1504 -drive file=/mnt/10G.hdd,if=ide,index=0,media=disk,format=raw,cache=writeback To reproduce: I run a fuzzer program in the guest VM; it may set incorrect values for graphics registers, sequencer registers and other registers. The following error then appears in /var/log/xen/qemu-dm-<vm-name>.log: qemu-system-i386: hw/display/cirrus_vga.c:712: cirrus_invalidate_region: Assertion `off_cur_end >= off_cur' failed. As the backtrace below shows (frames #9 to #18), the assertion is reached from a guest I/O port write to the Cirrus VGA graphics registers, so the guest can abort its own device-model process this way. I can reproduce it at any time; if you need to gather more diagnostic information or try test patches, I'm happy to help. 
gdb bt: #0 0x00007f81a64f8c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007f81a64fc028 in __GI_abort () at abort.c:89 #2 0x00007f81a64f1bf6 in __assert_fail_base (fmt=0x7f81a6646018 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55d70cf8cdf2 "off_cur_end >= off_cur", file=file@entry=0x55d70cf8cda9 "hw/display/cirrus_vga.c", line=line@entry=712, function=function@entry=0x55d70cf8db60 <__PRETTY_FUNCTION__.40643> "cirrus_invalidate_region") at assert.c:92 #3 0x00007f81a64f1ca2 in __GI___assert_fail (assertion=0x55d70cf8cdf2 "off_cur_end >= off_cur", file=0x55d70cf8cda9 "hw/display/cirrus_vga.c", line=712, function=0x55d70cf8db60 <__PRETTY_FUNCTION__.40643> "cirrus_invalidate_region") at assert.c:101 #4 0x000055d70cb66445 in cirrus_invalidate_region (s=0x55d70ee3a4b0, off_begin=4190568, off_pitch=1842, bytesperline=5056, lines=2922) at hw/display/cirrus_vga.c:712 #5 0x000055d70cb6660c in cirrus_bitblt_common_patterncopy (s=0x55d70ee3a4b0) at hw/display/cirrus_vga.c:752 #6 0x000055d70cb6676d in cirrus_bitblt_videotovideo_patterncopy (s=0x55d70ee3a4b0) at hw/display/cirrus_vga.c:786 #7 0x000055d70cb670c5 in cirrus_bitblt_videotovideo (s=0x55d70ee3a4b0) at hw/display/cirrus_vga.c:986 #8 0x000055d70cb678bf in cirrus_bitblt_start (s=0x55d70ee3a4b0) at hw/display/cirrus_vga.c:1136 #9 0x000055d70cb6880b in cirrus_vga_write_gr (s=0x55d70ee3a4b0, reg_index=42, reg_value=228) at hw/display/cirrus_vga.c:1652 #10 0x000055d70cb6ab86 in cirrus_vga_ioport_write (opaque=0x55d70ee3a4b0, addr=975, val=228, size=1) at hw/display/cirrus_vga.c:2754 #11 0x000055d70c91d9c0 in memory_region_write_accessor (mr=0x55d70ee4af70, addr=31, value=0x7fffdaaeaf38, size=1, shift=8, mask=255, attrs=...) 
at /mnt/qemu/memory.c:560 #12 0x000055d70c91dc3a in access_with_adjusted_size (addr=30, value=0x7fffdaaeaf38, size=2, access_size_min=1, access_size_max=1, access_fn=0x55d70c91d8c9 <memory_region_write_accessor>, mr=0x55d70ee4af70, attrs=...) at /mnt/qemu/memory.c:627 #13 0x000055d70c920f48 in memory_region_dispatch_write (mr=0x55d70ee4af70, addr=30, data=58410, size=2, attrs=...) at /mnt/qemu/memory.c:1503 #14 0x000055d70c8c51e0 in flatview_write_continue (fv=0x55d70ecb66d0, addr=974, attrs=..., buf=0x7fffdaaeb0f0 "*\344W\026\377\177", len=4, addr1=30, l=2, mr=0x55d70ee4af70) at /mnt/qemu/exec.c:2951 #15 0x000055d70c8c5390 in flatview_write (fv=0x55d70ecb66d0, addr=974, attrs=..., buf=0x7fffdaaeb0f0 "*\344W\026\377\177", len=4) at /mnt/qemu/exec.c:3002 #16 0x000055d70c8c5406 in address_space_write (as=0x55d70d70d5e0 <address_space_io>, addr=974, attrs=..., buf=0x7fffdaaeb0f0 "*\344W\026\377\177", len=4) at /mnt/qemu/exec.c:3014 #17 0x000055d70c914fb3 in cpu_outl (addr=974, val=374858794) at /mnt/qemu/ioport.c:81 #18 0x000055d70ca0253f in do_outp (addr=974, size=4, val=374858794) at /mnt/qemu/hw/i386/xen/xen-hvm.c:782 #19 0x000055d70ca02888 in cpu_ioreq_pio (req=0x7fffdaaeb210) at /mnt/qemu/hw/i386/xen/xen-hvm.c:852 #20 0x000055d70ca02f2e in handle_ioreq (state=0x55d70e0cf3d0, req=0x7fffdaaeb210) at /mnt/qemu/hw/i386/xen/xen-hvm.c:961 #21 0x000055d70ca0343e in cpu_handle_ioreq (opaque=0x55d70e0cf3d0) at /mnt/qemu/hw/i386/xen/xen-hvm.c:1089 #22 0x000055d70ce75d69 in aio_dispatch_handlers (ctx=0x55d70e098550) at util/aio-posix.c:406 #23 0x000055d70ce75f0b in aio_dispatch (ctx=0x55d70e098550) at util/aio-posix.c:437 #24 0x000055d70ce70b46 in aio_ctx_dispatch (source=0x55d70e098550, callback=0x0, user_data=0x0) at util/async.c:261 #25 0x00007f81a7215e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #26 0x000055d70ce74455 in glib_pollfds_poll () at util/main-loop.c:214 #27 0x000055d70ce7456a in os_host_main_loop_wait (timeout=16061710) at 
util/main-loop.c:261 #28 0x000055d70ce7463f in main_loop_wait (nonblocking=0) at util/main-loop.c:515 #29 0x000055d70ca8e6a6 in main_loop () at vl.c:1995 #30 0x000055d70ca96815 in main (argc=42, argv=0x7fffdaaeb888, envp=0x7fffdaaeb9e0) at vl.c:4897 ** Affects: qemu Importance: Undecided Status: New ** Tags: cirrus crash -- You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1729501 Title: qemu crashes with assertion error `off_cur_end >= off_cur' failed Status in QEMU: New Bug description: My host environment: Xen + QEMU git clones today's xen git and qemu git (2017-10-31) xen -- git://xenbits.xen.org/xen.git commit 24fb44e971a62b345c7b6ca3c03b454a1e150abe qemu -- https://github.com/qemu/qemu commit 47ba789c97c8d201d01058b00a14d8a9a85fcfe9 QEMU was compiled using: ./configure --prefix=/mnt/bin/ --enable-xen --target-list=i386-softmmu --extra-cflags="-I/mnt/xen/tools/include -I/mnt/xen/tools/libxc -I/mnt/xen/tools/xenstore" --extra-ldflags="-L/mnt/xen/tools/libxc -L/mnt/xen/tools/xenstore" --enable-debug --enable-debug-stack-usage Xen was configured with the above QEMU distribution: ./configure --with-system-qemu=/mnt/bin/bin/qemu-system-i386 QEMU command line: /mnt/bin/bin/qemu-system-i386 -xen-domid 28 -chardev socket,id=libxl-cmd,path=/var/run/xen/qmp-libxl-28,server,nowait -no-shutdown -mon chardev=libxl-cmd,mode=control -chardev socket,id=libxenstat-cmd,path=/var/run/xen/qmp-libxenstat-28,server,nowait -mon chardev=libxenstat-cmd,mode=control -nodefaults -no-user-config -name ubu_hvm -vnc 0.0.0.0:1,to=99 -display none -serial pty -device cirrus-vga,vgamem_mb=8 -boot order=c -smp 2,maxcpus=2 -device rtl8139,id=nic0,netdev=net0,mac=00:16:3e:74:34:32 -netdev type=tap,id=net0,ifname=vif28.0-emu,script=no,downscript=no -device rtl8139,id=nic1,netdev=net1,mac=00:16:3e:5f:48:e4 -netdev type=tap,id=net1,ifname=vif28.1-emu,script=no,downscript=no -machine xenfv -m 1504 -drive 
file=/mnt/10G.hdd,if=ide,index=0,media=disk,format=raw,cache=writeback To reproduce: I run a fuzzer program in the guest VM; it may set incorrect values for graphics registers, sequencer registers and other registers. The following error then appears in /var/log/xen/qemu-dm-<vm-name>.log: qemu-system-i386: hw/display/cirrus_vga.c:712: cirrus_invalidate_region: Assertion `off_cur_end >= off_cur' failed. I can reproduce it at any time; if you need to gather more diagnostic information or try test patches, I'm happy to help. gdb bt: #0 0x00007f81a64f8c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007f81a64fc028 in __GI_abort () at abort.c:89 #2 0x00007f81a64f1bf6 in __assert_fail_base (fmt=0x7f81a6646018 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55d70cf8cdf2 "off_cur_end >= off_cur", file=file@entry=0x55d70cf8cda9 "hw/display/cirrus_vga.c", line=line@entry=712, function=function@entry=0x55d70cf8db60 <__PRETTY_FUNCTION__.40643> "cirrus_invalidate_region") at assert.c:92 #3 0x00007f81a64f1ca2 in __GI___assert_fail (assertion=0x55d70cf8cdf2 "off_cur_end >= off_cur", file=0x55d70cf8cda9 "hw/display/cirrus_vga.c", line=712, function=0x55d70cf8db60 <__PRETTY_FUNCTION__.40643> "cirrus_invalidate_region") at assert.c:101 #4 0x000055d70cb66445 in cirrus_invalidate_region (s=0x55d70ee3a4b0, off_begin=4190568, off_pitch=1842, bytesperline=5056, lines=2922) at hw/display/cirrus_vga.c:712 #5 0x000055d70cb6660c in cirrus_bitblt_common_patterncopy (s=0x55d70ee3a4b0) at hw/display/cirrus_vga.c:752 #6 0x000055d70cb6676d in cirrus_bitblt_videotovideo_patterncopy (s=0x55d70ee3a4b0) at hw/display/cirrus_vga.c:786 #7 0x000055d70cb670c5 in cirrus_bitblt_videotovideo (s=0x55d70ee3a4b0) at hw/display/cirrus_vga.c:986 #8 0x000055d70cb678bf in cirrus_bitblt_start (s=0x55d70ee3a4b0) at hw/display/cirrus_vga.c:1136 #9 0x000055d70cb6880b in cirrus_vga_write_gr (s=0x55d70ee3a4b0, reg_index=42, reg_value=228) at hw/display/cirrus_vga.c:1652 
#10 0x000055d70cb6ab86 in cirrus_vga_ioport_write (opaque=0x55d70ee3a4b0, addr=975, val=228, size=1) at hw/display/cirrus_vga.c:2754 #11 0x000055d70c91d9c0 in memory_region_write_accessor (mr=0x55d70ee4af70, addr=31, value=0x7fffdaaeaf38, size=1, shift=8, mask=255, attrs=...) at /mnt/qemu/memory.c:560 #12 0x000055d70c91dc3a in access_with_adjusted_size (addr=30, value=0x7fffdaaeaf38, size=2, access_size_min=1, access_size_max=1, access_fn=0x55d70c91d8c9 <memory_region_write_accessor>, mr=0x55d70ee4af70, attrs=...) at /mnt/qemu/memory.c:627 #13 0x000055d70c920f48 in memory_region_dispatch_write (mr=0x55d70ee4af70, addr=30, data=58410, size=2, attrs=...) at /mnt/qemu/memory.c:1503 #14 0x000055d70c8c51e0 in flatview_write_continue (fv=0x55d70ecb66d0, addr=974, attrs=..., buf=0x7fffdaaeb0f0 "*\344W\026\377\177", len=4, addr1=30, l=2, mr=0x55d70ee4af70) at /mnt/qemu/exec.c:2951 #15 0x000055d70c8c5390 in flatview_write (fv=0x55d70ecb66d0, addr=974, attrs=..., buf=0x7fffdaaeb0f0 "*\344W\026\377\177", len=4) at /mnt/qemu/exec.c:3002 #16 0x000055d70c8c5406 in address_space_write (as=0x55d70d70d5e0 <address_space_io>, addr=974, attrs=..., buf=0x7fffdaaeb0f0 "*\344W\026\377\177", len=4) at /mnt/qemu/exec.c:3014 #17 0x000055d70c914fb3 in cpu_outl (addr=974, val=374858794) at /mnt/qemu/ioport.c:81 #18 0x000055d70ca0253f in do_outp (addr=974, size=4, val=374858794) at /mnt/qemu/hw/i386/xen/xen-hvm.c:782 #19 0x000055d70ca02888 in cpu_ioreq_pio (req=0x7fffdaaeb210) at /mnt/qemu/hw/i386/xen/xen-hvm.c:852 #20 0x000055d70ca02f2e in handle_ioreq (state=0x55d70e0cf3d0, req=0x7fffdaaeb210) at /mnt/qemu/hw/i386/xen/xen-hvm.c:961 #21 0x000055d70ca0343e in cpu_handle_ioreq (opaque=0x55d70e0cf3d0) at /mnt/qemu/hw/i386/xen/xen-hvm.c:1089 #22 0x000055d70ce75d69 in aio_dispatch_handlers (ctx=0x55d70e098550) at util/aio-posix.c:406 #23 0x000055d70ce75f0b in aio_dispatch (ctx=0x55d70e098550) at util/aio-posix.c:437 #24 0x000055d70ce70b46 in aio_ctx_dispatch (source=0x55d70e098550, callback=0x0, 
user_data=0x0) at util/async.c:261 #25 0x00007f81a7215e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #26 0x000055d70ce74455 in glib_pollfds_poll () at util/main-loop.c:214 #27 0x000055d70ce7456a in os_host_main_loop_wait (timeout=16061710) at util/main-loop.c:261 #28 0x000055d70ce7463f in main_loop_wait (nonblocking=0) at util/main-loop.c:515 #29 0x000055d70ca8e6a6 in main_loop () at vl.c:1995 #30 0x000055d70ca96815 in main (argc=42, argv=0x7fffdaaeb888, envp=0x7fffdaaeb9e0) at vl.c:4897 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1729501/+subscriptions