Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 23 Jun 2006 10:58:50 +0100
From:      Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To:        Martin Blapp <mb@imp.ch>
Cc:        Robert Watson <rwatson@freebsd.org>, Patrick Guelat <patg@imp.ch>, "Wojciech A. Koszek" <wkoszek@freebsd.org>, freebsd-stable@freebsd.org
Subject:   Re: Crash with FreeBSD 6.1 STABLE of today
Message-ID:  <1151056731.62769.2.camel@buffy.york.ac.uk>
In-Reply-To: <20060622223630.V17514@godot.imp.ch>
References:  <20060621202508.S17514@godot.imp.ch> <20060621193941.Y8526@fledge.watson.org> <20060622205806.GA6542@FreeBSD.czest.pl> <20060622223630.V17514@godot.imp.ch>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 2006-06-22 at 23:27 +0200, Martin Blapp wrote:
> Hi,
> 
> >>> Unfortunaltly I get this with the debug kernel.
> >>> Does one have to boot with the debug.kernel itself
> >>> to get a trace which is usable ?
> 
> Sigh. A recompile helped !
> 
> (kgdb) where
> #0  doadump () at pcpu.h:165
> #1  0xc066355e in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
> #2  0xc06638b5 in panic (fmt=0xc0891732 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
> #3  0xc085c6b6 in trap_fatal (frame=0xed6e4ab8, eva=4) at /usr/src/sys/i386/i386/trap.c:836
> #4  0xc085c3bf in trap_pfault (frame=0xed6e4ab8, usermode=0, eva=4) at /usr/src/sys/i386/i386/trap.c:744
> #5  0xc085bfb5 in trap (frame=
>        {tf_fs = 8, tf_es = 40, tf_ds = -1063714776, tf_edi = -1064042304, tf_esi 
> = 0, tf_ebp = -311538944, tf_isp = -311538972, tf_ebx = -967615488, tf_edx = 
> -1063651212, tf_ecx = -941099136, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1066845359, tf_cs 
> = 32, tf_eflags = 66194, tf_esp = -967615488, tf_ss = 0})
>      at /usr/src/sys/i386/i386/trap.c:434
> #6  0xc0848bea in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #7  0xc0693b51 in ttymodem (tp=0xc6535c00, flag=-1063651212) at /usr/src/sys/kern/tty.c:1659
> #8  0xc0698362 in ptcclose (dev=0x0, flags=3, fmt=8192, td=0xc7e7f780) at linedisc.h:136
> #9  0xc0638a6f in giant_close (dev=0xcb3c1100, fflag=3, devtype=8192, td=0xc7e7f780) at /usr/src/sys/kern/kern_conf.c:266
> #10 0xc06162bf in devfs_close (ap=0xed6e4b7c) at /usr/src/sys/fs/devfs/devfs_vnops.c:287
> #11 0xc086dc1c in VOP_CLOSE_APV (vop=0x0, a=0xc099f874) at vnode_if.c:426
> #12 0xc06c87e2 in vn_close (vp=0xc9cdf660, flags=3, file_cred=0x0, td=0xc7e7f780) at vnode_if.h:227
> #13 0xc06c974a in vn_closefile (fp=0xc6fc5438, td=0xc7e7f780) at /usr/src/sys/kern/vfs_vnops.c:865
> #14 0xc06162e7 in devfs_close_f (fp=0xc6fc5438, td=0xc7e7f780) at /usr/src/sys/fs/devfs/devfs_vnops.c:297
> #15 0xc0642cdc in fdrop_locked (fp=0xc6fc5438, td=0xc7e7f780) at file.h:295
> #16 0xc0642c29 in fdrop (fp=0xc6fc5438, td=0xc7e7f780) at /usr/src/sys/kern/kern_descrip.c:2122
> #17 0xc06411c7 in closef (fp=0xc6fc5438, td=0xc7e7f780) at /usr/src/sys/kern/kern_descrip.c:1942
> #18 0xc063e329 in close (td=0xc7e7f780, uap=0x0) at /usr/src/sys/kern/kern_descrip.c:1007
> #19 0xc085c9f7 in syscall (frame=
>        {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 0, tf_esi = 673925920, 
> tf_ebp = -1077941928, tf_isp = -311538332, tf_ebx = 673852332, tf_edx = 
> 673925920, tf_ecx = 673925920,
> tf_eax = 6, tf_trapno = 12, tf_err = 2, tf_eip = 673354727, tf_cs = 51, 
> tf_eflags = 518, tf_esp = -1077941956, tf_ss = 59}) at 
> /usr/src/sys/i386/i386/trap.c:981
> #20 0xc0848c3f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
> #21 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb)
> 
> (kgdb) frame 5
> #5  0xc085bfb5 in trap (frame=
>        {tf_fs = 8, tf_es = 40, tf_ds = -1063714776, tf_edi = -1064042304, tf_esi 
> = 0, tf_ebp = -311538944, tf_isp = -311538972, tf_ebx = -967615488, tf_edx = 
> -1063651212, tf_ecx =
>   -941099136, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1066845359, tf_cs 
> = 32, tf_eflags = 66194, tf_esp = -967615488, tf_ss = 0})
>      at /usr/src/sys/i386/i386/trap.c:434
> 
> (kgdb) frame 8
> #8  0xc0698362 in ptcclose (dev=0x0, flags=3, fmt=8192, td=0xc7e7f780) at 
> linedisc.h:136
> 
> 136             return ((*linesw[tp->t_line]->l_modem)(tp, flag));
> (kgdb) list
> 131
> 132     static __inline int
> 133     ttyld_modem(struct tty *tp, int flag)
> 134     {
> 135
> 136             return ((*linesw[tp->t_line]->l_modem)(tp, flag));
> 137     }
> 138
> 139     #endif /* _KERNEL */
> 
> (kgdb) frame 7
> 
> (kgdb) p *tp->t_session
> Cannot access memory at address 0x0
> 
> (kgdb) frame 7
> #7  0xc0693b51 in ttymodem (tp=0xc6535c00, flag=-1063651212) at /usr/src/sys/kern/tty.c:1659
> 1659                                    if (tp->t_session->s_leader) {
> (kgdb) list
> 1654                        !ISSET(tp->t_cflag, CLOCAL)) {
> 1655                            SET(tp->t_state, TS_ZOMBIE);
> 1656                            CLR(tp->t_state, TS_CONNECTED);
> 1657                            if (tp->t_session) {
> 1658                                    sx_slock(&proctree_lock);
> 1659                                    if (tp->t_session->s_leader) {
> 1660                                            struct proc *p;
> 1661
> 1662                                            p = tp->t_session->s_leader;
> 1663                                            PROC_LOCK(p);
> 
> (kgdb) p *tp->t_session
> Cannot access memory at address 0x0
> 
> So here the problem is. Why is tp->t_session empty ? Maybe it has been already 
> free() earlier and we have some race here ?

"Race" was exactly my conclusion last time I looked into this.
http://docs.FreeBSD.org/cgi/mid.cgi?20041204110815.E80797

Something, somewhere is playing with t_session without locking...

Gavin




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1151056731.62769.2.camel>