From: Andre Guibert de Bruet
To: John Baldwin
cc: alc@FreeBSD.org
cc: current@FreeBSD.org
Date: Fri, 15 Apr 2005 16:44:35 -0400 (EDT)
Subject: Re: syscons joy: reproduceable panic on resolution change
List-Id: Discussions about the use of FreeBSD-current

On Fri, 15 Apr 2005, John Baldwin wrote:

> On Apr 15, 2005, at 8:27 AM, Andre Guibert de Bruet wrote:
>
>> (kgdb) bt
>> #9 0xc0693a18 in trap_pfault (frame=0xe900c9d8, usermode=0, eva=0)
>> at /usr/src/sys/i386/i386/trap.c:724
>> #10 0xc06935f8 in trap (frame=
>> {tf_fs = -1068433400, tf_es = -1056636888, tf_ds = 40, tf_edi =
>> -1066508002, tf_esi = 295, tf_ebp = -385824200, tf_isp = -385824252, tf_ebx
>> = 0, tf_edx = 7, tf_ecx = -385824056, tf_eax = -989770368, tf_trapno = 12,
>> tf_err = 0, tf_eip = -1068379561, tf_cs = 32, tf_eflags = 66178, tf_esp =
>> -1067131464, tf_ss = -1056600064}) at /usr/src/sys/i386/i386/trap.c:414
>> #11 0xc067f91a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
>> #12 0xc0510008 in idle_setup (dummy=0x0) at
>> /usr/src/sys/kern/kern_idle.c:89
>> #13 0xc0645d6e in vm_fault (map=0xc1059000, vaddr=3222274048,
>> fault_type=2 '\002', fault_flags=0) at /usr/src/sys/vm/vm_fault.c:295
>
> You have a truly unique nested panic here that I haven't seen in a long time.
> Somehow vm_map_lookup() is returning success, but it is setting
> fs.first_object to NULL.

This vm_map_lookup call would be performed before the callout that gets us
here, right?

>> #14 0xc06939c4 in trap_pfault (frame=0xe900cb9c, usermode=0,
>> eva=3222274048)
>> at /usr/src/sys/i386/i386/trap.c:713
>> #15 0xc06935f8 in trap (frame=
>> {tf_fs = -989790200, tf_es = 40, tf_ds = -1068302296, tf_edi =
>> -1072693248, tf_esi = -955760640, tf_ebp = -385823744, tf_isp = -385823800,
>> tf_ebx = -1072988160, tf_edx = 1572864, tf_ecx = 319488, tf_eax =
>> -116932608, tf_trapno = 12, tf_err = 3, tf_eip = -1066853962, tf_cs = 32,
>> tf_eflags = 66054, tf_esp = 0, tf_ss = -986200024}) at
>> /usr/src/sys/i386/i386/trap.c:414
>> #16 0xc067f91a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
>> #17 0xc5010008 in ?? ()
>> #18 0x00000028 in ?? ()
>> #19 0xc0530028 in ogetkerninfo (td=0xc537c828, uap=0xc0100000)
>> at /usr/src/sys/kern/kern_sysctl.c:1440
>> #20 0xc066da8c in vga_txtdraw (scp=0xc537c800, from=0, count=786432,
>> flip=0)
>> at /usr/src/sys/dev/syscons/scvgarndr.c:196
>
> I'm not sure why you are bcopy'ing a bad KVA here.

tf_eip in #15 points to i386/i386/support.s:490. This would seem to
indicate that frame #16 is our call to generic_bcopy...

(kgdb) l *0xc06919b6
0xc06919b6 is at /usr/src/sys/i386/i386/support.s:490.
485             cmpl    %ecx,%eax       /* overlapping && src < dst? */
486             jb      1f
487
488             shrl    $2,%ecx         /* copy by 32-bit words */
489             cld                     /* nope, copy forwards */
490             rep
491             movsl
492             movl    20(%esp),%ecx
493             andl    $3,%ecx         /* any bytes left? */
494             rep

How do we get from ogetkerninfo to generic_bcopy? I don't see ogetkerninfo
getting called anywhere in the syscons driver. As you suggested, it looks
like we're overlapping a vm fault over our humble syscons code path.

Where to from here?

Cheers,
Andy

| Andre Guibert de Bruet | Enterprise Software Consultant >
| Silicon Landmark, LLC. | http://siliconlandmark.com/    >
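
Added example, not part of the original message or of FreeBSD's code: kgdb prints the trap frame fields as signed decimals, so this Python helper converts the frame #15 values quoted above to unsigned hex and decodes tf_err. It assumes the standard i386 page-fault error-code bits (P, W, U) and trap number 12 for a page fault; the function names are hypothetical.

```python
import re

# Frame #15 trap frame, copied from the backtrace quoted in the message above.
FRAME_15 = """
>> {tf_fs = -989790200, tf_es = 40, tf_ds = -1068302296, tf_edi =
>> -1072693248, tf_esi = -955760640, tf_ebp = -385823744, tf_isp = -385823800,
>> tf_ebx = -1072988160, tf_edx = 1572864, tf_ecx = 319488, tf_eax =
>> -116932608, tf_trapno = 12, tf_err = 3, tf_eip = -1066853962, tf_cs = 32,
>> tf_eflags = 66054, tf_esp = 0, tf_ss = -986200024}
"""

T_PAGEFLT = 12                          # assumed: i386 page-fault trap number
PGEX_P, PGEX_W, PGEX_U = 0x1, 0x2, 0x4  # assumed: i386 page-fault error bits


def parse_trapframe(text):
    """Map each tf_* field to its unsigned 32-bit value."""
    text = re.sub(r"^[ \t]*>+[ \t]?", "", text, flags=re.M)  # drop mail quoting
    return {name: int(val) & 0xFFFFFFFF
            for name, val in re.findall(r"(tf_\w+)\s*=\s*(-?\d+)", text)}


def decode_pfault(err):
    """Decode the hardware error code pushed for a page fault."""
    return {
        "cause": "protection violation" if err & PGEX_P else "page not present",
        "access": "write" if err & PGEX_W else "read",
        "mode": "user" if err & PGEX_U else "kernel",
    }


def summarize(text, eva=None):
    """Summarise a frame; eva is the fault address kgdb shows for trap_pfault."""
    tf = parse_trapframe(text)
    out = {reg: f"{tf['tf_' + reg]:#010x}" for reg in ("eip", "esi", "edi")}
    out["ecx_words_left"] = tf["tf_ecx"]   # remaining count for `rep movsl`
    if tf["tf_trapno"] == T_PAGEFLT:
        out.update(decode_pfault(tf["tf_err"]))
    if eva is not None:
        out["edi_is_fault_addr"] = tf["tf_edi"] == eva
    return out


if __name__ == "__main__":
    # eva=3222274048 is taken from frame #14 of the same backtrace.
    for key, value in summarize(FRAME_15, eva=3222274048).items():
        print(f"{key:18} {value}")
```

For frame #15 this yields eip 0xc06919b6, the address passed to `l *` above, and shows that tf_edi equals the eva of frame #14 (0xc0100000), with tf_err = 3 decoding as a kernel-mode write.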