From nobody Wed Nov 19 21:04:25 2025
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dBYrs4fKLz6JGc0
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Wed, 19 Nov 2025 21:04:45 +0000 (UTC)
	(envelope-from marklmi@yahoo.com)
Received: from sonic309-21.consmr.mail.gq1.yahoo.com (sonic309-21.consmr.mail.gq1.yahoo.com [98.137.65.147])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4dBYrq6z67z42Hv
	for <freebsd-current@freebsd.org>; Wed, 19 Nov 2025 21:04:43 +0000 (UTC)
	(envelope-from marklmi@yahoo.com)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=yahoo.com header.s=s2048 header.b=iY3EFkPY;
	dmarc=pass (policy=reject) header.from=yahoo.com;
	spf=pass (mx1.freebsd.org: domain of marklmi@yahoo.com designates 98.137.65.147 as permitted sender) smtp.mailfrom=marklmi@yahoo.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1763586280; bh=LnbrHx6rTLm4lF99HxhuyPGr0NfL1OMKFm0Xzq7m77o=; h=From:Subject:Date:References:To:In-Reply-To:From:Subject:Reply-To; b=iY3EFkPY3AUWkIdmqYy0Az+gbPD9H+MJrOgpMKUToUG+cS2UJx2cZ5feZfDtM8ACBCvGAry2ttU82z6HnPSqjb5H1oS6e4u7caqOkLWuRF2xwHzEi0EYlvBu9Mw8fMTNyB2UTK6LeRNG7NkqzxapOMlTwiWVIECYkyQETIkUwF0f43IqBZUHPUJQeWpdiybteLFK1l6BtknWZyk8dRd/ArBEsUj8FGLqB8QBtUJArqBxC85mthXO+53KFKwgxgUyoWRA09T+KHxRyHJjRLesFpDdMxTbuDm1dKi+taVvOj5tewfifihTt6Cv1vnztIcF1jTwE4s94IMu4Vn6Z7/ZDA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1763586280; bh=3CnxOU7VNar9KUE9+AuxpY1XYsCqRBvT8YxXqDcyY1m=; h=X-Sonic-MF:From:Subject:Date:To:From:Subject; b=OYBZdTEM9zJEPco0srD/s65eO+BxBcQda1r4eLVr5ui+VOxKfzyfdHdNhvqXeh09k75gQF/58XndxMG0gTaCn9+S+U+vBrbmhD75P0bEkaNLxQkkyLUDb5bp6IbQ9KRjxcUDCS8EbOAPLEWvefxf/YdVthakYh4QONHsMtcHBV96By+pZ8O6Ilaz6aC4STmwzNJHqp1yp2/b4QLPXPLTB55+6ovVVQTZxEkK1iTbe69RDcrJ0ULbdwEQn/+TL2AuzdOZbO/pH3juhebyQ4xFb25eHRi1bXYJibEPD9HOm/9dSc0M28TBz0NHxPfNrqLcGHJK5Wfz8LO7mxP1dQdqJA==
X-YMail-OSG: C8Vov.gVM1np8n0IbPksVpPG.9ZNpNxUD.S3N4Rv3wNzxOoAES3YSHGuAGr9FKE
 h77kx.mb8VqwhtqLrg886VUDxvArUqj9AVZsuP_zlCTiK56H0xcEIgZJJaSY.KHvOPmfl.eMURy0
 tXO2SSOum0Ti5lbn0CL4ZfnvoK18Sg4aqFTMaPxLRt4ys_ikGqlsuSxKT_1teAd2boi8YsEJ1tIq
 9fUX6ScSN_1nKAJ23M8ipuRhxxUcK62kndYhcZTsYDpLiFzDeSEzbxSYeRGF5FAnsLLQj6CzISY2
 qu0ySGER7l9JaoH.YTlDdqR3tm01g0l09C2oL7gl6xsqkCcqnFZscEzOVvNZfdt1a8y90kBVCEdO
 pKNWWTxcWGDdAzBlHsC2T2PymvHX_9La9UBud009GVyVlO1wM9OwOfrM4mRjFThiE5bqblze1WZx
 _7hvAzXF9h.RcRRwP2XEk_oHP9QScaxugUR8RG_fCohYkl.43Yg1_EIpcTWnD1rY4SzfVhqwMrdF
 FUkdGQIFnvZQpcve3.AOhnC09wETphBj0b5vuogVZPZ0XRHNvgc.MBB9n9SJ_5CHTr3cE7RubjrI
 TEYl2.MZNFxd22iIsggMah8BYw7FaxQXUWIwcgClTBRT8fv642czNSziEi8Onl0uB3fhjmhjAfhl
 jZtqokHWrpvIVQ1MRIcnU9k0CT5Ry3e9J9JTceQXsxVSL0BLchSDXY1qEP345h.qQ4BTDCHm65Vk
 wGC9AiUu75FDx9aWnA84SnCatHWj.gKaNAv19VaCaW79QvjB_VI9BWOPElR.T4UgEDzQehBiY4uV
 IQ1.2E0g2RG1GdDuDy3GSCJcsQVLcHxPT4znyMjAkWoIbjRA.nwWlXGr8ua6mYs4J8dNSuw0fSJE
 yUzEMChQAFMC0YVQNWEzx64Vi99c8uEbNrnlOHUTeOZH6MhsMekO.YvubsVzE3jOSV_65jcFnFlU
 3QxTqNXXAwP1lnF2QF2cO7YtELEhGM5dRzcadaeqC6ch5mcHw8y87LZj.xVTru6s_6XsUxZU2nUw
 rpz_.XZVIw0eHBV7XxXxCr2nQfsxKkEYtKli4TdK6GKgiT77TO.V360ZmYCMMgGzjsVYXq4jcFw4
 v8kVUg_PJnPaL1mWQW.q.HflQqbrlxe2VDDMwnerzXCR86Ma3a5fp_wMS7iX7Gvt8gIBLjHOyLmS
 V9RapHwwJnKZ7cVMHwxIp9Ry3.d24y2Dv32HYg8HXgkhI_YXuYVn1bzibr7CwTHNMIAiMZgL9ktZ
 YsEnVydzfoBLBJFoi6vYbYT1q0flI6E2sBskpRjVSyhCRYjKAxHFr3vbGEwNKwgcIbH9qwjreFGH
 kCnWOoz9aWpar0w8ln6FoExLP2vw8qiGqlAR0DPjNrloIj2O7BkwxAEvvfs1cua6MNhQTHUZtKn8
 pu3zV.dU3b.mYXh36OY8iUyauIfwZd.q7HdhlGRkakHs9pcLpR94ZdixFhNAe65P7Pk0fdR80dgW
 U4IlnH8TkkCR_ZaUHfxFZALB61NV6gvAISmPzycLQVcbbvHP11kPaiUYMtKbVrBoSK_hGjxPvgx6
 LrBvEooz6hDucwrCUxrluHMEmuf.lMa4lpIXNl27kX6_gueUmERV0rRiavj_JNaD2pGUMzEkCzfT
 u8xGcQVobR9paliMHemPo.0bYi7cIohW00AqpYvFSsALVPB.KxGAOFi_8quynDpYbVX9kk36zSQe
 VrhNczUMdpd9ScyTblSGQuIXcg5rR8DzeaIEqkoiM4wgC.Zbxxe5eV0_mweLcWeTfI1BubC_x0yC
 js.xeqHFjmZuv18uwT.CVNpotvZmkOCzvOvCBEpTG5k0AaXG1lQ2b87IBPctImvd0OHUaZHMT3PP
 LnwQjmctVsIVUscRBRx5fKP2_7R.KgmY7M5Rf.O9stvqe3YKFYk6ynPBsphT4diWeZP1u8OKvvKq
 MwmdCQUc7TyOh.Xaj5Fb2My6eQMwrwaubMu_4llL90lfP4YDEeGkNjX6JuVJ6EvcKYaP2ACEJWWy
 8ren_KFjoW42h6akNT5BAduwNPJUmGgwN7nXP.0.JA6HZGYhp6vUrDc1OOSnJ42vtDBjL1e6qU1x
 j1VnrFRHOWD84iD_p2di7FGDFtBJPNi6exJdHvnNlzUQjehUEOXtET94phyZIWh.MlW_5hF2qLm0
 Buo37VIBsH_qfeLPDkeii6mdxWfZG.88BxVtxe5I5oXU36LiWC20bJeIdgkHklf2yVq1ZewfAuLN
 Zwkili50wtXbsHOyKkwXmLXnMloteCJSDMQ67oxCNhcz.tluXlIsmIeCMPNSp0MD.PliWcv44zF_
 su4X0Hk6.oA--
X-Sonic-MF: <marklmi@yahoo.com>
X-Sonic-ID: eadc9265-f82c-4b28-9d1c-453bd01dd69a
Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.gq1.yahoo.com with HTTP; Wed, 19 Nov 2025 21:04:40 +0000
Received: by hermes--production-gq1-869cc4b577-s7np4 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 4dcd400842e69cda3e9fbb04a4b42921;
          Wed, 19 Nov 2025 21:04:36 +0000 (UTC)
From: Mark Millard <marklmi@yahoo.com>
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@FreeBSD.org
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81\))
Subject: Re: Still seeing Failed assertion: "p[i] == 0" on armv7 buildworld 
 [Notes from another example core dump: #5] [Common range #0..#10
 __je_pa_alloc]
Date: Wed, 19 Nov 2025 13:04:25 -0800
References: <aOvTG-20QRJtJJwf@int21h>
 <CANCZdfrJ8rph_rkT3Mk-sNYKNspoV15SvHWLsahzS0HnULi4ww@mail.gmail.com>
 <aO068RrAehdiHOoZ@www.zefox.net> <aRUJPryA4Vmu8dDD@www.zefox.net>
 <4957be52-e57f-4f5f-9626-d0f706480fe1@FreeBSD.org> <87ldkai9lu.fsf@panix.com>
 <aRXuLTN4hkGykHIl@www.zefox.net> <877bvthymv.fsf@panix.com>
 <aRdJ5xYeKEmhuIgh@www.zefox.net> <ouy1pm0nued.fsf@panix3.panix.com>
 <aRtBYaaa0n3_lwar@www.zefox.net>
 <CAJ-Vmo=TbT7nD7rBrNnq3cutwMp9f7WXtQ-k9mUBne5ht4zGWg@mail.gmail.com>
 <13E753F4-84F8-4ADB-96B6-908897D6971C@yahoo.com>
 <3174F751-9853-4697-B0C0-98B54518A69F@yahoo.com>
 <E634EF40-545C-44D7-9050-83D18090F6EB@yahoo.com>
 <BA9E6753-F895-46C8-95F3-C3C8B1692033@yahoo.com>
 <A27FE12B-0074-4403-81F7-8A224CC96CC8@yahoo.com>
 <D17E06B0-4591-45F2-8C46-70D94E371941@yahoo.com>
 <463AC500-C7C7-43FB-B5EF-332CEBA3D944@yahoo.com>
 <F9590F2F-0CB0-4AA9-870E-A97D45C1EC01@yahoo.com>
 <3E0D6079-0F5B-463E-94D4-37506A837D33@yahoo.com>
 <05479AC8-C8EB-42A3-9A54-2CAF687023D2@yahoo.com>
 <422A55DB-E005-4DA5-89F3-52879F35F6A4@yahoo.com>
To: freebsd-arm@freebsd.org,
 freebsd-current@freebsd.org
In-Reply-To: <422A55DB-E005-4DA5-89F3-52879F35F6A4@yahoo.com>
Message-Id: <F1F45DCF-609B-4C15-A799-5BE757F43EB2@yahoo.com>
X-Mailer: Apple Mail (2.3826.700.81)
X-Spamd-Bar: ---
X-Spamd-Result: default: False [-3.93 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-0.93)[-0.933];
	DMARC_POLICY_ALLOW(-0.50)[yahoo.com,reject];
	R_DKIM_ALLOW(-0.20)[yahoo.com:s=s2048];
	R_SPF_ALLOW(-0.20)[+ptr:yahoo.com];
	MIME_GOOD(-0.10)[text/plain];
	FREEMAIL_FROM(0.00)[yahoo.com];
	DWL_DNSWL_NONE(0.00)[yahoo.com:dkim];
	ARC_NA(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	RCPT_COUNT_TWO(0.00)[2];
	MIME_TRACE(0.00)[0:+];
	DKIM_TRACE(0.00)[yahoo.com:+];
	FROM_HAS_DN(0.00)[];
	FREEMAIL_ENVFROM(0.00)[yahoo.com];
	TO_DN_NONE(0.00)[];
	RCVD_COUNT_TWO(0.00)[2];
	FROM_EQ_ENVFROM(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	MID_RHS_MATCH_FROM(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-current@freebsd.org];
	RWL_MAILSPIKE_POSSIBLE(0.00)[98.137.65.147:from];
	APPLE_MAILER_COMMON(0.00)[];
	RCVD_IN_DNSWL_NONE(0.00)[98.137.65.147:from]
X-Rspamd-Queue-Id: 4dBYrq6z67z42Hv

On Nov 19, 2025, at 09:53, Mark Millard <marklmi@yahoo.com> wrote:
>=20
> On Nov 18, 2025, at 22:10, Mark Millard <marklmi@yahoo.com> wrote:
>=20
>> I'm only sending notes from testing of how similar other failures =
appear
>> to the 2 lists. Folks can ask that I do otherwise for them if they =
want.
>>=20
>> This one also does not have area_malloc involved at all.
>>=20
>> This one is for size 8192 (2 pages). It looks like #0..#10 are =
similar to
>> the prior reports. #10 is __je_pa_alloc.
>>=20
>> #11 is: arena_slab_alloc
>>=20
>> (gdb) bt
>> #0  thr_kill () at thr_kill.S:4
>> #1  0x2a08ef24 in __raise (s=3D6) at /usr/src/lib/libc/gen/raise.c:48
>> #2  0x2a145f38 in abort () at /usr/src/lib/libc/stdlib/abort.c:61
>> #3  0x2a196128 in ehooks_debug_zero_check =
(addr=3Daddr@entry=3D0x2e12b000, size=3Dsize@entry=3D8192) at =
/usr/src/contrib/jemalloc/include/jemalloc/internal/ehooks.h:170
>> #4  0x2a191f60 in ehooks_alloc (tsdn=3D0x2a2e4060, ehooks=3D0x2a600080,=
 new_addr=3D0x0, size=3D<optimized out>, alignment=3D4096, =
zero=3D0xffff9747, commit=3D<optimized out>)
>>   at /usr/src/contrib/jemalloc/include/jemalloc/internal/ehooks.h:208
>> #5  __je_extent_alloc_wrapper (tsdn=3Dtsdn@entry=3D0x2a2e4060, =
pac=3D0x2a601810, ehooks=3D<optimized out>, new_addr=3D<optimized out>, =
size=3D8192, alignment=3D4096, zero=3Dtrue, commit=3D0xffff97a7,=20
>>   growing_retained=3D<optimized out>) at jemalloc_extent.c:1003
>> #6  0x2a1916e0 in __je_ecache_alloc_grow (tsdn=3D<optimized out>, =
tsdn@entry=3D0x2a2e4060, pac=3Dpac@entry=3D0x2a601810, =
ehooks=3Dehooks@entry=3D0x2a600080, ecache=3D<optimized out>, =
ecache@entry=3D0x2a603dd0,=20
>>   expand_edata=3D0x0, size=3D8192, alignment=3D4096, zero=3D<optimized =
out>, guarded=3D<optimized out>) at jemalloc_extent.c:126
>> #7  0x2a1c9680 in pac_alloc_real (tsdn=3D0x2a2e4060, pac=3D0x2a601810, =
ehooks=3D0x2a600080, size=3D8192, alignment=3D4096, zero=3D<optimized =
out>, guarded=3Dfalse) at jemalloc_pac.c:124
>> #8  pac_alloc_impl (tsdn=3Dtsdn@entry=3D0x2a2e4060, self=3D0x2a601810, =
size=3Dsize@entry=3D8192, alignment=3D4096, zero=3D<optimized out>, =
guarded=3Dfalse, frequent_reuse=3D<optimized out>,=20
>>   deferred_work_generated=3D<optimized out>) at jemalloc_pac.c:178
>> #9  0x2a1c7ae8 in pai_alloc (tsdn=3D0x2a2e4060, self=3D0x0, =
size=3D8192, alignment=3D2147483615, zero=3D<optimized out>, =
guarded=3Dfalse, frequent_reuse=3Dtrue, =
deferred_work_generated=3D<optimized out>)
>>   at /usr/src/contrib/jemalloc/include/jemalloc/internal/pai.h:43
>> #10 __je_pa_alloc (tsdn=3Dtsdn@entry=3D0x2a2e4060, =
shard=3Dshard@entry=3D0x2a601800, size=3D8192, alignment=3D<optimized =
out>, slab=3Dtrue, szind=3D35, zero=3D<optimized out>, guarded=3Dfalse,=20=

>>   deferred_work_generated=3D0xffff986f) at jemalloc_pa.c:139
>> #11 0x2a16b9f8 in arena_slab_alloc (tsdn=3Dtsdn@entry=3D0x2a2e4060, =
arena=3D0x2a600540, binind=3D35, binshard=3D0, bin_info=3D0x2a2200ec =
<__je_bin_infos+1680>) at jemalloc_arena.c:839
>> #12 0x2a16ac98 in __je_arena_cache_bin_fill_small (tsdn=3D0x2a2e4060, =
arena=3D0x2a600540, cache_bin=3Dcache_bin@entry=3D0x2a2e4618, =
cache_bin_info=3D0x2a600506, binind=3D35, nfill=3D10) at =
jemalloc_arena.c:1034
>> #13 0x2a1b5694 in __je_tcache_alloc_small_hard (tsdn=3D0x0, =
tsdn@entry=3D0x2a2e4060, arena=3D0x0, arena@entry=3D0x2a600540, =
tcache=3Dtcache@entry=3D0x2a2e42c8, =
cache_bin=3Dcache_bin@entry=3D0x2a2e4618, binind=3D35,=20
>>   tcache_success=3D0xffff991f) at jemalloc_tcache.c:238
>> #14 0x2a16cef4 in tcache_alloc_small (tsd=3D<optimized out>, =
arena=3D0x2a600540, tcache=3D0x2a2e42c8, size=3D<optimized out>, =
binind=3D35, zero=3Dfalse, slow_path=3Dtrue)
>>   at =
/usr/src/contrib/jemalloc/include/jemalloc/internal/tcache_inlines.h:68
>> #15 arena_malloc (tsdn=3D<optimized out>, arena=3D<optimized out>, =
size=3D8192, ind=3D35, zero=3Dfalse, tcache=3D0x2a2e42c8, =
slow_path=3Dtrue)
>>   at =
/usr/src/contrib/jemalloc/include/jemalloc/internal/arena_inlines_b.h:151
>> #16 0x2a16cb88 in __je_arena_palloc (tsdn=3D0x0, =
tsdn@entry=3D0x2a2e4060, arena=3D<optimized out>, usize=3D<optimized =
out>, usize@entry=3D8192, alignment=3Dalignment@entry=3D8, zero=3Dfalse, =
tcache=3D0x2a2e42c8)
>>   at jemalloc_arena.c:1224
>> #17 0x2a16559c in ipallocztm (tsdn=3D0x2a2e4060, =
tsdn@entry=3D0x2a2e42c8, usize=3D8192, alignment=3D8, zero=3Dfalse, =
tcache=3D0x2a2e42c8, is_internal=3Dfalse, arena=3D0x0)
>>   at =
/usr/src/contrib/jemalloc/include/jemalloc/internal/jemalloc_internal_inli=
nes_c.h:80
>> #18 ipalloct (tsdn=3D0x0, tsdn@entry=3D0x2a2e4060, usize=3D8192, =
alignment=3D8, zero=3Dfalse, tcache=3D0x2a2e42c8, arena=3D0x0)
>>   at =
/usr/src/contrib/jemalloc/include/jemalloc/internal/jemalloc_internal_inli=
nes_c.h:91
>> #19 0x2a1651f4 in imalloc_no_sample (sopts=3D0xffff9a14, =
dopts=3D0xffff99f4, tsd=3D0x2a2e4060, size=3D8192, usize=3D8192, =
ind=3D<optimized out>) at jemalloc_jemalloc.c:2398
>> #20 imalloc_body (sopts=3D0xffff9a14, dopts=3D0xffff99f4, =
tsd=3D0x2a2e4060) at jemalloc_jemalloc.c:2577
>> #21 0x2a156188 in imalloc (sopts=3Dsopts@entry=3D0xffff9a14, =
dopts=3D<optimized out>, dopts@entry=3D0xffff99f4) at =
jemalloc_jemalloc.c:2693
>> #22 0x2a15677c in __aligned_alloc (alignment=3D8, size=3D8192) at =
jemalloc_jemalloc.c:2821
>> #23 0x29e61a00 in =
std::__1::__libcpp_aligned_alloc[abi:se190107](unsigned int, unsigned =
int) (__alignment=3D8, __size=3D<optimized out>)
>>   at =
/usr/src/contrib/llvm-project/libcxx/include/__memory/aligned_alloc.h:43
>> #24 operator_new_aligned_impl (size=3D<optimized out>, alignment=3D8) =
at /usr/src/contrib/llvm-project/libcxx/src/new.cpp:129
>> #25 operator new (size=3D<optimized out>, alignment=3D<optimized =
out>) at /usr/src/contrib/llvm-project/libcxx/src/new.cpp:141
>> #26 0x20ff35f8 in Allocate () at =
/usr/src/contrib/llvm-project/llvm/include/llvm/Support/AllocatorBase.h:92=

>> #27 StartNewSlab () at =
/usr/src/contrib/llvm-project/llvm/include/llvm/Support/Allocator.h:344
>> #28 AllocateSlow () at =
/usr/src/contrib/llvm-project/llvm/include/llvm/Support/Allocator.h:200
>> #29 0x26c0ab48 in Allocate () at =
/usr/src/contrib/llvm-project/llvm/include/llvm/Support/Allocator.h:176
>> #30 Allocate () at =
/usr/src/contrib/llvm-project/llvm/include/llvm/Support/Allocator.h:214
>> #31 operator new<llvm::MallocAllocator, 4096U, 4096U, 128U> () at =
/usr/src/contrib/llvm-project/llvm/include/llvm/Support/Allocator.h:448
>> #32 getMachineMemOperand () at =
/usr/src/contrib/llvm-project/llvm/lib/CodeGen/MachineFunction.cpp:496
>> #33 0x2705c62c in getStore () at =
/usr/src/contrib/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAG.c=
pp:9015
>> #34 0x270941b4 in visitStore () at =
/usr/src/contrib/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBu=
ilder.cpp:4746
>> #35 0x2708d80c in visit () at =
/usr/src/contrib/llvm-project/llvm/include/llvm/IR/Instruction.def:173
>> #36 0x2708c9e4 in visit () at =
/usr/src/contrib/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGBu=
ilder.cpp:1346
>> #37 0x270f53c8 in SelectBasicBlock () at =
/usr/src/contrib/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGIS=
el.cpp:838
>> #38 0x270f4b84 in SelectAllBasicBlocks () at =
/usr/src/contrib/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGIS=
el.cpp:1863
>> #39 0x270f1f24 in runOnMachineFunction () at =
/usr/src/contrib/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGIS=
el.cpp:631
>> #40 0x28300224 in runOnMachineFunction () at =
/usr/src/contrib/llvm-project/llvm/lib/Target/ARM/ARMISelDAGToDAG.cpp:70
>> #41 0x270efd6c in runOnMachineFunction () at =
/usr/src/contrib/llvm-project/llvm/lib/CodeGen/SelectionDAG/SelectionDAGIS=
el.cpp:374
>> #42 0x26c15e88 in runOnFunction () at =
/usr/src/contrib/llvm-project/llvm/lib/CodeGen/MachineFunctionPass.cpp:94
>> #43 0x276a9e74 in runOnFunction () at =
/usr/src/contrib/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1440
>> #44 0x276b0d40 in runOnModule () at =
/usr/src/contrib/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1486
>> #45 0x276aa5e0 in runOnModule () at =
/usr/src/contrib/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:1555
>> --Type <RET> for more, q to quit, c to continue without paging--
>> #46 run () at =
/usr/src/contrib/llvm-project/llvm/lib/IR/LegacyPassManager.cpp:541
>> #47 0x2216d2e8 in RunCodegenPipeline () at =
/usr/src/contrib/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1157
>> #48 EmitAssembly () at =
/usr/src/contrib/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1180
>> #49 EmitBackendOutput () at =
/usr/src/contrib/llvm-project/clang/lib/CodeGen/BackendUtil.cpp:1341
>> #50 0x225cbca0 in HandleTranslationUnit () at =
/usr/src/contrib/llvm-project/clang/lib/CodeGen/CodeGenAction.cpp:354
>> #51 0x22cff8e4 in ParseAST () at =
/usr/src/contrib/llvm-project/clang/lib/Parse/ParseAST.cpp:184
>> #52 0x22b5a7b8 in Execute () at =
/usr/src/contrib/llvm-project/clang/lib/Frontend/FrontendAction.cpp:1078
>> #53 0x22adb800 in ExecuteAction () at =
/usr/src/contrib/llvm-project/clang/lib/Frontend/CompilerInstance.cpp:1061=

>> #54 0x22bf6a90 in ExecuteCompilerInvocation () at =
/usr/src/contrib/llvm-project/clang/lib/FrontendTool/ExecuteCompilerInvoca=
tion.cpp:280
>> #55 0x0002afc8 in cc1_main () at =
/usr/src/contrib/llvm-project/clang/tools/driver/cc1_main.cpp:284
>> #56 0x00038548 in ExecuteCC1Tool () at =
/usr/src/contrib/llvm-project/clang/tools/driver/driver.cpp:215
>> #57 0x227877ec in operator() () at =
/usr/src/contrib/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:=
68
>> #58 operator() () at =
/usr/src/contrib/llvm-project/clang/lib/Driver/Job.cpp:440
>> #59 callback_fn<(lambda at =
/usr/src/contrib/llvm-project/clang/lib/Driver/Job.cpp:440:22)>(void) () =
at =
/usr/src/contrib/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:=
45
>> #60 0x27d88624 in operator() () at =
/usr/src/contrib/llvm-project/llvm/include/llvm/ADT/STLFunctionalExtras.h:=
68
>> #61 RunSafely () at =
/usr/src/contrib/llvm-project/llvm/lib/Support/CrashRecoveryContext.cpp:42=
6
>> #62 0x22786e90 in Execute () at =
/usr/src/contrib/llvm-project/clang/lib/Driver/Job.cpp:440
>> #63 0x22748074 in ExecuteCommand () at =
/usr/src/contrib/llvm-project/clang/lib/Driver/Compilation.cpp:199
>> #64 0x227483d0 in ExecuteJobs () at =
/usr/src/contrib/llvm-project/clang/lib/Driver/Compilation.cpp:253
>> #65 0x22765bb8 in ExecuteCompilation () at =
/usr/src/contrib/llvm-project/clang/lib/Driver/Driver.cpp:1943
>> #66 0x00037ba4 in clang_main () at =
/usr/src/contrib/llvm-project/clang/tools/driver/driver.cpp:391
>> #67 0x000363a8 in main () at =
/usr/src/usr.bin/clang/clang/clang-driver.cpp:17
>>=20
>>=20
>>=20
>> 0x2e12afd0: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
>> 0x2e12afe0: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
>> 0x2e12aff0: 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5 0xa5a5a5a5
>> (gdb) x /1024x ((size_t*)addr)+0
>> 0x2e12b000: 0x00000000 0x00000000 0x00000000 0x00000000
>> 0x2e12b010: 0x00000000 0x00000000 0x00000000 0x00000000
>> 0x2e12b020: 0x00000000 0x00000000 0x00000000 0x00000000
>> . . .
>> 0x2e12b650: 0x00000000 0x00000000 0x00000000 0x00000000
>> 0x2e12b660: 0x00000000 0x00000000 0x00000000 0x00000000
>> 0x2e12b670: 0x00000000 0x00000000 0x00000000 0x00000000
>> 0x2e12b680: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
>> 0x2e12b690: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
>> 0x2e12b6a0: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
>> . . .
>> 0x2e12cfd0: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
>> 0x2e12cfe0: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
>> 0x2e12cff0: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a
>> (gdb) x /1024x ((size_t*)addr)+2048
>> 0x2e12d000: Cannot access memory at address 0x2e12d000
>>=20
>>=20
>>=20
>> For #0..#10: The prior examples and the above
>> agree about:
>>=20
>> #5  __je_extent_alloc_wrapper zero=3Dtrue
>>=20
>> But also there was in this example:
>> #14 tcache_alloc_small        zero=3Dfalse
>>=20
>> (The others before #14 are optimized out.)
>>=20
>>=20
>> So summarizing some of the failure results so far . . .
>>=20
>> The common part of the call chain is:
>>=20
>> #0  thr_kill ()               at thr_kill.S:4
>> #1  __raise (s=3D6)             at /usr/src/lib/libc/gen/raise.c:48
>> #2  abort ()                  at /usr/src/lib/libc/stdlib/abort.c:61
>> #3  ehooks_debug_zero_check   at =
/usr/src/contrib/jemalloc/include/jemalloc/internal/ehooks.h:170
>> #4  ehooks_alloc              at =
/usr/src/contrib/jemalloc/include/jemalloc/internal/ehooks.h:208
>> #5  __je_extent_alloc_wrapper at jemalloc_extent.c:1003 (argument =
zero=3Dtrue)
>> #6  __je_ecache_alloc_grow    at jemalloc_extent.c:126
>> #7  pac_alloc_real            at jemalloc_pac.c:124
>> #8  pac_alloc_impl            at jemalloc_pac.c:178
>> #9  pai_alloc                 at =
/usr/src/contrib/jemalloc/include/jemalloc/internal/pai.h:43
>> #10 __je_pa_alloc             at jemalloc_pa.c:139
>> Note: some #11+ can show arguments with a zero=3Dfalse
>>=20
>> All the non-zero Bytes in the pages being checked are 0x5a bytes.
>> The zero Bytes (if any) come first so far.
>=20
> By no means do I know if the below is the actual problem.
>=20
>=20
> The one place I see zero possibly becoming true for
> __je_extent_alloc_wrapper by the time of the backtrace
> is via:
>=20
> void *
> extent_alloc_mmap(void *new_addr, size_t size, size_t alignment, bool =
*zero,
>    bool *commit) {
>        assert(alignment =3D=3D ALIGNMENT_CEILING(alignment, PAGE));
>        void *ret =3D pages_map(new_addr, size, alignment, commit);
>        if (ret =3D=3D NULL) {
>                return NULL;
>        }
>        assert(ret !=3D NULL);
>        if (*commit) {
>                *zero =3D true;
>        }
>        return ret;
> }
>=20
> (So pages_map behavior vs. commit usage is relevant.
> See jemalloc/src/pages.c .)
>=20
> extent_alloc_mmap called via:
>=20
> /*
> * If the caller specifies (!*zero), it is still possible to receive =
zeroed
> * memory, in which case *zero is toggled to true.  =
arena_extent_alloc() takes
> * advantage of this to avoid demanding zeroed extents, but taking =
advantage of
> * them if they are returned.
> */
> static void *
> extent_alloc_core(tsdn_t *tsdn, arena_t *arena, void *new_addr, size_t =
size,
>    size_t alignment, bool *zero, bool *commit, dss_prec_t dss_prec) {
>        void *ret;
>=20
>        assert(size !=3D 0);
>        assert(alignment !=3D 0);
>=20
>        /* "primary" dss. */
>        if (have_dss && dss_prec =3D=3D dss_prec_primary && (ret =3D
>            extent_alloc_dss(tsdn, arena, new_addr, size, alignment, =
zero,
>            commit)) !=3D NULL) {
>                return ret;
>        }
>        /* mmap. */
>        if ((ret =3D extent_alloc_mmap(new_addr, size, alignment, zero, =
commit))
>            !=3D NULL) {
>                return ret;
>        }
>        /* "secondary" dss. */
>        if (have_dss && dss_prec =3D=3D dss_prec_secondary && (ret =3D
>            extent_alloc_dss(tsdn, arena, new_addr, size, alignment, =
zero,
>            commit)) !=3D NULL) {
>                return ret;
>        }
>=20
>        /* All strategies for allocation failed. */
>        return NULL;
> }
>=20
> in jemalloc/src/ehooks.c
>=20
> called via:
>=20
> void *
> ehooks_default_alloc_impl(tsdn_t *tsdn, void *new_addr, size_t size,
>    size_t alignment, bool *zero, bool *commit, unsigned arena_ind) {
>        arena_t *arena =3D arena_get(tsdn, arena_ind, false);
>        /* NULL arena indicates arena_create. */
>        assert(arena !=3D NULL || alignment =3D=3D HUGEPAGE);
>        dss_prec_t dss =3D (arena =3D=3D NULL) ? dss_prec_disabled :
>            (dss_prec_t)atomic_load_u(&arena->dss_prec, =
ATOMIC_RELAXED);
>        void *ret =3D extent_alloc_core(tsdn, arena, new_addr, size, =
alignment,
>            zero, commit, dss);
>        if (have_madvise_huge && ret) {
>                pages_set_thp_state(ret, size);
>        }
>        return ret;
> }
>=20
> in jemalloc/src/ehooks.c
>=20
> called via (so is ehooks_debug_zero_check):
>=20
> static inline void *
> ehooks_alloc(tsdn_t *tsdn, ehooks_t *ehooks, void *new_addr, size_t =
size,
>    size_t alignment, bool *zero, bool *commit) {
>        bool orig_zero =3D *zero;
>        void *ret;
>        extent_hooks_t *extent_hooks =3D =
ehooks_get_extent_hooks_ptr(ehooks);
>        if (extent_hooks =3D=3D &ehooks_default_extent_hooks) {
>                ret =3D ehooks_default_alloc_impl(tsdn, new_addr, size,
>                    alignment, zero, commit, ehooks_ind_get(ehooks));
>        } else {
>                ehooks_pre_reentrancy(tsdn);
>                ret =3D extent_hooks->alloc(extent_hooks, new_addr, =
size,
>                    alignment, zero, commit, ehooks_ind_get(ehooks));
>                ehooks_post_reentrancy(tsdn);
>        }
>        assert(new_addr =3D=3D NULL || ret =3D=3D NULL || new_addr =3D=3D=
 ret);
>        assert(!orig_zero || *zero);
>        if (*zero && ret !=3D NULL) {
>                ehooks_debug_zero_check(ret, size);
>        }
>        return ret;
> }
>=20
> called via:
>=20
> edata_t *
> extent_alloc_wrapper(tsdn_t *tsdn, pac_t *pac, ehooks_t *ehooks,
>    void *new_addr, size_t size, size_t alignment, bool zero, bool =
*commit,
>    bool growing_retained) {
>        witness_assert_depth_to_rank(tsdn_witness_tsdp_get(tsdn),
>            WITNESS_RANK_CORE, growing_retained ? 1 : 0);
>=20
>        edata_t *edata =3D edata_cache_get(tsdn, pac->edata_cache);
>        if (edata =3D=3D NULL) {
>                return NULL;
>        }
>        size_t palignment =3D ALIGNMENT_CEILING(alignment, PAGE);
>        void *addr =3D ehooks_alloc(tsdn, ehooks, new_addr, size, =
palignment,
>            &zero, commit);
> . . .
>=20

There are just 2 calls to (__je_)pa_alloc, one of which pass false
for zero ( jemalloc/src/arena.c ). The pattern used below also
matches hpa_alloc but ignore those:

 # grep -r 'pa_alloc\>' /usr/src/contrib/jemalloc/src/
/usr/src/contrib/jemalloc/src/pa.c:pa_alloc(tsdn_t *tsdn, pa_shard_t =
*shard, size_t size, size_t alignment,
/usr/src/contrib/jemalloc/src/hpa.c:static edata_t *hpa_alloc(tsdn_t =
*tsdn, pai_t *self, size_t size,
/usr/src/contrib/jemalloc/src/hpa.c:	shard->pai.alloc =3D &hpa_alloc;
/usr/src/contrib/jemalloc/src/hpa.c:	assert(self->alloc =3D =
&hpa_alloc);
/usr/src/contrib/jemalloc/src/hpa.c:hpa_alloc(tsdn_t *tsdn, pai_t *self, =
size_t size, size_t alignment, bool zero,
/usr/src/contrib/jemalloc/src/arena.c:	edata_t *edata =3D =
pa_alloc(tsdn, &arena->pa_shard, esize, alignment,
/usr/src/contrib/jemalloc/src/arena.c:	edata_t *slab =3D pa_alloc(tsdn, =
&arena->pa_shard, bin_info->slab_size,

The calling code looks like the below, where it
is the arena_slab_alloc routine that passes false
directly. Examples 1, 2, 3, and 5 that I sent to
the lists have arena_slab_alloc as the caller of
(__je_)pa_alloc. Yet they end up with #5
(__je_)extent_alloc_wrapper showing zero=3Dtrue
in the backtrace and ehooks_debug_zero_check
being called (which requires ehooks_alloc to
see its zero with the relevant value indicating
true).

That is my evidence for extent_alloc_mmap possibly
causing ehooks_alloc to see a true for zero in its
check for if it should call ehooks_debug_zero_check .

For reference:

edata_t *
arena_extent_alloc_large(tsdn_t *tsdn, arena_t *arena, size_t usize,
    size_t alignment, bool zero) {
        bool deferred_work_generated =3D false;
        szind_t szind =3D sz_size2index(usize);
        size_t esize =3D usize + sz_large_pad;
       =20
        bool guarded =3D san_large_extent_decide_guard(tsdn,
            arena_get_ehooks(arena), esize, alignment);
        edata_t *edata =3D pa_alloc(tsdn, &arena->pa_shard, esize, =
alignment,
            /* slab */ false, szind, zero, guarded, =
&deferred_work_generated);
. . .

static edata_t *
arena_slab_alloc(tsdn_t *tsdn, arena_t *arena, szind_t binind, unsigned =
binshard,
    const bin_info_t *bin_info) {
        bool deferred_work_generated =3D false;
        witness_assert_depth_to_rank(tsdn_witness_tsdp_get(tsdn),
            WITNESS_RANK_CORE, 0);
       =20
        bool guarded =3D san_slab_extent_decide_guard(tsdn,
            arena_get_ehooks(arena));
        edata_t *slab =3D pa_alloc(tsdn, &arena->pa_shard, =
bin_info->slab_size,
            /* alignment */ PAGE, /* slab */ true, /* szind */ binind,
             /* zero */ false, guarded, &deferred_work_generated);
. . .


(I do have some more saved core dumps now, but I doubt
publication would be all that useful: too similar to
those already published.)


=3D=3D=3D
Mark Millard
marklmi at yahoo.com