Date:      Thu, 8 Feb 2007 01:53:56 -0800 (PST)
From:      Don Lewis <truckman@FreeBSD.org>
To:        freebsd-current@FreeBSD.org
Subject:   Re: i386 kernel page fault in generic_bcopy() during shutdown
Message-ID:  <200702080954.l189rujU012991@gw.catspoiler.org>
In-Reply-To: <200702070002.l1702pmM007203@gw.catspoiler.org>

On  6 Feb, To: freebsd-current@FreeBSD.org wrote:
> My Pentium-M laptop has consistently paniced during shutdown since I
> updated kernel and world in early January.  It still has the problem
> even after I updated the kernel and world a couple days ago.  My Athlon
> XP desktop machine does not exhibit this problem.  The kernel on the
> affected machine is close to GENERIC, with SMP, apic, gif, faith, and
> atapicd removed, and with atapicam added.
> 
> The page faults occur in a couple of different places.  I've seen
> generic_bcopy() and pmap_allocpte().  Occasionally I see a double fault.
> 
> 
> kgdb seems to have trouble unwinding the stack from the last crash:
> 
> # kgdb /boot/kernel/kernel /var/crash/vmcore.6
> kgdb: kvm_nlist(_stopped_cpus): 
> kgdb: kvm_nlist(_stoppcbs): 
> [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd".
> 
> Unread portion of the kernel message buffer:
> 
> 
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0xd6247d90
> fault code              = supervisor write, page not present
> instruction pointer     = 0x20:0xc089d9c6
> stack pointer           = 0x28:0xd4ff0bb8
> frame pointer           = 0x28:0xd4ff0be4
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 1018 (shutdown)
> Physical memory: 502 MB
> Dumping 67 MB: 52 36 20 4
> 
> #0  doadump () at pcpu.h:166
> 166     pcpu.h: No such file or directory.
>         in pcpu.h
> #0  doadump () at pcpu.h:166
> #1  0xc0475a57 in db_fncall (dummy1=-721483344, dummy2=0, dummy3=-1063115424, 
>     dummy4=0xd4ff098c "@z\ufffd\ufffd") at /usr/src/sys/ddb/db_command.c:486
> #2  0xc0475863 in db_command (last_cmdp=0xc09fb064, cmd_table=0x0)
>     at /usr/src/sys/ddb/db_command.c:401
> #3  0xc047591e in db_command_loop () at /usr/src/sys/ddb/db_command.c:453
> #4  0xc0477569 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:222
> #5  0xc06cabc9 in kdb_trap (type=12, code=0, tf=0x0)
>     at /usr/src/sys/kern/subr_kdb.c:502
> #6  0xc089feed in trap_fatal (frame=0xd4ff0b78, eva=3592715664)
>     at /usr/src/sys/i386/i386/trap.c:859
> #7  0xc089fc4f in trap_pfault (frame=0xd4ff0b78, usermode=0, eva=3592715664)
>     at /usr/src/sys/i386/i386/trap.c:777
> #8  0xc089f872 in trap (frame=0xd4ff0b78) at /usr/src/sys/i386/i386/trap.c:462
> #9  0xc089009b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #10 0xd6247d90 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> 
> According to the instruction pointer in the trap frame, this time the
> fault occurred inside generic_bcopy().
> 
> 
> (kgdb) list *0xc089d9c6
> 0xc089d9c6 is at /usr/src/sys/i386/i386/support.s:490.
> 485             cmpl    %ecx,%eax                       /* overlapping && src < dst? */
> 486             jb      1f
> 487
> 488             shrl    $2,%ecx                         /* copy by 32-bit words */
> 489             cld                                     /* nope, copy forwards */
> 490             rep
> 491             movsl
> 492             movl    20(%esp),%ecx
> 493             andl    $3,%ecx                         /* any bytes left? */
> 494             rep
> 
> 
> I just rebooted again and got this stack trace in DDB:
> 
> pmap_allocpte() at pmap_allocpte+0x2f
> pmap_copy() at pmap_copy+0x1c5
> vm_map_copy_entry() at vm_map_copy_entry+0x119
> vmspace_fork() at vmspace_fork+0x1f8
> vm_forkproc() at vm_forkproc+0xb3
> fork1() at fork1+0xdc9
> fork() at fork+0x18
> syscall() at ...
> 
> The problem seems to consistently happen with a fork1() call on the
> stack.
> 
> This is what kgdb reports for the second crash.
> 
> # kgdb /boot/kernel/kernel /var/crash/vmcore.7
> kgdb: kvm_nlist(_stopped_cpus): 
> kgdb: kvm_nlist(_stoppcbs): 
> [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd".
> 
> Unread portion of the kernel message buffer:
> Kernel page fault with the following non-sleepable locks held:
> exclusive sleep mutex pmap r = 0 (0xc31131ac) locked @ /usr/src/sys/i386/i386/pmap.c:2773
> exclusive sleep mutex pmap r = 0 (0xc29640a8) locked @ /usr/src/sys/i386/i386/pmap.c:2772
> exclusive sleep mutex vm page queue mutex r = 0 (0xc0a7e61c) locked @ /usr/src/sys/i386/i386/pmap.c:2767
> KDB: stack backtrace:
> db_trace_self_wrapper(c092a31e) at db_trace_self_wrapper+0x25
> kdb_backtrace(3,c295c000,c,d3ad2b1c,d3ad2b10,...) at kdb_backtrace+0x29
> witness_warn(5,0,c094defe) at witness_warn+0x192
> trap(d3ad2b1c) at trap+0xfb
> calltrap() at calltrap+0x6
> --- trap 0xd624f000, eip = 0, esp = 0x10212, ebp = 0xc31131ac ---
> (null)(1430000,c0a34ac8,c2959360,0,d624f000,...) at 0
> __func__.0(61727420,78302070,202c3731,20706965,2325203d,...) at 0xc094ad95
> 
> 
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0xd624f080
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc089a513
> stack pointer           = 0x28:0xd3ad2b5c
> frame pointer           = 0x28:0xd3ad2b68
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 1 (init)
> Physical memory: 502 MB
> Dumping 101 MB: 86 70 54 38 22 6
> 
> #0  doadump () at pcpu.h:166
> 166     pcpu.h: No such file or directory.
>         in pcpu.h
> (kgdb) where
> #0  doadump () at pcpu.h:166
> #1  0xc0475a57 in db_fncall (dummy1=-743626368, dummy2=0, dummy3=-1063115424, 
>     dummy4=0xd3ad295c "@z\ufffd\ufffd") at /usr/src/sys/ddb/db_command.c:486
> #2  0xc0475863 in db_command (last_cmdp=0xc09fb064, cmd_table=0x0)
>     at /usr/src/sys/ddb/db_command.c:401
> #3  0xc047591e in db_command_loop () at /usr/src/sys/ddb/db_command.c:453
> #4  0xc0477569 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:222
> #5  0xc06cabc9 in kdb_trap (type=12, code=0, tf=0x0)
>     at /usr/src/sys/kern/subr_kdb.c:502
> #6  0xc089feed in trap_fatal (frame=0xd3ad2b1c, eva=3592745088)
>     at /usr/src/sys/i386/i386/trap.c:859
> #7  0xc089f59b in trap (frame=0xd3ad2b1c) at /usr/src/sys/i386/i386/trap.c:276
> #8  0xc089009b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #9  0xd624f080 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) list *0xc089a513
> 0xc089a513 is in pmap_allocpte (/usr/src/sys/i386/i386/pmap.c:1401).
> 1396            ptepindex = va >> PDRSHIFT;
> 1397    retry:
> 1398            /*
> 1399             * Get the page directory entry
> 1400             */
> 1401            ptepa = pmap->pm_pdir[ptepindex];
> 1402
> 1403            /*
> 1404             * This supports switching from a 4MB page to a
> 1405             * normal 4K page.


This problem appears to be triggered by killing the Xorg server.  I can
also trigger the panic with Ctrl-Alt-Backspace, or
"/usr/local/etc/rc.d/gdm stop".  On the other hand, I found a workaround
for the shutdown case.  If I Ctrl-Alt-F1 to switch to a text vty and log
on in text mode, the shutdown command cleanly shuts down the system.

I suspect that this problem is likely to be graphics hardware dependent,
so this is what the Xorg server says about the hardware in my laptop:
	(--) PCI:*(1:0:0) ATI Technologies Inc Radeon Mobility M7 LW [Radeon Mobility 7500] rev 0, Mem @ 0xe0000000/27, 0xc0100000/16, I/O @ 0x3000/8
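The two "Fatal trap 12" blocks quoted in the message carry more than the fault address, and decoding them by eye is error-prone. The C program below is an added example, not part of Don Lewis's message or of FreeBSD's own tooling: it parses a trap block as the i386 kernel prints it, rebuilds the hardware #PF error code from the words in "fault code", reports whether the fault address lies in kernel virtual address space, and decodes the code-segment selector. It assumes the FreeBSD/i386 kernel base of 0xc0000000 (KERNBASE on i386 at the time of this message) and the standard FreeBSD/i386 GDT layout, in which selector 0x20 is index 4 (GCODE_SEL) and 0x28 is index 5 (GDATA_SEL). Its two inputs are the traps from vmcore.6 and vmcore.7 above, with the lines the parser does not read (code segment, eflags, frame pointer) left out. The names parse_trap, pf_error_code, is_kernel_va, sel_index and KERNBASE_I386 are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNBASE_I386 0xc0000000u   /* assumed: kernel VA base on FreeBSD/i386 of this era */

struct trapinfo {
    int      trapno, usermode;      /* 12 = page fault; "while in user/kernel mode" */
    uint32_t fault_va;              /* "fault virtual address" (%cr2) */
    int      user, write, protviol; /* #PF error-code bits U/S, W/R, P, from "fault code" */
    uint16_t cs, ss;                /* selectors in "0x20:0x...", "0x28:0x..." */
    uint32_t eip, esp;
    int      pid;
    char     comm[32];              /* "current process = pid (comm)" */
};

/* If line starts with key, return the text after '=' with blanks skipped, else NULL. */
static const char *field(const char *line, const char *key)
{
    const char *p;
    if (strncmp(line, key, strlen(key)) != 0 || (p = strchr(line, '=')) == NULL)
        return NULL;
    while (*++p == ' ' || *p == '\t')
        ;
    return p;
}

/* Parse one "Fatal trap" block line by line; returns 1 if the header line was seen. */
int parse_trap(const char *text, struct trapinfo *ti)
{
    char line[256];
    const char *v;
    unsigned a, b; int found = 0;

    memset(ti, 0, sizeof(*ti));
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        if (len >= sizeof(line))
            len = sizeof(line) - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (text[len] == '\n');

        if (sscanf(line, "Fatal trap %d:", &ti->trapno) == 1) {
            found = 1;
            ti->usermode = strstr(line, "user mode") != NULL;
        } else if ((v = field(line, "fault virtual address")) && sscanf(v, "%x", &a) == 1) {
            ti->fault_va = a;
        } else if ((v = field(line, "fault code"))) {
            ti->user = strncmp(v, "user", 4) == 0;            /* otherwise "supervisor" */
            ti->write = strstr(v, "write") != NULL;           /* otherwise "read" */
            ti->protviol = strstr(v, "protection") != NULL;   /* otherwise "page not present" */
        } else if ((v = field(line, "instruction pointer")) && sscanf(v, "%x:%x", &a, &b) == 2) {
            ti->cs = (uint16_t)a; ti->eip = b;
        } else if ((v = field(line, "stack pointer")) && sscanf(v, "%x:%x", &a, &b) == 2) {
            ti->ss = (uint16_t)a; ti->esp = b;
        } else if ((v = field(line, "current process"))) {
            sscanf(v, "%d (%31[^)])", &ti->pid, ti->comm);
        }
    }
    return found;
}

/* Hardware #PF error code implied by the words: bit 0 = P, bit 1 = W/R, bit 2 = U/S. */
uint32_t pf_error_code(const struct trapinfo *ti)
{
    return (uint32_t)ti->protviol | (uint32_t)ti->write << 1 | (uint32_t)ti->user << 2;
}
int is_kernel_va(uint32_t va) { return va >= KERNBASE_I386; }
/* GDT index of a selector: 0x20 -> 4 (GCODE_SEL), 0x28 -> 5 (GDATA_SEL) on FreeBSD/i386. */
unsigned sel_index(uint16_t sel) { return sel >> 3; }

/* The two trap frames quoted above; the lines the parser ignores are left out. */
static const char TRAP_SHUTDOWN[] =
    "Fatal trap 12: page fault while in kernel mode\n"
    "fault virtual address   = 0xd6247d90\n"
    "fault code              = supervisor write, page not present\n"
    "instruction pointer     = 0x20:0xc089d9c6\n"
    "stack pointer           = 0x28:0xd4ff0bb8\n"
    "current process         = 1018 (shutdown)\n";
static const char TRAP_INIT[] =
    "Fatal trap 12: page fault while in kernel mode\n"
    "fault virtual address   = 0xd624f080\n"
    "fault code              = supervisor read, page not present\n"
    "instruction pointer     = 0x20:0xc089a513\n"
    "stack pointer           = 0x28:0xd3ad2b5c\n"
    "current process         = 1 (init)\n";

int main(void)
{
    const char *text[] = { TRAP_SHUTDOWN, TRAP_INIT };
    for (int i = 0; i < 2; i++) {
        struct trapinfo ti;
        if (parse_trap(text[i], &ti))
            printf("trap %d, %s mode, pid %d (%s): fault va 0x%08x (%s VA), #PF err 0x%x, "
                   "eip 0x%08x, cs 0x%x (GDT index %u), esp 0x%08x\n",
                   ti.trapno, ti.usermode ? "user" : "kernel", ti.pid, ti.comm, ti.fault_va,
                   is_kernel_va(ti.fault_va) ? "kernel" : "user", pf_error_code(&ti),
                   ti.eip, ti.cs, sel_index(ti.cs), ti.esp);
    }
    return 0;
}
```

Run over the two quoted traps, both fault addresses (0xd6247d90 and 0xd624f080) decode as kernel virtual addresses that were "not present", that is, the kernel dereferenced unmapped KVA from kernel text (cs 0x20, GDT index 4) rather than a user pointer. Note also that in both kgdb traces the innermost "in ?? ()" frame (#10 and #9) is exactly the fault virtual address, so it is not a real return address and explains why kgdb gives up there; the DDB backtrace quoted in the message is the one that shows the fork1() call path.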




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200702080954.l189rujU012991>