From owner-freebsd-current  Fri Jul 26 10:23:56 2002
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3920237B400; Fri, 26 Jul 2002 10:23:48 -0700 (PDT)
Received: from ort.lviv.net (ort.lviv.net [195.5.34.107])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 47EC043E42; Fri, 26 Jul 2002 10:23:46 -0700 (PDT)
	(envelope-from andrew@ort.lviv.net)
Received: from ort.lviv.net ([172.16.2.157])
	by ort.lviv.net (8.11.6/8.11.6) with ESMTP id g6QHNFY01130;
	Fri, 26 Jul 2002 20:23:15 +0300
Message-ID: <3D418599.6000108@ort.lviv.net>
Date: Fri, 26 Jul 2002 20:23:37 +0300
From: andrew bliznak <andrew@ort.lviv.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.0) Gecko/20020530
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: John Baldwin <jhb@FreeBSD.org>
Cc: current@FreeBSD.org, Alex Zepeda <zipzippy@sonic.net>,
	Peter Schultz <peter@jocose.org>
Subject: Re: I think X is making this whole thing unstable..
References: <XFMail.20020726124415.jhb@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

John Baldwin wrote:
> On 26-Jul-2002 andrew bliznak wrote:
> 
>>#14 0xc03179d8 in calltrap () at {standard input}:98
>>#15 0xc01e4db5 in _mtx_lock_sleep (m=0x28, opts=0, file=0x0, line=0)
>>     at /usr/home/andrew/C/src/sys/kern/kern_mutex.c:598
> 
> 
> This is the bug, it's like it is dereferencing a null pointer to get
> a mutex or something.
> 
> 
>>#16 0xc026f71d in tcp_input (m=0xc0f10100, off0=20)
>>     at /usr/home/andrew/C/src/sys/netinet/tcp_input.c:520
> 
> 
>         /*
>          * Locate pcb for segment.
>          */
>          INP_INFO_WLOCK(&tcbinfo);
>          headlocked = 1;
> 
> #define INP_INFO_WLOCK(ipi)     mtx_lock(&(ipi)->ipi_mtx)
> 
> I don't see why it should be a problem though, tcbinfo is a global
> var.

Hm, little more debuging, m in sys/kern/kern_mutex.c:595 is wrong!

(kgdb) up 16
#16 0xc026f71d in tcp_input (m=0xc0f10100, off0=20)
     at /usr/home/andrew/C/src/sys/netinet/tcp_input.c:520
520 
	 INP_INFO_WLOCK(&tcbinfo);
(kgdb) print tcinfo
$1 = {hashbase = 0xc1c6a000, hashmask = 511, porthashbase = 0xc0efe800,
   porthashmask = 511, listhead = 0xc03c1bf0, lastport = 49172, lastlow 
= 0,
   lasthi = 0, ipi_zone = 0xc0f05dc0, ipi_count = 29, ipi_gencnt = 74,
   ipi_mtx = {mtx_object = {lo_class = 0xc03b6f00, lo_name = 0xc03662e8 
"tcp",
       lo_type = 0xc03662e8 "tcp", lo_flags = 720896, lo_list = {
         tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0},
     mtx_lock = 3237004802, mtx_recurse = 0, mtx_blocked = {
       tqh_first = 0xc0f0bd80, tqh_last = 0xc0f0bda0}, mtx_contested = {
       le_next = 0x0, le_prev = 0xc0f0c664}, mtx_acqtime = 0,
     mtx_filename = 0x0, mtx_lineno = 0}}
(kgdb) down
#15 0xc01e4db5 in _mtx_lock_sleep (m=0x28, opts=0, file=0x0, line=0)
     at /usr/home/andrew/C/src/sys/kern/kern_mutex.c:598
598 
		propagate_priority(td);
(kgdb) list
593 
		 * Save who we're blocked on.
594 
		 */
595 
		td->td_blocked = m;
596 
		td->td_mtxname = m->mtx_object.lo_name;
597 
		td->td_state = TDS_MTX;
598 
		propagate_priority(td);
599 

600 
		if (LOCK_LOG_TEST(&m->mtx_object, opts))
601 
			CTR3(KTR_LOCK,
602 
			    "_mtx_lock_sleep: p %p blocked on [%p] %s", td, m,
(kgdb) print td
$2 = (struct thread *) 0xc0f0c600
(kgdb) print *td
$3 = {td_proc = 0xc207f560, td_ksegrp = 0xc207f598, td_plist = {
     tqe_next = 0x0, tqe_prev = 0xc207f570}, td_kglist = {tqe_next = 0x0,
     tqe_prev = 0xc207f5b4}, td_slpq = {tqe_next = 0x0, tqe_prev = 
0xc0f0c0d8},
   td_blkq = {tqe_next = 0x0, tqe_prev = 0x0}, td_runq = {tqe_next = 0x0,
     tqe_prev = 0x0}, td_selq = {tqh_first = 0xc1cef270,
     tqh_last = 0xc20c711c}, td_flags = 200, td_last_kse = 0x0,
   td_kse = 0xc207f5f4, td_dupfd = 0, td_wchan = 0xc03ba2c4,
   td_wmesg = 0xc035eb89 "select", td_lastcpu = 0 '\0', td_inktr = 0 '\0',
   td_inktrace = 0 '\0', td_locks = -416, td_blocked = 0x0, td_ithd = 0x0,
   td_mtxname = 0x0, td_contested = {lh_first = 0xc03c1c2c},
   td_sleeplocks = 0x0, td_intr_nesting_level = 0, td_mailbox = 0x0,
   td_ucred = 0xc209f100, td_switchin = 0, td_md = <incomplete type>,
   td_retval = {0, 189}, td_base_pri = 187 '»', td_priority = 40 '(',
   td_pcb = 0xcc3e5da0, td_state = TDS_SLP, td_slpcallout = {c_links = 
{sle = {
         sle_next = 0x0}, tqe = {tqe_next = 0x0, tqe_prev = 0xc0f0c510}},
     c_time = 23481, c_arg = 0xc0f0c600,
     c_func = 0xc01cc450 <cv_timedwait_end>, c_flags = 14},
   td_frame = 0xcc3e5d48, td_kstack_obj = 0xc083312c, td_kstack = 
3426631680,
   td_critnest = 1}
(kgdb) print m
$4 = (struct mtx *) 0x28
(kgdb)


> 
> Hmm, one thing to note is that the tcbinfo_mtx pointer isn't ever
> used or assigned.
> 




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message