From owner-freebsd-current  Sat Mar  2 06:46:44 1996
Return-Path: owner-current
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id GAA17125
          for current-outgoing; Sat, 2 Mar 1996 06:46:44 -0800 (PST)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id GAA17118
          for <freebsd-current@FreeBSD.ORG>; Sat, 2 Mar 1996 06:46:39 -0800 (PST)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.12/8.6.9) id BAA09381; Sun, 3 Mar 1996 01:41:53 +1100
Date: Sun, 3 Mar 1996 01:41:53 +1100
From: Bruce Evans <bde@zeta.org.au>
Message-Id: <199603021441.BAA09381@godzilla.zeta.org.au>
To: jhay@mikom.csir.co.za, terry@lambert.org
Subject: Re: rename panics kernel
Cc: freebsd-current@FreeBSD.ORG
Sender: owner-current@FreeBSD.ORG
Precedence: bulk

>> > Resently I got a "panic : vrele : negative reference count".
>> > The vrele() was called from rename().
>> > 
>> > I tried a simple script to exercise rename (attached below) and a
>> > current system seems to panic (trapped in ufs_rename).  There's a race

I got this to cause problems in all versions of current by waiting a
little longer.

The console aborts are still broken (bde should fix this :-)

The panic in savecore repeats until I run `savecore -c' to clear the core.

Bruce

Debugger("manual escape to debugger")
Stopped at      _Debugger+0x2b: movb    $0,_in_Debugger.100
db> c
panic: vm_fork: u_map allocation failed
Debugger("panic")
Stopped at      _Debugger+0x2b: movb    $0,_in_Debugger.100
db> t
_Debugger(f01197fa,f01197f8,f01bbc40,efbffee4,f01197f0) at _Debugger+0x2b
_panic(f01bbc40,f064fe00,f0687000,efbfff8c,14) at _panic+0x4e
_vm_fork(f0687000,f064fe00) at _vm_fork+0x164
_fork1(f0687000,0,0,efbfff8c,efbfffb4) at _fork1+0x3c5
_fork(f0687000,efbfff94,efbfff8c,0,17250) at _fork+0x12
_syscall(efbf0027,efbf0027,1c7d0,17250,efbfd990) at _syscall+0x157
_Xsyscall() at _Xsyscall+0x2d
--- syscall 2, eip = 0x8061395, ebp = 0xefbfd990 ---
db> ps
  pid   proc     addr    uid  ppid  pgrp  flag stat wmesg   wchan   cmd
  542 f064fe00 f3533000   15   241   241 000006  1                  sh
  241 f0687000 f351b000   15   224   241 00c006  2                  sh
  227 f0687600 f3519000    0     1   227 004082  3   ttyin f02265ec getty
  226 f0689b00 f3517000    0     1   226 004082  3   ttyin f0226510 getty
  225 f0687500 f34f5000    0     1   225 004082  3   ttyin f0226434 getty
  224 f0689c00 f34f3000   15     1   224 004086  3    wait f0689c00 bash
  184 f068c300 f3515000    0     1   184 000080  3  accept f0685322 sendmail
  180 f0685d00 f3513000    0     1   180 000080  2                  cron
  173 f066ec00 f3509000    0     1   173 000080  3  select f022752c inetd
  172 f066ee00 f3511000    0     1   164 000080  3  nfsidl f0227268 nfsiod
  167 f066a200 f350f000    0     1   164 000080  3  nfsidl f022726c nfsiod
  166 f066a400 f350d000    0     1   164 000080  3  nfsidl f0227260 nfsiod
  165 f066a800 f350b000    0     1   164 000080  3  nfsidl f0227264 nfsiod
  162 f066ae00 f3507000    0   157   157 000080  3    nfsd f0653600 nfsd
  161 f0666000 f3505000    0   157   157 000080  3    nfsd f0653400 nfsd
  160 f0666100 f3503000    0   157   157 000080  3    nfsd f0653800 nfsd
  159 f0666a00 f3501000    0   157   157 000080  3    nfsd f0653a00 nfsd
  157 f0666800 f34ff000    0     1   157 000080  3  accept f066a722 nfsd
  155 f0666e00 f34fd000    0     1   155 000080  3  select f022752c mountd
  148 f0664b00 f34fb000    1     1   148 000180  3  select f022752c portmap
--More--  142 f0661400 f34f9000    0     1   142 000084  2                  syslogd
   22 f063a100 f34f7000    0     1    22 000080  3   pause f34f7148 adjkerntz
    4 f0632f00 f34f1000    0     0     0 000604  2                  update
    3 f061c000 f34ef000    0     0     0 000204  3  psleep f021f3a4 vmdaemon
    2 f061c200 f34ed000    0     0     0 000204  3  psleep f0227854 pagedaemon
    1 f061c400 f34eb000    0     0     1 004080  3    wait f061c400 init
    0 f0236b24 f026f000    0     0     0 000204  2                  swapper
db> sh r
cs          0xefbf0008
ds                0x10
es                0x10
ss                0x10
eax               0x12
ecx              0x3f9
edx         0xf01c8115  _db_write_bytes+0xd9
ebx              0x100
esp         0xefbffeac  _kstack+0x1eac
ebp         0xefbffeb4  _kstack+0x1eb4
esi         0xf01bbc40  _vsunlock+0x60
edi         0xefbfff8c  _kstack+0x1f8c
eip         0xf01c8143  _Debugger+0x2b
efl              0x246
_Debugger+0x2b: movb    $0,_in_Debugger.100
db> c

