From owner-freebsd-bugs Wed Jul 22 09:00:33 1998
Message-Id: <199807221454.KAA00527@lakes.dignus.com>
Date: Wed, 22 Jul 1998 10:54:52 -0400 (EDT)
From: Thomas David Rivers
Reply-To: rivers@dignus.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/7367: panic: malloc: wrong bucket
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         7367
>Category:       kern
>Synopsis:       panic: malloc: wrong bucket
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 22 09:00:01 PDT 1998
>Last-Modified:
>Originator:     Thomas David Rivers
>Organization:   Dignus LLC
>Release:        FreeBSD 2.2.6-RELEASE i386
>Environment:

    FreeBSD 2.2.6; 32Meg machine, XFreeBSD, Matrox
    Millennium II card.

>Description:

    I get "mysterious" panics/crashes after upgrading to 2.2.6 (from 2.2.5).
    Sometimes, I get a panic with a nice savecore, sometimes I don't.

    Here's the traceback of the latest one (from gdb -k):

    #0  boot (howto=256) at ../../kern/kern_shutdown.c:266
    #1  0xf0112882 in panic (fmt=0xf010f01b "malloc: wrong bucket")
        at ../../kern/kern_shutdown.c:390
    #2  0xf010f364 in malloc (size=264, type=41, flags=0)
        at ../../kern/kern_malloc.c:226
    #3  0xf010c992 in fork1 (p1=0xf0b04000, flags=20, retval=0xefbfff84)
        at ../../kern/kern_fork.c:170
    #4  0xf010c870 in fork (p=0xf0b04000, uap=0xefbfff94, retval=0xefbfff84)
        at ../../kern/kern_fork.c:91
    #5  0xf01c853f in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 368640,
          tf_esi = 337812, tf_ebp = -272639004, tf_isp = -272629788,
          tf_ebx = 1, tf_edx = 368640, tf_ecx = 337812, tf_eax = 2,
          tf_trapno = 12, tf_err = 7, tf_eip = 168389, tf_cs = 31,
          tf_eflags = 514, tf_esp = -272639028, tf_ss = 39})
        at ../../i386/i386/trap.c:918
    #6  0x291c5 in ?? ()
    #7  0x2e49 in ?? ()
    #8  0x2399 in ?? ()
    #9  0x2148 in ?? ()
    #10 0x909e in ?? ()
    #11 0x107e in ?? ()

    which seems to be an issue with the kernel malloc routines, the
    call in fork1 looks like:

    169         /* Allocate new proc. */
    170         MALLOC(newproc, struct proc *, sizeof(struct proc), M_PROC, M_WAITOK);

    I'd guess that the malloc chains had been corrupted, and this is
    not the culprit of the corruption; but the call that discovered it.

    I have the kernel (a 2.2.6-RELEASE kernel config'd with debug) and
    the core file if anyone is interested.

    The panic call looks like (from kern_malloc.c):

    221                 freep->spare0 = 0;
    222 #endif /* DIAGNOSTIC */
    223 #ifdef KMEMSTATS
    224         kup = btokup(va);
    225         if (kup->ku_indx != indx)
    226                 panic("malloc: wrong bucket");
    227         if (kup->ku_freecnt == 0)
    228                 panic("malloc: lost data");
    229         kup->ku_freecnt--;
    230         kbp->kb_totalfree--;

    and, the problem here is kup is NULL! [so, the dereference
    kup->ku_indx gets a bogus value.] va is 0xf0b46c00, and *va is NULL.

>How-To-Repeat:

    Hmm... for me, it's boot up and wait a few days.

>Fix:

    As a diagnostic, perhaps a PANIC in kern_malloc if kup is NULL?

>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
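
The order of checks in the quoted kern_malloc.c excerpt, with the NULL diagnostic proposed under >Fix: placed first, modelled in user space as an added example (not code from the report or from FreeBSD). The table layout, the names (usage_lookup, check_bucket, model_set_page) and all sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; every name, size and address is hypothetical. */
#define MODEL_PAGE_SHIFT 12
#define MODEL_NPAGES     8
static const uintptr_t model_base = 0x10000;   /* constructed arena start */

struct model_kmemusage {
    short ku_indx;      /* bucket index the page was carved up for */
    short ku_freecnt;   /* free chunks remaining on the page */
};
static struct model_kmemusage usage[MODEL_NPAGES];

enum check_result { CHECK_OK, CHECK_NO_USAGE, CHECK_WRONG_BUCKET, CHECK_LOST_DATA };

/* Map an address to its per-page record; NULL when it lies outside the arena. */
static struct model_kmemusage *usage_lookup(uintptr_t va)
{
    if (va < model_base)
        return NULL;
    uintptr_t page = (va - model_base) >> MODEL_PAGE_SHIFT;
    return page < MODEL_NPAGES ? &usage[page] : NULL;
}

/* Validate a chunk taken from bucket `indx` before it is handed out. */
static enum check_result check_bucket(uintptr_t va, int indx)
{
    struct model_kmemusage *kup = usage_lookup(va);
    if (kup == NULL)
        return CHECK_NO_USAGE;      /* the diagnostic proposed under >Fix: */
    if (kup->ku_indx != indx)
        return CHECK_WRONG_BUCKET;  /* "malloc: wrong bucket" */
    if (kup->ku_freecnt == 0)
        return CHECK_LOST_DATA;     /* "malloc: lost data" */
    kup->ku_freecnt--;
    return CHECK_OK;
}

static void model_set_page(int page, short indx, short freecnt)
{
    usage[page].ku_indx = indx;
    usage[page].ku_freecnt = freecnt;
}

int main(void)
{
    model_set_page(2, 9, 1);
    printf("%d %d\n", check_bucket(model_base + 0x2100, 9), check_bucket(0x100, 9));
    return 0;
}
```

Returning a distinct code for the missing-record case separates a bad free-list pointer from a genuine bucket mismatch, which the single "wrong bucket" message cannot do.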