From: Thierry Herbelot
To: current@freebsd.org
Date: Fri, 24 Jun 2005 16:26:55 +0200
Subject: panic: Memory modified after free
Message-Id: <200506241626.57469.thierry@herbelot.com>
List-Id: Discussions about the use of FreeBSD-current

This is with an SMP machine (oldish BP6)

multi-cur# kgdb kernel.debug /files3/tmp/vmcore.154
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc046897a in db_fncall (dummy1=0, dummy2=0, dummy3=-1067166101,
    dummy4=0xcc89d8d4 "\bÙ\211Ì") at /usr/src/sys/ddb/db_command.c:531
#2  0xc0468788 in db_command (last_cmdp=0xc08fc464, cmd_table=0x0,
    aux_cmd_tablep=0xc0879f00, aux_cmd_tablep_end=0xc0879f1c)
    at /usr/src/sys/ddb/db_command.c:349
#3  0xc0468850 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
#4  0xc046a3d5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
#5  0xc0645904 in kdb_trap (type=3, code=0, tf=0xcc89da18)
    at /usr/src/sys/kern/subr_kdb.c:471
#6  0xc07e7cbc in trap (frame=
      {tf_fs = -863436792, tf_es = -1067188184, tf_ds = -1065025496,
       tf_edi = -1064921604, tf_esi = 1, tf_ebp = -863380904,
       tf_isp = -863380924, tf_ebx = -863380860, tf_edx = 0,
       tf_ecx = -1056755712, tf_eax = 18, tf_trapno = 3, tf_err = 0,
       tf_eip = -1067166101, tf_cs = 32, tf_eflags = 642,
       tf_esp = -863380872, tf_ss = -1067263353})
    at /usr/src/sys/i386/i386/trap.c:598
#7  0xc07d583a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#8  0xcc890008 in ?? ()
#9  0xc0640028 in blst_radix_init (scan=0xc084ecf5,
    radix=-4516961442427043584, skip=-1050930176,
    count=Unhandled dwarf expression opcode 0x93
) at /usr/src/sys/kern/subr_blist.c:885
#10 0xc062da87 in panic (fmt=0x282 )
    at /usr/src/sys/kern/kern_shutdown.c:537
#11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1)
    at /usr/src/sys/vm/uma_dbg.c:72
#12 0xc0624bd8 in mb_ctor_mbuf (mem=0xc15c1400, size=256, arg=0xcc89db40,
    how=1) at /usr/src/sys/kern/kern_mbuf.c:204
#13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1)
    at /usr/src/sys/vm/uma_core.c:1839
#14 0xc06c66ed in tcp_output (tp=0xc165eac8) at mbuf.h:392
---Type to continue, or q to quit---q
Quit
(kgdb) frame 11
#11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1)
    at /usr/src/sys/vm/uma_dbg.c:72
72                              panic("Memory modified after free %p(%d) val=%x @ %p\n",
(kgdb) list
67
68              cnt = size / sizeof(uma_junk);
69
70              for (p = mem; cnt > 0; cnt--, p++)
71                      if (*p != uma_junk)
72                              panic("Memory modified after free %p(%d) val=%x @ %p\n",
73                                  mem, size, *p, p);
74              return (0);
75      }
76
(kgdb) frame 13
#13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1)
    at /usr/src/sys/vm/uma_core.c:1839
1839                    if (zone->uz_ctor(item, zone->uz_keg->uk_size,
(kgdb) list
1834                    ZONE_LOCK(zone);
1835                    uma_dbg_alloc(zone, NULL, item);
1836                    ZONE_UNLOCK(zone);
1837    #endif
1838                    if (zone->uz_ctor != NULL) {
1839                            if (zone->uz_ctor(item, zone->uz_keg->uk_size,
1840                                udata, flags) != 0) {
1841                                    uma_zfree_internal(zone, item, udata,
1842                                        SKIP_DTOR);
1843                                    return (NULL);
(kgdb) print *zone
$1 = {uz_name = 0xc084d5b0 "Mbuf", uz_lock = 0xc10443c8, uz_keg = 0xc10443c0,
  uz_link = {le_next = 0xc104ac60, le_prev = 0xc10443f8},
  uz_full_bucket = {lh_first = 0x0}, uz_free_bucket = {lh_first = 0x0},
  uz_ctor = 0xc0624bc0 , uz_dtor = 0xc0624c30 , uz_init = 0, uz_fini = 0,
  uz_allocs = 1993622, uz_fills = 0, uz_count = 128,
  uz_cpu = {{uc_freebucket = 0xc15b820c, uc_allocbucket = 0xc103d20c,
      uc_allocs = 3}}}

multi-cur# ident kernel.debug | grep uma_dbg.c
     $FreeBSD: src/sys/vm/uma_dbg.c,v 1.19 2005/02/16 21:45:59 bmilekic Exp $
multi-cur# ident kernel.debug | grep kern_mbuf.c
     $FreeBSD: src/sys/kern/kern_mbuf.c,v 1.8 2005/06/23 04:33:39 silby Exp $
multi-cur# ident kernel.debug | grep uma_core.c
     $FreeBSD: src/sys/vm/uma_core.c,v 1.119 2005/04/29 18:56:36 rwatson Exp $
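
The check that fired in frame 11, reduced to a userland sketch. This is an added example, not part of the original message and not FreeBSD's code: it poisons an item on free, re-walks it on the next allocation as the uma_dbg.c listing does, and shows which stale writes the walk catches. The junk value, the function names and the static 256-byte item are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ITEM_SIZE 256                       /* item size seen in frame 12 (size=256) */
#define ITEM_WORDS (ITEM_SIZE / sizeof(uint32_t))
static const uint32_t junk = 0xdeadc0de;    /* assumed poison pattern for this example */

/* Free path: overwrite every 32-bit word of the item with the junk pattern. */
static void poison_on_free(void *mem, size_t size)
{
    uint32_t *p = mem;
    for (size_t cnt = size / sizeof(junk); cnt > 0; cnt--, p++)
        *p = junk;
}

/* Alloc path: same walk as the listing, but instead of panicking it returns
 * the index of the first modified word, or -1 if the item is intact. */
static long check_on_alloc(const void *mem, size_t size)
{
    const uint32_t *p = mem;
    size_t cnt = size / sizeof(junk);
    for (size_t i = 0; i < cnt; i++)
        if (p[i] != junk)
            return (long)i;
    return -1;
}

/* Free an item, write through a stale pointer, then "allocate" it again.
 * A word index outside the item performs no write (control case). */
static long simulate_stale_write(size_t word, uint32_t val)
{
    static uint32_t item[ITEM_WORDS];
    uint32_t *stale = item;                 /* pointer kept past the free */

    poison_on_free(item, sizeof(item));
    if (word < ITEM_WORDS)
        stale[word] = val;                  /* the use-after-free write */
    return check_on_alloc(item, sizeof(item));
}

int main(void)
{
    printf("stale write of 0 to word 5       -> %ld\n", simulate_stale_write(5, 0));
    printf("no write after free              -> %ld\n", simulate_stale_write(ITEM_WORDS, 0));
    /* Blind spot: a stale write that stores the junk value itself is invisible. */
    printf("stale write of junk to word 3    -> %ld\n", simulate_stale_write(3, junk));
    return 0;
}
```

The check reports where the item was modified, not who modified it: the allocating thread in the backtrace is the one that detects the damage, while the writer is whichever code held the stale pointer between free and reallocation.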