syncing disks... 8 8 6 done

dumping to dev 1, offset 50124
dump 7 6 5 4 3 2 1 0 succeeded
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...

[reboot]

checking for core dump...savecore: reboot after panic: bremfree: removing a buffer when not on a queue
savecore: system went down at Sun Mar  3 01:32:04 1996
savecore: writing core to /var/crash/vmcore.0
  8192Kpanic: bremfree: removing a buffer when not on a queue
Debugger("panic")
Stopped at      _Debugger+0x2b: movb    $0,_in_Debugger.100
db> t
_Debugger(f01197fa,f01197f8,f012c881,efbffce8,f01197f0) at _Debugger+0x2b
_panic(f012c881,f260b70c,c0004040,efbffd20,f012d678) at _panic+0x4e
_bremfree(f260b70c) at _bremfree+0x5e
_vfs_bio_awrite(f260b70c,0,80000000,c0004040,efbffd64) at _vfs_bio_awrite+0x120
_getnewbuf(0,0,1,0,f061a000) at _getnewbuf+0x143
_getblk(f0663d80,48,2000,0,0) at _getblk+0x210
_ffs_balloc(f065e100,48,2000,f0618180,efbffeb8) at _ffs_balloc+0x6aa
_ffs_write(efbffee0,efbfff94,100000,efbfff94,0) at _ffs_write+0x2cd
_vn_write(f065fcc0,efbfff2c,f0618180,efbfff94,f0656500) at _vn_write+0x93
_write(f0656500,efbfff94,efbfff8c,100000,807ed60) at _write+0x97
_syscall(27,27,6,807ed60,efbfde60) at _syscall+0x157
_Xsyscall() at _Xsyscall+0x2d
--- syscall 4, eip = 0x8063f95, ebp = 0xefbfde60 ---
db> ps
  pid   proc     addr    uid  ppid  pgrp  flag stat wmesg   wchan   cmd
  138 f0656500 f34f5000    0     5     5 004006  2                  savecore
   22 f0632000 f34f7000    0     1    22 000084  3   pause f34f7148 adjkerntz
    5 f0635900 f34f3000    0     1     5 004086  3    wait f0635900 sh
    4 f0632f00 f34f1000    0     0     0 000204  3  update f0237d90 update
    3 f061c000 f34ef000    0     0     0 000204  3  psleep f021f3a4 vmdaemon
    2 f061c200 f34ed000    0     0     0 000204  3  psleep f0227854 pagedaemon
    1 f061c400 f34eb000    0     0     1 004084  3    wait f061c400 init
    0 f0236b24 f026f000    0     0     0 000204  3   sched f0236b24 swapper
db> sh r
cs          0xefbf0008
ds                0x10
es                0x10
ss                0x10
eax               0x12
ecx              0x3f9
edx         0xf01c8115  _db_write_bytes+0xd9
ebx              0x100
esp         0xefbffcb0  _kstack+0x1cb0
ebp         0xefbffcb8  _kstack+0x1cb8
esi         0xf012c881  _bufinit+0x1bd
edi         0xf0620c80
eip         0xf01c8143  _Debugger+0x2b
efl              0x246
_Debugger+0x2b: movb    $0,_in_Debugger.100
db> c

syncing disks... panic: bremfree: removing a buffer when not on a queue
Debugger("panic")
Stopped at      _Debugger+0x2b: movb    $0,_in_Debugger.100
db> c

dumping to dev 1, offset 50124
dump 7 6 5 4 3 2 1 0 succeeded
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...