Date:      Fri, 13 Jul 2007 11:27:05 +0300
From:      Kostik Belousov <kostikbel@gmail.com>
To:        Attilio Rao <attilio@freebsd.org>
Cc:        Julian Elischer <julian@elischer.org>, FreeBSD Current <current@freebsd.org>
Subject:   Re: crash in tty code in 6.1.. fixed since?
Message-ID:  <20070713082705.GI2200@deviant.kiev.zoral.com.ua>
In-Reply-To: <46972B28.1010409@FreeBSD.org>
References:  <46970DF7.3000803@elischer.org> <46972B28.1010409@FreeBSD.org>



On Fri, Jul 13, 2007 at 09:35:04AM +0200, Attilio Rao wrote:
> Julian Elischer wrote:
> >Does this crash look familiar to anyone?
> >It's in 6.1 unfortunately..
> >
> >#6  0xc069ca6a in calltrap () at ../../../i386/i386/exception.s:139
> >#7  0xc0587012 in ttymodem (tp=0xc6990800, flag=-1065963704)
> >   at ../../../kern/tty.c:1659
> >#8  0xc058b83e in ptcclose (dev=0x0, flags=7, fmt=8192, td=0xc6966d80)
> >   at linedisc.h:136
> >#9  0xc052bf77 in giant_close (dev=0xc7547c00, fflag=7, devtype=8192,
> >   td=0xc6966d80) at ../../../kern/kern_conf.c:266
> >#10 0xc051685f in devfs_close (ap=0xe706baa4)
> >   at ../../../fs/devfs/devfs_vnops.c:287
> >#11 0xc06c2a10 in VOP_CLOSE_APV (vop=0x0, a=0xc076af48) at vnode_if.c:426
> >#12 0xc05bf3ce in vn_close (vp=0xc764e550, flags=7, file_cred=0x0,
> >   td=0xc6966d80) at vnode_if.h:227
> >#13 0xc05c0212 in vn_closefile (fp=0xc7532510, td=0xc6966d80)
> >   at ../../../kern/vfs_vnops.c:852
> >#14 0xc0516887 in devfs_close_f (fp=0xc7532510, td=0xc6966d80)
> >   at ../../../fs/devfs/devfs_vnops.c:297
> >#15 0xc05361e8 in fdrop_locked (fp=0xc7532510, td=0xc6966d80) at file.h:289
> >#16 0xc0536135 in fdrop (fp=0xc7532510, td=0xc6966d80)
> >   at ../../../kern/kern_descrip.c:2122
> >#17 0xc05346d3 in closef (fp=0xc7532510, td=0xc6966d80)
> >   at ../../../kern/kern_descrip.c:1942
> >#18 0xc0533487 in fdfree (td=0xc6966d80)
> >   at ../../../kern/kern_descrip.c:1627
> >#19 0xc053cc88 in exit1 (td=0xc6966d80, rv=15)
> >   at ../../../kern/kern_exit.c:263
> >#20 0xc055b58b in sigexit (td=0xc6966d80, sig=15)
> >   at ../../../kern/kern_sig.c:2451
> >#21 0xc055b296 in postsig (sig=15) at ../../../kern/kern_sig.c:2326
> >#22 0xc0577fbe in ast (framep=0xe706bd38) at ../../../kern/subr_trap.c:266
> >#23 0xc069d3ad in doreti_ast () at ../../../i386/i386/exception.s:293
> >
> >(kgdb) up
> >#7  0xc0587012 in ttymodem (tp=0xc6990800, flag=-1065963704)
> >   at ../../../kern/tty.c:1659
> >1659                                    if (tp->t_session->s_leader) {
> >Current language:  auto; currently c
> >(kgdb) list
> >1654                        !ISSET(tp->t_cflag, CLOCAL)) {
> >1655                            SET(tp->t_state, TS_ZOMBIE);
> >1656                            CLR(tp->t_state, TS_CONNECTED);
> >1657                            if (tp->t_session) {
> >1658                                    sx_slock(&proctree_lock);
> >1659                                    if (tp->t_session->s_leader) {
> >1660                                            struct proc *p;
> >1661
> >1662                                            p = tp->t_session->s_leader;
> >1663                                            PROC_LOCK(p);
> >
> >(kgdb) set print pretty
> >(kgdb) p *tp
> >$3 = {
> >  t_rawq = {
> >    c_cc = 0,
> >[...]
> >
> >  t_outcc = 119661,
> >  t_line = 0,
> >  t_dev = 0xc763fe00,
> >  t_mdev = 0x0,
> >  t_devunit = 0,
> >  t_state = 0,
> >  t_flags = 0,
> >  t_timeout = 300000,
> >  t_pgrp = 0x0,
> >  t_session = 0x0,
> >  t_sigio = 0x0,
> >  t_rsel = {
> >    si_thrlist = {
> >      tqe_next = 0x0,
> >      tqe_prev = 0x0
> >    },
> >    si_thread = 0x0,
> >    si_note = {
> >   [...]
> >
> >
> >t_session is NULL, but it shouldn't have been able to run that line
> >(line 1659) if it had tested for NULL 2 lines before..
> >This suggests a locking problem..
> 
> I think it has been fixed some months ago IIRC.
> The problem here should be that if sx_slock() lets the thread sleep, Giant
> is released before sleeping and tp->t_session can be accessed in a racy way.
> Another nice side-effect of having tty under Giant :)

Yes, it seems that rev. 1.267 fixed it and was MFCed as rev. 1.228.2.6.
There were a lot of commits around this one, so it may be safer to update to
RELENG_6.
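The race Attilio describes, as an added C model that is not FreeBSD code and not the actual tty.c fix: a pointer is tested, the thread then blocks in a lock acquisition (under Giant, sleeping releases Giant), another thread clears the pointer meanwhile, and the first thread dereferences it. The struct names, the sleep_hook callback standing in for "another thread ran while we slept", and the return codes are all constructed for the illustration; the real code page-faults at the dereference instead of returning a code. The second function shows the general corrected shape, taking the lock before reading the field so that no sleep separates the check from the use.

```c
#include <stddef.h>

/*
 * Constructed model of the check / sleep / use race discussed in the
 * thread. Not FreeBSD code: struct tty, struct session, sleep_hook and
 * the TTY_* result codes exist only for this example.
 */
enum { TTY_NO_SESSION = 0, TTY_HAS_LEADER = 1, TTY_WOULD_FAULT = -1 };

struct session {
    int s_leader;               /* stands in for the s_leader pointer test */
};

struct tty {
    struct session *t_session;  /* in the model, guarded by proctree_lock */
};

/*
 * Stand-in for a second thread that runs while the first sleeps in
 * sx_slock(): it tears the session down and clears tp->t_session.
 */
typedef void (*sleep_hook)(struct tty *tp);

static void session_teardown(struct tty *tp)
{
    tp->t_session = NULL;
}

/*
 * Model of sx_slock(&proctree_lock). If the caller has to sleep, Giant is
 * dropped and any Giant-protected field may change underneath it; the hook,
 * when non-NULL, is that interleaved change.
 */
static void proctree_slock(struct tty *tp, sleep_hook slept)
{
    if (slept != NULL)
        slept(tp);
}

static void proctree_sunlock(void)
{
}

/* Racy shape: test the pointer, then block, then use the pointer. */
int ttymodem_racy(struct tty *tp, sleep_hook slept)
{
    int rv = TTY_NO_SESSION;

    if (tp->t_session) {                 /* check, under Giant */
        proctree_slock(tp, slept);       /* may sleep: Giant dropped */
        if (tp->t_session == NULL) {
            /* The real code dereferences here: that is frame #7. */
            proctree_sunlock();
            return TTY_WOULD_FAULT;
        }
        rv = tp->t_session->s_leader ? TTY_HAS_LEADER : TTY_NO_SESSION;
        proctree_sunlock();
    }
    return rv;
}

/*
 * Corrected shape: acquire the lock first, then check and use the pointer
 * while holding it. The sleep, if any, happens before the first read.
 */
int ttymodem_locked(struct tty *tp, sleep_hook slept)
{
    int rv = TTY_NO_SESSION;

    proctree_slock(tp, slept);
    if (tp->t_session != NULL)
        rv = tp->t_session->s_leader ? TTY_HAS_LEADER : TTY_NO_SESSION;
    proctree_sunlock();
    return rv;
}

/* Scenarios: uncontended lock vs. session torn down during the sleep. */
int racy_uncontended(void)
{
    struct session s = { 1 }; struct tty tp = { &s };
    return ttymodem_racy(&tp, NULL);
}

int racy_contended(void)
{
    struct session s = { 1 }; struct tty tp = { &s };
    return ttymodem_racy(&tp, session_teardown);   /* TTY_WOULD_FAULT */
}

int locked_uncontended(void)
{
    struct session s = { 1 }; struct tty tp = { &s };
    return ttymodem_locked(&tp, NULL);
}

int locked_contended(void)
{
    struct session s = { 1 }; struct tty tp = { &s };
    return ttymodem_locked(&tp, session_teardown);  /* TTY_NO_SESSION */
}
```

The model collapses the second thread into a callback, so it says nothing about whether that thread itself holds proctree_lock exclusively; it only shows why a NULL test that precedes a sleeping lock acquisition proves nothing about the pointer afterwards, which is exactly the contradiction Julian saw between line 1657 and the fault at line 1659.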




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070713082705.GI2200>