panic: Memory modified after free

From: Thierry Herbelot <thierry_at_herbelot.com>
Date: Fri, 24 Jun 2005 16:26:55 +0200
This happened on an SMP machine (an oldish BP6). The panic is raised by UMA's trash_ctor check (frame 11): when the Mbuf zone handed out a previously freed item, the junk fill pattern written at free time no longer matched, i.e. something wrote to the item after it was freed and before it was reallocated by tcp_output.


multi-cur# kgdb kernel.debug /files3/tmp/vmcore.154
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: 
Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc046897a in db_fncall (dummy1=0, dummy2=0, dummy3=-1067166101,
    dummy4=0xcc89d8d4 "\bÙ\211Ì") at /usr/src/sys/ddb/db_command.c:531
#2  0xc0468788 in db_command (last_cmdp=0xc08fc464, cmd_table=0x0, 
aux_cmd_tablep=0xc0879f00,
    aux_cmd_tablep_end=0xc0879f1c) at /usr/src/sys/ddb/db_command.c:349
#3  0xc0468850 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
#4  0xc046a3d5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
#5  0xc0645904 in kdb_trap (type=3, code=0, tf=0xcc89da18) 
at /usr/src/sys/kern/subr_kdb.c:471
#6  0xc07e7cbc in trap (frame=
      {tf_fs = -863436792, tf_es = -1067188184, tf_ds = -1065025496, tf_edi = 
-1064921604, tf_esi = 1, tf_ebp = -863380904, tf_isp = -863380924, tf_ebx = 
-863380860, tf_edx = 0, tf_ecx = -1056755712, tf_eax = 18, tf_trapno = 3, 
tf_err = 0, tf_eip = -1067166101, tf_cs = 32, tf_eflags = 642, tf_esp = 
-863380872, tf_ss = -1067263353}) at /usr/src/sys/i386/i386/trap.c:598
#7  0xc07d583a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#8  0xcc890008 in ?? ()
#9  0xc0640028 in blst_radix_init (scan=0xc084ecf5, 
radix=-4516961442427043584,
    skip=-1050930176, count=Unhandled dwarf expression opcode 0x93
) at /usr/src/sys/kern/subr_blist.c:885
#10 0xc062da87 in panic (fmt=0x282 <Address 0x282 out of bounds>)
    at /usr/src/sys/kern/kern_shutdown.c:537
#11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1)
    at /usr/src/sys/vm/uma_dbg.c:72
#12 0xc0624bd8 in mb_ctor_mbuf (mem=0xc15c1400, size=256, arg=0xcc89db40, 
how=1)
    at /usr/src/sys/kern/kern_mbuf.c:204
#13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1)
    at /usr/src/sys/vm/uma_core.c:1839
#14 0xc06c66ed in tcp_output (tp=0xc165eac8) at mbuf.h:392
---Type <return> to continue, or q <return> to quit---q
Quit
(kgdb) frame 11
#11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1)
    at /usr/src/sys/vm/uma_dbg.c:72
72                              panic("Memory modified after free %p(%d) val=%x @ %p\n",
(kgdb) list
67
68              cnt = size / sizeof(uma_junk);
69
70              for (p = mem; cnt > 0; cnt--, p++)
71                      if (*p != uma_junk)
72                              panic("Memory modified after free %p(%d) val=%x @ %p\n",
73                                  mem, size, *p, p);
74              return (0);
75      }
76
(kgdb) frame 13
#13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1)
    at /usr/src/sys/vm/uma_core.c:1839
1839                                    if (zone->uz_ctor(item, 
zone->uz_keg->uk_size,
(kgdb) list
1834                            ZONE_LOCK(zone);
1835                            uma_dbg_alloc(zone, NULL, item);
1836                            ZONE_UNLOCK(zone);
1837    #endif
1838                            if (zone->uz_ctor != NULL) {
1839                                    if (zone->uz_ctor(item, 
zone->uz_keg->uk_size,
1840                                        udata, flags) != 0) {
1841                                            uma_zfree_internal(zone, item, 
udata,
1842                                                SKIP_DTOR);
1843                                            return (NULL);
(kgdb) print *zone
$1 = {uz_name = 0xc084d5b0 "Mbuf", uz_lock = 0xc10443c8, uz_keg = 0xc10443c0, 
uz_link = {
    le_next = 0xc104ac60, le_prev = 0xc10443f8}, uz_full_bucket = {lh_first = 
0x0},
  uz_free_bucket = {lh_first = 0x0}, uz_ctor = 0xc0624bc0 <mb_ctor_mbuf>,
  uz_dtor = 0xc0624c30 <mb_dtor_mbuf>, uz_init = 0, uz_fini = 0, uz_allocs = 
1993622,
  uz_fills = 0, uz_count = 128, uz_cpu = {{uc_freebucket = 0xc15b820c,
      uc_allocbucket = 0xc103d20c, uc_allocs = 3}}}

multi-cur# ident kernel.debug | grep uma_dbg.c
     $FreeBSD: src/sys/vm/uma_dbg.c,v 1.19 2005/02/16 21:45:59 bmilekic Exp $
multi-cur# ident kernel.debug | grep kern_mbuf.c
     $FreeBSD: src/sys/kern/kern_mbuf.c,v 1.8 2005/06/23 04:33:39 silby Exp $
multi-cur# ident kernel.debug | grep uma_core.c
     $FreeBSD: src/sys/vm/uma_core.c,v 1.119 2005/04/29 18:56:36 rwatson Exp $
Received on Fri Jun 24 2005 - 12:27:08 UTC
