Date: Fri, 24 Jun 2005 16:26:55 +0200
From: Thierry Herbelot <thierry@herbelot.com>
To: current@freebsd.org
Subject: panic: Memory modified after free
Message-ID: <200506241626.57469.thierry@herbelot.com>
This is with an SMP machine (oldish BP6)

multi-cur# kgdb kernel.debug /files3/tmp/vmcore.154
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
#0 doadump () at pcpu.h:165
165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt
#0 doadump () at pcpu.h:165
#1 0xc046897a in db_fncall (dummy1=0, dummy2=0, dummy3=-1067166101, dummy4=0xcc89d8d4 "\bÙ\211Ì") at /usr/src/sys/ddb/db_command.c:531
#2 0xc0468788 in db_command (last_cmdp=0xc08fc464, cmd_table=0x0, aux_cmd_tablep=0xc0879f00, aux_cmd_tablep_end=0xc0879f1c) at /usr/src/sys/ddb/db_command.c:349
#3 0xc0468850 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
#4 0xc046a3d5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
#5 0xc0645904 in kdb_trap (type=3, code=0, tf=0xcc89da18) at /usr/src/sys/kern/subr_kdb.c:471
#6 0xc07e7cbc in trap (frame= {tf_fs = -863436792, tf_es = -1067188184, tf_ds = -1065025496, tf_edi = -1064921604, tf_esi = 1, tf_ebp = -863380904, tf_isp = -863380924, tf_ebx = -863380860, tf_edx = 0, tf_ecx = -1056755712, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1067166101, tf_cs = 32, tf_eflags = 642, tf_esp = -863380872, tf_ss = -1067263353}) at /usr/src/sys/i386/i386/trap.c:598
#7 0xc07d583a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#8 0xcc890008 in ?? ()
#9 0xc0640028 in blst_radix_init (scan=0xc084ecf5, radix=-4516961442427043584, skip=-1050930176, count=Unhandled dwarf expression opcode 0x93 ) at /usr/src/sys/kern/subr_blist.c:885
#10 0xc062da87 in panic (fmt=0x282 <Address 0x282 out of bounds>) at /usr/src/sys/kern/kern_shutdown.c:537
#11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1) at /usr/src/sys/vm/uma_dbg.c:72
#12 0xc0624bd8 in mb_ctor_mbuf (mem=0xc15c1400, size=256, arg=0xcc89db40, how=1) at /usr/src/sys/kern/kern_mbuf.c:204
#13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1) at /usr/src/sys/vm/uma_core.c:1839
#14 0xc06c66ed in tcp_output (tp=0xc165eac8) at mbuf.h:392
---Type <return> to continue, or q <return> to quit---q
Quit
(kgdb) frame 11
#11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1) at /usr/src/sys/vm/uma_dbg.c:72
72 panic("Memory modified after free %p(%d) val=%x @ %p\n",
(kgdb) list
67
68 cnt = size / sizeof(uma_junk);
69
70 for (p = mem; cnt > 0; cnt--, p++)
71 if (*p != uma_junk)
72 panic("Memory modified after free %p(%d) val=%x @ %p\n",
73 mem, size, *p, p);
74 return (0);
75 }
76
(kgdb) frame 13
#13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1) at /usr/src/sys/vm/uma_core.c:1839
1839 if (zone->uz_ctor(item, zone->uz_keg->uk_size,
(kgdb) list
1834 ZONE_LOCK(zone);
1835 uma_dbg_alloc(zone, NULL, item);
1836 ZONE_UNLOCK(zone);
1837 #endif
1838 if (zone->uz_ctor != NULL) {
1839 if (zone->uz_ctor(item, zone->uz_keg->uk_size,
1840 udata, flags) != 0) {
1841 uma_zfree_internal(zone, item, udata,
1842 SKIP_DTOR);
1843 return (NULL);
(kgdb) print *zone
$1 = {uz_name = 0xc084d5b0 "Mbuf", uz_lock = 0xc10443c8, uz_keg = 0xc10443c0, uz_link = { le_next = 0xc104ac60, le_prev = 0xc10443f8}, uz_full_bucket = {lh_first = 0x0}, uz_free_bucket = {lh_first = 0x0}, uz_ctor = 0xc0624bc0 <mb_ctor_mbuf>, uz_dtor = 0xc0624c30 <mb_dtor_mbuf>, uz_init = 0, uz_fini = 0, uz_allocs = 1993622, uz_fills = 0, uz_count = 128, uz_cpu = {{uc_freebucket = 0xc15b820c, uc_allocbucket = 0xc103d20c, uc_allocs = 3}}}

multi-cur# ident kernel.debug | grep uma_dbg.c
$FreeBSD: src/sys/vm/uma_dbg.c,v 1.19 2005/02/16 21:45:59 bmilekic Exp $
multi-cur# ident kernel.debug | grep kern_mbuf.c
$FreeBSD: src/sys/kern/kern_mbuf.c,v 1.8 2005/06/23 04:33:39 silby Exp $
multi-cur# ident kernel.debug | grep uma_core.c
$FreeBSD: src/sys/vm/uma_core.c,v 1.119 2005/04/29 18:56:36 rwatson Exp $