From owner-freebsd-bugs  Sat May 11 14:30:06 1996
Return-Path: owner-bugs
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id OAA19419
          for bugs-outgoing; Sat, 11 May 1996 14:30:06 -0700 (PDT)
Received: (from gnats@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id OAA19409
          Sat, 11 May 1996 14:30:02 -0700 (PDT)
Resent-Date: Sat, 11 May 1996 14:30:02 -0700 (PDT)
Resent-Message-Id: <199605112130.OAA19409@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, hsu@clinet.fi
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id OAA18796
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 11 May 1996 14:23:41 -0700 (PDT)
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.7.5/8.6.4) with ESMTP id AAA00475 for <FreeBSD-gnats-submit@freebsd.org>; Sun, 12 May 1996 00:23:31 +0300 (EET DST)
Received: (root@localhost) by katiska.clinet.fi (8.7.5/8.6.4) id AAA07283; Sun, 12 May 1996 00:23:30 +0300 (EET DST)
Message-Id: <199605112123.AAA07283@katiska.clinet.fi>
Date: Sun, 12 May 1996 00:23:30 +0300 (EET DST)
From: Heikki Suonsivu <hsu@clinet.fi>
Reply-To: hsu@clinet.fi
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/1190: panic: page fault (wild pointer?)
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


>Number:         1190
>Category:       kern
>Synopsis:       panic: page fault (wild pointer?)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 11 14:30:01 PDT 1996
>Last-Modified:
>Originator:     Heikki Suonsivu
>Organization:
Clinet, Espoo, Finland
>Release:        FreeBSD 2.2-CURRENT i386
>Environment:

	News server, P90, sup beginning of May (kernel is compiled May 5,
probably supped within couple of days from that).

>Description:

ftp://ftp.clinet.fi/pub/FreeBSD/crashdumps/*.69.gz

GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), 
Copyright 1994 Free Software Foundation, Inc...
IdlePTD 263000
current pcb at 21a5c8
panic: page fault
#0  boot (howto=256) at ../../i386/i386/machdep.c:931
931                                     dumppcb.pcb_ptd = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../i386/i386/machdep.c:931
#1  0xf01171e6 in panic (fmt=0xf01c530c "page fault")
    at ../../kern/subr_prf.c:127
#2  0xf01c5e66 in trap_fatal (frame=0xefbffee8) at ../../i386/i386/trap.c:740
#3  0xf01c5958 in trap_pfault (frame=0xefbffee8, usermode=0)
    at ../../i386/i386/trap.c:651
#4  0xf01c563b in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -2147483648, 
      tf_esi = -272646144, tf_ebp = -272629964, tf_isp = -272630000, 
      tf_ebx = -264867152, tf_edx = -227449244, tf_ecx = -123129856, 
      tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -266583618, tf_cs = 8, 
      tf_eflags = 66118, tf_esp = -265439216, tf_ss = 697})
    at ../../i386/i386/trap.c:319
#5  0xf01be321 in calltrap ()
#6  0xf01bb30d in vm_pageout_scan () at ../../vm/vm_pageout.c:704
#7  0xf01bb770 in vm_pageout () at ../../vm/vm_pageout.c:898
#8  0xf0108386 in kproc_start (udata=0xf01fecb0) at ../../kern/init_main.c:255
#9  0xf0108324 in main (framep=0xefbfffb8) at ../../kern/init_main.c:205
(kgdb) up
#1  0xf01171e6 in panic (fmt=0xf01c530c "page fault")
    at ../../kern/subr_prf.c:127
127             boot(bootopt);
(kgdb) up
#2  0xf01c5e66 in trap_fatal (frame=0xefbffee8) at ../../i386/i386/trap.c:740
740                     panic(trap_msg[type]);
(kgdb) up
#3  0xf01c5958 in trap_pfault (frame=0xefbffee8, usermode=0)
    at ../../i386/i386/trap.c:651
651                     trap_fatal(frame);
(kgdb) up
#4  0xf01c563b in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -2147483648, 
      tf_esi = -272646144, tf_ebp = -272629964, tf_isp = -272630000, 
      tf_ebx = -264867152, tf_edx = -227449244, tf_ecx = -123129856, 
      tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -266583618, tf_cs = 8, 
      tf_eflags = 66118, tf_esp = -265439216, tf_ss = 697})
    at ../../i386/i386/trap.c:319
319                             (void) trap_pfault(&frame, FALSE);
(kgdb) up
#5  0xf01be321 in calltrap ()
(kgdb) up
#6  0xf01bb30d in vm_pageout_scan () at ../../vm/vm_pageout.c:704
704                     if (m->object->ref_count &&
(kgdb) list
699                             TAILQ_REMOVE(&vm_page_queue_active, m, pageq);
700                             TAILQ_INSERT_TAIL(&vm_page_queue_active, m, pageq);
701                             m = next;
702                             continue;
703                     }
704                     if (m->object->ref_count &&
705                             ((m->flags & PG_REFERENCED) ||
706                             pmap_is_referenced(VM_PAGE_TO_PHYS(m))) ) {
707                             pmap_clear_reference(VM_PAGE_TO_PHYS(m));
708                             m->flags &= ~PG_REFERENCED;
(kgdb) print m
$1 = (struct vm_page *) 0xf03672b0
(kgdb) print *m
$2 = {pageq = {tqe_next = 0x0, tqe_prev = 0xf2716664}, hashq = {
    tqe_next = 0xefbfc000, tqe_prev = 0xf02fed30}, listq = {tqe_next = 0x0, 
    tqe_prev = 0x0}, object = 0x1d4000, pindex = 4029710864, phys_addr = 0, 
  queue = 4, flags = 3398, wire_count = 62077, hold_count = 12288, 
  act_count = 3 '\003', busy = 0 '\000', valid = 48 '0', dirty = 44 ','}
(kgdb) print m->object
$3 = (struct vm_object *) 0x1d4000
(kgdb) print *m->object
Cannot access memory at address 0x1d4000.
(kgdb) 

>How-To-Repeat:

I do not know.  The last sup increased panic frequency (but it has not
deadlocked since the upgrade).  Most of the panics have been silent, no
crash dump.

>Fix:
	
>Audit-Trail:
>Unformatted: