Date: Tue, 1 Mar 2005 10:50:19 -0800 (PST)
From: Doug White
To: freebsd-current@freebsd.org
In-Reply-To: <80134123.20050228214525@takeda.tk>
Message-ID: <20050301104030.W68845@carver.gumbysoft.com>
References: <549575862.20050226230200@takeda.tk> <20050228210235.C62607@carver.gumbysoft.com> <80134123.20050228214525@takeda.tk>
Subject: Re: FreeBSD 5.3 crash (core with debug symbols available)

On Mon, 28 Feb 2005, Dariusz Kulinski wrote:

> Hello Doug,
>
> Monday, February 28, 2005, 9:07:45 PM, you wrote:
>
> > Could you post the tail end of 'print msgbuf' so we can see what the
> > faulting address was?
>
> ehh... :(
>
> [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd".
> doadump () at pcpu.h:159
> (kgdb) print msgbuf
> No symbol "msgbuf" in current context.

oops.. er.. um...

> > This is (in RELENG_5_3):
>
> > 1580         FOREACH_THREAD_IN_PROC(p, td) {
> > 1581                 if (td->td_waitset != NULL &&
> > 1582                     SIGISMEMBER(*(td->td_waitset), sig)) {
> > 1583                         mtx_unlock_spin(&sched_lock);
> > 1584                         return (td);
>
> > Looks like it ran over a spammed thread, but I'll want to see the fault
> > address. Bets on whether it's 0xdeadc0de+offset?
>
> 0xdeadc0de, huh? :)

free()d memory regions get filled with 0xdeadc0de to hunt down
use-after-free conditions.

> Just one more thing, maybe it helps, that's from dmesg (I totally
> forgot about that I have it):
>
> kernel trap 12 with interrupts disabled
>
>
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0xd12bfc64
> fault code              = supervisor read, page not present
> instruction pointer     = 0x8:0xc04e9d3f
> stack pointer           = 0x10:0xcbd25c24
> frame pointer           = 0x10:0xcbd25c44
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = resume, IOPL = 0
> current process         = 27 (swi5: clock sio)
> panic: vm_fault: fault on nofault entry, addr: d12bf000
> KDB: stack backtrace:
> kdb_backtrace(c06d09c4,c0725520,c06df826,cbd25a70,d12bf000) at kdb_backtrace+0x2e
> panic(c06df826,d12bf000,1,cbd25b00,cbd25af0) at panic+0xb7
> vm_fault(c103a000,d12bf000,1,0,cbd25be4) at vm_fault+0x1b9
> trap_pfault(cbd25be4,0,d12bfc64,0,d12bfc64) at trap_pfault+0x1f3
> trap(c1f90018,10,c1d10010,0,0) at trap+0x340
> calltrap() at calltrap+0x5
> --- trap 0xc, eip = 0xc04e9d3f, esp = 0xcbd25c24, ebp = 0xcbd25c44 ---
> sigtd(c16948d4,e,81,c16948d4,cbd25c94) at sigtd+0xaf
> psignal(c16948d4,e,c14e04b0,c06fb3c0,bbb3c76b) at psignal+0x4b
> realitexpire(c16948d4,0,cbd25cb8,210b41,87c25148) at realitexpire+0x60
> softclock(0,0,0,0,0) at softclock+0x26e
> ithread_loop(c14dd580,cbd25d48,0,0,0) at ithread_loop+0x1b8
> fork_exit(c04cbd20,c14dd580,cbd25d48) at fork_exit+0x80
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xcbd25d7c, ebp = 0 ---
> KDB: enter: panic
> Uptime: 25d1h32m49s
> Dumping 255 MB
> 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
> Dump complete
> Automatic reboot in 15 seconds - press a key on the console to abort
> Rebooting...
>

That's what I want :-)

OK, it wasn't deadc0de, so can you load the crashdump up, go down to the
sigtd() frame, and "print *td"? It'll be a huge spew.

--
Doug White                    |  FreeBSD: The Power to Serve
dwhite@gumbysoft.com          |  www.FreeBSD.org
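
Added example, not part of the original message and not FreeBSD kernel code: a user-space C model of the poison-on-free technique mentioned above, with the "0xdeadc0de+offset" triage check applied to the fault address from the quoted panic. The struct layout, function names and the 0x1000 offset bound are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define POISON 0xdeadc0deU  /* fill pattern named in the thread */

/* Model of a debug free(): overwrite the region with the 32-bit pattern
 * before it is returned to the allocator. */
void poison_fill(void *p, size_t len)
{
    const uint32_t pat = POISON;
    const unsigned char *src = (const unsigned char *)&pat;
    unsigned char *dst = p;

    for (size_t i = 0; i < len; i++)
        dst[i] = src[i % sizeof pat];
}

/* Constructed stand-in for an i386 object; pointers are modelled as
 * uint32_t so the example behaves the same on a 64-bit host. */
struct fake_thread {
    uint32_t td_flags;
    uint32_t td_waitset;    /* the pointer the quoted loop dereferences */
};

/* What a stale reader sees in td_waitset once the object was "freed". */
uint32_t stale_waitset(void)
{
    struct fake_thread t = { 0x1, 0x1000 };  /* constructed values */

    poison_fill(&t, sizeof t);
    return t.td_waitset;
}

/* Triage check: is the fault address the poison value plus a small
 * member offset? max_off is a hypothetical bound on object size. */
int is_poison_deref(uint32_t fault, uint32_t max_off)
{
    return fault >= POISON && fault - POISON <= max_off;
}

int main(void)
{
    uint32_t stale = stale_waitset();

    printf("stale pointer reads as 0x%08x\n", (unsigned)stale);
    printf("0x%08x -> %d\n", (unsigned)(stale + 0x40), is_poison_deref(stale + 0x40, 0x1000));
    printf("0xd12bfc64 -> %d\n", is_poison_deref(0xd12bfc64U, 0x1000));
    return 0;
}
```

A fault address that fails this check, as 0xd12bfc64 does, only rules out a direct dereference of a poisoned pointer; it does not rule out other forms of stale or corrupted state.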