From owner-freebsd-bugs Tue Apr 30 14:40:08 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA11412 for bugs-outgoing; Tue, 30 Apr 1996 14:40:08 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA11346 Tue, 30 Apr 1996 14:40:03 -0700 (PDT)
Resent-Date: Tue, 30 Apr 1996 14:40:03 -0700 (PDT)
Resent-Message-Id: <199604302140.OAA11346@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, hsu@clinet.fi
Received: from hauki.clinet.fi (hauki.clinet.fi [194.100.0.1]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id OAA10394 for ; Tue, 30 Apr 1996 14:31:51 -0700 (PDT)
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.7.5/8.6.4) with ESMTP id AAA06861 for ; Wed, 1 May 1996 00:31:10 +0300 (EET DST)
Received: (root@localhost) by katiska.clinet.fi (8.7.5/8.6.4) id AAA05251; Wed, 1 May 1996 00:31:07 +0300 (EET DST)
Message-Id: <199604302131.AAA05251@katiska.clinet.fi>
Date: Wed, 1 May 1996 00:31:07 +0300 (EET DST)
From: Heikki Suonsivu
Reply-To: hsu@clinet.fi
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/1166: pmap panic (dump available)
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1166
>Category: kern
>Synopsis: pmap panic (dump available)
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 30 14:40:02 PDT 1996
>Last-Modified:
>Originator: Heikki Suonsivu
>Organization: Clinet, Espoo, Finland
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
news server with full feed, current from around April 22, Adaptec 2940 ASUS PCI 64M.
>Description:
dump and kernel are ftp://ftp.clinet.fi/pub/FreeBSD/crashdumps/*.67.gz (within 15 minutes of submitting this report).

GDB is free software and you are welcome to distribute copies of it under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc...
IdlePTD ac6000
current pcb at 224aa8
panic: from debugger
#0 boot (howto=256) at ../../i386/i386/machdep.c:941
941 dumppcb.pcb_ptd = rcr3();
(kgdb) bt
#0 boot (howto=256) at ../../i386/i386/machdep.c:941
#1 0xf011ad27 in panic (fmt=0xf01011f8 "from debugger") at ../../kern/subr_prf.c:133
#2 0xf0101215 in db_panic (dummy1=-266550203, dummy2=0, dummy3=-1, dummy4=0xefbffcf0 "") at ../../ddb/db_command.c:395
#3 0xf01010fe in db_command (last_cmdp=0xf0200b34, cmd_table=0xf0200994) at ../../ddb/db_command.c:288
#4 0xf010127d in db_command_loop () at ../../ddb/db_command.c:417
#5 0xf01035e8 in db_trap (type=12, code=0) at ../../ddb/db_trap.c:73
#6 0xf01c6f9a in kdb_trap (type=12, code=0, regs=0xefbffe40) at ../../i386/i386/db_interface.c:136
#7 0xf01cf723 in trap_fatal (frame=0xefbffe40) at ../../i386/i386/trap.c:736
#8 0xf01cf220 in trap_pfault (frame=0xefbffe40, usermode=0) at ../../i386/i386/trap.c:651
#9 0xf01ceeb3 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 1024, tf_esi = -207945792, tf_ebp = -272630112, tf_isp = -272630168, tf_ebx = 1, tf_edx = -114995200, tf_ecx = 73, tf_eax = 48984000, tf_trapno = 12, tf_err = 0, tf_eip = -266550203, tf_cs = 8, tf_eflags = 66182, tf_esp = -215115904, tf_ss = 299008}) at ../../i386/i386/trap.c:319
#10 0xf01c7811 in calltrap ()
#11 0xf01bb0ce in vm_map_delete (map=0xf2f26c00, start=0, end=4022329344) at ../../vm/vm_map.c:1702
---Type to continue, or q to quit---
#12 0xf01bb158 in vm_map_remove (map=0xf2f26c00, start=0, end=4022329344) at ../../vm/vm_map.c:1736
#13 0xf010f456 in exit1 (p=0xf2f47b00, rv=2) at ../../kern/kern_exit.c:160
#14 0xf01165e2 in sigexit (p=0xf2f47b00, signum=2) at ../../kern/kern_sig.c:1214
#15 0xf01163d6 in postsig
(signum=2) at ../../kern/kern_sig.c:1122
#16 0xf01cfb08 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 352256, tf_esi = 335672, tf_ebp = -272640436, tf_isp = -272629788, tf_ebx = 0, tf_edx = 1, tf_ecx = 0, tf_eax = 7262, tf_trapno = 12, tf_err = 7, tf_eip = 173205, tf_cs = 31, tf_eflags = 514, tf_esp = -272640464, tf_ss = 39}) at ../../i386/i386/trap.c:144
#17 0xf01c7865 in Xsyscall ()
Cannot access memory at address 0xefbfd64c.
