From: Igor Sysoev
To: freebsd-current@freebsd.org
Date: Wed, 1 Sep 2004 14:47:59 +0400 (MSD)
Message-ID: <20040901144705.K97970@is.park.rambler.ru>
Subject: panic caused by EVFILT_SIGNAL detaching in rfork()ed thread

5.3-BETA2 still may panic as described in
http://freebsd.rambler.ru/bsdmail/freebsd-hackers_2004/msg02732.html

#0  doadump () at pcpu.h:159
#1  0xc05ffbf4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:396
#2  0xc05fff13 in panic (fmt=0xc07bca72 "from debugger")
    at /usr/src/sys/kern/kern_shutdown.c:558
#3  0xc045fe89 in db_panic (addr=-1067481728, have_addr=0, count=-1,
    modif=0xeacfd92c "") at /usr/src/sys/ddb/db_command.c:435
#4  0xc045fe20 in db_command (last_cmdp=0xc0894604, cmd_table=0x0,
    aux_cmd_tablep=0xc08150d4, aux_cmd_tablep_end=0xc08150f0)
    at /usr/src/sys/ddb/db_command.c:349
#5  0xc045fee8 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
#6  0xc0461a4d in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
#7  0xc0616b03 in kdb_trap (type=12, code=0, tf=0x1)
    at /usr/src/sys/kern/subr_kdb.c:418
#8  0xc0787efd in trap_fatal (frame=0xeacfdac4, eva=28)
    at /usr/src/sys/i386/i386/trap.c:807
#9  0xc0787c5b in trap_pfault (frame=0xeacfdac4, usermode=0, eva=28)
    at /usr/src/sys/i386/i386/trap.c:730
#10 0xc07878a1 in trap (frame=
      {tf_fs = -1067319272, tf_es = -1064632304, tf_ds = -1010368496,
       tf_edi = -1065428340, tf_esi = 1502, tf_ebp = -355476720,
       tf_isp = -355476752, tf_ebx = 0, tf_edx = 4, tf_ecx = 2,
       tf_eax = -1013504780, tf_trapno = 12, tf_err = 0,
       tf_eip = -1067481728, tf_cs = 8, tf_eflags = 66118,
       tf_esp = -1008610988, tf_ss = 0})
    at /usr/src/sys/i386/i386/trap.c:417
#11 0xc077631a in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#12 0xc0620018 in removechild (parent=0x0, child=0x5de)
    at /usr/src/sys/kern/subr_witness.c:1443
#13 0xc05e86ab in knlist_remove_kq (knl=0xc39724f4, kn=0x0,
    knlislocked=-1065428340, kqislocked=0)
    at /usr/src/sys/kern/kern_event.c:1502
#14 0xc05e87b3 in knlist_remove (knl=0xc39724f4, kn=0xc3e1d154, islocked=0)
    at /usr/src/sys/kern/kern_event.c:1527
#15 0xc060451b in filt_sigdetach (kn=0x0) at /usr/src/sys/kern/kern_sig.c:2733
#16 0xc05e826a in kqueue_close (fp=0xc394ebb0, td=0xc3a22420)
    at /usr/src/sys/kern/kern_event.c:1372
#17 0xc05e5524 in fdrop_locked (fp=0xc394ebb0, td=0xc3a22420) at file.h:289
#18 0xc05e47b8 in fdrop (fp=0xc394ebb0, td=0xc3a22420)
    at /usr/src/sys/kern/kern_descrip.c:1897
#19 0xc05e478b in closef (fp=0xc394ebb0, td=0xc3a22420)
    at /usr/src/sys/kern/kern_descrip.c:1883
#20 0xc05e40e7 in fdfree (td=0xc3a22420)
    at /usr/src/sys/kern/kern_descrip.c:1610
#21 0xc05ea896 in exit1 (td=0xc3a22420, rv=0)
    at /usr/src/sys/kern/kern_exit.c:242
#22 0xc05ea494 in sys_exit (td=0xc3a22420, uap=0x0)
    at /usr/src/sys/kern/kern_exit.c:94
#23 0xc07881cf in syscall (frame=
      {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 2, tf_esi = 134873108,
       tf_ebp = -1077941784, tf_isp = -355476108, tf_ebx = 672658924,
       tf_edx = 10, tf_ecx = 672658608, tf_eax = 1, tf_trapno = 12,
       tf_err = 2, tf_eip = 672162923, tf_cs = 31, tf_eflags = 662,
       tf_esp = -1077941812, tf_ss = 47})
    at /usr/src/sys/i386/i386/trap.c:1004
#24 0xc077636f in Xint0x80_syscall ()
    at /usr/src/sys/i386/i386/exception.s:201
[ ... ]

(kgdb) fr 15
#15 0xc060451b in filt_sigdetach (kn=0x0) at /usr/src/sys/kern/kern_sig.c:2733
2733            knlist_remove(&p->p_klist, kn, 0);
(kgdb) down
#14 0xc05e87b3 in knlist_remove (knl=0xc39724f4, kn=0xc3e1d154, islocked=0)
    at /usr/src/sys/kern/kern_event.c:1527
1527            knlist_remove_kq(knl, kn, islocked, 0);
(kgdb) p *knl
$1 = {kl_lock = 0x0, kl_list = {slh_first = 0x0}}

However, I do not know whether it is safe to test !SLIST_EMPTY(&p->p_klist)
in filt_sigdetach(), because in 5.3-BETA2 kqueue uses its own mutex.

Unfortunately, I could not write a small test case just now to allow
everyone to reproduce the panic, but my user-level server always causes
a panic on exit on unpatched 5.x and sometimes on unpatched 4.10.

Igor Sysoev
http://sysoev.ru/en/