With Alfred's help, I think I've determined the send side of the socket not calling selwakeup() is the problem. If there's a missing selwakeup{,pri}(), then the object can be freed while it's still on the select/poll queues. So far, I haven't had a crash, whereas mozilla, running multithreaded, with libpthread on SMP, can otherwise cause it very quickly. Index: uipc_socket.c =================================================================== RCS file: /usr/ncvs/src/sys/kern/uipc_socket.c,v retrieving revision 1.161 diff -u -r1.161 uipc_socket.c --- uipc_socket.c 31 Jan 2004 10:40:23 -0000 1.161 +++ uipc_socket.c 11 Feb 2004 03:36:05 -0000 _at__at_ -291,6 +291,7 _at__at_ struct socket *so; { struct socket *head = so->so_head; + int s; KASSERT(so->so_count == 0, ("socket %p so_count not 0", so)); _at__at_ -314,6 +315,12 _at__at_ so->so_state &= ~SS_INCOMP; so->so_head = NULL; } + so->so_snd.sb_flags |= SB_NOINTR; + (void)sblock(&so->so_snd, M_WAITOK); + s = splimp(); + socantsendmore(so); + splx(s); + sbunlock(&so->so_snd); sbrelease(&so->so_snd, so); sorflush(so); sodealloc(so); -- Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\ <> green_at_FreeBSD.org \ The Power to Serve! \ Opinions expressed are my own. \,,,,,,,,,,,,,,,,,,,,,,\Received on Tue Feb 10 2004 - 19:11:02 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:42 UTC