Kernel panic in 6.0 revisited

From: Joe Marcus Clarke <marcus_at_marcuscom.com>
Date: Sat, 04 Sep 2004 00:57:24 -0400
A few days ago, I reported a kernel panic in HEAD while building
packages on my tinderbox machine.  I was unable to get a core dump from
that crash, and after switching from ULE to 4BSD, I had thought it had
gone away.

Well, today, the machine panicked twice.  It was the same panic both
times, and the same panic I got a few days ago.  This time, however, I
was able to get a core dump.  Here is the panic message:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x1c
fault code              = supervisor write, page not present
instruction pointer     = 0x8:0xc0533d07
stack pointer           = 0x10:0xf5f30a4c
frame pointer           = 0x10:0xf5f30a58
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 27441 (cpp0)
Stopped at  vfs_vmio_release+0x1b: lock cmpxchgl %ecx,0x1c(%edx)

Here is the full backtrace:

#0  doadump () at pcpu.h:159
No locals.
#1  0xc044790a in db_fncall (dummy1=0, dummy2=0, dummy3=-1067408529, dummy4=0xf3832640 "l&\203óÔ\205`ÀX&\203ó\\&\203ó\220\a") at /usr/src/sys/ddb/db_command.c:531
        fn_addr = -1068568116
        args = {0 <repeats 11 times>}
        nargs = 11
        retval = 0
        func = (fcn_10args_t *) 0xc04ef1cc <doadump>
        t = 0
#2  0xc0447718 in db_command (last_cmdp=0xc06aa344, cmd_table=0x0, aux_cmd_tablep=0xc0678980, aux_cmd_tablep_end=0xc0678984) at /usr/src/sys/ddb/db_command.c:349
        cmd = (struct command *) 0xc067e7c0
        t = 0
        modif = "l&\203óÔ\205`ÀX&\203ó\\&\203ó\220\a\000\000\220\a\000\000Ï\a\000\000\000\000\000\000\000|mÀ\r\000\000\000\000|mÀ\000|mÀ\r\000\000\000\001\000\000\000\230&\203ó\a\177`À\230&\203ó \177`À OlÀà´kÀx\000\000\000_at_¬jÀ\f\000\000\000¸&\203ó|\226DÀ_\035fÀì\223DÀ\f\000\000\000_at_¬jÀ\236\213DÀ"
        addr = 0
        count = -1067408529
        have_addr = 0
        result = 0
#3  0xc04477e0 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
No locals.
#4  0xc0449359 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
        jb = {{_jb = {-209508616, -209508636, -209508564, -209508396, 12, -1069247758, 12, -209508540, -1068464337, -1066976222, -1068464204, -209508560}}}
        prev_jb = (void *) 0x0
        bkpt = 0
#5  0xc0506cb7 in kdb_trap (type=12, code=0, tf=0x1) at /usr/src/sys/kern/subr_kdb.c:418
        did_stop_cpus = 1
        handled = -209508396
#6  0xc06239c1 in trap_fatal (frame=0xf38327d4, eva=28) at /usr/src/sys/i386/i386/trap.c:804
        code = 16
        type = 12
        ss = 16
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 3, ssd_xx1 = 3, ssd_def32 = 1, ssd_gran = 1}
#7  0xc062371f in trap_pfault (frame=0xf38327d4, usermode=0, eva=28) at /usr/src/sys/i386/i386/trap.c:727
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0xc308a4b0
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc3184420
        p = (struct proc *) 0xc35bb380
#8  0xc0623335 in trap (frame={tf_fs = -1068629992, tf_es = -601620464, tf_ds = 1048592, tf_edi = -601584980, tf_esi = -601584980, tf_ebp = -209508320, tf_isp = -209508352, tf_ebx = -601584980, tf_edx = 0, tf_ecx = -1021819872, tf_eax = 4, tf_trapno = 12, tf_err = 2, tf_eip = -1068290701, tf_cs = 8, tf_eflags = 66050, tf_esp = -601584980, tf_ss = -601584980}) at /usr/src/sys/i386/i386/trap.c:417
        td = (struct thread *) 0xc3184420
        p = (struct proc *) 0xc35bb380
        sticks = 3227240939
        i = 0
        ucode = 0
        type = 12
        code = 2
        eva = 28
#9  0xc0611c2a in calltrap () at /usr/src/sys/i386/i386/exception.s:140
No locals.
#10 0xc04e0018 in ktrnamei (path=0xdc248aac "\002") at /usr/src/sys/kern/kern_ktrace.c:372
        req = (struct ktr_request *) 0x0
        namelen = -601584980
        buf = 0xdc248aac "\002"
#11 0xc05335d2 in getnewbuf (slpflag=0, slptimeo=0, size=2048, maxsize=16384) at /usr/src/sys/kern/vfs_bio.c:1886
        qindex = 1
        bp = (struct buf *) 0xdc248aac
        nbp = (struct buf *) 0xdc248aac
        defrag = 0
        nqindex = 524306
        flushingbufs = 0
#12 0xc0534a59 in getblk (vp=0xc6f20108, blkno=0, size=2048, slpflag=0, slptimeo=0, flags=0) at /usr/src/sys/kern/vfs_bio.c:2586
        bsize = 16384
        maxsize = 0
        vmio = 1
        offset = Unhandled dwarf expression opcode 0x93

And here is the output of "l *vfs_vmio_release+0x1b":

0xc0533d07 is in vfs_vmio_release (atomic.h:154).
149     static __inline int
150     atomic_cmpset_int(volatile u_int *dst, u_int exp, u_int src)
151     {
152             int res = exp;
153
154             __asm __volatile (
155             "       " __XSTRING(MPLOCKED) " "
156             "       cmpxchgl %1,%2 ;        "
157             "       setz    %%al ;          "
158             "       movzbl  %%al,%0 ;       "

Kernel config is at http://www.marcuscom.com/downloads/FUGU.kernel and
the dmesg output is at http://www.marcuscom.com/downloads/FUGU.dmesg

Let me know if you need anything else.  Thanks.

Joe

-- 
PGP Key : http://www.marcuscom.com/pgp.asc

