From: "Brian F. Feldman"
To: Jake Burkholder
Cc: "Brian F. Feldman", John Baldwin, Kris Kennaway, current@FreeBSD.ORG, alpha@FreeBSD.ORG
Subject: Re: UMA panic under load
Date: Sat, 14 Dec 2002 20:21:01 -0500
Message-Id: <200212150121.gBF1L15m014304@green.bikeshed.org>

Jake Burkholder wrote:
> Apparently, On Sat, Dec 14, 2002 at 07:37:31PM -0500,
> Brian F. Feldman said words to the effect of;
>
> > John Baldwin wrote:
> > >
> > > On 12-Dec-2002 Kris Kennaway wrote:
> > > > I got this on an alpha tonight. It was under heavy load at the time
> > > > (18 simultaneous package builds had just been spawned on the machine).
> > > > Any ideas?
> > > >
> > > > Slab at 0xfffffc00042d3fb8, freei 2 = 0.
> > > > panic: Duplicate free of item 0xfffffc00042d22e0 from zone 0xfffffc0007d31800(VMSPACE)
> > > >
> > > > db_print_backtrace() at db_print_backtrace+0x18
> > > > panic() at panic+0x104
> > > > uma_dbg_free() at uma_dbg_free+0x170
> > > > uma_zfree_arg() at uma_zfree_arg+0x150
> > > > vmspace_free() at vmspace_free+0xe4
> > > > swapout_procs() at swapout_procs+0x428
> > > > vm_daemon() at vm_daemon+0x74
> > > > fork_exit() at fork_exit+0xe0
> > > > exception_return() at exception_return
> > > > --- root of call graph ---
> > > > panic
> > > > Stopped at Debugger+0x34: zapnot v0,#0xf,v0
> > > > db>
> > >
> > > I have seen this on a couple of different arch's I think. A vmspace
> > > shouldn't be free'd here, its refcount should not be that low.
> > > I wonder if something is free'ing the vmspace w/o dropping the refcount?
> >
> > The problem appears to be that swapout_procs() is swapping out a process
> > that is in the process of exiting (in exit1()) and having already
> > relinquished its vmspace, but has not set PRS_ZOMBIE yet (which would be
> > preventing the swapout). It's clearly not correct for a process in exit1()
> > to be swapped out, and the vmspace _needs_ to be decremented in the correct
> > place or resources are NEVER freed when the race is lost.
>
> P_WEXIT is set, so the process won't get swapped out. The problem is that
> the vmspace refcnt is 0 when swapout_procs is called, since it was
> decremented in exit1. The refcnt is incremented before p_flag is tested
> for P_WEXIT, the swapout is skipped because it's found to be set, and then
> vmspace_free is called which decrements the refcnt to 0 and prematurely
> frees the vmspace. Decrementing the refcnt in exit1 breaks the normal
> reference count semantics because the vmspace is not being freed then.

There are no normal reference count semantics; exit1() attempts to free
parts of the vmspace.
Sounds to me like a simple solution is to check for P_WEXIT both
before and after incrementing the vmspace refcount.

-- 
Brian Fundakowski Feldman                  \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org <> bfeldman@tislabs.com  \ The Power to Serve! \
     Opinions expressed are my own.             \,,,,,,,,,,,,,,,,,,,,,,\
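The interleaving discussed in this thread, as an added example that is not part of the original message and is not FreeBSD code: a single-threaded C model in which `run()` replays one scanner pass against one exiting process and counts how often the vmspace is freed. All struct and function names are hypothetical, and the deferred free in `exit_finish()` and the plain decrement used to undo the scanner's reference are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the thread's race; not FreeBSD source. All names are hypothetical. */
struct vmspace { int refcnt; int frees; };      /* frees: times returned to the zone */
struct proc    { bool wexit; struct vmspace *vm; };

/* Normal release: the holder that drops the count to 0 frees the object. */
static void vm_release(struct vmspace *vm) {
    if (--vm->refcnt == 0)
        vm->frees++;
}

/* Exit path as the thread describes it: flag set, count dropped, no free yet. */
static void exit_begin(struct proc *p) { p->wexit = true; p->vm->refcnt--; }

/* Assumption of this model: the exit path performs the real free later. */
static void exit_finish(struct proc *p) { p->vm->frees++; }

/*
 * One scanner pass against one exiting process.
 * exit_at: 0 = exit begins before the scan, 1 = between the scanner's first
 * flag check and its refcnt++, 2 = after the scan has finished.
 * checked: test the exit flag before and after taking the reference.
 * Returns how many times the vmspace was freed (1 is correct).
 */
static int run(bool checked, int exit_at) {
    struct vmspace vm = { 1, 0 };
    struct proc p = { false, &vm };

    if (exit_at == 0) exit_begin(&p);
    if (checked && p.wexit) goto done;           /* check before taking the ref */
    if (exit_at == 1) exit_begin(&p);
    vm.refcnt++;                                 /* scanner's temporary reference */
    if (checked && p.wexit) { vm.refcnt--; goto done; }  /* undo, do not free */
    /* the swapout itself would happen here when !p.wexit */
    vm_release(&vm);                             /* unchecked: 1 -> 0 frees early */
done:
    if (exit_at == 2) exit_begin(&p);
    exit_finish(&p);
    return vm.frees;
}

int main(void) {
    for (int at = 0; at <= 2; at++)
        printf("exit_at=%d unchecked=%d checked=%d\n", at, run(false, at), run(true, at));
    return 0;
}
```

A return value of 2 corresponds to the "Duplicate free" panic in the quoted report; the model covers only these three orderings and says nothing about locking.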