From owner-freebsd-bugs@FreeBSD.ORG Tue Mar 27 03:30:04 2007
Message-Id: <200703270317.l2R3H4B2036335@www.freebsd.org>
Date: Tue, 27 Mar 2007 03:17:04 GMT
From: Andrew Muhametshin
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/110892: Fatal trap 12, at use qemu

>Number:         110892
>Category:       misc
>Synopsis:       Fatal trap 12, at use qemu
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 27 03:30:03 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Andrew Muhametshin
>Release:        FreeBSD-6.2-RELEASE
>Organization:
>Environment:
$ uname -a
FreeBSD inspirra.localdomain 6.2-RELEASE FreeBSD 6.2-RELEASE #6: Mon Jan 29 09:21:15 MSK 2007 root@inspirra.localdomain:/usr/obj/usr/src/sys/INSPIRRA i386
>Description:
Sometimes (not always), the system crashes when the emulator "qemu" is in use.

$ kgdb ./kernel.debug /var/crash/vmcore.0
kgdb: kvm_nlist(_stopped_cpus):
kgdb: kvm_nlist(_stoppcbs):
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x1c
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc04ef8e7
stack pointer           = 0x28:0xe466bcb0
frame pointer           = 0x28:0xe466bcb4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 37 (pagedaemon)
trap number             = 12
panic: page fault
Uptime: 9h27m30s
Dumping 958 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 958MB (245232 pages) 942 926 910 894 878 862 846 830 814 798 782 766 750 734 718 702 686 670 654 638 622 606 590 574 558 542 526 510 494 478 462 446 430 414 398 382 366 350 334 318 302 286 270 254 238 222 (CTRL-C to abort) 206 190 174 158 142 126 110 94 78 62 46 30 14

#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc04fb684 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
        first_buf_printf = 1
#2  0xc04fb9b6 in panic (fmt=0xc06c5733 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
        td = (struct thread *) 0xc4e09000
        bootopt = 260
        newpanic = 0
        ap = 0xc4e09000 ""
        buf = "page fault", '\0'
#3  0xc06a40ec in trap_fatal (frame=0xe466bc70, eva=0) at /usr/src/sys/i386/i386/trap.c:837
        code = 40
        type = 12
        ss = 40
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 15, ssd_xx1 = 3, ssd_def32 = 1, ssd_gran = 1}
        msg = 0x0
#4  0xc06a3df2 in trap_pfault (frame=0xe466bc70, usermode=0, eva=28) at /usr/src/sys/i386/i386/trap.c:745
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0xc071b840
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc4e09000
        p = (struct proc *) 0xc4ead000
#5  0xc06a39bd in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 90694, tf_esi = 0, tf_ebp = -463029068, tf_isp = -463029092, tf_ebx = -1050230984, tf_edx = 4, tf_ecx = 0, tf_eax = -1051846016, tf_trapno = 12, tf_err = 0, tf_eip = -1068566297, tf_cs = 32, tf_eflags = 590406, tf_esp = -1050230984, tf_ss = -463029024})
    at /usr/src/sys/i386/i386/trap.c:435
        td = (struct thread *) 0xc4e09000
        p = (struct proc *) 0xc4ead000
        sticks = 3339534336
        i = 0
        ucode = 0
        type = 12
        code = 0
        eva = 28
#6  0xc068ff5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
---Type <return> to continue, or q <return> to quit---
No locals.
#7  0xc04ef8e7 in _mtx_trylock (m=0x0, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:428
        rval = 4
#8  0xc0652038 in vm_pageout_page_stats () at /usr/src/sys/vm/vm_pageout.c:1376
        actcount = 1
        object = 0x0
        m = 0xc166bf38
        next = 0xc14e1a80
        pcount = 90694
        tpcount = -1051846016
        fullintervalcount = 0
        page_shortage = 4
#9  0xc06524ab in vm_pageout () at /usr/src/sys/vm/vm_pageout.c:1546
        error = -1051846016
        pass = 0
#10 0xc04e16df in fork_exit (callout=0xc06521d0 , arg=0xc14e1a80, frame=0xc14e1a80) at /usr/src/sys/kern/kern_fork.c:821
        p = (struct proc *) 0xc4ead000
        td = (struct thread *) 0x4
#11 0xc068ffbc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
No locals.
>How-To-Repeat:
$ pkg_info -E kqemu\* qemu\*
kqemu-kmod-1.3.0.p11
qemu-0.9.0

$ kldload aio
$ kldload kqemu
$ qemu -boot c -m 256 \
    -hda /usr/EMULATORS/BOCHS/disk0.img \
    -net nic,model=rtl8139 \
    -net tap \
    -std-vga \
    -soundhw es1370 \
    -win2k-hack \
    -kernel-kqemu

The guest system on qemu is WinXP. The system crash occurs very often, but not always.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: