From: Terry Lambert
To: Arun Sharma
Cc: freebsd-hackers@freebsd.org
Date: Sun, 09 Jun 2002 23:40:09 -0700
Subject: Re: 0xdeadxxxx ?
Message-ID: <3D0449C9.27338938@mindspring.com>
References: <20020610002316.GA6628@sharma-home.net>

Arun Sharma wrote:
> I just got a kernel mode page fault. I'd like to find out more
> about
>
> > fault virtual address = 0xdeadc162
>
> It looks like the address is meant to signal a particular class of
> error. Which one ?

0xdeadc162 - 0xdeadc0de = 0x00000084 = 132 decimal

Look for a short value that's getting set to 132.

If you'd done a traceback on the fault and identified the code, then finding out what the short value involved was, to know whether that was a += 132 or an = 49506 or a -= 16029.

My guess would be a reference counted object whose count was a short, overflowed, and then was subsequently incremented 132 times... OR a long reference count whose references were all released, but a pointer to the object itself was not properly NULL'ed out, and the reference was incremented 132 times.

Knowing the size of the object would help identify it. So would enabling allocator debugging, and making a free of a freed object cause a panic, rather than just printing out a warning (the traceback on *that* panic would identify the erroneous free).

You would probably benefit, as well, by making sure the ref counts themselves were not in the areas that got blown over by "0xdeadc0de" (the first 12 bytes) of any structure.

Basically, this looks very much like a free error, where a free of an unfreed object ends up getting pointed to.

Another thing to look for... look for objects that would be aligned on a 132 byte boundary (probably, this is a pointer that's overwritten by "0xdeadc0de", and then referenced with a non-zero index for some object that's some power of two divisible into 132-sized).

I had a similar error with the cred reference counts that I found when I was the first person to get FreeBSD to go over 32767 simultaneous network connections off a single listen socket (if you will remember).

-- Terry
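An added illustration, not part of the message above and not FreeBSD code: a small C model of the overwritten-pointer hypothesis, in which a freed object is filled with 0xdeadc0de and a stale pointer field is then used with a member offset of 132. The struct layouts, the 64 KiB "near the pattern" window, the sample pointer value and all function names are constructed assumptions; pointers are modelled as 32-bit integers and nothing is dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON  0xdeadc0deu  /* fill pattern named in the message */
#define MAX_OFF 0x10000u     /* assumption: offsets below 64 KiB count as "near" */

/* Constructed i386-style objects; pointers are modelled as uint32_t. */
struct inner { uint8_t pad[132]; uint32_t value; };   /* value at offset 132 */
struct outer { uint32_t refs; uint32_t inner_ptr; };  /* models struct inner * */

/* Model of a debugging free(): overwrite the object with the pattern. */
static void poison_free(void *obj, size_t len)
{
    uint32_t pat = POISON;
    for (size_t i = 0; i + sizeof pat <= len; i += sizeof pat)
        memcpy((uint8_t *)obj + i, &pat, sizeof pat);
}

/* Address a stale o->inner_ptr->value load would touch (computed only). */
static uint32_t stale_access_addr(const struct outer *o)
{
    return o->inner_ptr + (uint32_t)offsetof(struct inner, value);
}

/* Triage: offset of a fault address above the pattern, or -1 if unrelated. */
static long poison_offset(uint32_t fault_addr)
{
    uint32_t off = fault_addr - POISON;  /* unsigned wrap is well defined */
    return off < MAX_OFF ? (long)off : -1;
}

/* Free an object, keep the stale reference, report where it would fault. */
static uint32_t simulated_fault(void)
{
    struct outer o = { 1, 0x08049000u };  /* constructed live pointer value */
    poison_free(&o, sizeof o);
    return stale_access_addr(&o);
}

int main(void)
{
    uint32_t fault = simulated_fault();
    printf("fault virtual address = 0x%08x, offset from pattern = %ld\n",
           (unsigned)fault, poison_offset(fault));
    return 0;
}
```

The offset returned by `poison_offset` is the number to match against member offsets or array strides of candidate structures when reading the traceback.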