Re: [Qemu-devel] Re: Spice project is now open

[Andrea Arcangeli]

On Sat, Dec 12, 2009 at 05:52:49PM -0600, Anthony Liguori wrote:
> This is the bit that confuses me.  VNC is not a driver.  When I say it 
> cannot crash the guest, I mean that if the VNC server makes a mistake, 
> there may be a SEGV in qemu or it may just result in a VNC client seeing 
> corruption.  The guest does not see a bad VGA register content though or 
> something like that.  VNC is a host driver or backend service or 
> whatever you want to call it.  VNC does not have migration state because 
> it has no guest visible state.

Again, a guest crash because of qlx interaction is not what I
mean. And the reason I wasn't even thinking about this scenario is
that the kind of paravirt-driver related guest crash you are talking
about, if it can happen, can happen even if spice lib in the qemu side
lives in a separate address space. This is why this case of pure guest
crash through qlx is not relevant to decide if to have spice lib
inside our outside of qemu address space, I think that is more about
the qlx driver and not spice on the qemu side.

With regard to VNC, as long as VNC lives in the same address space
with the guest, it can just follow a dangling pointer and corrupt and
crash the guest too like libspice or qcow2 or anything else in that
address space could too, or worse silently corrupt guest fs metadata
and leave traces of fs corruption that could emerge months or years
after the bug was fixed. qlx and paravirt definitely not required for
this, VNC can do it too.

> When you compare Spice to a virtio driver, that implies to me that
> it does interact directly with the guest.  In fact, when you have a
> driver passing high level commands to Spice, you would think that
> the status of these commands would be pending state, no?  Let's say
> the guest sends a fill rectangle command and the Spice server sends
> that to a client.  The Spice server needs to know when the client
> has finished that (maybe not, but let's assume it does) so there is
> now a pending request that someone has to keep track of.  If you do
> a savevm or a live migration, or the client disconnects, the state
> of that request has to be saved somewhere (unless you tell the guest
> that the client has disconnected which is how Xen handles pv device
> migration).  So that's what I'm trying to understand.  How far does
> the guest's visibility go?  Is the guest totally ignorant of
> anything other than QXL?  If so, that's good, and I'm very happy
> about it :-) Regards, Anthony Liguori

I would expect it to be ignorant about anything but qlx (what else
does it need to know), but I never looked into spice before it was
open source so it's not like I'm the right person to ask for those
details ;).