From nobody Sat Nov 22 20:41:27 2025
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dDPBr5gFvz6HYR0
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Sat, 22 Nov 2025 20:41:40 +0000 (UTC)
	(envelope-from kostikbel@gmail.com)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4dDPBr0lPtz480m;
	Sat, 22 Nov 2025 20:41:39 +0000 (UTC)
	(envelope-from kostikbel@gmail.com)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=fail reason="No valid SPF, No valid DKIM" header.from=gmail.com (policy=none);
	spf=softfail (mx1.freebsd.org: 2001:470:d5e7:1::1 is neither permitted nor denied by domain of kostikbel@gmail.com) smtp.mailfrom=kostikbel@gmail.com
Received: from tom.home (kib@localhost [127.0.0.1] (may be forged))
	by kib.kiev.ua (8.18.1/8.18.1) with ESMTP id 5AMKfSKr025702;
	Sat, 22 Nov 2025 22:41:31 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua 5AMKfSKr025702
Received: (from kostik@localhost)
	by tom.home (8.18.1/8.18.1/Submit) id 5AMKfSLn025701;
	Sat, 22 Nov 2025 22:41:28 +0200 (EET)
	(envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f
Date: Sat, 22 Nov 2025 22:41:27 +0200
From: Konstantin Belousov <kostikbel@gmail.com>
To: Michal Meloun <mmel@freebsd.org>
Cc: FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: mmap( MAP_ANON) is broken on current. (was Still seeing Failed
 assertion: "p[i] == 0" on armv7 buildworld)
Message-ID: <aSIf9zLhTMVcK5Sj@kib.kiev.ua>
References: <aSG_GJNR7L4Mx-e8@kib.kiev.ua>
 <aSHDPDsuG40k2TEZ@kib.kiev.ua>
 <603e75f8-7064-4fca-8520-282331c20ec0@freebsd.org>
 <aSHZiASbyd4rqPIV@kib.kiev.ua>
 <b94a8938-91e5-41da-9686-03a62ab0142f@freebsd.org>
 <aSHqezcjIEXHeaIf@kib.kiev.ua>
 <f3350539-8dca-4d95-810a-f76c7daa7b89@freebsd.org>
 <aSIEzLFD2Xv7GD_a@kib.kiev.ua>
 <9a864c53-0033-46d1-ad07-6b528115789f@freebsd.org>
 <aSIa1Xt47HHMyDQ1@kib.kiev.ua>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <aSIa1Xt47HHMyDQ1@kib.kiev.ua>
X-Spamd-Bar: -
X-Spamd-Result: default: False [-1.32 / 15.00];
	NEURAL_HAM_MEDIUM(-0.98)[-0.984];
	NEURAL_HAM_SHORT(-0.97)[-0.970];
	NEURAL_SPAM_LONG(0.64)[0.637];
	DMARC_POLICY_SOFTFAIL(0.10)[gmail.com : No valid SPF, No valid DKIM,none];
	MIME_GOOD(-0.10)[text/plain];
	RCPT_COUNT_TWO(0.00)[2];
	ARC_NA(0.00)[];
	MISSING_XM_UA(0.00)[];
	ASN(0.00)[asn:6939, ipnet:2001:470::/32, country:US];
	FREEMAIL_FROM(0.00)[gmail.com];
	MIME_TRACE(0.00)[0:+];
	R_DKIM_NA(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-current@freebsd.org];
	RCVD_TLS_LAST(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	FROM_HAS_DN(0.00)[];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	RCVD_COUNT_TWO(0.00)[2];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	R_SPF_SOFTFAIL(0.00)[~all];
	TO_DN_ALL(0.00)[];
	HAS_XAW(0.00)[]
X-Rspamd-Queue-Id: 4dDPBr0lPtz480m

On Sat, Nov 22, 2025 at 10:19:38PM +0200, Konstantin Belousov wrote:
> Please in addition to the patch, enable debug.vm_check_pg_zero.

