On 02/10/2018 03:29 AM, Wang King wrote:
> Empty IDE CD-ROM configured on the VM:
>     <disk type='file' device='cdrom'>
>       <driver name='qemu' type='raw' cache='none' io='threads'/>
>       <target dev='hdb' bus='ide'/>
>       <readonly/>
>       <address type='drive' controller='0' bus='0' target='0' unit='1'/>
>     </disk>
> After migrating this VM, qemu aborted in ide_restart_bh. IDEState
> expects end_transfer_func to equal ide_atapi_cmd, but it refers to
> ide_dummy_transfer_stop.
> I have no idea about this, can anyone help me?
> 

Do you have an easy way to reproduce this? 2.8.1 is a bit old at this
point, but I don't think we've changed anything in the IDE emulator
substantively since then, so I'm curious to see if I can get this to
reproduce.

I'm surprised an empty CD-ROM would cause this, though, since it
shouldn't really have any commands in flight that might lead us to a
weird edge case, so I want to take a close look at this.

Denis Lunev noted some issues with migration that I couldn't solve at
the time either. A reproducer would be fantastic.

> qemu version is 2.8.1
> (gdb) bt
> #0  0x00007fcff7c4b157 in raise () from /usr/lib64/libc.so.6
> #1  0x00007fcff7c4c848 in abort () from /usr/lib64/libc.so.6
> #2  0x00007fcff7c441c6 in __assert_fail_base () from /usr/lib64/libc.so.6
> #3  0x00007fcff7c44272 in __assert_fail () from /usr/lib64/libc.so.6
> #4  0x00000000006207ab in ide_restart_bh (opaque=0x38b3430) at 
> hw/ide/core.c:2570
> #5  0x0000000000763a6f in aio_bh_poll (ctx=ctx@entry=0x234f940) at async.c:115
> #6  0x0000000000770948 in aio_dispatch (ctx=0x234f940) at aio_posix.c:303
> #7  0x00000000007638e1 in aio_ctx_dispatch (source=<optimized out>, 
> callback=<optimized out>, user_data=<optimized out>) at async.c:254
> #8  0x00007fcff8e6799a in g_main_context_dispatch () from 
> /usr/lib64/libglib-2.0.so.0
> #9  0x000000000076e606 in glib_pollfds_poll () at main_loop.c:228
> #10 0x000000000076e6ab in os_host_main_loop_wait (timeout=0) at 
> main_loop.c:273
> #11 0x000000000076e7d5 in main_loop_wait (nonblocking=nonblocking@entry=0) at 
> main_loop.c:521
> #12 0x000000000056b911 in main_loop () at vl.c:2089
> #13 0x0000000000420805 in main (argc=<optimized out>, argv=<optimized out>, 
> envp=<optimized out>) at vl.c:4964
> (gdb) f 4
> #4  0x00000000006207ab in ide_restart_bh (opaque=0x38b3430)
> 2570            assert(s->end_transfer_func == ide_atapi_cmd);
> (gdb) p *bus
> $7 = {qbus = {obj = {class = 0x2313a30, free = 0x0, properties = 0x3871520, 
> ref = 2, parent = 0x38b2b00}, parent = 0x38b2b00, name = 0x3980af0 "ide.0", 
> hotplug_handler = 0x0, max_index = 1, realized = true,
>     children = {tqh_first = 0x349e050, tqh_last = 0x349e060}, sibling = 
> {le_next = 0x0, le_prev = 0x38b3d68}}, master = 0x0, slave = 0x349e3c0, ifs = 
> {{bus = 0x38b3430, unit = 0 '\000', drive_kind = IDE_HD,
>       cylinders = 0, heads = 0, sectors = 0, chs_trans = 0, nb_sectors = 0, 
> mult_sectors = 16, identify_set = 0, identify_data = '\000' <repeats 511 
> times>, drive_serial = 1,
>       drive_serial_str = '\000' <repeats 20 times>, drive_model_str = '\000' 
> <repeats 40 times>, wwn = 0, feature = 0 '\000', error = 1 '\001', nsector = 
> 0, sector = 0 '\000', lcyl = 96 '`',
>       hcyl = 0 '\000', hob_feature = 0 '\000', hob_nsector = 0 '\000', 
> hob_sector = 0 '\000', hob_lcyl = 0 '\000', hob_hcyl = 0 '\000', select = 160 
> '\240', status = 80 'P', lba48 = 0 '\000', blk = 0x0,
>       version = "\000\000\000\000\000\000\000\000", events = {eject_request = 
> false, new_media = false}, sense_key = 0 '\000', asc = 0 '\000', tray_open = 
> false, tray_locked = false,
>       cdrom_changed = 0 '\000', packet_transfer_size = 0, 
> elementary_transfer_size = 0, io_buffer_index = 0, lba = 0, cd_sector_size = 
> 0, atapi_dma = 0, acct = {bytes = 0, start_time_ns = 0,
>         type = BLOCK_ACCT_READ}, pio_aiocb = 0x0, iov = {iov_base = 0x0, 
> iov_len = 0}, qiov = {iov = 0x0, niov = 0, nalloc = 0, size = 0}, 
> buffered_requests = {lh_first = 0x0}, io_buffer_offset = 0,
>       io_buffer_size = 0, sg = {sg = 0x0, nsg = 0, nalloc = 0, size = 0, dev 
> = 0x0, as = 0x0}, req_nb_sectors = 0, end_transfer_func = 0x61b780 
> <ide_dummy_transfer_stop>,
>       data_ptr = 0x7fcffd126800 "\377\377\377\377", data_end = 0x7fcffd126800 
> "\377\377\377\377", io_buffer = 0x7fcffd126800 "\377\377\377\377", 
> io_buffer_total_len = 131076, cur_io_buffer_offset = 0,
>       cur_io_buffer_len = 0, end_transfer_fn_idx = 0 '\000', 
> sector_write_timer = 0x39e5c60, irq_count = 0, ext_error = 0 '\000', 
> mdata_size = 0, mdata_storage = 0x0, media_changed = 0,
>       dma_cmd = IDE_DMA_READ, smart_enabled = 0 '\000', smart_autosave = 0 
> '\000', smart_errors = 0, smart_selftest_count = 0 '\000', 
> smart_selftest_data = 0x39e6000 "", ncq_queues = 0}, {bus = 0x38b3430,
>       unit = 1 '\001', drive_kind = IDE_CD, cylinders = 0, heads = 0, sectors 
> = 0, chs_trans = 0, nb_sectors = 0, mult_sectors = 16, identify_set = 1,
>       identify_data = "\300\205", '\000' <repeats 18 times>, "MQ0000 2", ' ' 
> <repeats 12 times>, "\003\000\000\002\004\000.2+5    EQUMD DVR-MO", ' ' 
> <repeats 28 times>, "\000\000\001\000\000\003\000\000\000\000\000\000\a", 
> '\000' <repeats 17 times>, 
> "\a\000\a\000\003\000\264\000\264\000,\001\264\000\000\000\000\000\036\000\036",
>  '\000' <repeats 15 times>, "\036", '\000' <repeats 15 times>, "?", '\000' 
> <repeats 334 times>, drive_serial = 2, drive_serial_str = "QM00002", '\000' 
> <repeats 13 times>, drive_model_str = "QEMU DVD-ROM", '\000' <repeats 28 
> times>, wwn = 0, feature = 0 '\000', error = 0 '\000', nsector = 3,
>       sector = 0 '\000', lcyl = 18 '\022', hcyl = 0 '\000', hob_feature = 0 
> '\000', hob_nsector = 3 '\003', hob_sector = 0 '\000', hob_lcyl = 0 '\000', 
> hob_hcyl = 0 '\000', select = 176 '\260',
>       status = 80 'P', lba48 = 0 '\000', blk = 0x2498650, version = 
> "2.5+\000\000\000\000", events = {eject_request = false, new_media = false}, 
> sense_key = 2 '\002', asc = 58 ':', tray_open = false,
>       tray_locked = false, cdrom_changed = 0 '\000', packet_transfer_size = 
> 0, elementary_transfer_size = 0, io_buffer_index = 0, lba = 0, cd_sector_size 
> = 0, atapi_dma = 0, acct = {bytes = 0,
>         start_time_ns = 0, type = BLOCK_ACCT_READ}, pio_aiocb = 0x0, iov = 
> {iov_base = 0x0, iov_len = 0}, qiov = {iov = 0x0, niov = 0, nalloc = 0, size 
> = 0}, buffered_requests = {lh_first = 0x0},
>       io_buffer_offset = 0, io_buffer_size = 0, sg = {sg = 0x0, nsg = 0, 
> nalloc = 0, size = 0, dev = 0x0, as = 0x0}, req_nb_sectors = 0, 
> end_transfer_func = 0x61b780 <ide_dummy_transfer_stop>,
>       data_ptr = 0x7fcff03ca800 "\377\377\377\377", data_end = 0x7fcff03ca800 
> "\377\377\377\377", io_buffer = 0x7fcff03ca800 "\377\377\377\377", 
> io_buffer_total_len = 131076, cur_io_buffer_offset = 0,
>       cur_io_buffer_len = 0, end_transfer_fn_idx = 0 '\000', 
> sector_write_timer = 0x39e5ca0, irq_count = 0, ext_error = 0 '\000', 
> mdata_size = 0, mdata_storage = 0x0, media_changed = 0,
>       dma_cmd = IDE_DMA_READ, smart_enabled = 1 '\001', smart_autosave = 1 
> '\001', smart_errors = 0, smart_selftest_count = 0 '\000', 
> smart_selftest_data = 0x39e7000 "", ncq_queues = 0}}, bh = 0x0,
>   bus_id = 0, max_units = 2, dma = 0x38b45f0, unit = 1 '\001', cmd = 8 '\b', 
> irq = 0x39e5ce0, error_status = 0, retry_unit = 1 '\001', retry_sector_num = 
> -1, retry_nsector = 2, portio_list = {
>     ports = 0xe61a20 <ide_portio_list>, owner = 0x0, address_space = 
> 0x23527e0, nr = 1, regions = 0x3980b10, opaque = 0x38b3430, name = 0x8d2724 
> "ide", flush_coalesced_mmio = false}, portio2_list = {
>     ports = 0xe619c0 <ide_portio2_list>, owner = 0x0, address_space = 
> 0x23527e0, nr = 1, regions = 0x39b3400, opaque = 0x38b3430, name = 0x8d2724 
> "ide", flush_coalesced_mmio = false}, vmstate = 0x39e5eb0}
> (gdb) p *(BMDMAState*)0x38b45f0
> $9 = {dma = {ops = 0xd51280 <bmdma_ops>, iov = {iov_base = 0x0, iov_len = 0}, 
> qiov = {iov = 0x0, niov = 0, nalloc = 0, size = 0}, aiocb = 0x0}, cmd = 0 
> '\000', status = 4 '\004', addr = 0, bus = 0x38b3430,
>   cur_addr = 0, cur_prd_last = 0, cur_prd_addr = 0, cur_prd_len = 0, dma_cb = 
> 0x0, addr_ioport = {parent_obj = {class = 0x2327d00, free = 0x0, properties = 
> 0x3871180, ref = 1, parent = 0x38b2b00},
>     romd_mode = true, ram = false, subpage = false, readonly = false, 
> rom_device = false, flush_coalesced_mmio = false, global_locking = true, 
> dirty_log_mask = 0 '\000', ram_block = 0x0, owner = 0x38b2b00,
>     iommu_ops = 0x0, ops = 0xe8c8c0 <bmdma_addr_ioport_ops>, opaque = 
> 0x38b45f0, container = 0x38b4b20, size = 0x00000000000000000000000000000004, 
> addr = 4,
>     destructor = 0x46fc40 <memory_region_destructor_none>, align = 0, 
> terminates = true, ram_device = false, enabled = true, warning_printed = 
> false, vga_logging_count = 0 '\000', alias = 0x0,
>     alias_offset = 0, priority = 0, subregions = {tqh_first = 0x0, tqh_last = 
> 0x38b46f8}, subregions_link = {tqe_next = 0x38b4750, tqe_prev = 0x38b4a98}, 
> coalesced = {tqh_first = 0x0, tqh_last = 0x38b4718},
>     name = 0x38e90c0 "bmdma", ioeventfd_nb = 0, ioeventfds = 0x0, 
> iommu_notify = {lh_first = 0x0}, iommu_notify_flags = IOMMU_NOTIFIER_NONE}, 
> extra_io = {parent_obj = {class = 0x2327d00, free = 0x0,
>       properties = 0x3871060, ref = 1, parent = 0x38b2b00}, romd_mode = true, 
> ram = false, subpage = false, readonly = false, rom_device = false, 
> flush_coalesced_mmio = false, global_locking = true,
>     dirty_log_mask = 0 '\000', ram_block = 0x0, owner = 0x38b2b00, iommu_ops 
> = 0x0, ops = 0xd516c0 <piix_bmdma_ops>, opaque = 0x38b45f0, container = 
> 0x38b4b20, size = 0x00000000000000000000000000000004,
>     addr = 0, destructor = 0x46fc40 <memory_region_destructor_none>, align = 
> 0, terminates = true, ram_device = false, enabled = true, warning_printed = 
> false, vga_logging_count = 0 '\000', alias = 0x0,
>     alias_offset = 0, priority = 0, subregions = {tqh_first = 0x0, tqh_last = 
> 0x38b47f8}, subregions_link = {tqe_next = 0x0, tqe_prev = 0x38b4708}, 
> coalesced = {tqh_first = 0x0, tqh_last = 0x38b4818},
>     name = 0x38b6af0 "piix-bmdma", ioeventfd_nb = 0, ioeventfds = 0x0, 
> iommu_notify = {lh_first = 0x0}, iommu_notify_flags = IOMMU_NOTIFIER_NONE}, 
> irq = 0x285c930, migration_compat_status = 36 '$',
>   migration_retry_unit = 1 '\001', migration_retry_sector_num = -1, 
> migration_retry_nsector = 2, pci_dev = 0x38b2b00}
> (gdb)
> 

-- 
—js
