qemu-kvm-ev-2.12.0-44.1.el7_8.1 线上热迁移qemu-kvm coredump问题分析

配置libvirt coredumo后（https://www.cnblogs.com/maojun1998/p/17215214.html）

让测试一直迁移vm,一段时间后出现coredump

root 错误码: coredump.sh 严重错误,进程 coredump,dumpfile:/run/fs_mount//hdd/core.26956

  1  
  2 qemu关于这块代码非常绕最后core在object_get_class
  3 
  4  Chardev *s = be->chr;
  5  src = CHARDEV_GET_CLASS(s)->chr_add_watch(s, cond);
  6  
  7  
  8  #define CHARDEV_GET_CLASS(obj) \
  9     OBJECT_GET_CLASS(ChardevClass, (obj), TYPE_CHARDEV)
 10 
 11 #define OBJECT_GET_CLASS(class, obj, name) \
 12     OBJECT_CLASS_CHECK(class, object_get_class(OBJECT(obj)), name)
 13     
 14 #define OBJECT(obj) \
 15     ((Object *)(obj))
 16 #define OBJECT_CLASS_CHECK(class_type, class, name) \
 17     ((class_type *)object_class_dynamic_cast_assert(OBJECT_CLASS(class), (name), \
 18                                                __FILE__, __LINE__, __func__))
 19 #define OBJECT_CLASS(class) \
 20     ((ObjectClass *)(class))
 21     
 22 ObjectClass *object_get_class(Object *obj)
 23 {
 24     return obj->class;
 25 }
 26 struct Chardev {
 27     Object parent_obj;
 28 
 29     QemuMutex chr_write_lock;
 30     CharBackend *be;
 31     char *label;
 32     char *filename;
 33     int logfd;
 34     int be_open;
 35     GSource *gsource;
 36     GMainContext *gcontext;
 37     DECLARE_BITMAP(features, QEMU_CHAR_FEATURE_LAST);
 38 };
 39 struct Object
 40 {
 41     /*< private >*/
 42     ObjectClass *class;
 43     ObjectFree *free;
 44     GHashTable *properties;
 45     uint32_t ref;
 46     Object *parent;
 47 };
 48 struct ObjectClass
 49 {
 50     /*< private >*/
 51     Type type;
 52     GSList *interfaces;
 53 
 54     const char *object_cast_cache[OBJECT_CLASS_CAST_CACHE];
 55     const char *class_cast_cache[OBJECT_CLASS_CAST_CACHE];
 56 
 57     ObjectUnparent *unparent;
 58 
 59     GHashTable *properties;
 60 };
 61 typedef struct ChardevClass {
 62     ObjectClass parent_class;
 63 
 64     bool internal; /* TODO: eventually use TYPE_USER_CREATABLE */
 65     void (*parse)(QemuOpts *opts, ChardevBackend *backend, Error **errp);
 66 
 67     void (*open)(Chardev *chr, ChardevBackend *backend,
 68                  bool *be_opened, Error **errp);
 69 
 70     int (*chr_write)(Chardev *s, const uint8_t *buf, int len);
 71     int (*chr_sync_read)(Chardev *s, const uint8_t *buf, int len);
 72     GSource *(*chr_add_watch)(Chardev *s, GIOCondition cond);
 73     void (*chr_update_read_handler)(Chardev *s);
 74     int (*chr_ioctl)(Chardev *s, int cmd, void *arg);
 75     int (*get_msgfds)(Chardev *s, int* fds, int num);
 76     int (*set_msgfds)(Chardev *s, int *fds, int num);
 77     int (*chr_add_client)(Chardev *chr, int fd);
 78     int (*chr_wait_connected)(Chardev *chr, Error **errp);
 79     void (*chr_disconnect)(Chardev *chr);
 80     void (*chr_accept_input)(Chardev *chr);
 81     void (*chr_set_echo)(Chardev *chr, bool echo);
 82     void (*chr_set_fe_open)(Chardev *chr, int fe_open);
 83     void (*chr_be_event)(Chardev *s, int event);
 84     /* Return 0 if succeeded, 1 if failed */
 85     int (*chr_machine_done)(Chardev *chr);
 86 } ChardevClass;
 87 =========================================================================
 88 print *((CharBackend *)0x55873895f4c0)->chr
 89 $32 = {
 90   parent_obj = {
 91     class = 0x5587353beb40,
 92     free = 0x7f59ebf707e0 <g_free>,
 93 Python Exception <class 'gdb.error'> There is no member named keys.:
 94     properties = 0x558735469b00,
 95     ref = 1,
 96     parent = 0x558735470960
 97   },
 98   chr_write_lock = {
 99     lock = {
100       __data = {
101         __lock = 0,
102         __count = 0,
103         __owner = 0,
104         __nusers = 0,
105         __kind = 0,
106         __spins = 0,
107         __elision = 0,
108         __list = {
109           __prev = 0x0,
110           __next = 0x0
111         }
112       },
113       __size = '\000' <repeats 39 times>,
114       __align = 0
115     },
116     initialized = true
117   },
118   be = 0x55873895f4c0,
119   label = 0x5587353af7b0 "charserial0",
120   filename = 0x55873543fea0 "disconnected:unix:/dev/shm/kvm_unix_ch/dev-8f0d86,server",
121   logfd = -1,
122   be_open = 0,
123   gsource = 0x0,
124   gcontext = 0x0,
125   features = {1}
126 }
127 
128 
129 print ((CharBackend *)0x55873895f4c0)->chr
130 $27 = (Chardev *) 0x5587354645a0
131 
132 print  ((Object *)(0x5587354645a0))->class
133 $29 = (ObjectClass *) 0x5587353beb40
134 
135 print (ChardevClass *)0x5587353beb40
136 (gdb) print *(ChardevClass *)0x5587353beb40
137 $31 = {
138   parent_class = {
139     type = 0x558735406300,
140     interfaces = 0x0,
141     object_cast_cache = {0x0, 0x0, 0x0, 0x0},
142     class_cast_cache = {0x0, 0x0, 0x0, 0x0},
143     unparent = 0x0,
144 Python Exception <class 'gdb.error'> There is no member named keys.:
145     properties = 0x558735444aa0
146   },
147   internal = false,
148   parse = 0x55873293a120 <qemu_chr_parse_socket>,
149   open = 0x55873293b210 <qmp_chardev_open_socket>,
150   chr_write = 0x55873293b130 <tcp_chr_write>,
151   chr_sync_read = 0x55873293b080 <tcp_chr_sync_read>,
152   chr_add_watch = 0x558732939860 <tcp_chr_add_watch>,
153   chr_update_read_handler = 0x55873293b740 <tcp_chr_update_read_handler>,
154   chr_ioctl = 0x0,
155   get_msgfds = 0x55873293a750 <tcp_get_msgfds>,
156   set_msgfds = 0x558732939f50 <tcp_set_msgfds>,
157   chr_add_client = 0x55873293bb10 <tcp_chr_add_client>,
158   chr_wait_connected = 0x55873293bb60 <tcp_chr_wait_connected>,
159   chr_disconnect = 0x55873293a9d0 <tcp_chr_disconnect>,
160   chr_accept_input = 0x0,
161   chr_set_echo = 0x0,
162   chr_set_fe_open = 0x0,
163   chr_be_event = 0x5587329333a0 <chr_be_event>,
164   chr_machine_done = 0x55873293b010 <tcp_chr_machine_done_hook>
165 }
166 
167 ================================================================
168 static GSource *tcp_chr_add_watch(Chardev *chr, GIOCondition cond)
169 {
170     SocketChardev *s = SOCKET_CHARDEV(chr);
171     return qio_channel_create_watch(s->ioc, cond);
172 }
173 
174 
175 
176 
