Date: Mon, 27 May 1996 14:04:40 +0300 (EET DST) From: Heikki Suonsivu <hsu@clinet.fi> To: FreeBSD-gnats-submit@freebsd.org Subject: kern/1258: new vm code: freeing held page Message-ID: <199605271104.OAA19130@varasto.clinet.fi> Resent-Message-ID: <199605271110.EAA04574@freefall.freebsd.org>
>Number: 1258 >Category: kern >Synopsis: new vm code: freeing held page >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon May 27 04:10:03 PDT 1996 >Last-Modified: >Originator: Heikki Suonsivu >Organization: Clinet, Espoo, Finland >Release: FreeBSD 2.2-CURRENT i386 >Environment: news server, sup May 27 00:50 GMT. >Description: kernel and dump are ftp.clinet.fi://ftp.clinet.fi/pub/FreeBSD/crashdumps/*.77.gz hsu#news.clinet.fi Mon 4: gdb -k kernel.77 vmcore.77 GDB is free software and you are welcome to distribute copies of it under certain conditions; type "show copying" to see the conditions. There is absolutely no warranty for GDB; type "show warranty" for details. GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc... IdlePTD 268000 current pcb at 21f608 panic: freeing held page, count=%d, pindex=%d(0x%x) #0 boot (howto=256) at ../../i386/i386/machdep.c:940 940 dumppcb.pcb_ptd = rcr3(); (kgdb) bt #0 boot (howto=256) at ../../i386/i386/machdep.c:940 #1 0xf01171f6 in panic ( fmt=0xf01bd6a9 "freeing held page, count=%d, pindex=%d(0x%x)") at ../../kern/subr_prf.c:127 #2 0xf01bd7b7 in vm_page_free (m=0xf0331180) at ../../vm/vm_page.c:746 #3 0xf01c6477 in pmap_release (pmap=0xf36ed064) at ../../i386/i386/pmap.c:698 #4 0xf01b7e34 in vmspace_free (vm=0xf36ed000) at ../../vm/vm_map.c:265 #5 0xf01ce0da in cpu_wait (p=0xf34a3400) at ../../i386/i386/vm_machdep.c:628 #6 0xf010c355 in wait1 (q=0xf37a6d00, uap=0xefbfff94, retval=0xefbfff84, compat=0) at ../../kern/kern_exit.c:426 #7 0xf010c183 in wait4 (p=0xf37a6d00, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/kern_exit.c:323 #8 0xf01ca921 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 360448, tf_esi = 1, tf_ebp = -272639216, tf_isp = -272629788, tf_ebx = -272639156, tf_edx = 2, tf_ecx = -272639156, tf_eax = 7, tf_trapno = 12, tf_err = 7, tf_eip = 178245, tf_cs = 31, tf_eflags = 514, 
tf_esp = -272639236, tf_ss = 39}) at ../../i386/i386/trap.c:890 #9 0xf01c1ee5 in Xsyscall () #10 0xb63f in ?? () #11 0xb347 in ?? () #12 0xb1f8 in ?? () #13 0x620a in ?? () #14 0x52a9 in ?? () #15 0x510b in ?? () #16 0x51f0 in ?? () #17 0x5162 in ?? () #18 0x50eb in ?? () #19 0x50eb in ?? () #20 0x50eb in ?? () #21 0x50eb in ?? () #22 0x50eb in ?? () #23 0x50eb in ?? () #24 0x53b4 in ?? () #25 0x5216 in ?? () #26 0x57fa in ?? () #27 0x5296 in ?? () #28 0xc08b in ?? () #29 0xbf86 in ?? () #30 0x107f in ?? () (kgdb) up #1 0xf01171f6 in panic ( fmt=0xf01bd6a9 "freeing held page, count=%d, pindex=%d(0x%x)") at ../../kern/subr_prf.c:127 127 boot(bootopt); (kgdb) list 122 123 #if defined(DDB) 124 if (debugger_on_panic) 125 Debugger ("panic"); 126 #endif 127 boot(bootopt); 128 } 129 130 /* 131 * Warn that a system table is full. (kgdb) up #2 0xf01bd7b7 in vm_page_free (m=0xf0331180) at ../../vm/vm_page.c:746 746 panic("freeing held page, count=%d, pindex=%d(0x%x)", (kgdb) list 741 else 742 panic("vm_page_free: freeing busy page"); 743 } 744 745 if (m->hold_count) { 746 panic("freeing held page, count=%d, pindex=%d(0x%x)", 747 m->hold_count, m->pindex, m->pindex); 748 } 749 750 vm_page_remove(m); (kgdb) print *m $1 = {pageq = {tqe_next = 0xf030a6f0, tqe_prev = 0xf0301de0}, hashq = { tqe_next = 0x0, tqe_prev = 0xf02d8ec8}, listq = {tqe_next = 0xf0331cc0, tqe_prev = 0xf02b0610}, object = 0xf3999380, pindex = 0, phys_addr = 55611392, queue = 4, flags = 4, wire_count = 0, hold_count = 22, act_count = 5 '\005', busy = 0 '\000', valid = 255 'ÿ', dirty = 0 '\000'} (kgdb) set radix 16 Input and output radices now set to decimal 16, hex 10, octal 20. 
