Date: Fri, 24 Jun 2005 18:44:30 +0200 From: Peter Holm <peter@holm.cc> To: Thierry Herbelot <thierry@herbelot.com> Cc: current@freebsd.org Subject: Re: panic: Memory modified after free Message-ID: <20050624164430.GA14074@peter.osted.lan> In-Reply-To: <200506241626.57469.thierry@herbelot.com> References: <200506241626.57469.thierry@herbelot.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jun 24, 2005 at 04:26:55PM +0200, Thierry Herbelot wrote: > > This is with an SMP machine (oldish BP6) > It seems as thou I got the same one: panic: Memory modified after free 0xc216d500(256) val=c1d5e100 @ 0xc216d500 cpuid = 0 KDB: enter: panic [thread pid 37 tid 100020 ] Stopped at kdb_enter+0x2b: nop db> where Tracing pid 37 tid 100020 td 0xc1540480 kdb_enter(c0852679) at kdb_enter+0x2b panic(c086d47e,c216d500,100,c1d5e100,c216d500) at panic+0x14b trash_ctor(c216d500,100,cbfa0b04,1,c104a9d8) at trash_ctor+0x2f mb_ctor_mbuf(c216d500,100,cbfa0b04,1) at mb_ctor_mbuf+0x18 uma_zalloc_arg(c104a9a0,cbfa0b04,1) at uma_zalloc_arg+0x10f m_copym(c1739300,16a0,5a8,1,5cef834) at m_copym+0x11c tcp_output(c1fe78fc) at tcp_output+0xa42 tcp_input(c178ab00,14,c178ab00,0,0) at tcp_input+0x2b0f ip_input(c178ab00) at ip_input+0x511 netisr_processqueue(c099eb38) at netisr_processqueue+0x6e swi_net(0) at swi_net+0xbe ithread_loop(c1573480,cbfa0d38,...) at ithread_loop+0x11c fork_exit(c061bba0,c1573480,cbfa0d38) at fork_exit+0xa0 fork_trampoline() at fork_trampoline+0x8 Details at http://www.holm.cc/stress/log/cons136.html - Peter > > multi-cur# kgdb kernel.debug /files3/tmp/vmcore.154 > [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: > Undefined symbol "ps_pglobal_lookup"] > GNU gdb 6.1.1 [FreeBSD] > Copyright 2004 Free Software Foundation, Inc. > GDB is free software, covered by the GNU General Public License, and you are > welcome to change it and/or distribute copies of it under certain conditions. > Type "show copying" to see the conditions. > There is absolutely no warranty for GDB. Type "show warranty" for details. > This GDB was configured as "i386-marcel-freebsd". > #0 doadump () at pcpu.h:165 > 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td)); > (kgdb) bt > #0 doadump () at pcpu.h:165 > #1 0xc046897a in db_fncall (dummy1=0, dummy2=0, dummy3=-1067166101, > dummy4=0xcc89d8d4 "\bÙ\211Ì") at /usr/src/sys/ddb/db_command.c:531 > #2 0xc0468788 in db_command (last_cmdp=0xc08fc464, cmd_table=0x0, > aux_cmd_tablep=0xc0879f00, > aux_cmd_tablep_end=0xc0879f1c) at /usr/src/sys/ddb/db_command.c:349 > #3 0xc0468850 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455 > #4 0xc046a3d5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221 > #5 0xc0645904 in kdb_trap (type=3, code=0, tf=0xcc89da18) > at /usr/src/sys/kern/subr_kdb.c:471 > #6 0xc07e7cbc in trap (frame= > {tf_fs = -863436792, tf_es = -1067188184, tf_ds = -1065025496, tf_edi = > -1064921604, tf_esi = 1, tf_ebp = -863380904, tf_isp = -863380924, tf_ebx = > -863380860, tf_edx = 0, tf_ecx = -1056755712, tf_eax = 18, tf_trapno = 3, > tf_err = 0, tf_eip = -1067166101, tf_cs = 32, tf_eflags = 642, tf_esp = > -863380872, tf_ss = -1067263353}) at /usr/src/sys/i386/i386/trap.c:598 > #7 0xc07d583a in calltrap () at /usr/src/sys/i386/i386/exception.s:139 > #8 0xcc890008 in ?? () > #9 0xc0640028 in blst_radix_init (scan=0xc084ecf5, > radix=-4516961442427043584, > skip=-1050930176, count=Unhandled dwarf expression opcode 0x93 > ) at /usr/src/sys/kern/subr_blist.c:885 > #10 0xc062da87 in panic (fmt=0x282 <Address 0x282 out of bounds>) > at /usr/src/sys/kern/kern_shutdown.c:537 > #11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1) > at /usr/src/sys/vm/uma_dbg.c:72 > #12 0xc0624bd8 in mb_ctor_mbuf (mem=0xc15c1400, size=256, arg=0xcc89db40, > how=1) > at /usr/src/sys/kern/kern_mbuf.c:204 > #13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1) > at /usr/src/sys/vm/uma_core.c:1839 > #14 0xc06c66ed in tcp_output (tp=0xc165eac8) at mbuf.h:392 > ---Type <return> to continue, or q <return> to quit---q > Quit > (kgdb) frame 11 > #11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1) > at /usr/src/sys/vm/uma_dbg.c:72 > 72 panic("Memory modified after free %p(%d) > val=%x @ %p\n", > (kgdb) list > 67 > 68 cnt = size / sizeof(uma_junk); > 69 > 70 for (p = mem; cnt > 0; cnt--, p++) > 71 if (*p != uma_junk) > 72 panic("Memory modified after free %p(%d) > val=%x @ %p\n", > 73 mem, size, *p, p); > 74 return (0); > 75 } > 76 > (kgdb) frame 13 > #13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1) > at /usr/src/sys/vm/uma_core.c:1839 > 1839 if (zone->uz_ctor(item, > zone->uz_keg->uk_size, > (kgdb) list > 1834 ZONE_LOCK(zone); > 1835 uma_dbg_alloc(zone, NULL, item); > 1836 ZONE_UNLOCK(zone); > 1837 #endif > 1838 if (zone->uz_ctor != NULL) { > 1839 if (zone->uz_ctor(item, > zone->uz_keg->uk_size, > 1840 udata, flags) != 0) { > 1841 uma_zfree_internal(zone, item, > udata, > 1842 SKIP_DTOR); > 1843 return (NULL); > (kgdb) print *zone > $1 = {uz_name = 0xc084d5b0 "Mbuf", uz_lock = 0xc10443c8, uz_keg = 0xc10443c0, > uz_link = { > le_next = 0xc104ac60, le_prev = 0xc10443f8}, uz_full_bucket = {lh_first = > 0x0}, > uz_free_bucket = {lh_first = 0x0}, uz_ctor = 0xc0624bc0 <mb_ctor_mbuf>, > uz_dtor = 0xc0624c30 <mb_dtor_mbuf>, uz_init = 0, uz_fini = 0, uz_allocs = > 1993622, > uz_fills = 0, uz_count = 128, uz_cpu = {{uc_freebucket = 0xc15b820c, > uc_allocbucket = 0xc103d20c, uc_allocs = 3}}} > > multi-cur# ident kernel.debug | grep uma_dbg.c > $FreeBSD: src/sys/vm/uma_dbg.c,v 1.19 2005/02/16 21:45:59 bmilekic Exp $ > multi-cur# ident kernel.debug | grep kern_mbuf.c > $FreeBSD: src/sys/kern/kern_mbuf.c,v 1.8 2005/06/23 04:33:39 silby Exp $ > multi-cur# ident kernel.debug | grep uma_core.c > $FreeBSD: src/sys/vm/uma_core.c,v 1.119 2005/04/29 18:56:36 rwatson Exp $ > _______________________________________________ > freebsd-current@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050624164430.GA14074>