From owner-freebsd-current Fri Jan 9 12:00:30 1998 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA06203 for current-outgoing; Fri, 9 Jan 1998 12:00:30 -0800 (PST) (envelope-from owner-freebsd-current) Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA06066 for ; Fri, 9 Jan 1998 12:00:06 -0800 (PST) (envelope-from root@implode.root.com) Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id LAA08072; Fri, 9 Jan 1998 11:57:42 -0800 (PST) Message-Id: <199801091957.LAA08072@implode.root.com> To: Penisoara Adrian cc: Kevin Day , freebsd-current@FreeBSD.ORG Subject: Re: Fatal trap 12 & debugging info ?? In-reply-to: Your message of "Fri, 09 Jan 1998 21:29:54 +0200." From: David Greenman Reply-To: dg@root.com Date: Fri, 09 Jan 1998 11:57:42 -0800 Sender: owner-freebsd-current@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk > I've manually patched kern_exec.c (rev 1.69 introduced a >include and a STOPEVENT() call, make depend wasn't so happy with those) >and now I'm awaiting... hoping it won't panic anymore :) Hmmm. > BTW, I can't find PR#5313 (GNATS didn't find it, or I'm not using the >right query params) that "bde" made reference to in r1.70 CVS log; any >kind soul care to help me finding it ? Attached. -DG David Greenman Core-team/Principal Architect, The FreeBSD Project >From dima@burka.rdy.com Tue Dec 16 00:28:31 1997 Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA06695 for ; Tue, 16 Dec 1997 00:28:30 -0800 (PST) (envelope-from dima@burka.rdy.com) Received: by burka.rdy.com id AAA27196; (8.8.8/RDY) Tue, 16 Dec 1997 00:28:29 -0800 (PST) Message-Id: <199712160828.AAA27196@burka.rdy.com> Date: Tue, 16 Dec 1997 00:28:29 -0800 (PST) >From: dima@best.net Reply-To: dima@best.net To: FreeBSD-gnats-submit@freebsd.org Subject: panic: free: multiple frees X-Send-Pr-Version: 3.2 >Number: 5313 >Category: kern >Synopsis: system crashes with "free: multiple frees" message. >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: closed >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Dec 16 00:30:00 PST 1997 >Last-Modified: Sat Dec 20 12:00:53 MET 1997 >Originator: Dima Ruban >Organization: BEST Internet Communications, Inc. >Release: FreeBSD 2.2.5-STABLE i386 >Environment: Here's dmesg output: Copyright (c) 1992-1997 FreeBSD Inc. Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved. FreeBSD 2.2.5-STABLE #20: Wed Dec 3 11:33:30 PST 1997 dillon@tick.best.net:/src/src/sys/compile/BEST CPU: Pentium Pro (199.31-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0x619 Stepping=9 Features=0xf9ff,MTRR,PGE,MCA,CMOV> real memory = 134217728 (131072K bytes) avail memory = 121167872 (118328K bytes) Probing for devices on PCI bus 0: chip0 rev 2 on pci0:0 chip1 rev 1 on pci0:1:0 chip2 rev 0 on pci0:1:1 vga0 rev 211 int a irq 12 on pci0:10 de0 rev 32 int a irq 10 on pci0:11 de0: SMC 9332BDT 21140A [10-100Mb/s] pass 2.0 de0: address 00:e0:29:06:cc:47 ahc0 rev 0 int a irq 11 on pci0:12 ahc0: aic7880 Wide Channel, SCSI Id=7, 16 SCBs ahc0 waiting for scsi devices to settle ahc0: target 0 Tagged Queuing Device (ahc0:0:0): "SEAGATE ST34371W 0484" type 0 fixed SCSI 2 sd0(ahc0:0:0): Direct-Access 4148MB (8496884 512 byte sectors) sd0(ahc0:0:0): with 5172 cyls, 10 heads, and an average 164 sectors/track ahc0: target 1 Tagged Queuing Device (ahc0:1:0): "SEAGATE ST19171W 0023" type 0 fixed SCSI 2 sd1(ahc0:1:0): Direct-Access 8683MB (17783112 512 byte sectors) sd1(ahc0:1:0): with 5268 cyls, 20 heads, and an average 168 sectors/track ahc0: target 2 Tagged Queuing Device (ahc0:2:0): "SEAGATE ST19171W 0023" type 0 fixed SCSI 2 sd2(ahc0:2:0): Direct-Access 8683MB (17783112 512 byte sectors) sd2(ahc0:2:0): with 5268 cyls, 20 heads, and an average 168 sectors/track Probing for devices on the ISA bus: sc0 at 0x60-0x6f irq 1 on motherboard sc0: VGA color <16 virtual consoles, flags=0x0> sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa sio0: type 16550A sio1 at 0x2f8-0x2ff irq 3 on isa sio1: type 16550A lpt0 at 0x378-0x37f irq 7 on isa lpt0: Interrupt-driven port lp0: TCP/IP capable interface fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa fdc0: FIFO enabled, 8 bytes threshold fd0: 1.44MB 3.5in npx0 on motherboard npx0: INT 16 interface ccd0: Concatenated disk driver >Description: System panics with 'panic: free: multiple frees' randomly. Hardware configuration is summarized in boot output, above. Crash dump is available. Here's backtrace from the dump: #0 boot (howto=0x104) at ../../kern/kern_shutdown.c:266 #1 0xf01132a3 in panic (fmt=0xf0101459 "from debugger") at ../../kern/kern_shutdown.c:390 #2 0xf0101475 in db_panic (dummy1=0xf01b5149, dummy2=0x0, dummy3=0xffffffff, dummy4=0xefbffc90 "") at ../../ddb/db_command.c:440 #3 0xf0101365 in db_command (last_cmdp=0xf01ddb24, cmd_table=0xf01dd974, aux_cmd_tablep=0xf02032d0) at ../../ddb/db_command.c:337 #4 0xf01014e2 in db_command_loop () at ../../ddb/db_command.c:462 #5 0xf0103c38 in db_trap (type=0x3, code=0x0) at ../../ddb/db_trap.c:73 #6 0xf01b4f4b in kdb_trap (type=0x3, code=0x0, regs=0xefbffd80) at ../../i386/i386/db_interface.c:126 #7 0xf01be764 in trap (frame={tf_es = 0x10, tf_ds = 0x10, tf_edi = 0xf1781908, tf_esi = 0xf010fca7, tf_ebp = 0xefbffdc4, tf_isp = 0xefbffda8, tf_ebx = 0x100, tf_edx = 0xf01b5111, tf_ecx = 0x3f9, tf_eax = 0x12, tf_trapno = 0x3, tf_err = 0x0, tf_eip = 0xf01b5149, tf_cs = 0x8, tf_eflags = 0x256, tf_esp = 0xf01b5101, tf_ss = 0xf0113238}) at ../../i386/i386/trap.c:403 #8 0xf01b5149 in Debugger (msg=0xf0113238 "panic") at ../../i386/i386/db_interface.c:254 #9 0xf011329a in panic (fmt=0xf010fca7 "free: multiple frees") at ../../kern/kern_shutdown.c:388 #10 0xf010fd87 in free (addr=0xf5dbd000, type=0x4a) at ../../kern/kern_malloc.c:342 #11 0xf010c500 in execve (p=0xf2685e00, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/kern_exec.c:371 #12 0xf01bf1a7 in syscall (frame={tf_es = 0xefbf0027, tf_ds = 0xefbf0027, tf_edi = 0x50620, tf_esi = 0x0, tf_ebp = 0xefbfdc98, tf_isp = 0xefbfffe4, tf_ebx = 0x50630, tf_edx = 0x50630, tf_ecx = 0x5132f, tf_eax = 0x3b, tf_trapno = 0xc, tf_err = 0x7, tf_eip = 0x28a55, tf_cs = 0x1f, tf_eflags = 0x206, tf_esp = 0xefbfdc7c, tf_ss = 0x27}) at ../../i386/i386/trap.c:890 #13 0x28a55 in ?? () #14 0x34d4 in ?? () #15 0x3237 in ?? () #16 0x235d in ?? () #17 0x21e2 in ?? () #18 0x22d7 in ?? () #19 0x906b in ?? () #20 0x8f7b in ?? () #21 0x107e in ?? () >How-To-Repeat: >Fix: >Audit-Trail: From: Bruce Evans To: dima@best.net, FreeBSD-gnats-submit@FreeBSD.ORG Cc: Subject: Re: kern/5313: panic: free: multiple frees Date: Tue, 16 Dec 1997 20:53:06 +1100 >#9 0xf011329a in panic (fmt=0xf010fca7 "free: multiple frees") > at ../../kern/kern_shutdown.c:388 >#10 0xf010fd87 in free (addr=0xf5dbd000, type=0x4a) > at ../../kern/kern_malloc.c:342 There is one obvious problem. imgp->image_header needs to be cleared in both arms of the if statement since it is always set). This fix has not been tested. Bruce diff -c2 kern_exec.c~ kern_exec.c *** kern_exec.c~ Mon Dec 8 06:07:52 1997 --- kern_exec.c Tue Dec 16 20:47:32 1997 *************** *** 219,226 **** brelse(bp); bp = NULL; ! } else { free((void *)imgp->image_header, M_TEMP); ! imgp->image_header = NULL; ! } /* free old vnode and name buffer */ vrele(ndp->ni_vp); --- 218,224 ---- brelse(bp); bp = NULL; ! } else free((void *)imgp->image_header, M_TEMP); ! imgp->image_header = NULL; /* free old vnode and name buffer */ vrele(ndp->ni_vp); State-Changed-From-To: open-feedback State-Changed-By: davidg State-Changed-When: Tue Dec 16 08:00:39 PST 1997 State-Changed-Why: A fix was committed to both -current and -stable that might fix this problem (and others?!). Please confirm closure. State-Changed-From-To: feedback-closed State-Changed-By: joerg State-Changed-When: Sat Dec 20 12:00:29 MET 1997 State-Changed-Why: Supplied feedback suggest fix was successful. >Unformatted: