From owner-freebsd-current Thu Feb 4 09:28:04 1999 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA20239 for freebsd-current-outgoing; Thu, 4 Feb 1999 09:26:20 -0800 (PST) (envelope-from owner-freebsd-current@FreeBSD.ORG) Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA20232 for ; Thu, 4 Feb 1999 09:26:17 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.2/8.9.1) id JAA88650; Thu, 4 Feb 1999 09:26:07 -0800 (PST) (envelope-from dillon) Date: Thu, 4 Feb 1999 09:26:07 -0800 (PST) From: Matthew Dillon Message-Id: <199902041726.JAA88650@apollo.backplane.com> To: Stephen McKay Cc: freebsd-current@FreeBSD.ORG, syssgm@detir.qld.gov.au Subject: Re: panic: vm_object_qcollapse(): object mismatch References: <199902041300.XAA10590@nymph.detir.qld.gov.au> Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Hmmm. This looks like an out-an-out bug to me. The assertion is wrong. It's scanning the backing_object and asserting that the pages in the backing object are associated with object rather then backing_object. This section of code only runs when paging is in progress on a collapseable object AND there are also idle pages in that object. The collapse condition is probably due to an exiting process ( typical in a buildworld ). ( from vm/vm_object.c ) /* * busy the page and move it from the backing store to the * parent object. */ vm_page_busy(p); KASSERT(p->object == object, ("vm_object_qcollapse(): object mismatch")); ^^^^^^^^^^ should be 'backing_object' There is also an interrupt race. Since paging can be in progress, pages in the object can be ripped out from under it so we have to run at splbio() in the loop. I will commit the fix. -Matt Matthew Dillon :Hardware: 486DX2/66 16Mb ram, aha1542CF, 2x1Gb SCSI disks :Software: 4.0-current 1-2 days old, softupdates : (vm_map.c is at rev 1.146, for example) : :I was running 'make -j5 buildworld'. It swaps like crazy when I do this. :-) : :Here's what gdb -k tells me: : :... :#9 0xf01425e0 in panic ( : fmt=0xf0225c1f "vm_object_qcollapse(): object mismatch") : at ../../kern/kern_shutdown.c:446 :#10 0xf01e0772 in vm_object_qcollapse (object=0xf2f001d0) : at ../../vm/vm_object.c:1011 :#11 0xf01e08d6 in vm_object_collapse (object=0xf2f001d0) : at ../../vm/vm_object.c:1102 :#12 0xf01ddae2 in vm_map_copy_entry (src_map=0xf2f4aa00, dst_map=0xf2f4ad00, : src_entry=0xf2ed0e10, dst_entry=0xf2f8edc0) at ../../vm/vm_map.c:2284 :#13 0xf01ddd73 in vmspace_fork (vm1=0xf2f4aa00) at ../../vm/vm_map.c:2411 :#14 0xf01da833 in vm_fork (p1=0xf2f7db20, p2=0xf2d751e0, flags=20) : at ../../vm/vm_glue.c:231 :#15 0xf013d4f0 in fork1 (p1=0xf2f7db20, flags=20) at ../../kern/kern_fork.c:447 :#16 0xf013ce65 in fork (p=0xf2f7db20, uap=0xf3021f94) : at ../../kern/kern_fork.c:99 :#17 0xf01fe783 in syscall (frame={tf_es = 134807599, tf_ds = -272695249, : tf_edi = 134750909, tf_esi = 134935201, tf_ebp = -272643652, : tf_isp = -217964572, tf_ebx = 4, tf_edx = 672250004, tf_ecx = 19, : tf_eax = 2, tf_trapno = 12, tf_err = 2, tf_eip = 671826564, tf_cs = 31, : tf_eflags = 662, tf_esp = -272651296, tf_ss = 47}) : at ../../i386/i386/trap.c:1100 :#18 0xf01f4e9c in Xint0x80_syscall () :... :(kgdb) p *p :$1 = {pageq = {tqe_next = 0xf02c5240, tqe_prev = 0xf02e4e00}, hnext = 0x0, : listq = {tqe_next = 0xf02e59d0, tqe_prev = 0xf2f69cc8}, object = 0xf2f69cb0, : pindex = 30, phys_addr = 15065088, queue = 4, flags = 1, pc = 0, : wire_count = 0, hold_count = 0, act_count = 27 '\e', busy = 0 '\000', : valid = 255 'ÿ', dirty = 255 'ÿ'} :(kgdb) p object :$2 = (struct vm_object *) 0xf2f001d0 :(kgdb) p *object :$3 = {object_list = {tqe_next = 0xf2fdc2b8, tqe_prev = 0xf2f69c3c}, : shadow_head = {tqh_first = 0x0, tqh_last = 0xf2f001d8}, shadow_list = { : tqe_next = 0x0, tqe_prev = 0xf2f69cb8}, memq = {tqh_first = 0xf02dbcb0, : tqh_last = 0xf02cc86c}, generation = 11690, type = OBJT_DEFAULT, : size = 32, ref_count = 2, shadow_count = 0, pg_color = 0, : hash_rand = -136756254, flags = 8576, paging_in_progress = 0, behavior = 0, : resident_page_count = 6, cache_count = 0, wire_count = 0, : backing_object = 0xf2f69cb0, backing_object_offset = 0x0000000000000000, : last_read = 0, pager_object_list = {tqe_next = 0xf2f69000, : tqe_prev = 0xf0252f10}, handle = 0x0, un_pager = {vnp = { : vnp_size = 0x0000000000000000}, devp = {devp_pglist = {tqh_first = 0x0, : tqh_last = 0x0}}, swp = {swp_bcount = 0}}} :(kgdb) p *(p->object) :$4 = {object_list = {tqe_next = 0xf2f915e4, tqe_prev = 0xf30fd0e8}, : shadow_head = {tqh_first = 0xf2f001d0, tqh_last = 0xf2f001e0}, : shadow_list = {tqe_next = 0x0, tqe_prev = 0xf30fef04}, memq = { : tqh_first = 0xf02e7170, tqh_last = 0xf02cff5c}, generation = 10219, : type = OBJT_SWAP, size = 32, ref_count = 3, shadow_count = 1, pg_color = 0, : hash_rand = -136000830, flags = 384, paging_in_progress = 0, behavior = 0, : resident_page_count = 4, cache_count = 1, wire_count = 0, : backing_object = 0x0, backing_object_offset = 0x0000000000000000, : last_read = 29, pager_object_list = {tqe_next = 0xf30fad24, : tqe_prev = 0xf30f0814}, handle = 0x0, un_pager = {vnp = { : vnp_size = 0x0000000000000001}, devp = {devp_pglist = {tqh_first = 0x1, : tqh_last = 0x0}}, swp = {swp_bcount = 1}}} : :I'll keep this dump around. What other details do people want? : :I'm not likely to even get to look at this let alone solve it. Bummer. : :Stephen. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message