Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 9 Jul 2000 15:51:46 +0200
From:      Ollivier Robert <roberto@keltia.freenix.fr>
To:        "FreeBSD Current Users' list" <freebsd-current@FreeBSD.ORG>
Cc:        mckusick@mckusick.com
Subject:   Multiple free panic on SMP
Message-ID:  <20000709155146.A30086@keltia.freenix.fr>
next in thread | raw e-mail | index | archive | help 
After updating to the very latest current code, I get a multiple free panic on
my SMP machine. It always happen during buildworld in libc_r.

Important note : I have the snapshot code from Kirk.

The panic is in random_read which does a free. Here is the trace.

panic: free: multiple freed item 0xc0e92d00
mp_lock = 00000003; cpuid = 0; lapic.id = 00000000
panic: from debugger
mp_lock = 00000004; cpuid = 0; lapic.id = 00000000
boot() called on cpu#0
Uptime: 41m7s
#0  boot (howto=260) at ../../kern/kern_shutdown.c:303
#1  0xc017819d in panic (fmt=0xc029dc34 "from debugger")
    at ../../kern/kern_shutdown.c:553
#2  0xc0133435 in db_panic (addr=-1071169600, have_addr=0, count=-1, 
    modif=0xc667bc38 "") at ../../ddb/db_command.c:433
#3  0xc01333d5 in db_command (last_cmdp=0xc02d9db4, cmd_table=0xc02d9c14, 
    aux_cmd_tablep=0xc031a8f4) at ../../ddb/db_command.c:333
#4  0xc013349a in db_command_loop () at ../../ddb/db_command.c:455
#5  0xc0135657 in db_trap (type=3, code=0) at ../../ddb/db_trap.c:71
#6  0xc0273d05 in kdb_trap (type=3, code=0, regs=0xc667bd48)
    at ../../i386/i386/db_interface.c:158
#7  0xc028590c in trap (frame={tf_fs = -1070399464, tf_es = -1070399472, 
      tf_ds = -966328304, tf_edi = 128, tf_esi = 256, tf_ebp = -966279792, 
      tf_isp = -966279820, tf_ebx = -1070954959, tf_edx = 0, tf_ecx = 32, 
      tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1071169600, tf_cs = 8, 
      tf_eflags = 524886, tf_esp = -1070814813, tf_ss = -1070951182})
    at ../../i386/i386/trap.c:552
#8  0xc0273fc0 in Debugger (msg=0xc02a94f2 "panic") at machine/cpufunc.h:64
#9  0xc0178194 in panic (fmt=0xc02a8631 "free: multiple freed item %p")
    at ../../kern/kern_shutdown.c:551
#10 0xc0173d43 in free (addr=0xc0e92d00, type=0xc03035e0)
    at ../../kern/kern_malloc.c:336
#11 0xc0144340 in random_read (dev=0xc031e3c8, uio=0xc667bed8, flag=131072)
    at ../../dev/randomdev/randomdev.c:100
#12 0xc01b1e67 in spec_read (ap=0xc667be6c)
    at ../../miscfs/specfs/spec_vnops.c:262
#13 0xc0252774 in ufsspec_read (ap=0xc667be6c)
    at ../../ufs/ufs/ufs_vnops.c:1830
#14 0xc0252ca1 in ufs_vnoperatespec (ap=0xc667be6c)
    at ../../ufs/ufs/ufs_vnops.c:2308
#15 0xc01af0e8 in vn_read (fp=0xc1135d40, uio=0xc667bed8, cred=0xc0d9a780, 
    flags=0, p=0xc6580820) at vnode_if.h:334
#16 0xc0188db5 in dofileread (p=0xc6580820, fp=0xc1135d40, fd=3, 
    buf=0xbfbff064, nbyte=116, offset=-1, flags=0) at ../../sys/file.h:141
#17 0xc0188cab in read (p=0xc6580820, uap=0xc667bf80)
    at ../../kern/sys_generic.c:110
#18 0xc0286335 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, 
      tf_edi = 1717986919, tf_esi = 3, tf_ebp = -1077940008, 
      tf_isp = -966279212, tf_ebx = 672082468, tf_edx = 63956, 
      tf_ecx = 672148482, tf_eax = 3, tf_trapno = 12, tf_err = 2, 
      tf_eip = 672042240, tf_cs = 31, tf_eflags = 643, tf_esp = -1077940196, 
      tf_ss = 47}) at ../../i386/i386/trap.c:1126
#19 0xc02746cb in Xint0x80_syscall ()
(kgdb) up 10
#10 0xc0173d43 in free (addr=0xc0e92d00, type=0xc03035e0)
    at ../../kern/kern_malloc.c:336
336                                     panic("free: multiple freed item %p", addr);
(kgdb) print addr
$1 = (void *) 0xc0e92d00
(kgdb) print *addr
Attempt to dereference a generic pointer.
(kgdb) up
#11 0xc0144340 in random_read (dev=0xc031e3c8, uio=0xc667bed8, flag=131072)
    at ../../dev/randomdev/randomdev.c:100
warning: Source file is more recent than executable.

100                     ret = read_random(random_buf, c);
(kgdb) list
95              void *random_buf;
96
97              c = min(uio->uio_resid, PAGE_SIZE);
98              random_buf = (void *)malloc(c, M_TEMP, M_WAITOK);
99              while (uio->uio_resid > 0 && error == 0) {
100                     ret = read_random(random_buf, c);
101                     error = uiomove(random_buf, ret, uio);
102             }
103             free(random_buf, M_TEMP);
104             return error;
(kgdb) print random_buf
$2 = (void *) 0xc0e92d00
(kgdb) print uio
$3 = (struct uio *) 0xc667bed8
(kgdb) print *uio
$4 = {uio_iov = 0xc667beb0, uio_iovcnt = 1, uio_offset = 116, uio_resid = 0, 
  uio_segflg = UIO_USERSPACE, uio_rw = UIO_READ, uio_procp = 0xc6580820}

More details if needed of course.
-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 5.0-CURRENT #80: Sun Jun  4 22:44:19 CEST 2000



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000709155146.A30086>