kgdb strange behaviour on current

From: Victor Snezhko <snezhko_at_indorsoft.ru>
Date: Thu, 03 Nov 2005 12:28:30 +0600

Some days ago I analysed the crash dump of a panic triggered by ipv6
changes on 2005.10.21.16.23.xx, and noticed a strange thing. See:

/home/vvs # kgdb /usr/obj/usr/src/sys/VVS/kernel.debug /var/crash/vmcore.1
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0xdeadc0e6
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc066e0c2
stack pointer	        = 0x28:0xcbfd3cac
frame pointer	        = 0x28:0xcbfd3cd4
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= resume, IOPL = 0
current process		= 12 (swi4: clock sio)
panic: from debugger
cpuid = 0
Uptime: 1m26s
Dumping 255 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 255MB (65264 pages) 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:165
165	pcpu.h: No such file or directory.
	in pcpu.h

(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc06613fc in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:399
#2  0xc0661711 in panic (fmt=0xc0859480 "from debugger")
    at /usr/src/sys/kern/kern_shutdown.c:555
#3  0xc046d151 in db_panic (addr=-1066999614, have_addr=0, count=-1, 
    modif=0xcbfd3aa8 "") at /usr/src/sys/ddb/db_command.c:435
#4  0xc046d0e8 in db_command (last_cmdp=0xc094a164, cmd_table=0x0, 
    aux_cmd_tablep=0xc08c0048, aux_cmd_tablep_end=0xc08c0064)
    at /usr/src/sys/ddb/db_command.c:404
#5  0xc046d1b0 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
---Type <return> to continue, or q <return> to quit---
#6  0xc046edc9 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
#7  0xc067b408 in kdb_trap (type=12, code=0, tf=0xcbfd3c6c)
    at /usr/src/sys/kern/subr_kdb.c:485
#8  0xc0823f68 in trap_fatal (frame=0xcbfd3c6c, eva=3735929062)
    at /usr/src/sys/i386/i386/trap.c:846
#9  0xc08235f2 in trap (frame=
      {tf_fs = 8, tf_es = -872611800, tf_ds = -1067122648, tf_edi = -1049930560, tf_esi = -1051228800, tf_ebp = -872596268, tf_isp = -872596328, tf_ebx = 1, tf_edx = -966778392, tf_ecx = -559038242, tf_eax = 85115, tf_trapno = 12, tf_err = 0, tf_eip = -1066999614, tf_cs = 32, tf_eflags = 589826, tf_esp = -1051359088, tf_ss = 0})
---Type <return> to continue, or q <return> to quit---
    at /usr/src/sys/i386/i386/trap.c:269
#10 0xc0810e2a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#11 0xc066e0c2 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:220
#12 0xc064ed32 in ithread_execute_handlers (p=0xc1558890, ie=0xc1578580)
    at /usr/src/sys/kern/kern_intr.c:662
#13 0xc064ee63 in ithread_loop (arg=0xc151f8e0)
    at /usr/src/sys/kern/kern_intr.c:745
#14 0xc064dfc4 in fork_exit (callout=0xc064edfc <ithread_loop>, arg=0xc151f8e0, 
    frame=0xcbfd3d38) at /usr/src/sys/kern/kern_fork.c:789
#15 0xc0810e8c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
(kgdb) up 11
#11 0xc066e0c2 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:220
220				if (c->c_time != curticks) {
(kgdb) list
215			curticks = softticks;
216			bucket = &callwheel[curticks & callwheelmask];
217			c = TAILQ_FIRST(bucket);
218			while (c) {
219				depth++;
220				if (c->c_time != curticks) {
221					c = TAILQ_NEXT(c, c_links.tqe);
222					++steps;
223					if (steps >= MAX_SOFTCLOCK_STEPS) {
224						nextsoftcheck = c;
(kgdb) print c
$1 = (struct callout *) 0xdeadc0de
(kgdb) print bucket->tqh_first
$2 = (struct callout *) 0xc18eb520
(kgdb) print *(bucket->tqh_first)
$3 = {c_links = {sle = {sle_next = 0xdeadc0de}, tqe = {tqe_next = 0xdeadc0de, 
      tqe_prev = 0xdeadc0de}}, c_time = -559038242, c_arg = 0xdeadc0de, 
  c_func = 0xdeadc0de, c_mtx = 0xdeadc0de, c_flags = -559038242}
(kgdb) print bucket
$4 = (struct callout_tailq *) 0xc66021e8
(kgdb) quit

/home/vvs # grep "#define.*[^S]TAILQ_FIRST" /usr/src/sys/sys/queue.h
#define	TAILQ_FIRST(head)	((head)->tqh_first)

bucket->tqh_first seems to be a valid pointer, but points to
garbage. But c should be the same pointer, and the debugger shows a
distinct value for it!

Do we need to debug this further? What can I do?

-- 
WBR, Victor V. Snezhko
EMail: snezhko_at_indorsoft.ru
Received on Thu Nov 03 2005 - 05:28:38 UTC
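An added C example, not from Victor's post and not FreeBSD's own code: the dump is consistent with the bucket's first callout having been freed while still linked (its memory is filled with the 0xdeadc0de junk pattern, so TAILQ_NEXT of it yields c == 0xdeadc0de, and the next iteration's read of c->c_time, at offset 8 on i386, is exactly the faulting address 0xdeadc0e6), and the walker below shows how a softclock-style traversal can check for that state before dereferencing a link. The structures are cut-down stand-ins for the kernel's, keeping the field names from the kgdb output, and the bucket contents are constructed.

```c
/* Added example (not from the original post): a softclock-style bucket walk with sanity checks. */
#include <stdint.h>
#include <string.h>
#define JUNK32 0xdeadc0deUL  /* FreeBSD's freed-memory junk fill under INVARIANTS */
/* Cut-down stand-ins for the kernel structures; field names as in the dump. */
struct callout {
    struct { struct callout *tqe_next; struct callout **tqe_prev; } c_links;
    int c_time; };
struct callout_tailq { struct callout *tqh_first; struct callout **tqh_last; };
#define TAILQ_FIRST(head)  ((head)->tqh_first)
#define TAILQ_NEXT(elm, f) ((elm)->f.tqe_next)
static void bucket_append(struct callout_tailq *h, struct callout *c) {
    c->c_links.tqe_next = NULL; c->c_links.tqe_prev = h->tqh_last;
    *h->tqh_last = c;           h->tqh_last = &c->c_links.tqe_next;
}
/* Simulate an item freed while still mapped: every 32-bit word becomes junk. */
static void junk_free(struct callout *c) {
    uint32_t junk = (uint32_t)JUNK32;
    for (size_t i = 0; i + 4 <= sizeof *c; i += 4)
        memcpy((unsigned char *)c + i, &junk, 4);
}
/* True if a pointer value consists only of 0xdeadc0de words, as c did in the dump. */
static int is_junk_ptr(const void *p) {
    uintptr_t v = (uintptr_t)p;
    for (size_t i = 0; i < sizeof v; i += 4)
        if (((v >> (8 * i)) & 0xffffffffUL) != JUNK32) return 0;
    return 1;
}
/* Count callouts due at curticks.  On the first junk pointer, junk-filled node
 * or broken back link, return -1 and store that node's index in *bad. */
int walk_bucket(struct callout_tailq *bucket, int curticks, int *bad) {
    int due = 0, idx = 0;
    for (struct callout *c = TAILQ_FIRST(bucket); c != NULL;
         c = TAILQ_NEXT(c, c_links), idx++) {
        if (is_junk_ptr(c) || is_junk_ptr(c->c_links.tqe_prev) ||
            *c->c_links.tqe_prev != c) { *bad = idx; return -1; }
        if (c->c_time == curticks) due++;
    }
    *bad = -1; return due;
}
/* Constructed two-entry bucket; with corrupt != 0 the head entry is junk-freed
 * while still linked, the state the dump shows.  Returns walk_bucket's result. */
int demo(int corrupt, int *bad) {
    struct callout_tailq bucket = { NULL, &bucket.tqh_first };
    struct callout a = { { NULL, NULL }, 100 }, b = { { NULL, NULL }, 100 };
    bucket_append(&bucket, &a); bucket_append(&bucket, &b);
    if (corrupt) junk_free(&a);
    return walk_bucket(&bucket, 100, bad);
}
```

In the corrupt case the walker stops at index 0 with TAILQ_FIRST still a valid address, which is the same picture kgdb gave for bucket->tqh_first, instead of following the junk tqe_next into a fault.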