Fatal double fault with 20031116-JPSNAP

From: Damian Gerow <dgerow_at_afflictions.org>
Date: Sat, 29 Nov 2003 16:07:44 -0500

A couple days ago, I downloaded 20031116-JPSNAP to install on a new system
-- this box had been running 5.1-R without issues for some time, but wasn't
doing anything particular, and I had mucked up the 5.1 -> 5.2 upgrade
(statfs stuff).

Whenever I boot the system into multi-user mode, I see a *lot* of this:

    checking stopevent 2 with the following non-sleepable locks held:
    exclusive sleep mutex sigacts r = 0 (0xc48f9aa8) locked @ /usr/src/sys/kern/kern_synch.c:293
    checking stopevent 2 with the following non-sleepable locks held:
    exclusive sleep mutex sigacts r = 0 (0xc48f9aa8) locked @ /usr/src/sys/kern/subr_trap.c:260
    checking stopevent 2 with the following non-sleepable locks held:
    exclusive sleep mutex sigacts r = 0 (0xc48f9aa8) locked @ /usr/src/sys/kern/subr_trap.c:260

over and over and over -- it makes the console essentially unusable.

Thinking an update might fix it, I booted into single user mode, cvsup'ed,
and started building.  However, six buildworlds later, it appears that I'm
constantly getting a fatal double fault, but in differing places.  This
looks like the turnstile double-panic outlined in 5.2R-TODO -- I hope this
is enough information.

Anyhow, here's what I see (I don't know how to use the debugger, so I've
just guessed at commands):

    panic: Duplicate free of item 0xc1cda71c from zone 0xc103b780(PV ENTRY)

    cpuid = 0;
    Debugger("panic")
    Stopped at      Debugger+0x55:  xchgl   %ebx,in_Debugger.0
    db> trace
    Debugger(c0895cb8,0,c08ae388,d8a48c04,100) at Debugger+0x55
    panic(c08ae388,c1cc72bc,c103b780,c08b3233,6d0) at panic+0x156
    uma_dbg_free(c103b780,0,c1cc72bc,6d0,0) at uma_dbg_free+0x111
    uma_zfree_arg(c103b780,c1cc72bc,0,a2f,c0893811) at uma_zfree_arg+0x123
    pmap_remove_pages(c1d0d364,0,bfc00000,11a,c0893811) at pmap_remove_pages+0x209
    exit1(c4796c80,0,c0893811,65,d8a48d40) at exit1+0x68c
    sys_exit(c4796c80,d8a48d10,c08b38d0,3ee,1) at sys_exit+0x41
    syscall(2f,2f,2f,bfbfece0,0) at syscall+0x2e0
    Xint0x80_syscall() at Xint0x80_syscall+0x1d
    --- syscall (1, FreeBSD ELF32, sys_exit), eip = 0x806427b, esp = 0xbfbfec9c, ebp = 0xbfbfecb8 ---
    db> match
    After 6 instructions (0 loads, 0 stores),
    Stopped at      Debugger+0x66:  ret
    db> match

    syncing disks, buffers remaining... panic: sleeping thread (pid 14015) owns a non-sleepable lock
    cpuid = 0;
    Debugger("panic")
    Uptime: 18m4s
    panic: Assertion td->td_turnstile != NULL failed at /usr/src/sys/kern/subr_turnstile.c:437
    [the above four lines, thirteen times]

    Fatal double fault:
    eip = 0xc08118c0
    esp = 0xd77ba000
    ebp = 0xd77ba020
    cpuid = 0; apic id = 00
    panic: double fault
    cpuid = 0;
    Debugger("panic")


    Fatal trap 3: breakpoint instruction fault while in kernel mode
    cpuid = 0; apic id = 00
    instruction pointer     = 0x8:0xc0811a85
    stack pointer           = 0x10:0xc09bb2dc
    frame pointer           = 0x10:0xc09bb2e8
    code segment            = base 0x0, limit 0xfffff, type 0x1b
                            = DPL 0, pres 1, def32 1, gran 1
    processor eflags        = nested task, IOPL = 0
    current process         = 27 (swi8: tty:sio clock)

And on the next buildworld, in a different place:

    panic: Duplicate free of item 0xc4bc221c from zone 0xc103b6c0(MAP ENTRY)

    cpuid = 0;
    Debugger("panic")
    Stopped at      Debugger+0x55:  xchgl   %ebx,in_Debugger.0
    db> trace
    Debugger(c0895cb8,0,c08ae388,d8a05b8c,100) at Debugger+0x55
    panic(c08ae388,c4bc221c,c103b6c0,c08ac694,6d0) at panic+0x156
    uma_dbg_free(c103b6c0,0,c4bc221c,6d0,0) at uma_dbg_free+0x111
    uma_zfree_arg(c103b6c0,c4bc221c,0,d8a05c34,c07d9f6c) at uma_zfree_arg+0x123
    vm_map_entry_dispose(c1d0d84c,c4bc221c,c08ac714,829,c08ac714) at vm_map_entry_dispose+0x3d
    vm_map_entry_delete(c1d0d84c,c4bc221c,c08ac714,884,c1d0d888) at vm_map_entry_delete+0x1ac
    vm_map_delete(c1d0d84c,0,bfc00000,c1d0d84c,c48b8900) at vm_map_delete+0x228
    vm_map_remove(c1d0d84c,0,bfc00000,11d,c0893811) at vm_map_remove+0x58
    exit1(c4704780,0,c0893811,65,d8a05d40) at exit1+0x6c6
    sys_exit(c4704780,d8a05d10,c08b38d0,3ee,1) at sys_exit+0x41
    syscall(2f,2f,2f,bfbfec40,0) at syscall+0x2e0
    Xint0x80_syscall() at Xint0x80_syscall+0x1d
    --- syscall (1, FreeBSD ELF32, sys_exit), eip = 0x806427b, esp = 0xbfbfebfc, ebp = 0xbfbfec18 ---
    db> match
    After 6 instructions (0 loads, 0 stores),
    Stopped at      Debugger+0x66:  ret
    db> match
    Uptime: 35m13s
    panic: Assertion td->td_turnstile != NULL failed at /usr/src/sys/kern/subr_turnstile.c:437
    cpuid = 0;
    Debugger("panic")
    [the above four lines thirteen times]

    Fatal double fault:
    eip = 0xc048a39f
    esp = 0xd89f8000
    ebp = 0xd89f800c
    cpuid = 0; apic id = 00
    panic: double fault
    cpuid = 0;
    Debugger("panic")


    Fatal trap 3: breakpoint instruction fault while in kernel mode
    cpuid = 0; apic id = 00
    instruction pointer     = 0x8:0xc0811a85
    stack pointer           = 0x10:0xc09bb2dc
    frame pointer           = 0x10:0xc09bb2e8
    code segment            = base 0x0, limit 0xfffff, type 0x1b
                            = DPL 0, pres 1, def32 1, gran 1
    processor eflags        = nested task, IOPL = 0
    current process         = 4 (g_down)

The system is a C3 Nehemiah chip on a DFI CD70-SC (VIA Apollo Pro 266
chipset), and was working fine with 5.1-R.

In trying to reproduce a third panic, buildworld is about 75% complete.
Fingers crossed I'll be able to build into 5.2-BETA.
Received on Sat Nov 29 2003 - 12:08:12 UTC