177 guint qemu_chr_fe_add_watch(CharBackend *be, GIOCondition cond,
178                             GIOFunc func, void *user_data)
179 {
180     Chardev *s = be->chr;
181     GSource *src;
182     guint tag;
183 
184     if (!s || CHARDEV_GET_CLASS(s)->chr_add_watch == NULL) {
185         return 0;
186     }
187 
188     src = CHARDEV_GET_CLASS(s)->chr_add_watch(s, cond);
189     if (!src) {
190         return 0;
191     }
192 
193     g_source_set_callback(src, (GSourceFunc)func, user_data, NULL);
194     tag = g_source_attach(src, s->gcontext);
195     g_source_unref(src);
196 
197     return tag;
198 }
199 (gdb) bt
200 #0  0x00005587328b34b0 in object_get_class (obj=obj@entry=0x0) at qom/object.c:759
201 #1  0x0000558732946440 in qio_channel_create_watch (ioc=0x0, condition=(G_IO_OUT | G_IO_HUP)) at io/channel.c:280
202 #2  0x0000558732936577 in qemu_chr_fe_add_watch (be=be@entry=0x55873895f4c0, cond=cond@entry=(G_IO_OUT | G_IO_HUP), func=func@entry=
203     0x5587327b7700 <serial_watch_cb>, user_data=user_data@entry=0x55873895f4a0) at chardev/char-fe.c:355
204 #3  0x00005587327b7a97 in serial_post_load (opaque=0x55873895f4a0, version_id=<optimized out>) at hw/char/serial.c:679
205 #4  0x000055873285eb47 in vmstate_load_state (f=f@entry=0x558738c26000, vmsd=0x558732ff4d40 <vmstate_serial>, opaque=0x55873895f4a0, version_id=3) at migration/vmstate.c:165
206 #5  0x000055873285ec5c in vmstate_load_state (f=0x558738c26000, vmsd=0x558732ff50c0 <vmstate_isa_serial>, opaque=0x55873895f400, version_id=3) at migration/vmstate.c:137
207 #6  0x000055873285abf5 in qemu_loadvm_state_main (mis=<optimized out>, f=0x558738c26000) at migration/savevm.c:1970
208 #7  0x000055873285abf5 in qemu_loadvm_state_main (f=f@entry=0x558738c26000, mis=0x55873320dc00 <mis_current.30332>) at migration/savevm.c:2078
209 #8  0x000055873285ca2e in qemu_loadvm_state (f=0x558738c26000) at migration/savevm.c:2162
210 #9  0x0000558732856bf2 in process_incoming_migration_co (opaque=<optimized out>) at migration/migration.c:388
211 #10 0x00005587329a944a in coroutine_trampoline (i0=<optimized out>, i1=<optimized out>) at util/coroutine-ucontext.c:116
212 #11 0x00007f59d3086190 in __start_context () at /lib64/libc.so.6
213 #12 0x00007ffecf01f990 in  ()
214 #13 0x0000000000000000 in  ()
215 
216 修复办法:
217 
218 diff  -Nuar a/chardev/char-socket.c  b/chardev/char-socket.c
219 --- a/chardev/char-socket.c     2023-03-14 20:36:09.910360722 +0800
220 +++ b/chardev/char-socket.c     2023-03-14 20:36:34.551591389 +0800
221 @@ -348,6 +348,9 @@
222  static GSource *tcp_chr_add_watch(Chardev *chr, GIOCondition cond)
223  {
224      SocketChardev *s = SOCKET_CHARDEV(chr);
225 +    if (!s->ioc) {
226 +        return NULL;
227 +    }
228      return qio_channel_create_watch(s->ioc, cond);
229  }
230  
231 =============================================================
232 重新编译rpm包后测试,需要测试配合迁移测试

 参考补丁:版本5.20修复

https://gitlab.com/qemu-project/qemu/-/commit/6585b1627899a3fcaf1cf62bfb659b04371ca9ec

https://gitlab.com/qemu-project/qemu/-/tree/6585b1627899a3fcaf1cf62bfb659b04371ca9ec