From: Bjoern Fischer
Date: Thu, 12 Feb 2004 14:15:57 +0100
To: current@FreeBSD.ORG
Message-ID: <20040212131557.GA455@frolic.no-support.loc>
Subject: PMD analysis of a panic in ohci.c
List-Id: Discussions about the use of FreeBSD-current

Hello,

with a recent -CURRENT I got a panic while moving the mouse the first
time since I booted my IBM laptop or while starting usbd(8). I can keep
the dump for a while, so if someone needs to talk me through deeper
analysis.

Bjoern Fischer

I wrote some comments into the gdb session...

#0  doadump () at ../../../kern/kern_shutdown.c:240
240             dumping++;
(kgdb) bt
#0  doadump () at ../../../kern/kern_shutdown.c:240
#1  0xc052db7a in boot (howto=256) at ../../../kern/kern_shutdown.c:374
#2  0xc052dfdb in __panic () at ../../../kern/kern_shutdown.c:552
#3  0xc06ae286 in trap_fatal (frame=0xcd150c4c, eva=0)
    at ../../../i386/i386/trap.c:819
#4  0xc06adef2 in trap_pfault (frame=0xcd150c4c, usermode=0, eva=8)
    at ../../../i386/i386/trap.c:733
#5  0xc06ada6d in trap (frame=
      {tf_fs = -1052049384, tf_es = -854261744, tf_ds = -1068236784,
       tf_edi = 0, tf_esi = -1052088320, tf_ebp = -854258512,
       tf_isp = -854258568, tf_ebx = -1029886976, tf_edx = 0,
       tf_ecx = -1029886976, tf_eax = 1862656, tf_trapno = 12, tf_err = 2,
       tf_eip = -1068700480, tf_cs = 8, tf_eflags = 66055,
       tf_esp = -1030074368, tf_ss = -1029887024})
    at ../../../i386/i386/trap.c:420
#6  0xc04cecc0 in ohci_softintr (v=0xc29a5000) at ../../../dev/usb/ohci.c:1438
#7  0xc04e0d42 in usb_schedsoftintr (bus=0x0) at ../../../dev/usb/usb.c:840
#8  0xc04ce8d1 in ohci_intr1 (sc=0xc29a5000) at ../../../dev/usb/ohci.c:1216
#9  0xc04ce73f in ohci_intr (p=0xc29a5000) at ../../../dev/usb/ohci.c:1145
#10 0xc0517328 in ithread_loop (arg=0xc2953200)
    at ../../../kern/kern_intr.c:547
#11 0xc0515f58 in fork_exit (callout=0xc0517150 , arg=0x0, frame=0x0)
    at ../../../kern/kern_fork.c:802
(kgdb) frame 6
#6  0xc04cecc0 in ohci_softintr (v=0xc29a5000) at ../../../dev/usb/ohci.c:1438
1438            opipe->sed->ed.ed_headp = htole32(p->physaddr);
(kgdb) list
1433                    n = p->nexttd;
1434                    ohci_free_std(sc, p);
1435            }
1436
1437            /* clear halt */
1438            opipe->sed->ed.ed_headp = htole32(p->physaddr);
1439            OWRITE4(sc, OHCI_COMMAND_STATUS, OHCI_CLF);
1440
1441            if (cc == OHCI_CC_STALL)
1442                    xfer->status = USBD_STALLED;
(kgdb) print opipe
$1 = (struct ohci_pipe *) 0xc2953900
(kgdb) print opipe->sed
$2 = (ohci_soft_ed_t *) 0x0

!! ok, opipe is initialized as (struct ohci_pipe *)xfer->pipe, which
!! is a (struct usbd_pipe *)

(kgdb) print xfer->pipe
$3 = (struct usbd_pipe *) 0xc2953900
(kgdb) print *(xfer->pipe)
$4 = {iface = 0x0, device = 0xc2953b00, endpoint = 0xc2953b24, refcnt = 1,
  running = 0 '\0', aborting = 0 '\0', queue = {stqh_first = 0x0,
    stqh_last = 0xc2953914}, next = {le_next = 0x0, le_prev = 0x0},
  intrxfer = 0x0, repeat = 0 '\0', interval = -1, methods = 0xc0721d1c}
(kgdb) print *(opipe)
$5 = {pipe = {iface = 0x0, device = 0xc2953b00, endpoint = 0xc2953b24,
    refcnt = 1, running = 0 '\0', aborting = 0 '\0', queue = {
      stqh_first = 0x0, stqh_last = 0xc2953914}, next = {le_next = 0x0,
      le_prev = 0x0}, intrxfer = 0x0, repeat = 0 '\0', interval = -1,
    methods = 0xc0721d1c}, sed = 0x0, aborting = 0, tail = {td = 0x0,
    itd = 0x0}, u = {ctl = {reqdma = {block = 0x0, offs = 0, len = 0},
      length = 0, setup = 0x0, data = 0x0, stat = 0x0}, intr = {nslots = 0,
      pos = 0}, bulk = {length = 0, isread = 0}, iso = {next = 0,
      inuse = 0}}}

!! seems like ohci_softintr() expects xfer->pipe to point really to a
!! whole struct ohci_pipe, not just the struct usbd_pipe part. Either
!! somehow the remainder of (struct ohci_pipe *)xfer->pipe was not
!! initialized properly, or it is simply a struct usbd_pipe.
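
The layout the final comment describes, as an added example that is not part of the original mail or the FreeBSD source: a generic pipe embedded as the first member of a controller-specific pipe, cast back at the point of use, with a guard on the pointer that was 0x0 in the dump. The struct definitions are simplified stand-ins, and `pipe_alloc`, `pipe_open` and `clear_halt` are hypothetical names; the byte-order conversion is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins (assumptions), not the FreeBSD definitions. */
struct soft_ed { uint32_t ed_headp; };
struct usbd_pipe { int refcnt; };   /* generic part seen by the USB stack */
struct ohci_pipe {
    struct usbd_pipe pipe;  /* must be the first member for the cast below */
    struct soft_ed *sed;    /* controller-specific, filled in at open time */
};

/* Allocate the whole controller-specific object, zeroed; hand out the base. */
struct usbd_pipe *pipe_alloc(void) {
    struct ohci_pipe *op = calloc(1, sizeof(*op));
    return op ? &op->pipe : NULL;
}

/* Hypothetical open step that fills in the controller-specific part. */
int pipe_open(struct usbd_pipe *p, struct soft_ed *sed) {
    if (p == NULL || sed == NULL)
        return -1;
    ((struct ohci_pipe *)p)->sed = sed;
    return 0;
}

/* Models the "clear halt" store with a guard added: 0 on success,
 * -1 when no endpoint descriptor is attached (sed = 0x0 in the dump). */
int clear_halt(struct usbd_pipe *p, uint32_t physaddr) {
    struct ohci_pipe *op = (struct ohci_pipe *)p;
    if (op == NULL || op->sed == NULL)
        return -1;
    op->sed->ed_headp = physaddr;
    return 0;
}

int main(void) {
    struct soft_ed ed = {0};
    struct usbd_pipe *p = pipe_alloc();
    printf("before open: %d\n", clear_halt(p, 0x1000));
    pipe_open(p, &ed);
    printf("after open:  %d\n", clear_halt(p, 0x1000));
    free(p);
    return 0;
}
```

The guard covers only the case where the full object exists but its controller-specific part was never filled in; if the object had been allocated as a bare `struct usbd_pipe`, reading `sed` would already be out of bounds.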