Date: Fri, 23 Oct 1998 01:02:11 -0400 From: Benjamin Greenwald <beng@lcs.mit.edu> To: freebsd-current@FreeBSD.ORG Subject: VM bug triggered by X server death Message-ID: <199810230502.BAA01214@miris.lcs.mit.edu>
next in thread | raw e-mail | index | archive | help
Greetings all,
With the most recent kernel, every time my X server dies (reboot, explicit
kill, whatever) the kernel panics. Looks like some sort of VM bug. A
backtrace follows. This problem is easily and completely reproducible
(translate it happens every time) and it occurs with both my Xi Graphics X
server as well as the XSuSE XFCom_3DLabs server (I have a Fire GL 1000 Pro).
-Ben
bellatrix:/usr/src/sys/compile/BELLATRIX# gdb -k
GDB is free software and you are welcome to distribute copies of it
under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc.
(kgdb) symbol-file kernel.debug
Reading symbols from kernel.debug...done.
(kgdb) exec-file /var/crash/kernel.1
(kgdb) core-file /var/crash/vmcore.1
IdlePTD 2760704
initial pcb at 23b038
panicstr: vm_page_remove: page not busy
panic messages:
---
panic: vm_page_remove: page not busy
syncing disks... done
dumping to dev 20409, offset 262272
dump 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
---
#0 boot (howto=256) at ../../kern/kern_shutdown.c:268
268 dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0 boot (howto=256) at ../../kern/kern_shutdown.c:268
#1 0xf013f6dc in at_shutdown (
function=0xf021a0f1 <vm_object_print_pages_cmd+217>, arg=0xf41bdfc0,
queue=-199571212) at ../../kern/kern_shutdown.c:430
#2 0xf01d2505 in vm_page_remove (m=0xf41bdfc0) at ../../vm/vm_page.c:442
#3 0xf01d0a51 in vm_object_terminate (object=0xf41b7000)
at ../../vm/vm_object.c:464
#4 0xf01d095d in vm_object_deallocate (object=0xf41b7000)
at ../../vm/vm_object.c:391
#5 0xf01ce08f in vm_map_entry_delete (map=0xf414a100, entry=0xf41b884c)
at ../../vm/vm_map.c:1742
#6 0xf01ce293 in vm_map_delete (map=0xf414a100, start=0, end=4022329344)
at ../../vm/vm_map.c:1858
#7 0xf01ce319 in vm_map_remove (map=0xf414a100, start=0, end=4022329344)
at ../../vm/vm_map.c:1883
#8 0xf0138c25 in exec_new_vmspace (imgp=0xf41ace9c)
at ../../kern/kern_exec.c:441
#9 0xf012fae8 in exec_elf_imgact (imgp=0xf41ace9c)
at ../../kern/imgact_elf.c:437
#10 0xf01386a3 in execve (p=0xf4146340, uap=0xf41acf94)
at ../../kern/kern_exec.c:176
#11 0xf01e41eb in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 1286048,
tf_esi = 8, tf_ebp = -272641892, tf_isp = -199569436,
tf_ebx = 538153056, tf_edx = -272641812, tf_ecx = -272642001,
tf_eax = 59, tf_trapno = 7, tf_err = 7, tf_eip = 537856945, tf_cs = 31,
tf_eflags = 12946, tf_esp = -272643064, tf_ss = 39})
at ../../i386/i386/trap.c:1031
#12 0x200f0bb1 in ?? ()
Cannot access memory at address 0xefbfd09c.
(kgdb) up 2
#2 0xf01d2505 in vm_page_remove (m=0xf41bdfc0) at ../../vm/vm_page.c:442
442 panic("vm_page_remove: page not busy");
(kgdb) list
437 if (m->object == NULL)
438 return;
439
440 #if !defined(MAX_PERF)
441 if ((m->flags & PG_BUSY) == 0) {
442 panic("vm_page_remove: page not busy");
443 }
444 #endif
445
446 vm_page_flag_clear(m, PG_BUSY);
(kgdb) up
#3 0xf01d0a51 in vm_object_terminate (object=0xf41b7000)
at ../../vm/vm_object.c:464
464 vm_page_remove(p);
(kgdb) list
459 vm_page_busy(p);
460 vm_page_free(p);
461 cnt.v_pfree++;
462 } else {
463 printf("vm_object_terminate: not freeing wired page; wire_count=%d\n", p->wire_count);
464 vm_page_remove(p);
465 }
466 }
467 /*
468 * Let the pager know object is dead.
(kgdb) p *p
$3 = {pageq = {tqe_next = 0xf41bdf80, tqe_prev = 0xf41b7078}, hashq = {
tqe_next = 0xf41bdf80, tqe_prev = 0xf0413e80}, listq = {
tqe_next = 0xf41bdf80, tqe_prev = 0xf41b7018}, object = 0xf41b7000,
pindex = 160, phys_addr = 655360, queue = 0, flags = 184, pc = 0,
wire_count = 1, hold_count = 0, act_count = 0 '\000', busy = 0 '\000',
valid = 255 'ÿ', dirty = 0 '\000'}
(kgdb) up
#4 0xf01d095d in vm_object_deallocate (object=0xf41b7000)
at ../../vm/vm_object.c:391
391 vm_object_terminate(object);
(kgdb) list
386 if (temp->ref_count == 0)
387 vm_object_clear_flag(temp, OBJ_OPT);
388 temp->generation++;
389 object->backing_object = NULL;
390 }
391 vm_object_terminate(object);
392 /* unlocks and deallocates object */
393 object = temp;
394 }
395 }
(kgdb) p *object
$5 = {object_list = {tqe_next = 0xf41c0f68, tqe_prev = 0xf41b7440},
shadow_head = {tqh_first = 0x0, tqh_last = 0xf41b7008}, shadow_list = {
tqe_next = 0x0, tqe_prev = 0x0}, memq = {tqh_first = 0xf41bdfc0,
tqh_last = 0xf41befd0}, generation = 388, type = OBJT_DEVICE,
size = 929824, ref_count = 0, shadow_count = 0, pg_color = 17, id = 4029,
flags = 8584, paging_in_progress = 0, behavior = 0,
resident_page_count = 129, cache_count = 0, wire_count = 129,
paging_offset = 0x0000000000000000, backing_object = 0x0,
backing_object_offset = 0x0000000000000000, last_read = 0,
page_hint = 0xf41befc0, pager_object_list = {tqe_next = 0x0,
tqe_prev = 0xf023f9b4}, handle = 0x200, un_pager = {vnp = {
vnp_size = 0xf41befc0f41bdfc0}, devp = {devp_pglist = {
tqh_first = 0xf41bdfc0, tqh_last = 0xf41befc0}}, swp = {
swp_nblocks = -199499840, swp_allocsize = -199495744, swp_blocks = 0x0,
swp_poip = 0}}}
(kgdb)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199810230502.BAA01214>