VirtualBox

Opened 14 years ago

Closed 10 years ago

#7063 closed defect (fixed)

Virtualbox crash when switching screens

Reported by: Mihai Hanor
Owned by:
Component: other
Version: VirtualBox 3.2.10
Keywords:
Cc:
Guest type: Windows
Host type: Windows

Description (last modified by Frank Mehnert)

This is an older crash, which I didn't understand until VB 3.2.6 beta2. I think I first mentioned it in #6443. Now I can reproduce it at will. As with the QtGuiVBox4!QWidget::repaint+0x5dcb crash, the reproduction steps for this one may not seem to have anything to do with normal usage of the program.

All that is required is one click on the X button (close window button) of a VM window, at the right moment. Reproducing it at will requires you to be relatively fast and able to intuit when to act (timing is important). It always crashes in VBoxDD!VBoxUsbRegister plus some offset (depending on the guest type).

Host: Windows XP SP3 32bit
Affected versions: VB 3.2.4, VB 3.2.6 beta1 and beta2

First test case: guest Windows 7 32 bit
The hot moment is at boot time, right before the guest switches from text mode (80x25 I think, empty screen, text cursor positioned in the top left corner) to 1024x768 graphics (for the eye-candy animated boot logo).

Second test case: guest Windows XP 32 bit
The moment you're looking for is also at boot time, right before the guest switches from text mode (it has completed the text mode progress bar) to the 640x480/800x600 graphics (for boot logo and animated progress bar).

Technique:

  1. Press the X button with the mouse cursor. The top-most window "Close Virtual Machine" appears.
  2. Press Esc on the keyboard. The "Close Virtual Machine" window closes. Again, with a fast action, press the X button on the VM window. You must time it correctly, not too fast (the button will not "catch" it) and not too late, or you'll miss the right moment. Repeat if you have not missed it (the guest hasn't switched to the 2nd resolution). You can rest while the "Close Virtual Machine" is being displayed, but the "Esc followed by click on X" succession must be fast. Or you can crash it the first time if you're lucky or if you're able to time it correctly.

Attachments (7)

VBoxDD_VBoxUsbRegister_crash.zip (33.9 KB ) - added by Mihai Hanor 14 years ago.
VB 3.2.6.r63112
svn_ose_crash.zip (27.1 KB ) - added by Mihai Hanor 14 years ago.
OSE win32 svn 30690 crash
resolution.cpp (405 bytes ) - added by Mihai Hanor 11 years ago.
minidump4_2_10.zip (37.6 KB ) - added by Mihai Hanor 11 years ago.
minidump4_3_2.zip (19.8 KB ) - added by Mihai Hanor 10 years ago.
VBox.log (60.8 KB ) - added by Mihai Hanor 10 years ago.
VBox.zip (31.8 KB ) - added by Mihai Hanor 10 years ago.
svn 49813, win7 x64 host and guest


Change History (36)

comment:1 by Mihai Hanor, 14 years ago

btw, this crash and the one from #6443 are very different in nature

comment:2 by Mihai Hanor, 14 years ago

step 2, I wanted to say "the guest hasn't switched to the 2nd resolution", not "the guest switched to the 2nd resolution"

-> fixed (Michael)

comment:3 by Mihai Hanor, 14 years ago

3.2.6.r63112 (final) is also affected
I can reproduce this with and without the VirtualBox USB Support (usually I don't install the vboxusbmon driver). All USB options are disabled from VM settings.

by Mihai Hanor, 14 years ago

VB 3.2.6.r63112

comment:4 by Mihai Hanor, 14 years ago

I've managed to build the OSE 32 bit svn 30690 and crash it
If I'm looking the right way, I see that there is a VBoxUsbRegister function in the compiled OSE VboxDD.dll. But the OSE crash shows something else, while there are some similarities in how the stack backtrace looks, compared with the PUEL case. Maybe the crash from the PUEL version points to the wrong function.

If you want, I can provide a full dump of the OSE crash.

by Mihai Hanor, 14 years ago

Attachment: svn_ose_crash.zip added

OSE win32 svn 30690 crash

comment:5 by Mihai Hanor, 14 years ago

0:009> kP
ChildEBP RetAddr  
0326fb60 04ee57cd VBoxDD!vga_draw_line4_32(
			struct VGAState * s1 = 0x05960080, 
			unsigned char * d = 0x071d0020 "--- memory read error at address 0x071d0020 ---", 
			unsigned char * s = 0x05980000 "", 
			int width = 0n80)+0xe8 [d:\vbox\src\vbox\devices\graphics\devvgatmpl.h @ 264]
0326fbf8 04ee45ec VBoxDD!vga_draw_graphic(
			struct VGAState * s = 0x05960080, 
			int full_update = 0n1)+0x47d [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 2348]
0326fc24 04ee60a2 VBoxDD!vga_update_display(
			struct VGAState * s = 0x05960080, 
			bool fUpdateAll = true)+0x12c [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 2528]
0326fc3c 04ee63a9 VBoxDD!updateDisplayAll(
			struct VGAState * pThis = 0x05960080)+0xb2 [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 4888]
*** WARNING: Unable to verify checksum for D:\vbox\out\win.x86\debug\bin\VBoxC.dll
0326fce0 027daabf VBoxDD!vgaPortTakeScreenshot(
			struct PDMIDISPLAYPORT * pInterface = 0x05972dfc, 
			unsigned char ** ppu8Data = 0x00127fbc, 
			unsigned int * pcbData = 0x00127fb0, 
			unsigned int * pcx = 0x00127fa4, 
			unsigned int * pcy = 0x00127f98)+0x219 [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 4979]
*** WARNING: Unable to verify checksum for D:\vbox\out\win.x86\debug\bin\VBoxVMM.dll
0326fd58 100cfa92 VBoxC!Display::displayTakeScreenshotEMT(
			class Display * pDisplay = 0x0038e238, 
			unsigned long aScreenId = 0, 
			unsigned char ** ppu8Data = 0x00127fbc, 
			unsigned int * pcbData = 0x00127fb0, 
			unsigned int * pu32Width = 0x00127fa4, 
			unsigned int * pu32Height = 0x00127f98)+0x4f [d:\vbox\src\vbox\main\displayimpl.cpp @ 2348]
0326fddc 100cf57d VBoxVMM!vmR3ReqProcessOneU(
			struct UVM * pUVM = 0x01c7c000, 
			struct VMREQ * pReq = 0x01c81678)+0x162 [d:\vbox\src\vbox\vmm\vmreq.cpp @ 1223]
0326fe24 100ddfb8 VBoxVMM!VMR3ReqProcessU(
			struct UVM * pUVM = 0x01c7c000, 
			unsigned int idDstCpu = 0xfffffff4)+0x26d [d:\vbox\src\vbox\vmm\vmreq.cpp @ 1108]
0326ff00 100dd9e5 VBoxVMM!vmR3EmulationThreadWithId(
			struct RTTHREADINT * ThreadSelf = 0x01c80648, 
			struct UVMCPU * pUVCpu = 0x01c7c3c0, 
			unsigned int idCpu = 0)+0x5b8 [d:\vbox\src\vbox\vmm\vmemt.cpp @ 167]
*** WARNING: Unable to verify checksum for D:\vbox\out\win.x86\debug\bin\VBoxRT.dll
0326ff18 00a9bb65 VBoxVMM!vmR3EmulationThread(
			struct RTTHREADINT * ThreadSelf = 0x01c80648, 
			void * pvArgs = 0x01c7c3c0)+0x25 [d:\vbox\src\vbox\vmm\vmemt.cpp @ 60]
0326ff4c 00b0f837 VBoxRT!rtThreadMain(
			struct RTTHREADINT * pThread = 0x01c80648, 
			unsigned int NativeThread = 0x2c0, 
			char * pszThreadName = 0x01c80bc4 "EMT")+0x185 [d:\vbox\src\vbox\runtime\common\misc\thread.cpp @ 679]
0326ff70 78afc6de VBoxRT!rtThreadNativeMain(
			void * pvArgs = 0x01c80648)+0xb7 [d:\vbox\src\vbox\runtime\r3\win\thread-win.cpp @ 102]
0326ffa8 78afc788 MSVCR100!_callthreadstartex(void)+0x1b [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 314]
0326ffb4 7c80b729 MSVCR100!_threadstartex(
			void * ptd = 0x01c80ce0)+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 292]
0326ffec 00000000 kernel32!BaseThreadStart+0x37

comment:6 by Michael Thayer, 14 years ago

Description: modified (diff)

comment:7 by Klaus Espenlaub, 14 years ago

You're managing to trigger taking a screenshot (done implicitly from the GUI!) when there's no video mode set.

This causes a crash. I'm not sure what the proper fix is, I only made a quick local change which made it go away when I reliably bumped into it with the latest development build.

comment:8 by Mihai Hanor, 14 years ago

svn 30908 also crashes

0:009> kP
ChildEBP RetAddr  
032afb60 04f35add VBoxDD!vga_draw_line24_32(
			struct VGAState * s1 = 0x059b0080, 
			unsigned char * d = 0x07830040 "--- memory read error at address 0x07830040 ---", 
			unsigned char * s = 0x059d0000 "", 
			int width = 0n1024)+0x51 [d:\vbox\src\vbox\devices\graphics\devvgatmpl.h @ 434]
032afbf8 04f348ff VBoxDD!vga_draw_graphic(
			struct VGAState * s = 0x059b0080, 
			int full_update = 0n1)+0x47d [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 2348]
032afc24 04f363b2 VBoxDD!vga_update_display(
			struct VGAState * s = 0x059b0080, 
			bool fUpdateAll = true)+0x14f [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 2531]
032afc3c 04f366b9 VBoxDD!updateDisplayAll(
			struct VGAState * pThis = 0x059b0080)+0xb2 [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 4891]
*** WARNING: Unable to verify checksum for D:\vbox\out\win.x86\debug\bin\VBoxC.dll
032afce0 02a255ff VBoxDD!vgaPortTakeScreenshot(
			struct PDMIDISPLAYPORT * pInterface = 0x059c2dfc, 
			unsigned char ** ppu8Data = 0x00126898, 
			unsigned int * pcbData = 0x0012688c, 
			unsigned int * pcx = 0x00126880, 
			unsigned int * pcy = 0x00126874)+0x219 [d:\vbox\src\vbox\devices\graphics\devvga.cpp @ 4982]
*** WARNING: Unable to verify checksum for D:\vbox\out\win.x86\debug\bin\VBoxVMM.dll
032afd58 100d2f72 VBoxC!Display::displayTakeScreenshotEMT(
			class Display * pDisplay = 0x0038c498, 
			unsigned long aScreenId = 0, 
			unsigned char ** ppu8Data = 0x00126898, 
			unsigned int * pcbData = 0x0012688c, 
			unsigned int * pu32Width = 0x00126880, 
			unsigned int * pu32Height = 0x00126874)+0x4f [d:\vbox\src\vbox\main\displayimpl.cpp @ 2348]
032afddc 100d2a5d VBoxVMM!vmR3ReqProcessOneU(
			struct UVM * pUVM = 0x01e29000, 
			struct VMREQ * pReq = 0x01e2df68)+0x162 [d:\vbox\src\vbox\vmm\vmreq.cpp @ 1223]
032afe24 100e1498 VBoxVMM!VMR3ReqProcessU(
			struct UVM * pUVM = 0x01e29000, 
			unsigned int idDstCpu = 0xfffffff4)+0x26d [d:\vbox\src\vbox\vmm\vmreq.cpp @ 1108]
032aff00 100e0ec5 VBoxVMM!vmR3EmulationThreadWithId(
			struct RTTHREADINT * ThreadSelf = 0x01e2d238, 
			struct UVMCPU * pUVCpu = 0x01e293c0, 
			unsigned int idCpu = 0)+0x5b8 [d:\vbox\src\vbox\vmm\vmemt.cpp @ 167]
*** WARNING: Unable to verify checksum for D:\vbox\out\win.x86\debug\bin\VBoxRT.dll
032aff18 00acbc15 VBoxVMM!vmR3EmulationThread(
			struct RTTHREADINT * ThreadSelf = 0x01e2d238, 
			void * pvArgs = 0x01e293c0)+0x25 [d:\vbox\src\vbox\vmm\vmemt.cpp @ 60]
032aff4c 00b3fa97 VBoxRT!rtThreadMain(
			struct RTTHREADINT * pThread = 0x01e2d238, 
			unsigned int NativeThread = 0xe00, 
			char * pszThreadName = 0x01e2d7b4 "EMT")+0x185 [d:\vbox\src\vbox\runtime\common\misc\thread.cpp @ 679]
032aff70 78afc6de VBoxRT!rtThreadNativeMain(
			void * pvArgs = 0x01e2d238)+0xb7 [d:\vbox\src\vbox\runtime\r3\win\thread-win.cpp @ 102]
032affa8 78afc788 MSVCR100!_callthreadstartex(void)+0x1b [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 314]
032affb4 7c80b729 MSVCR100!_threadstartex(
			void * ptd = 0x0038e3f0)+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 292]
032affec 00000000 kernel32!BaseThreadStart+0x37

comment:9 by Mihai Hanor, 13 years ago

it's not fixed in VB 3.2.10

comment:10 by Frank Mehnert, 13 years ago

Component: other → USB
Version: VirtualBox 3.2.4 → VirtualBox 3.2.10

comment:11 by Mihai Hanor, 13 years ago

the component is not USB, my first report was based on what the debugger displayed
still reproducible with VB 4.0 beta2

comment:12 by Mihai Hanor, 11 years ago

This is still reproducible, current host is Windows 7 SP1 x64, VirtualBox self-build from svn 44137. The guest can be any Windows OS. It's easier to reproduce it without having installed the Guest Additions. To help reproduce it, you can compile and run inside the guest the following program (attached as resolution.cpp):


by Mihai Hanor, 11 years ago

Attachment: resolution.cpp added

comment:13 by Frank Mehnert, 11 years ago

Component: USB → other
Description: modified (diff)
Summary: Virtualbox crash in VBoxDD!VBoxUsbRegister → Virtualbox crash when switching screens

So do I understand you correct that you can still reproduce that VM crash with VBox 4.2.4 when you do extensive guest screen resolution switching and even without the Guest Additions installed? Do you have 3D enabled and, if so, does it change anything if you disable 3D?

comment:14 by Mihai Hanor, 11 years ago

Yes, I can reproduce the VM crash with Vbox 4.2.4 (and with the newer SVN build), without having installed Guest Additions and without 3D enabled. It's not about extensive guest screen resolution switching, it's about timing. The heavy resolution switching is just to help reproduce the issue.

comment:15 by Alex, 11 years ago

Unable to reproduce the crash with resolution.cpp compiled and started; it ran screen resolution switches for more than two hours on a Windows 7 host and WinXP guest. Maybe I should do something special there?


comment:16 by Mihai Hanor, 11 years ago

I think you haven't read the ticket description. You have to press the "Close Window" VM window button (the top right X button) to bring up the "Close Virtual Machine" VBox window, while the guest is switching from some video mode to "no video mode", then to the 2nd video mode. By just doing the switching, that doesn't crash VBox. Not in my case, anyway.

comment:17 by Frank Mehnert, 11 years ago

Lelik tried harder to reproduce the problem but was not able to do this with VBox 4.2.10. Could you check if this problem is now fixed? There were some related fixes in 4.2.8 and 4.2.10.

comment:18 by Mihai Hanor, 11 years ago

I can easily reproduce the crash with VirtualBox 4.2.10, using the same small program. The host is running Windows 7 Home Premium x64 SP1. Aero is enabled on the host, but animations/fading effects are disabled. This makes the GUI more responsive, if it matters. The guest is Windows 7 x64 SP1.

To reproduce the crash, you have to open and close the Close Virtual Machine window, at different moments, while the guest is running that program. It should crash after closing it and it should take only a few attempts before it crashes.

by Mihai Hanor, 11 years ago

Attachment: minidump4_2_10.zip added

comment:19 by Frank Mehnert, 10 years ago

Still relevant with VBox 4.3.2?

comment:20 by Mihai Hanor, 10 years ago

Yes, I can still reproduce the crash, using the same host&guest OS, with the help of the small program above. You have to click the close button (X) of the VirtualBox window, while the guest is running that program, then hit Escape to exit the "Close Virtual Machine" window. Repeat several times. I can crash it after a few attempts.

by Mihai Hanor, 10 years ago

Attachment: minidump4_3_2.zip added

comment:21 by Mihai Hanor, 10 years ago

I can't seem to be able to reproduce the issue, using a recent SVN build. Maybe changeset 49603 has something to do with it.

comment:22 by Mihai Hanor, 10 years ago

The fix doesn't seem to be part of VirtualBox 4.3.4

comment:23 by Mihai Hanor, 10 years ago

I was wrong. The newer SVN builds do not allow me to trigger the crash using the "Close Virtual Machine" window, but I can easily crash VirtualBox, by repeatedly switching to full-screen and back, using the Host+F shortcut, when the VM is switching the guest screen resolution.

The crash occurs because of a buffer overrun, when vga_draw_graphic() calls vga_draw_line(). See source file \src\vbox\devices\graphics\devvga.cpp

Calling get_resolution() at the top of the vga_draw_graphic() function body, we receive resolution parameters that do not match the parameters used to allocate the buffer referenced by (PVGASTATE)pThis->pDrv->pu8Data. From what I can see, every time it crashes, the pDrv data members point to a 720x400 screen buffer, created by UIFrameBufferQImage::goFallback (pu8Data references a buffer of 1152000 bytes, cbScanline is 2880, which is 1152000/400). The width and height returned by get_resolution() match another resolution, such as 800x600, depending on what screen switching the guest is doing.
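
The mismatch comment 23 describes is worth seeing in numbers: the geometry comes from guest-writable VGA registers (via get_resolution()), while the buffer size and scanline stride come from the host GUI, so the two can disagree across a mode switch and the per-row copy then writes past a host-side allocation inside the VM process. The following is an added example, not VirtualBox code: the struct and function names (HostFrameBuffer, GuestMode, vga_mode_fits_buffer, vga_draw_graphic_checked) are hypothetical stand-ins for the pDrv fields and the drawing loop named in the comment, an explicit cbBuffer is assumed to be tracked, and the 720x400 / 2880-byte-stride / 1152000-byte fallback buffer is taken from the comment. It checks whether a guest mode fits the buffer, reports how far an unchecked draw would overrun, and draws a constructed frame only through the guarded path.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the host framebuffer fields on pThis->pDrv
 * (pu8Data, cbScanline); cbBuffer is assumed to be tracked alongside them. */
typedef struct {
    uint8_t  *pu8Data;     /* host framebuffer the GUI allocated */
    size_t    cbBuffer;    /* bytes allocated (assumed tracked) */
    uint32_t  cbScanline;  /* bytes per row of that buffer */
} HostFrameBuffer;

/* Hypothetical stand-in for what get_resolution() reports from the VGA registers. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytesPerPixel;
} GuestMode;

/* End (exclusive) of the bytes an unchecked per-row draw would touch:
 * 'height' rows of width*bpp bytes at the buffer's scanline stride.
 * 64-bit math so guest-chosen sizes cannot wrap the computation. */
static uint64_t draw_extent(const HostFrameBuffer *fb, const GuestMode *m) {
    if (m->width == 0 || m->height == 0 || m->bytesPerPixel == 0) return 0;
    uint64_t rowBytes = (uint64_t)m->width * m->bytesPerPixel;
    return (uint64_t)(m->height - 1) * fb->cbScanline + rowBytes;
}

/* 1 if the guest mode can be drawn into fb without leaving the allocation. */
int vga_mode_fits_buffer(const HostFrameBuffer *fb, const GuestMode *m) {
    if (fb->pu8Data == NULL) return 0;
    uint64_t rowBytes = (uint64_t)m->width * m->bytesPerPixel;
    if (rowBytes == 0 || rowBytes > fb->cbScanline) return 0; /* row spills into the next row */
    return draw_extent(fb, m) <= fb->cbBuffer;
}

/* Bytes an unchecked draw would write past the end of fb (0 if none). */
uint64_t vga_unchecked_overrun(const HostFrameBuffer *fb, const GuestMode *m) {
    uint64_t end = draw_extent(fb, m);
    return end > fb->cbBuffer ? end - fb->cbBuffer : 0;
}

/* Guarded version of the vga_draw_graphic() -> vga_draw_line() loop: copies
 * rows from guest VRAM only after the geometry check passes. Returns rows drawn. */
uint32_t vga_draw_graphic_checked(HostFrameBuffer *fb, const GuestMode *m,
                                  const uint8_t *vram, size_t cbVram) {
    if (!vga_mode_fits_buffer(fb, m)) return 0;            /* mode/buffer mismatch: skip frame */
    size_t rowBytes = (size_t)m->width * m->bytesPerPixel;
    if ((uint64_t)m->height * rowBytes > cbVram) return 0;  /* source side must be in bounds too */
    for (uint32_t y = 0; y < m->height; y++)
        memcpy(fb->pu8Data + (size_t)y * fb->cbScanline, vram + (size_t)y * rowBytes, rowBytes);
    return m->height;
}

/* The 720x400 fallback buffer from the comment: 1152000 bytes, 2880-byte rows. */
static uint8_t g_fallback[1152000];
static HostFrameBuffer fallback_fb(void) {
    HostFrameBuffer fb = { g_fallback, sizeof g_fallback, 2880 };
    return fb;
}

int fallback_fits(uint32_t w, uint32_t h, uint32_t bpp) {
    HostFrameBuffer fb = fallback_fb();
    GuestMode m = { w, h, bpp };
    return vga_mode_fits_buffer(&fb, &m);
}

uint64_t fallback_overrun(uint32_t w, uint32_t h, uint32_t bpp) {
    HostFrameBuffer fb = fallback_fb();
    GuestMode m = { w, h, bpp };
    return vga_unchecked_overrun(&fb, &m);
}

/* Draws a constructed guest frame (solid 0xAB bytes) through the checked path. */
uint32_t fallback_draw_rows(uint32_t w, uint32_t h, uint32_t bpp) {
    HostFrameBuffer fb = fallback_fb();
    GuestMode m = { w, h, bpp };
    size_t cbVram = (size_t)w * h * bpp;
    uint8_t *vram = malloc(cbVram);
    if (vram == NULL) return 0;
    memset(vram, 0xAB, cbVram);
    uint32_t rows = vga_draw_graphic_checked(&fb, &m, vram, cbVram);
    free(vram);
    return rows;
}

int main(void) {
    const GuestMode modes[] = { {720, 400, 4}, {640, 480, 4}, {800, 600, 4}, {1024, 768, 4} };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        const GuestMode *m = &modes[i];
        printf("%ux%u@%ubpp: fits=%d, unchecked overrun=%llu bytes\n",
               m->width, m->height, m->bytesPerPixel,
               fallback_fits(m->width, m->height, m->bytesPerPixel),
               (unsigned long long)fallback_overrun(m->width, m->height, m->bytesPerPixel));
    }
    return 0;
}
```

Against the fallback buffer, only a mode whose rows fit in 2880 bytes and whose last row ends within 1152000 bytes passes; 800x600 at 32bpp fails already on the row width, and 640x480 fails on total height even though its rows fit. The check has to be made on the host side against the buffer actually in use at draw time, because a mode switch in the guest and a GUI-side reallocation (full-screen toggle, fallback buffer) are not synchronised with each other, which is exactly the window the reproduction steps in this ticket exploit.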

comment:24 by sunlover, 10 years ago

mhanor, thanks for the update. You are right that the fix in changeset 49603 is not a part of VBox 4.3.4. The fix addressed a number of problems with the guest resize, but not all.

BTW, which guest did you use to reproduce the crash? What is the Guest Additions version? A VBox.log would answer this question :)

Would be good to reproduce the crash here.

by Mihai Hanor, 10 years ago

Attachment: VBox.log added

comment:25 by Mihai Hanor, 10 years ago

I've attached a log, no crash involved. Host & guest Win7 x64. No Guest Additions. Use the small program (source resolution.cpp) to keep the guest switching the resolution, minimize it (so as not to interrupt it with a key press), then press and hold the Host key, press F, release both, and repeat the cycle as fast as you can and as fast as the guest allows you. You can modify the delay to 500ms; for me it's very easy to reproduce.

comment:26 by sunlover, 10 years ago

mhanor, please test if the crash is still reproducible with r49783. Thanks.

comment:27 by Mihai Hanor, 10 years ago

It appears very robust now. I can't seem to crash it. I'm attaching a vbox.log, in case you're interested.

by Mihai Hanor, 10 years ago

Attachment: VBox.zip added

svn 49813, win7 x64 host and guest

comment:28 by sunlover, 10 years ago

Thanks for testing. Both fixes will be included in the next 4.3.x release.

comment:29 by Frank Mehnert, 10 years ago

Resolution: fixed
Status: new → closed

Fixed in 4.3.6.