(kgdb) up
#1 0xf011ad27 in panic (fmt=0xf01011f8 "from debugger") at ../../kern/subr_prf.c:133
133 boot(bootopt);
(kgdb)
#2 0xf0101215 in db_panic (dummy1=-266550203, dummy2=0, dummy3=-1, dummy4=0xefbffcf0 "") at ../../ddb/db_command.c:395
395 panic("from debugger");
(kgdb)
#3 0xf01010fe in db_command (last_cmdp=0xf0200b34, cmd_table=0xf0200994) at ../../ddb/db_command.c:288
288 (*cmd->fcn)(addr, have_addr, count, modif);
(kgdb)
#4 0xf010127d in db_command_loop () at ../../ddb/db_command.c:417
417 db_command(&db_last_command, db_command_table);
(kgdb)
#5 0xf01035e8 in db_trap (type=12, code=0) at ../../ddb/db_trap.c:73
73 db_command_loop();
(kgdb)
#6 0xf01c6f9a in kdb_trap (type=12, code=0, regs=0xefbffe40) at ../../i386/i386/db_interface.c:136
136 db_trap(type, code);
(kgdb)
#7 0xf01cf723 in trap_fatal (frame=0xefbffe40) at ../../i386/i386/trap.c:736
736 if (kdb_trap (type, 0, frame))
(kgdb)
#8 0xf01cf220 in trap_pfault (frame=0xefbffe40, usermode=0) at ../../i386/i386/trap.c:651
651 trap_fatal(frame);
(kgdb)
#9 0xf01ceeb3 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 1024, tf_esi = -207945792, tf_ebp = -272630112, tf_isp = -272630168, tf_ebx = 1, tf_edx = -114995200, tf_ecx = 73, tf_eax = 48984000, tf_trapno = 12, tf_err = 0, tf_eip = -266550203, tf_cs = 8, tf_eflags = 66182, tf_esp = -215115904, tf_ss = 299008}) at ../../i386/i386/trap.c:319
319 (void) trap_pfault(&frame, FALSE);
(kgdb)
#10 0xf01c7811 in calltrap ()
(kgdb)
#11 0xf01bb0ce in vm_map_delete (map=0xf2f26c00, start=0, end=4022329344) at ../../vm/vm_map.c:1702
1702
pmap_remove(map->pmap, s, e);
(kgdb)
#12 0xf01bb158 in vm_map_remove (map=0xf2f26c00, start=0, end=4022329344) at ../../vm/vm_map.c:1736
1736 result = vm_map_delete(map, start, end);
(kgdb)
#13 0xf010f456 in exit1 (p=0xf2f47b00, rv=2) at ../../kern/kern_exit.c:160
160 (void) vm_map_remove(&vm->vm_map, VM_MIN_ADDRESS,
(kgdb)
#14 0xf01165e2 in sigexit (p=0xf2f47b00, signum=2) at ../../kern/kern_sig.c:1214
1214 exit1(p, W_EXITCODE(0, signum));
(kgdb)
#15 0xf01163d6 in postsig (signum=2) at ../../kern/kern_sig.c:1122
1122 sigexit(p, signum);
(kgdb)
#16 0xf01cfb08 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 352256, tf_esi = 335672, tf_ebp = -272640436, tf_isp = -272629788, tf_ebx = 0, tf_edx = 1, tf_ecx = 0, tf_eax = 7262, tf_trapno = 12, tf_err = 7, tf_eip = 173205, tf_cs = 31, tf_eflags = 514, tf_esp = -272640464, tf_ss = 39}) at ../../i386/i386/trap.c:144
144 postsig(sig);
(kgdb)
#17 0xf01c7865 in Xsyscall ()
(kgdb)
Cannot access memory at address 0xefbfd64c.
(kgdb) down
#16 0xf01cfb08 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 352256, tf_esi = 335672, tf_ebp = -272640436, tf_isp = -272629788, tf_ebx = 0, tf_edx = 1, tf_ecx = 0, tf_eax = 7262, tf_trapno = 12, tf_err = 7, tf_eip = 173205, tf_cs = 31, tf_eflags = 514, tf_esp = -272640464, tf_ss = 39}) at ../../i386/i386/trap.c:144
144 postsig(sig);
(kgdb) print sig
$1 = 0
(kgdb) list
139     u_quad_t oticks;
140 {
141     int sig, s;
142
143     while ((sig = CURSIG(p)) != 0)
144         postsig(sig);
145     p->p_priority = p->p_usrpri;
146     if (want_resched) {
147         /*
148          * Since we are curproc, clock will normally just change
(kgdb) down
#15 0xf01163d6 in postsig (signum=2) at ../../kern/kern_sig.c:1122
1122 sigexit(p, signum);
(kgdb) list
1117     if (action == SIG_DFL) {
1118         /*
1119          * Default action, where the default is to kill
1120          * the process. (Other cases were ignored above.)
1121          */
1122         sigexit(p, signum);
1123         /* NOTREACHED */
1124     } else {
1125         /*
1126          * If we get here, the signal must be caught.
(kgdb) print p
$2 = (struct proc *) 0xf2f47b00
(kgdb) print *p
$3 = {p_forw = 0xf2f2a700, p_back = 0x0, p_list = {le_next = 0xf3134d00,
  le_prev = 0xf02528d0}, p_cred = 0xf2dd56a0, p_fd = 0xf3183480,
  p_stats = 0xf6e05258, p_limit = 0xf020f950, p_vmspace = 0xf2f26c00,
  p_sigacts = 0xf6e05128, p_flag = 8198, p_stat = 2 '\002', p_pad1 = "À­Þ",
  p_pid = 7277, p_pglist = {le_next = 0x0, le_prev = 0xf320a468},
  p_pptr = 0xf2c73600, p_sibling = {le_next = 0xf3085900,
  le_prev = 0xf2c73648}, p_children = {lh_first = 0x0}, p_oppid = 0,
  p_dupfd = 0, p_estcpu = 190, p_cpticks = 0, p_pctcpu = 0, p_wchan = 0x0,
  p_wmesg = 0x0, p_swtime = 2, p_slptime = 0, p_realtimer = {it_interval = {
  tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, tv_usec = 0}},
  p_rtime = {tv_sec = 0, tv_usec = 0}, p_uticks = 0, p_sticks = 0,
  p_iticks = 0, p_traceflag = 0, p_tracep = 0x0, p_siglist = 0,
  p_textvp = 0xf2d06100, p_lock = 0 '\000', p_pad2 = "\000\000", p_locks = 0,
  p_simple_locks = 0, p_hash = {le_next = 0x0, le_prev = 0xf2c691b4},
  p_sigmask = 0, p_sigignore = 4294967295, p_sigcatch = 0,
  p_priority = 97 'a', p_usrpri = 97 'a', p_nice = 0 '\000',
  p_comm = "sh\000h\000\000r\000\000\000\000\000\000\000\000\000",
  p_pgrp = 0xf320a460, p_sysent = 0xf0201c50, p_rtprio = {type = 1,
  prio = 0}, p_addr = 0xf6e05000, p_md = {md_flags = 0,
  md_regs = 0xefbfffbc}, p_xstat = 0, p_acflag = 17, p_ru = 0xf32c5800}
(kgdb) down
#14 0xf01165e2 in sigexit (p=0xf2f47b00, signum=2) at ../../kern/kern_sig.c:1214
1214 exit1(p, W_EXITCODE(0, signum));
(kgdb) list
1209             p->p_cred && p->p_ucred ? p->p_ucred->cr_uid : -1,
1210             signum);
1211         if (coredump(p) == 0)
1212             signum |= WCOREFLAG;
1213     }
1214     exit1(p, W_EXITCODE(0, signum));
1215     /* NOTREACHED */
1216 }
1217
1218 /*
(kgdb) print signum
$4 = 2
(kgdb) down
#13 0xf010f456 in exit1 (p=0xf2f47b00, rv=2) at ../../kern/kern_exit.c:160
160 (void) vm_map_remove(&vm->vm_map, VM_MIN_ADDRESS,
(kgdb) list
155      * Need to do this early enough that we can still sleep.
156      * Can't free the entire vmspace as the kernel stack
157      * may be mapped within that space also.
158      */
159     if (vm->vm_refcnt == 1)
160         (void) vm_map_remove(&vm->vm_map, VM_MIN_ADDRESS,
161             VM_MAXUSER_ADDRESS);
162
163     if (SESS_LEADER(p)) {
164         register struct session *sp = p->p_session;
(kgdb) print vm
$5 = (struct vmspace *) 0xf2f26c00
(kgdb) print *vm
$6 = {vm_map = {pmap = 0xf2f26c64, lock = {want_write = 1, want_upgrade = 0,
  waiting = 0, can_sleep = 1, read_count = 0, proc = 0x0,
  recursion_depth = 0}, header = {prev = 0xf321db40, next = 0xf32d9780,
  start = 0, end = 4026265600, object = {vm_object = 0x0, share_map = 0x0,
  sub_map = 0x0}, offset = 0x0000000000000000, is_a_map = 0, is_sub_map = 0,
  copy_on_write = 0, needs_copy = 0, protection = 0 '\000',
  max_protection = 0 '\000', inheritance = 0 '\000', wired_count = 0},
  nentries = 6, size = 43794432, is_main_map = 1, ref_count = 1,
  hint = 0xf2f26c20, first_free = 0xf2f26c20, entries_pageable = 1,
  timestamp = 3}, vm_pmap = {
  pm_pdir = 0xf9264000, pm_dref = 0, pm_count = 1, pm_stats = {
  resident_count = 3, wired_count = 2}, pm_map = 0xf2f26c00}, vm_refcnt = 1,
  vm_shm = 0x0, vm_upages_obj = 0xf32af380, vm_rssize = 0, vm_swrss = 118,
  vm_tsize = 72, vm_dsize = 16, vm_ssize = 32, vm_taddr = 0x1000 "\023",
  vm_daddr = 0x49000 "Àÿÿ\203Ä\b\211{\024\203}\024", vm_maxsaddr = 0xebbfe000
, vm_minsaddr = 0xefbfd798
}
(kgdb) print vm->vm_map
$7 = {pmap = 0xf2f26c64, lock = {want_write = 1, want_upgrade = 0,
  waiting = 0, can_sleep = 1, read_count = 0, proc = 0x0,
  recursion_depth = 0}, header = {prev = 0xf321db40, next = 0xf32d9780,
  start = 0, end = 4026265600, object = {vm_object = 0x0, share_map = 0x0,
  sub_map = 0x0}, offset = 0x0000000000000000, is_a_map = 0, is_sub_map = 0,
  copy_on_write = 0, needs_copy = 0, protection = 0 '\000',
  max_protection = 0 '\000', inheritance = 0 '\000', wired_count = 0},
  nentries = 6, size = 43794432, is_main_map = 1, ref_count = 1,
  hint = 0xf2f26c20, first_free = 0xf2f26c20, entries_pageable = 1,
  timestamp = 3}
(kgdb) down
#12 0xf01bb158 in vm_map_remove (map=0xf2f26c00, start=0, end=4022329344) at ../../vm/vm_map.c:1736
1736 result = vm_map_delete(map, start, end);
(kgdb) list
1731     if (map == kmem_map)
1732         s = splhigh();
1733
1734     vm_map_lock(map);
1735     VM_MAP_RANGE_CHECK(map, start, end);
1736     result = vm_map_delete(map, start, end);
1737     vm_map_unlock(map);
1738
1739     if (map == kmem_map)
1740         splx(s);
(kgdb) print map
$8 = (struct vm_map *) 0xf2f26c00
(kgdb) print start
$9 = 0
(kgdb) print end
$10 = 4022329344
(kgdb) set radix 16
Input and output radices now set to decimal 16, hex 10, octal 20.
(kgdb) print end
$11 = 0xefbfe000
(kgdb) print *map
$12 = {pmap = 0xf2f26c64, lock = {want_write = 0x1, want_upgrade = 0x0,
  waiting = 0x0, can_sleep = 0x1, read_count = 0x0, proc = 0x0,
  recursion_depth = 0x0}, header = {prev = 0xf321db40, next = 0xf32d9780,
  start = 0x0, end = 0xeffbf000, object = {vm_object = 0x0, share_map = 0x0,
  sub_map = 0x0}, offset = 0x0000000000000000, is_a_map = 0x0,
  is_sub_map = 0x0, copy_on_write = 0x0, needs_copy = 0x0, protection = 0x0,
  max_protection = 0x0, inheritance = 0x0, wired_count = 0x0},
  nentries = 0x6, size = 0x29c4000, is_main_map = 0x1, ref_count = 0x1,
  hint = 0xf2f26c20, first_free = 0xf2f26c20, entries_pageable = 0x1,
  timestamp = 0x3}
(kgdb) down
#11 0xf01bb0ce in vm_map_delete (map=0xf2f26c00, start=0x0, end=0xefbfe000) at ../../vm/vm_map.c:1702
1702 pmap_remove(map->pmap, s, e);
(kgdb) print map->pmap
$13 = (struct pmap *) 0xf2f26c64
(kgdb) print s
$14 = 0x1000
(kgdb) print e
$15 = 0xf39affc0
(kgdb) print *map
$16 = {pmap = 0xf2f26c64, lock = {want_write = 0x1, want_upgrade = 0x0,
  waiting = 0x0, can_sleep = 0x1, read_count = 0x0, proc = 0x0,
  recursion_depth = 0x0}, header = {prev = 0xf321db40, next = 0xf32d9780,
  start = 0x0, end = 0xeffbf000, object = {vm_object = 0x0, share_map = 0x0,
  sub_map = 0x0}, offset = 0x0000000000000000, is_a_map = 0x0,
  is_sub_map = 0x0, copy_on_write = 0x0, needs_copy = 0x0, protection = 0x0,
  max_protection = 0x0, inheritance = 0x0, wired_count = 0x0},
  nentries = 0x6, size = 0x29c4000, is_main_map = 0x1, ref_count = 0x1,
  hint = 0xf2f26c20, first_free = 0xf2f26c20, entries_pageable = 0x1,
  timestamp = 0x3}
(kgdb) print *map->pmap
$17 = {pm_pdir = 0xf9264000, pm_dref = 0x0, pm_count = 0x1, pm_stats = {
  resident_count = 0x3, wired_count = 0x2}, pm_map = 0xf2f26c00}
(kgdb) down
#10 0xf01c7811 in calltrap ()
(kgdb) list
1697     else if (!map->is_main_map)
1698         vm_object_pmap_remove(object,
1699             OFF_TO_IDX(entry->offset),
1700             OFF_TO_IDX(entry->offset + (e - s)));
1701     else
1702         pmap_remove(map->pmap, s,
e);
1703
1704     /*
1705      * Delete the entry (which may delete the object) only after
1706      * removing all pmap entries pointing to its pages.
(kgdb) down
#9 0xf01ceeb3 in trap (frame={tf_es = 0x10, tf_ds = 0x10, tf_edi = 0x400, tf_esi = 0xf39affc0, tf_ebp = 0xefbffea0, tf_isp = 0xefbffe68, tf_ebx = 0x1, tf_edx = 0xf9255000, tf_ecx = 0x49, tf_eax = 0x2eb6fc0, tf_trapno = 0xc, tf_err = 0x0, tf_eip = 0xf01cc445, tf_cs = 0x8, tf_eflags = 0x10286, tf_esp = 0xf32d9780, tf_ss = 0x49000}) at ../../i386/i386/trap.c:319
319 (void) trap_pfault(&frame, FALSE);
(kgdb) up
#10 0xf01c7811 in calltrap ()
(kgdb) up
#11 0xf01bb0ce in vm_map_delete (map=0xf2f26c00, start=0x0, end=0xefbfe000) at ../../vm/vm_map.c:1702
1702 pmap_remove(map->pmap, s, e);
(kgdb) list
1697     else if (!map->is_main_map)
1698         vm_object_pmap_remove(object,
1699             OFF_TO_IDX(entry->offset),
1700             OFF_TO_IDX(entry->offset + (e - s)));
1701     else
1702         pmap_remove(map->pmap, s, e);
1703
1704     /*
1705      * Delete the entry (which may delete the object) only after
1706      * removing all pmap entries pointing to its pages.
(kgdb) print map->is_main_map
$18 = 0x1
(kgdb)
>How-To-Repeat:
I get these every couple of days. Will try a newer kernel as soon as the current new features get fixed.
>Fix:
>Audit-Trail:
>Unformatted: