Date:      Sun, 4 Jul 1999 21:38:44 +0200 (CEST)
From:      Andrzej Bialecki <abial@webgiro.com>
To:        Peter Wemm <peter@netplex.com.au>
Cc:        freebsd-current@freebsd.org
Subject:   Panic in vm_page_free_toq (Re: Panic in vm_page_zero_idle)
Message-ID:  <Pine.BSF.4.05.9907042129400.67827-300000@freja.webgiro.com>
In-Reply-To: <19990629171306.122DB82@overcee.netplex.com.au>


[-- Attachment #1 --]
On Wed, 30 Jun 1999, Peter Wemm wrote:

> Andrzej Bialecki wrote:
> > Hi,
> > 
> > Sources are from yesterday, machine is Toshiba Portege 7020CT. During make
> > -j24 buildworld machine dies with the following panic message (notice
> > absence of register dump):
> > 
> > kernel: type 12 trap, code=0
> > Stopped at vm_page_zero_idle+0xc9:   movl %eax,0x4(%edx)
> > 
> > db> tr
> > vm_page_zero_idle(e,66a,2,183f9ff,756e6547) at vm_page_zero_idle+0xc9
> > idle_loop() at idle_loop+0x2d
> 
> That's because there is no process context at this point, and nowhere the
> registers are saved for the idle ``context''. 
> 
> Trap 12 is a page fault.  Do a 'show registers' to see what's up.  I
> would like to know what %edx is.
> 
> It's trapping here:
>                 m = vm_page_list_find(PQ_FREE, free_rover, FALSE);
>                 if (m != NULL && (m->flags & PG_ZERO) == 0) {
>                         --(*vm_page_queues[m->queue].lcnt);
>                         TAILQ_REMOVE(vm_page_queues[m->queue].pl, m, pageq);
>                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^
>                         m->queue = PQ_NONE;
>                         splx(s);
> 
> Specifically, vm_page_queues[m->queue].pl is invalid or the tailq corrupt
> or something evil along those lines.  Or, m->queue is bogus and causing
> an out of bounds array lookup.  Hmm, do a show registers and record %eax
> at this point too.

I could only use gdb, and I didn't have kernel.debug. I went some frames
up to reach the vm_page_zero_idle, and did "info registers". Both %eax and
%edx were 0x0.

But this time I was (a little bit) wiser. Here's another panic - this time
I got the core file and a kernel with symbols, and I did what I could with
gdb, but finally ran out of ideas... ;-)

Additionally, the core file is on a laptop, and I have only a modem
connection at the moment, but I will be able to put it on freefall (or
wherever) at the end of next week.

Andrzej Bialecki

//  <abial@webgiro.com> WebGiro AB, Sweden (http://www.webgiro.com)
// -------------------------------------------------------------------
// ------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
// --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----

[-- Attachment #2 --]
Script started on Sun Jul  4 20:54:36 1999
# gdb -k /sys/compile/TUNE/kernel.debug vmcore.2
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD 2822144
initial pcb at 240680
panicstr: vm_page_free: freeing free page
panic messages:
---
panic: vm_page_free: freeing free page

syncing disks... done

dumping to dev (0,196609), offset 131328
dump 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 
---
#0  boot (howto=256) at ../../kern/kern_shutdown.c:289
289			dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0  boot (howto=256) at ../../kern/kern_shutdown.c:289
#1  0xc0135851 in panic (fmt=0xc020ece0 "vm_page_free: freeing free page")
    at ../../kern/kern_shutdown.c:452
#2  0xc01a7f3d in vm_page_free_toq (m=0xc045f3e0) at ../../vm/vm_page.c:1095
#3  0xc01a5e39 in vm_object_terminate (object=0xc6b40bd0)
    at ../../vm/vm_page.h:500
#4  0xc01a5d55 in vm_object_deallocate (object=0xc6b40bd0)
    at ../../vm/vm_object.c:382
#5  0xc01a3263 in vm_map_entry_delete (map=0xc6880740, entry=0xc6cb6f78)
    at ../../vm/vm_map.c:1680
#6  0xc01a3421 in vm_map_delete (map=0xc6880740, start=0, end=3217022976)
    at ../../vm/vm_map.c:1783
#7  0xc01a34a5 in vm_map_remove (map=0xc6880740, start=0, end=3217022976)
    at ../../vm/vm_map.c:1808
#8  0xc012f310 in exit1 (p=0xc6d1ad60, rv=11) at ../../kern/kern_exit.c:220
#9  0xc0136bfe in sigexit (p=0xc6d1ad60, signum=11)
    at ../../kern/kern_sig.c:1251
#10 0xc0136a41 in postsig (signum=11) at ../../kern/kern_sig.c:1157
#11 0xc01d0b7e in trap (frame={tf_fs = 47, tf_es = -1063190481, 
      tf_ds = -1078001617, tf_edi = 0, tf_esi = 671533121, 
      tf_ebp = -1077945512, tf_isp = -958808108, tf_ebx = 671531312, 
      tf_edx = 27, tf_ecx = 134529888, tf_eax = 134291808, tf_trapno = 12, 
      tf_err = 134291808, tf_eip = 134529926, tf_cs = 31, tf_eflags = 66070, 
      tf_esp = -1077945512, tf_ss = 47}) at ../../i386/i386/trap.c:162
---Type <return> to continue, or q <return> to quit---
#12 0x804c386 in ?? ()
Cannot access memory at address 0xbfbfdb58.
(kgdb) up
#1  0xc0135851 in panic (fmt=0xc020ece0 "vm_page_free: freeing free page")
    at ../../kern/kern_shutdown.c:452
452		boot(bootopt);
(kgdb) up
#2  0xc01a7f3d in vm_page_free_toq (m=0xc045f3e0) at ../../vm/vm_page.c:1095
1095				panic("vm_page_free: freeing free page");
(kgdb) list
1090			printf(
1091			"vm_page_free: pindex(%lu), busy(%d), PG_BUSY(%d), hold(%d)\n",
1092			    (u_long)m->pindex, m->busy, (m->flags & PG_BUSY) ? 1 : 0,
1093			    m->hold_count);
1094			if ((m->queue - m->pc) == PQ_FREE)
1095				panic("vm_page_free: freeing free page");
1096			else
1097				panic("vm_page_free: freeing busy page");
1098		}
1099	#endif
(kgdb) print *m
$1 = {pageq = {tqe_next = 0xc04ca7e0, tqe_prev = 0xc0230e98}, hnext = 0x0, 
  listq = {tqe_next = 0xc057a580, tqe_prev = 0xc6b00be8}, object = 0x0, 
  pindex = 31, phys_addr = 8826880, queue = 44, flags = 129, pc = 43, 
  wire_count = 0, hold_count = 0, act_count = 5 '\005', busy = 0 '\000', 
  valid = 0 '\000', dirty = 255 'ÿ'}
(kgdb) print *(m->pageq.tqe_next)
$2 = {pageq = {tqe_next = 0xc053a3e0, tqe_prev = 0xc045f3e0}, hnext = 0x0, 
  listq = {tqe_next = 0xc0571b80, tqe_prev = 0xc690c2a0}, object = 0x0, 
  pindex = 5, phys_addr = 46313472, queue = 44, flags = 128, pc = 43, 
  wire_count = 0, hold_count = 0, act_count = 5 '\005', busy = 0 '\000', 
  valid = 0 '\000', dirty = 255 'ÿ'}
(kgdb) print **(m->pageq.tqe_prev)
$4 = {pageq = {tqe_next = 0xc04ca7e0, tqe_prev = 0xc0230e98}, hnext = 0x0, 
  listq = {tqe_next = 0xc057a580, tqe_prev = 0xc6b00be8}, object = 0x0, 
  pindex = 31, phys_addr = 8826880, queue = 44, flags = 129, pc = 43, 
  wire_count = 0, hold_count = 0, act_count = 5 '\005', busy = 0 '\000', 
  valid = 0 '\000', dirty = 255 'ÿ'}
(kgdb) print *((m->pageq.tqe_next)->pageq.tqe_next)
$5 = {pageq = {tqe_next = 0xc04aafe0, tqe_prev = 0xc04ca7e0}, hnext = 0x0, 
  listq = {tqe_next = 0x0, tqe_prev = 0xc696815c}, object = 0x0, pindex = 9, 
  phys_addr = 85372928, queue = 44, flags = 128, pc = 43, wire_count = 0, 
  hold_count = 0, act_count = 5 '\005', busy = 0 '\000', valid = 0 '\000', 
  dirty = 255 'ÿ'}
(kgdb) up
#3  0xc01a5e39 in vm_object_terminate (object=0xc6b40bd0)
    at ../../vm/vm_page.h:500
500		vm_page_free_toq(m);
(kgdb) print *object
$6 = {object_list = {tqe_next = 0xc6e0c804, tqe_prev = 0xc6aa1b64}, 
  shadow_head = {tqh_first = 0x0, tqh_last = 0xc6b40bd8}, shadow_list = {
    tqe_next = 0x0, tqe_prev = 0xc6b7c1b8}, memq = {tqh_first = 0xc045f3e0, 
    tqh_last = 0xc056f0fc}, generation = 800, type = OBJT_DEFAULT, size = 32, 
  ref_count = 0, shadow_count = 0, pg_color = 12, hash_rand = -206344143, 
  flags = 8584, paging_in_progress = 0, behavior = 0, resident_page_count = 2, 
  backing_object = 0x0, backing_object_offset = 0, last_read = 0, 
  pager_object_list = {tqe_next = 0x0, tqe_prev = 0x0}, handle = 0x0, 
  un_pager = {vnp = {vnp_size = 0}, devp = {devp_pglist = {tqh_first = 0x0, 
        tqh_last = 0x0}}, swp = {swp_bcount = 0}}}
(kgdb) quit
# exit


Script done on Sun Jul  4 21:18:32 1999
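
The conditions Peter lists above (a bogus m->queue index, or a corrupt tailq) can be checked mechanically before TAILQ_REMOVE writes through the links. The following C sketch is an added example, not code from the FreeBSD tree or from either poster; NQUEUES, struct page, check_links() and the sample pages are assumptions made for illustration, with the tailq fields written out by hand rather than taken from <sys/queue.h>.

```c
#include <stddef.h>
#include <stdio.h>

#define NQUEUES 4   /* hypothetical queue count for this sketch */

struct page;
struct pglist { struct page *tqh_first; struct page **tqh_last; };
struct page {       /* pageq first, matching the print *m layout */
    struct { struct page *tqe_next; struct page **tqe_prev; } pageq;
    unsigned short queue;
};
static struct pglist queues[NQUEUES];

enum link_state { LINK_OK, BAD_QUEUE, BAD_PREV, BAD_NEXT };

static void queues_init(void) {
    for (int i = 0; i < NQUEUES; i++) {
        queues[i].tqh_first = NULL;
        queues[i].tqh_last = &queues[i].tqh_first;
    }
}

/* Same link updates as TAILQ_INSERT_TAIL. */
static void enqueue_tail(struct page *m, unsigned short q) {
    m->queue = q;
    m->pageq.tqe_next = NULL;
    m->pageq.tqe_prev = queues[q].tqh_last;
    *queues[q].tqh_last = m;
    queues[q].tqh_last = &m->pageq.tqe_next;
}

/* Check what TAILQ_REMOVE assumes before it writes through the links. */
static enum link_state check_links(struct page *m) {
    struct page **back;
    if (m->queue >= NQUEUES)            /* bogus m->queue: out-of-bounds lookup */
        return BAD_QUEUE;
    if (m->pageq.tqe_prev == NULL || *m->pageq.tqe_prev != m)
        return BAD_PREV;                /* predecessor does not point at m */
    back = m->pageq.tqe_next ? m->pageq.tqe_next->pageq.tqe_prev
                             : queues[m->queue].tqh_last;
    return back == &m->pageq.tqe_next ? LINK_OK : BAD_NEXT;
}

int main(void) {
    struct page a, b, c;                /* constructed sample pages */
    queues_init();
    enqueue_tail(&a, 1); enqueue_tail(&b, 1); enqueue_tail(&c, 1);
    printf("intact: %d\n", check_links(&b));
    b.pageq.tqe_next = NULL;            /* simulated stray write */
    printf("after stray write: %d\n", check_links(&b));
    return 0;
}
```

The kgdb commands in the session above, print **(m->pageq.tqe_prev) and print *(m->pageq.tqe_next), perform the same comparisons by hand on the crash dump.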

[-- Attachment #3 --]
#
# GENERIC -- Generic machine with WD/AHx/NCR/BTx family disks
#
# For more information read the handbook part System Administration -> 
# Configuring the FreeBSD Kernel -> The Configuration File. 
# The handbook is available in /usr/share/doc/handbook or online as
# latest version from the FreeBSD World Wide Web server 
# <URL:http://www.FreeBSD.ORG/>;
#
# An exhaustive list of options and more detailed explanations of the 
# device lines is present in the ./LINT configuration file. If you are 
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
#	$Id: GENERIC,v 1.143.2.11 1999/05/04 00:15:55 msmith Exp $

machine		"i386"
cpu		"I686_CPU"
ident		TUNE
maxusers	32

options		INET			#InterNETworking
options		FFS			#Berkeley Fast Filesystem
options		FFS_ROOT		#FFS usable as root device [keep this!]
options		MSDOSFS			#MSDOS Filesystem
options		"CD9660"		#ISO 9660 Filesystem
options		"CD9660_ROOT"		#CD-ROM usable as root. "CD9660" req'ed
options		PROCFS			#Process filesystem
options		"COMPAT_43"		#Compatible with BSD 4.3 [KEEP THIS!]
options		UCONSOLE		#Allow users to grab the console
options		USERCONFIG		#boot -c editor
options		VISUAL_USERCONFIG	#visual boot -c editor
options		DDB

#config		kernel	root on wd0

# To make an SMP kernel, the next two are needed
#options	SMP			# Symmetric MultiProcessor Kernel
#options	APIC_IO			# Symmetric (APIC) I/O
# Optionally these may need tweaked, (defaults shown):
#options	NCPU=2			# number of CPUs
#options	NBUS=4			# number of busses
#options	NAPIC=1			# number of IO APICs
#options	NINTR=24		# number of INTs

controller	isa0
controller	pci0
controller	pnp0

device pcm0 at isa? port 0x220 irq 5 drq 1 flags 0x0

controller	fdc0	at isa? port "IO_FD1" irq 6 drq 2
disk		fd0	at fdc0 drive 0

#controller	wdc0	at isa? port "IO_WD1" irq 14
#disk		wd0	at wdc0 drive 0
#disk		wd1	at wdc0 drive 1

#controller	wdc1	at isa? port "IO_WD2" irq 15
#disk		wd2	at wdc1 drive 0
#disk		wd3	at wdc1 drive 1

#device		wcd0		#IDE CD-ROM

controller	ata0
device		atadisk0
device		atapicd0

# atkbdc0 controlls both the keyboard and the PS/2 mouse
controller	atkbdc0	at isa? port IO_KBD
device		atkbd0	at atkbdc? irq 1
device		psm0	at atkbdc? irq 12

device		vga0	at isa? port ? conflicts

# splash screen/screen saver
pseudo-device	splash

# syscons is the default console driver, resembling an SCO console
device		sc0	at isa? 

device		npx0	at isa? port IO_NPX irq 13

#
# Laptop support (see LINT for more options)
#
device		apm0    at isa?	flags 0x31 # Advanced Power Management

# PCCARD (PCMCIA) support
controller	card0
device		pcic0	at card?
device		pcic1	at card?

device		sio0	at isa? port "IO_COM1" flags 0x10 irq 4
device		sio1	at isa? port "IO_COM2" irq 3
device		sio2	at isa? disable port "IO_COM3" irq 5
device		sio3	at isa? disable port "IO_COM4" irq 9

# Parallel port
device		ppc0	at isa? port? flags 0x40 irq 7
controller	ppbus0
device		lpt0	at ppbus?
device		plip0	at ppbus?
device		ppi0	at ppbus?

#
# The following Ethernet NICs are all PCI devices.
#
#device ax0		# ASIX AX88140A
#device de0		# DEC/Intel DC21x4x (``Tulip'')
device fxp0		# Intel EtherExpress PRO/100B (82557, 82558)
#device mx0		# Macronix 98713/98715/98725 (``PMAC'')
#device pn0		# Lite-On 82c168/82c169 (``PNIC'')
#device rl0		# RealTek 8129/8139
#device tl0		# Texas Instruments ThunderLAN
#device tx0		# SMC 9432TX (83c170 ``EPIC'')
#device vr0		# VIA Rhine, Rhine II
#device vx0		# 3Com 3c590, 3c595 (``Vortex'')
#device wb0		# Winbond W89C840F
#device xl0		# 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Order is important here due to intrusive probes, do *not* alphabetize
# this list of network interfaces until the probes have been fixed.
# Right now it appears that the ie0 must be probed before ep0. See
# revision 1.20 of this file.

device ed0 at isa? port 0x280 irq 10 iomem 0xd8000
device ie0 at isa? port 0x300 irq 10 iomem 0xd0000
device ep0 at isa? port 0x300 irq 10
device ex0 at isa? port? irq?
device fe0 at isa? port 0x300 irq ?
device le0 at isa? port 0x300 irq 5 iomem 0xd0000
device lnc0 at isa? port 0x280 irq 10 drq 0
device cs0 at isa? port 0x300 irq ?

pseudo-device	loop
pseudo-device	ether
pseudo-device	sl	1
pseudo-device	ppp	1
pseudo-device	tun	2
pseudo-device	vn	4
pseudo-device	pty	16
pseudo-device	gzip		# Exec gzipped a.out's

# KTRACE enables the system-call tracing facility ktrace(2).
# This adds 4 KB bloat to your kernel, and slightly increases
# the costs of each syscall.
options		KTRACE		#kernel tracing

# This provides support for System V shared memory and message queues.
#
options		SYSVSHM
options		SYSVMSG
options		SYSVSEM

#  The `bpfilter' pseudo-device enables the Berkeley Packet Filter.  Be
#  aware of the legal and administrative consequences of enabling this
#  option.  The number of devices determines the maximum number of
#  simultaneous BPF clients programs runnable.
pseudo-device	bpfilter 4	#Berkeley packet filter

