Date: Thu, 2 Mar 2000 01:05:36 -0800 (PST) From: pherman@piro.net To: freebsd-gnats-submit@FreeBSD.org Subject: kern/17124: panic: vm_object_deallocate: object deallocated too many times Message-ID: <200003020905.BAA55433@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 17124
>Category: kern
>Synopsis: panic: vm_object_deallocate: object deallocated too many times
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 2 01:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Paul Herman
>Release: FreeBSD 3.4-stable
>Organization:
>Environment:
FreeBSD alaaf 3.4-RELEASE FreeBSD 3.4-RELEASE #1: Wed Mar 1 22:53:54 CET 2000 root@alaaf:/usr/src/sys/compile/GENERIC i386
>Description:
After repeatedly and quickly running a specific user program
which swaps a lot, the kernel will panic.
Plain vanilla GENERIC kernel + "option SOFTUPDATES" (couldn't seem
to reproduce it without softupdates! Hmmm...) Oh yeah, I'm using
vinum module, but don't think it has anything to do with that.
Kaboom! Here comes the kgdb backtrace:
panic messages:
---
panic: vm_object_deallocate: object deallocated too many times: 0
syncing disks... 2 2 done
dumping to dev 20001, offset 131200
dump 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 2
6 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
---
#0 boot (howto=256) at ../../kern/kern_shutdown.c:285
285 dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0 boot (howto=256) at ../../kern/kern_shutdown.c:285
#1 0xc01640c4 in at_shutdown (function=0xc02c2294 <cvtbsdprot.274+64>,
arg=0x0, queue=-1001078464) at ../../kern/kern_shutdown.c:446
#2 0xc0242937 in vm_object_deallocate (object=0xc456d1f0)
at ../../vm/vm_object.c:305
#3 0xc023fe7f in vm_map_entry_delete (map=0xc4532880, entry=0xc454c140)
at ../../vm/vm_map.c:1735
#4 0xc0240060 in vm_map_delete (map=0xc4532880, start=0, end=3217022976)
at ../../vm/vm_map.c:1849
#5 0xc02400e4 in vm_map_remove (map=0xc4532880, start=0, end=3217022976)
at ../../vm/vm_map.c:1874
#6 0xc015dad1 in exec_new_vmspace (imgp=0xc4568e94)
at ../../kern/kern_exec.c:452
#7 0xc01543ec in exec_elf_imgact (imgp=0xc4568e94)
at ../../kern/imgact_elf.c:452
#8 0xc015d52f in execve (p=0xc452ede0, uap=0xc4568f94)
at ../../kern/kern_exec.c:179
#9 0xc0268ae7 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 135004496,
tf_esi = 135028528, tf_ebp = -1077945476, tf_isp = -1000960028,
tf_ebx = 135004336, tf_edx = 135004496, tf_ecx = 4, tf_eax = 59,
tf_trapno = 12, tf_err = 2, tf_eip = 672160040, tf_cs = 31,
tf_eflags = 646, tf_esp = -1077945680, tf_ss = 39})
at ../../i386/i386/trap.c:1100
#10 0xc025b62c in Xint0x80_syscall ()
Cannot access memory at address 0xbfbfdb7c.
------------------------------------------------------
And, for giggles, my dmesg from GENERIC:
Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
FreeBSD 3.4-RELEASE #1: Wed Mar 1 22:53:54 CET 2000
root@alaaf:/usr/src/sys/compile/GENERIC
Timecounter "i8254" frequency 1193182 Hz
CPU: Pentium II (233.86-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x634 Stepping = 4
Features=0x80f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,MMX>
real memory = 67043328 (65472K bytes)
config> f wdc0 0xa0ffa0ff
config> f wdc1 0xa0ffa0ff
config> q
avail memory = 61669376 (60224K bytes)
Preloaded elf kernel "kernel" at 0xc0360000.
Preloaded userconfig_script "/boot/kernel.conf" at 0xc036009c.
Pentium Pro MTRR support enabled
Probing for devices on PCI bus 0:
chip0: <Intel 82443LX host to PCI bridge> rev 0x03 on pci0.0.0
chip1: <Intel 82443LX PCI-PCI bridge> rev 0x03 on pci0.1.0
chip2: <Intel 82371AB PCI to ISA bridge> rev 0x01 on pci0.4.0
ide_pci0: <Intel PIIX4 Bus-master IDE controller> rev 0x01 on pci0.4.1
chip3: <Intel 82371AB Power management controller> rev 0x01 on pci0.4.3
Probing for devices on PCI bus 1:
vga0: <Matrox model 0521 graphics accelerator> rev 0x01 int a irq 0 on pci1.0.0
Probing for PnP devices:
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
ed0 not found at 0x280
fe0 not found at 0x300
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
psm0 not found
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fd0: 1.44MB 3.5in
wdc0 at 0x1f0-0x1f7 irq 14 flags 0xa0ffa0ff on isa
wdc0: unit 0 (wd0): <QUANTUM BIGFOOT_CY4320A>, DMA, 32-bit, multi-block-16
wd0: 4134MB (8467200 sectors), 8960 cyls, 15 heads, 63 S/T, 512 B/S
wdc1 at 0x170-0x177 irq 15 flags 0xa0ffa0ff on isa
wdc1: unit 0 (atapi): <685A/8.4D>, removable, dma, iordy
acd0: drive speed 1171KB/sec, 120KB cache
acd0: supported read types:
acd0: Audio: play, 255 volume levels
acd0: Mechanism: ejectable tray
acd0: Medium: no/blank disc inside, unlocked
wt0 not found at 0x300
mcd0 not found at 0x300
matcdc0 not found at 0x230
scd0 not found at 0x230
ppc0 at 0x378 irq 7 flags 0x40 on isa
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
lpt0: <generic printer> on ppbus 0
lpt0: Interrupt-driven port
ppi0: <generic parallel i/o> on ppbus 0
plip0: <PLIP network interface> on ppbus 0
ie0: unknown board_id: f000
ie0 not found at 0x300
ep0 not found at 0x300
ex0 not found
le0 not found at 0x300
lnc0 not found at 0x280
cs0 not found at 0x300
ze0 not found at 0x300
zp0 not found at 0x300
adv0 not found at 0x330
bt0 not found at 0x134
aha0 at 0x330-0x333 irq 11 drq 5 on isa
aha0: AHA-1542CF FW Rev. C.0 (ID=45) SCSI Host Adapter, SCSI ID 7, 16 CCBs
aic0 not found
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: INT 16 interface
Waiting 15 seconds for SCSI devices to settle
changing root device to wd0s1a
da0 at aha0 bus 0 target 0 lun 0
da0: <FUJITSU M2684S-512 2036> Fixed Direct Access SCSI-2 device
da0: 3.300MB/s transfers
da0: 507MB (1039329 512 byte sectors: 64H 32S/T 507C)
vinum: loaded
vinum: reading configuration from /dev/wd0s4h
vinum: updating configuration from /dev/wd0s2h
>How-To-Repeat:
1) Add "option SOFTUPDATES" to GENERIC kernel config.
2) config & make & install kernel. boot.
3) login (root, or plain user, doesn't matter).
4) Run following program (source bellow) rapidly many times i.e.:
while true; do ./mem_hog 70; done
NOTE: "70" depends on system, and needs to be more than the total MB
RAM you have. Point is, system needs to swap heavily. (70 worked for
me on a 64MB system. If you have 256MB, try 300, etc...)
5) kernel should panic after the 3rd or 4th time... if not try
maybe more MB.
Would like to hear if anyone can reproduce it! I seemed to have nailed
it on my system, and can do it at will 100% of the time.
mem_hog CODE:
---
/* mem_hog.c -- fills up pages of RAM.
* Usage: ./mem_hog [mb]
* mb - number of MB of RAM to fill
*/
#include <stdlib.h>
#include <stdio.h>
int main(int ac, char **av) {
int i;
size_t s;
char *p, *pp;
if (ac > 1) s = strtol(av[1], NULL, 10);
else s = 64;
p = (char *)malloc(1024*1024*s);
if (p == NULL) {
fprintf(stderr, "Out of memory!\n");
return 1;
}
for (i=0, pp = p; i<1024*1024*s; i += 4096, pp += 4096) {
*pp = 0x01;
printf("%dKB \r", i>>10); fflush(stdout);
}
printf("\n");
free(p);
return 0;
}
>Fix:
No idea. This one gets into vm_map.c while loading an ELF image
and is way over my head. Would like to know though!
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200003020905.BAA55433>