Date:      Tue, 25 Apr 1995 18:06:49 -0400
From:      Andrew Heybey <ath@bellcore.com>
To:        hackers@FreeBSD.org
Subject:   forking and shared memory don't mix (with fix)
Message-ID:  <199504252206.SAA02513@grapenuts.bellcore.com>

If a process creates some shared memory (using either sysV shmem or
mmap), forks, and one or more of the children touches the shared
memory (so as to get pages of it in their pmaps), then when the last
of the processes exits, the machine crashes with the following stack
trace (the page fault actually happens in pmap_remove_all() at line
1028 because pte is not valid):

[line 1028]	if (pmap_pte_w(pte))

IdlePTD 1e0000
current pcb at 1d3704
panic: page fault
#0  boot (arghowto=256) at ../../i386/i386/machdep.c:811
811                             dumppcb.pcb_ptd = rcr3();
(kgdb) where
#0  boot (arghowto=256) at ../../i386/i386/machdep.c:811
#1  0xf0111c43 in panic (fmt=0xf01a1a5c "page fault")
    at ../../kern/subr_prf.c:128
#2  0xf01a251e in trap_fatal (frame=0xefbffdc0) at ../../i386/i386/trap.c:688
#3  0xf01a2090 in trap_pfault (frame=0xefbffdc0, usermode=0)
    at ../../i386/i386/trap.c:610
#4  0xf01a1d57 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 140206080, 
      tf_esi = -255910036, tf_ebp = -272630252, tf_isp = -272630296, 
      tf_ebx = -4057384, tf_edx = 34230, tf_ecx = -265771604, 
      tf_eax = -4194304, tf_trapno = 12, tf_err = 0, tf_eip = -266735075, 
      tf_cs = 8, tf_eflags = 66182, tf_esp = -265987948, tf_ss = -2147483648})
    at ../../i386/i386/trap.c:290
#5  0xf0197e81 in calltrap ()
#6  0xf01a047a in pmap_page_protect (phys=21471232, prot=0)
    at ../../i386/i386/pmap.c:1921
#7  0xf0190e10 in vm_object_pmap_remove (object=0xf0bc3180, start=0, 
    end=12808192) at ../../vm/vm_page.h:288
#8  0xf018e974 in vm_map_delete (map=0xf0bc4d80, start=134963200, 
    end=147771392) at ../../vm/vm_map.c:1641
#9  0xf018db3c in vm_map_deallocate (map=0xf0bc4d80) at ../../vm/vm_map.c:477
#10 0xf018e868 in vm_map_entry_delete (map=0xf0bc0700, entry=0xf0bb4ee0)
    at ../../vm/vm_map.c:1557
#11 0xf018e990 in vm_map_delete (map=0xf0bc0700, start=134963200, 
    end=147771392) at ../../vm/vm_map.c:1654
#12 0xf018ea10 in vm_map_remove (map=0xf0bc0700, start=134963200, 
    end=147771392) at ../../vm/vm_map.c:1679
#13 0xf0116214 in shm_delete_mapping (p=0xf0bc0400, shmmap_s=0xf0bc1a10)
    at ../../kern/sysv_shm.c:150
#14 0xf0116a39 in shmexit (p=0xf0bc0400) at ../../kern/sysv_shm.c:562
#15 0xf0108cca in exit1 (p=0xf0bc0400, rv=0) at ../../kern/kern_exit.c:137
#16 0xf0108be4 in exit (p=0xf0bc0400, uap=0xefbfff94, retval=0xefbfff8c)
    at ../../kern/kern_exit.c:86
#17 0xf01a2707 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 0, 
      tf_esi = -1, tf_ebp = -272639276, tf_isp = -272629788, 
      tf_ebx = 134828128, tf_edx = 0, tf_ecx = 134661724, tf_eax = 1, 
      tf_trapno = 642, tf_err = 642, tf_eip = 134483757, tf_cs = 31, 
      tf_eflags = 642, tf_esp = -272639296, tf_ss = 39})
    at ../../i386/i386/trap.c:828
#18 0xf0197ecb in Xsyscall ()


I believe the following patch fixes the bug--at least it seems to for
my specific application.  Crash dumps available upon request.

*** 1.1	1995/04/25 21:38:17
--- pmap.c	1995/04/25 22:01:30
***************
*** 1241,1247 ****
  			npv = get_pv_entry();
  			npv->pv_va = va;
  			npv->pv_pmap = pmap;
! 			npv->pv_next = pv->pv_next;
  			pv->pv_next = npv;
  		}
  		splx(s);
--- 1241,1247 ----
  			npv = get_pv_entry();
  			npv->pv_va = va;
  			npv->pv_pmap = pmap;
! 			npv->pv_next = NULL;
  			pv->pv_next = npv;
  		}
  		splx(s);
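
Review bot: assigning `npv->pv_next = NULL` immediately before `pv->pv_next = npv` discards whatever was already chained behind `pv`. If `pv->pv_next` is non-NULL when this branch runs, the entries after the head are no longer reachable from it, so a later walk of the list will not visit them and they cannot be found to be released. The removed line, `npv->pv_next = pv->pv_next;`, is the ordinary insert-after-head and preserves the existing chain. If the panic comes from a stale entry that is already on the list, the fix belongs where that entry should have been unlinked; if the intent is to append at the tail, walk to the last entry and link `npv` there instead of overwriting `pv->pv_next`.
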
***************
*** 1430,1436 ****
  		npv = get_pv_entry();
  		npv->pv_va = va;
  		npv->pv_pmap = pmap;
! 		npv->pv_next = pv->pv_next;
  		pv->pv_next = npv;
  	}
  	splx(s);
--- 1430,1436 ----
  		npv = get_pv_entry();
  		npv->pv_va = va;
  		npv->pv_pmap = pmap;
! 		npv->pv_next = NULL;
  		pv->pv_next = npv;
  	}
  	splx(s);
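
Review bot: this second copy of the insertion at line 1430 gets the same `npv->pv_next = NULL;` change with no comment in either place saying why dropping the old `pv->pv_next` is safe. Please state the list invariant the change relies on (for example, that `pv->pv_next` is always NULL on this path) in a comment or an assertion before `pv->pv_next = npv;`, and consider moving the shared `get_pv_entry()` / link sequence into one helper so the two sites cannot diverge. The concern about losing entries chained behind `pv` applies here as well.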