And use the following patch (one more hunk for vm_object_page_remove()):

diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index 6b09552c5fee..76808b5ad7f1 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -1743,6 +1743,27 @@ vm_map_insert1(vm_map_t map, vm_object_t object, vm_ooffset_t offset,
 	    (vm_size_t)(prev_entry->end - prev_entry->start),
 	    (vm_size_t)(end - prev_entry->end), cred != NULL &&
 	    (protoeflags & MAP_ENTRY_NEEDS_COPY) == 0)) {
+		vm_object_t obj = prev_entry->object.vm_object;
+		if (obj != NULL) {
+			struct pctrie_iter pages;
+			vm_page_t p;
+
+			vm_page_iter_init(&pages, obj);
+			p = vm_radix_iter_lookup_ge(&pages,
+			    OFF_TO_IDX(prev_entry->offset +
+			    prev_entry->end - prev_entry->start));
+			if (p != NULL) {
+				KASSERT(p->pindex >= OFF_TO_IDX(prev_entry->offset +
+				    prev_entry->end - prev_entry->start +
+				    end - start),
+				    ("FOUND page %p pindex %#jx "
+				    "e %#jx %#jx %#jx %#jx",
+				    p, p->pindex, (uintmax_t)prev_entry->offset,
+				    (uintmax_t)prev_entry->end,
+				    (uintmax_t)prev_entry->start,
+				    (uintmax_t)(end - start)));
+			}
+		}
 		/*
 		 * We were able to extend the object.  Determine if we
 		 * can extend the previous map entry to include the
diff --git a/sys/vm/vm_object.c b/sys/vm/vm_object.c
index 5b4517d2bf0c..e87047f9a380 100644
--- a/sys/vm/vm_object.c
+++ b/sys/vm/vm_object.c
@@ -1988,7 +1988,7 @@ vm_object_page_remove(vm_object_t object, vm_pindex_t start, vm_pindex_t end,
 	    (options & (OBJPR_CLEANONLY | OBJPR_NOTMAPPED)) == OBJPR_NOTMAPPED,
 	    ("vm_object_page_remove: illegal options for object %p", object));
 	if (object->resident_page_count == 0)
-		return;
+		goto remove_pager;
 	vm_object_pip_add(object, 1);
 	vm_page_iter_limit_init(&pages, object, end);
 again:
@@ -2061,6 +2061,7 @@ vm_object_page_remove(vm_object_t object, vm_pindex_t start, vm_pindex_t end,
 	}
 	vm_object_pip_wakeup(object);
 
+remove_pager:
 	vm_pager_freespace(object, start, (end == 0 ? object->size : end) -
 	    start);
 }
@@ -2189,13 +2190,19 @@ vm_object_coalesce(vm_object_t prev_object, vm_ooffset_t prev_offset,
 	next_size >>= PAGE_SHIFT;
 	next_pindex = OFF_TO_IDX(prev_offset) + prev_size;
 
-	if (prev_object->ref_count > 1 &&
-	    prev_object->size != next_pindex &&
+	if (prev_object->ref_count > 1 ||
+	    prev_object->size != next_pindex ||
 	    (prev_object->flags & OBJ_ONEMAPPING) == 0) {
 		VM_OBJECT_WUNLOCK(prev_object);
 		return (FALSE);
 	}
 
+	KASSERT(next_pindex + next_size > prev_object->size,
+	    ("vm_object_coalesce: "
+	    "obj %p next_pindex %#jx next_size %#jx obj_size %#jx",
+	    prev_object, (uintmax_t)next_pindex, (uintmax_t)next_size,
+	    (uintmax_t)prev_object->size));
+
 	/*
 	 * Account for the charge.
 	 */
@@ -2222,26 +2229,13 @@ vm_object_coalesce(vm_object_t prev_object, vm_ooffset_t prev_offset,
 	 * Remove any pages that may still be in the object from a previous
 	 * deallocation.
 	 */
-	if (next_pindex < prev_object->size) {
-		vm_object_page_remove(prev_object, next_pindex, next_pindex +
-		    next_size, 0);
-#if 0
-		if (prev_object->cred != NULL) {
-			KASSERT(prev_object->charge >=
-			    ptoa(prev_object->size - next_pindex),
-			    ("object %p overcharged 1 %jx %jx", prev_object,
-				(uintmax_t)next_pindex, (uintmax_t)next_size));
-			prev_object->charge -= ptoa(prev_object->size -
-			    next_pindex);
-		}
-#endif
-	}
+	vm_object_page_remove(prev_object, next_pindex, next_pindex +
+	    next_size, 0);
 
 	/*
 	 * Extend the object if necessary.
 	 */
-	if (next_pindex + next_size > prev_object->size)
-		prev_object->size = next_pindex + next_size;
+	prev_object->size = next_pindex + next_size;
 
 	VM_OBJECT_WUNLOCK(prev_object);
 	return (TRUE);