(kgdb) print *m $2 = {pageq = {tqe_next = 0xf030a6f0, tqe_prev = 0xf0301de0}, hashq = { tqe_next = 0x0, tqe_prev = 0xf02d8ec8}, listq = {tqe_next = 0xf0331cc0, tqe_prev = 0xf02b0610}, object = 0xf3999380, pindex = 0x0, phys_addr = 0x3509000, queue = 0x4, flags = 0x4, wire_count = 0x0, hold_count = 0x16, act_count = 0x5, busy = 0x0, valid = 0xff, dirty = 0x0} (kgdb) up #3 0xf01c6477 in pmap_release (pmap=0xf36ed064) at ../../i386/i386/pmap.c:698 698 vm_page_free(p); (kgdb) list 693 pde[APTDPTDI] = 0; 694 pde[PTDPTDI] = 0; 695 pmap_kremove((vm_offset_t) pmap->pm_pdir); 696 } 697 698 vm_page_free(p); 699 TAILQ_REMOVE(&vm_page_queue_free, p, pageq); 700 TAILQ_INSERT_HEAD(&vm_page_queue_zero, p, pageq); 701 p->queue = PQ_ZERO; 702 splx(s); (kgdb) print p $3 = (struct vm_page *) 0xf0331180 (kgdb) print *p $4 = {pageq = {tqe_next = 0xf030a6f0, tqe_prev = 0xf0301de0}, hashq = { tqe_next = 0x0, tqe_prev = 0xf02d8ec8}, listq = {tqe_next = 0xf0331cc0, tqe_prev = 0xf02b0610}, object = 0xf3999380, pindex = 0x0, phys_addr = 0x3509000, queue = 0x4, flags = 0x4, wire_count = 0x0, hold_count = 0x16, act_count = 0x5, busy = 0x0, valid = 0xff, dirty = 0x0} (kgdb) up #4 0xf01b7e34 in vmspace_free (vm=0xf36ed000) at ../../vm/vm_map.c:265 265 pmap_release(&vm->vm_pmap); (kgdb) print vm $5 = (struct vmspace *) 0xf36ed000 (kgdb) print *vm $6 = {vm_map = {pmap = 0xf36ed064, lock = {want_write = 0x0, want_upgrade = 0x0, waiting = 0x0, can_sleep = 0x1, read_count = 0x0, proc = 0x0, recursion_depth = 0x0}, header = {prev = 0xf36ed020, next = 0xf36ed020, start = 0x0, end = 0xeffbf000, object = { vm_object = 0x0, share_map = 0x0, sub_map = 0x0}, offset = 0x0000000000000000, is_a_map = 0x0, is_sub_map = 0x0, copy_on_write = 0x0, needs_copy = 0x0, protection = 0x0, max_protection = 0x0, inheritance = 0x0, wired_count = 0x0}, nentries = 0x0, size = 0x0, is_main_map = 0x1, ref_count = 0x0, hint = 0xf36ed020, first_free = 0xf36ed020, entries_pageable = 0x1, timestamp = 0x7}, vm_pmap = {pm_pdir = 
0xf9c93000, pm_pteobj = 0xf3999380, pm_dref = 0x0, pm_count = 0x1, pm_stats = {resident_count = 0x18, wired_count = 0x0}, pm_map = 0xf36ed000}, vm_refcnt = 0x0, vm_shm = 0x0, vm_upages_obj = 0xf36b3e80, vm_rssize = 0x0, vm_swrss = 0x0, vm_tsize = 0xa, vm_dsize = 0x2, vm_ssize = 0x20, vm_taddr = 0x1000 "Ì", vm_daddr = 0xb000 "\\ò\001", vm_maxsaddr = 0xebbfe000 <Address 0xebbfe000 out of bounds>, vm_minsaddr = 0xefbfddc4 "\004"} (kgdb) up #5 0xf01ce0da in cpu_wait (p=0xf34a3400) at ../../i386/i386/vm_machdep.c:628 628 vmspace_free(p->p_vmspace); (kgdb) print p $7 = (struct proc *) 0xf34a3400 (kgdb) print *p $8 = {p_forw = 0xf0249874, p_back = 0x0, p_list = {le_next = 0x0, le_prev = 0xf0243444}, p_cred = 0x0, p_fd = 0xf3539880, p_stats = 0xf7809258, p_limit = 0xf020a4a8, p_vmspace = 0xf36ed000, p_sigacts = 0xf7809128, p_flag = 0x6004, p_stat = 0x5, p_pad1 = "ðûï", p_pid = 0x49b5, p_pglist = {le_next = 0x0, le_prev = 0xf37a6d34}, p_pptr = 0xf37a6d00, p_sibling = {le_next = 0x0, le_prev = 0xf37a6d48}, p_children = {lh_first = 0x0}, p_oppid = 0x0, p_dupfd = 0x0, p_estcpu = 0x100, p_cpticks = 0x1, p_pctcpu = 0x0, p_wchan = 0x0, p_wmesg = 0x0, p_swtime = 0x0, p_slptime = 0x0, p_realtimer = { it_interval = {tv_sec = 0x0, tv_usec = 0x0}, it_value = {tv_sec = 0x0, tv_usec = 0x0}}, p_rtime = {tv_sec = 0x0, tv_usec = 0x4fc}, p_uticks = 0, p_sticks = 0, p_iticks = 1, p_traceflag = 0x0, p_tracep = 0x0, p_siglist = 0x0, p_textvp = 0xf348b700, p_lock = 0x0, p_pad2 = "\000\000", p_locks = 0x0, p_simple_locks = 0x0, p_hash = {le_next = 0x0, le_prev = 0xf33d66d4}, p_sigmask = 0x0, p_sigignore = 0xffffffff, p_sigcatch = 0x0, p_priority = 0x72, p_usrpri = 0x72, p_nice = 0x0, p_comm = "test\000er\000\000\000\000\000\000\000\000\000", p_pgrp = 0x0, p_sysent = 0xf01fd8c0, p_rtprio = {type = 0x1, prio = 0x0}, p_addr = 0xf7809000, p_md = {md_flags = 0x0, md_regs = 0xefbfffbc}, p_xstat = 0x0, p_acflag = 0x0, p_ru = 0x0} (kgdb) up #6 0xf010c355 in wait1 (q=0xf37a6d00, uap=0xefbfff94, 
retval=0xefbfff84, compat=0x0) at ../../kern/kern_exit.c:426 426 cpu_wait(p); (kgdb) print p $9 = (struct proc *) 0xf34a3400 (kgdb) print *p $10 = {p_forw = 0xf0249874, p_back = 0x0, p_list = {le_next = 0x0, le_prev = 0xf0243444}, p_cred = 0x0, p_fd = 0xf3539880, p_stats = 0xf7809258, p_limit = 0xf020a4a8, p_vmspace = 0xf36ed000, p_sigacts = 0xf7809128, p_flag = 0x6004, p_stat = 0x5, p_pad1 = "ðûï", p_pid = 0x49b5, p_pglist = {le_next = 0x0, le_prev = 0xf37a6d34}, p_pptr = 0xf37a6d00, p_sibling = {le_next = 0x0, le_prev = 0xf37a6d48}, p_children = {lh_first = 0x0}, p_oppid = 0x0, p_dupfd = 0x0, p_estcpu = 0x100, p_cpticks = 0x1, p_pctcpu = 0x0, p_wchan = 0x0, p_wmesg = 0x0, p_swtime = 0x0, p_slptime = 0x0, p_realtimer = { it_interval = {tv_sec = 0x0, tv_usec = 0x0}, it_value = {tv_sec = 0x0, tv_usec = 0x0}}, p_rtime = {tv_sec = 0x0, tv_usec = 0x4fc}, p_uticks = 0, p_sticks = 0, p_iticks = 1, p_traceflag = 0x0, p_tracep = 0x0, p_siglist = 0x0, p_textvp = 0xf348b700, p_lock = 0x0, p_pad2 = "\000\000", p_locks = 0x0, p_simple_locks = 0x0, p_hash = {le_next = 0x0, le_prev = 0xf33d66d4}, p_sigmask = 0x0, p_sigignore = 0xffffffff, p_sigcatch = 0x0, p_priority = 0x72, p_usrpri = 0x72, p_nice = 0x0, p_comm = "test\000er\000\000\000\000\000\000\000\000\000", p_pgrp = 0x0, p_sysent = 0xf01fd8c0, p_rtprio = {type = 0x1, prio = 0x0}, p_addr = 0xf7809000, p_md = {md_flags = 0x0, md_regs = 0xefbfffbc}, p_xstat = 0x0, p_acflag = 0x0, p_ru = 0x0} (kgdb) up #7 0xf010c183 in wait4 (p=0xf37a6d00, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/kern_exit.c:323 323 return (wait1(p, uap, retval, 0)); (kgdb) print p $11 = (struct proc *) 0xf37a6d00 (kgdb) print uap $12 = (struct wait_args *) 0xefbfff94 (kgdb) print *uap $13 = {pid = 0xffffffff, status = 0xefbfdb4c, options = 0x2, rusage = 0x0} (kgdb) print reval No symbol "reval" in current context. 
(kgdb) print retval $14 = (int *) 0xefbfff84 (kgdb) up #8 0xf01ca921 in syscall (frame={tf_es = 0x27, tf_ds = 0x27, tf_edi = 0x58000, tf_esi = 0x1, tf_ebp = 0xefbfdb10, tf_isp = 0xefbfffe4, tf_ebx = 0xefbfdb4c, tf_edx = 0x2, tf_ecx = 0xefbfdb4c, tf_eax = 0x7, tf_trapno = 0xc, tf_err = 0x7, tf_eip = 0x2b845, tf_cs = 0x1f, tf_eflags = 0x202, tf_esp = 0xefbfdafc, tf_ss = 0x27}) at ../../i386/i386/trap.c:890 890 error = (*callp->sy_call)(p, args, rval); (kgdb) list 885 ktrsyscall(p->p_tracep, code, callp->sy_narg, args); 886 #endif 887 rval[0] = 0; 888 rval[1] = frame.tf_edx; 889 890 error = (*callp->sy_call)(p, args, rval); 891 892 switch (error) { 893 894 case 0: (kgdb) up #9 0xf01c1ee5 in Xsyscall () (kgdb) list 895 /* 896 * Reinitialize proc pointer `p' as it may be different 897 * if this is a child returning from fork syscall. 898 */ 899 p = curproc; 900 frame.tf_eax = rval[0]; 901 frame.tf_edx = rval[1]; 902 frame.tf_eflags &= ~PSL_C; 903 break; 904 (kgdb) up #10 0xb63f in ?? () (kgdb) list 905 case ERESTART: 906 /* 907 * Reconstruct pc, assuming lcall $X,y is 7 bytes, 908 * int 0x80 is 2 bytes. We saved this in tf_err. 909 */ 910 frame.tf_eip -= frame.tf_err; 911 break; 912 913 case EJUSTRETURN: 914 break; (kgdb) >How-To-Repeat: I do not know, but load might be a good candidate. >Fix: >Audit-Trail: >Unformatted: