From owner-freebsd-current@FreeBSD.ORG  Sun Dec 21 18:24:11 2003
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8B87E16A4CE
	for <freebsd-current@freebsd.org>;
	Sun, 21 Dec 2003 18:24:11 -0800 (PST)
Received: from sizone.org (mortar.sizone.org [65.126.154.242])
	by mx1.FreeBSD.org (Postfix) with ESMTP id ED32B43D64
	for <freebsd-current@freebsd.org>;
	Sun, 21 Dec 2003 18:24:09 -0800 (PST)
	(envelope-from dgilbert@daveg.ca)
Received: by sizone.org (Postfix, from userid 66)
	id 61DDB307E1; Sun, 21 Dec 2003 21:24:09 -0500 (EST)
Received: by canoe.dclg.ca (Postfix, from userid 101)
	id 6BAED1D1D54; Sun, 21 Dec 2003 21:24:09 -0500 (EST)
From: David Gilbert <dgilbert@dclg.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <16358.21961.164134.835078@canoe.dclg.ca>
Date: Sun, 21 Dec 2003 21:24:09 -0500
To: freebsd-current@freebsd.org
X-Mailer: VM 7.17 under 21.4 (patch 14) "Reasonable Discussion" XEmacs Lucid
Subject: Use of Freed Memory crash.
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Dec 2003 02:24:11 -0000

I got the following backtrace from a recent crash of current:

(kgdb) bt
#0  doadump () at ../../../kern/kern_shutdown.c:240
#1  0xc0542d42 in boot (howto=256) at ../../../kern/kern_shutdown.c:372
#2  0xc0543098 in panic () at ../../../kern/kern_shutdown.c:550
#3  0xc064fa17 in mtrash_ctor (mem=0xc9d84000, size=0, arg=0x0)
    at ../../../vm/uma_dbg.c:137
#4  0xc064e17b in uma_zalloc_arg (zone=0xc103be40, udata=0x0, flags=2)
    at ../../../vm/uma_core.c:1403
#5  0xc0537a93 in malloc (size=3238248000, type=0xc06f45a0, flags=2)
    at ../../../vm/uma.h:234
#6  0xc056d695 in poll (td=0xc6bb88c0, uap=0xe9f71d14)
    at ../../../kern/sys_generic.c:966
#7  0xc0680db0 in syscall (frame=
      {tf_fs = 47, tf_es = 673775663, tf_ds = -1078001617, tf_edi = 10, tf_esi = 172, tf_ebp = -1077943212, tf_isp = -369681036, tf_ebx = 673797812, tf_edx = 160608256, tf_ecx = 137695232, tf_eax = 209, tf_trapno = 22, tf_err = 2, tf_eip = 674140831, tf_cs = 31, tf_eflags = 658, tf_esp = -1077943272, tf_ss = 47})
    at ../../../i386/i386/trap.c:1010
#8  0xc067292d in Xint0x80_syscall () at {standard input}:136
---Can't read userspace from dump, or kernel process---

... now the panic message was:

panic: Most recently used by temp

The code in question (mtrash_ctor) is:

               printf("Memory modified after free %p(%d) val=%x @ %p\n",  
                        mem, size, *p, p);
               panic("Most recently used by %s\n", (*ksp == NULL)?
                        "none" : (*ksp)->ks_shortdesc);

... anyone working on something that affects this?  I have the dump if
someone wants it.

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave@daveg.ca                    |  equal if and only if they |
|http://daveg.ca                              |   are precisely opposite.  |
=========================================================GLO================