Date:      Sat, 18 Sep 1999 20:59:21 +0100 (BST)
From:      Adrian Wontroba <aw1@stade.co.uk>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/13810: 3.3 panic rlist_free: free start overlaps already freed area
Message-ID:  <199909181959.UAA07953@titus.stade.co.uk>


>Number:         13810
>Category:       kern
>Synopsis:       3.3 panic rlist_free: free start overlaps already freed area
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 18 16:20:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Adrian Wontroba
>Release:        FreeBSD 3.3-STABLE i386
>Organization:
Yes, some would be nice!
>Environment:

	3.3-STABLE, cvsupped at 14:12 BST on 18 September

	FreeBSD titus.stade.co.uk
	3.3-STABLE FreeBSD 3.3-STABLE #0: Sat Sep 18 17:34:12 BST 1999
	toor@titus.stade.co.uk:/d3p2/FreeBSD/stable/src/sys/compile/TITUS  i386

>Description:

	From time to time over the last month or so this system has panicked with
	rlist_free.  Until recently this was an occasional occurrence.  Recently, the
	panics have become more frequent, prompting me to:

	Ensure I had a debugging kernel.

	Capture the crash dump.

	Amend what I suspect is one of the triggers for the problem - a long pipeline
	containing several image processing programs, which grow very large.

	kernel configuration, dmesg, and gdb output:

==> config <==
# $Header: /p1/home/aw1/kernel-config/TITUS,v 1.25 1999/08/29 12:39:22 aw1 Exp aw1 $
# kernel configuration for titus
#
# based on 
#	Id: GENERIC,v 1.143.2.14 1999/05/17 05:49:45 obrien Exp $

machine		"i386"
cpu		"I686_CPU"
ident		TITUS
maxusers	32

options		MATH_EMULATE		#Support for x87 emulation
options		INET			#InterNETworking
options		FFS			#Berkeley Fast Filesystem
options		FFS_ROOT		#FFS usable as root device [keep this!]
options		MFS			#Memory Filesystem
options		MFS_ROOT		#MFS usable as root device, "MFS" req'ed
options		NFS			#Network Filesystem
options		NFS_ROOT		#NFS usable as root device, "NFS" req'ed
options		MSDOSFS			#MSDOS Filesystem
options		"CD9660"		#ISO 9660 Filesystem
options		"CD9660_ROOT"		#CD-ROM usable as root. "CD9660" req'ed
options		PROCFS			#Process filesystem
options		"COMPAT_43"		#Compatible with BSD 4.3 [KEEP THIS!]
options		SCSI_DELAY=8000		#Be pessimistic about Joe SCSI device
options		UCONSOLE		#Allow users to grab the console
Options		FAILSAFE		#Be conservative
options		USERCONFIG		#boot -c editor
options		VISUAL_USERCONFIG	#visual boot -c editor
options		SOFTUPDATES
options         INCLUDE_CONFIG_FILE     # Include this file in kernel
options		"NO_F00F_HACK"
options		"MD5"
options		"VM86"
options		VESA			# needs VM86 defined too!!
options		SCSI_REPORT_GEOMETRY

config		kernel	root on da0

controller	isa0
controller	pnp0
controller	eisa0
controller	pci0

controller	fdc0	at isa? port "IO_FD1" bio irq 6 drq 2
disk		fd0	at fdc0 drive 0

controller	ahc0
options		AHC_ALLOW_MEMIO

controller	scbus0 at ahc0
disk		da0 at scbus0 target 0 unit 0
disk		da1 at scbus0 target 1 unit 0
tape		sa0 at scbus0 target 2 unit 0
disk		da2 at scbus0 target 3 unit 0
device		cd0 at scbus0 target 4 unit 0
# target 5 - spare
disk		da3 at scbus0 target 6 unit 0
# target 7 - controller

device		pass0

# atkbdc0 controls both the keyboard and the PS/2 mouse
controller	atkbdc0	at isa? port IO_KBD tty
device		atkbd0	at isa? tty irq 1
device		psm0	at isa? tty irq 12

device		vga0	at isa? port ? conflicts

# splash screen/screen saver
pseudo-device	splash

# syscons is the default console driver, resembling an SCO console
device		sc0	at isa? tty

device		npx0	at isa? port IO_NPX irq 13

#
# Laptop support (see LINT for more options)
#
device		apm0    at isa?	flags 0x31 # Advanced Power Management

device		sio0	at isa? port "IO_COM1" flags 0x10 tty irq 4
device		sio1	at isa? port "IO_COM2" tty irq 3

# Parallel port
device		ppc0	at isa? port? flags 0x40 net irq 7
controller	ppbus0
device		lpt0	at ppbus?
device		plip0	at ppbus?
device		ppi0	at ppbus?
#controller	vpo0	at ppbus?

device ep0 at isa? port 0x340 net irq 10

pseudo-device	loop
pseudo-device	ether
pseudo-device	sl	1
pseudo-device	ppp	1
pseudo-device	tun	1
pseudo-device	pty	32
pseudo-device	gzip		# Exec gzipped a.out's
pseudo-device	vn		#Vnode driver (turns a file into a device)
pseudo-device	snp	3	#Snoop device - to look at pty/vty/etc..

options		KTRACE		#kernel tracing

options		SYSVSHM
options		SYSVMSG
options		SYSVSEM

pseudo-device	bpfilter 4	#Berkeley packet filter

# Luigi's snd code (use INSTEAD of snd0 and all VOXWARE drivers!). 
device pcm0 at isa? port ? irq 7 drq 1

# SMB bus
# System Management Bus support provided by the 'smbus' device.
controller smbus0
device smb0	at smbus?

# I2C Bus
controller iicbus0
controller iicbb0
device ic0	at iicbus?
device iic0	at iicbus?
device iicsmb0	at iicbus?

# bt848 device (needs pci / smb / i2c)
device	bktr0

==> dmesg <==
Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
	The Regents of the University of California. All rights reserved.
FreeBSD 3.3-STABLE #0: Sat Sep 18 17:34:12 BST 1999
    toor@titus.stade.co.uk:/d3p2/FreeBSD/stable/src/sys/compile/TITUS
Timecounter "i8254"  frequency 1193182 Hz
CPU: Pentium Pro (199.43-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x619  Stepping = 9
  Features=0xf9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV>
real memory  = 134217728 (131072K bytes)
config> pnp 1 0 os enable irq0 5 drq0 0 drq1 1 port0 0x220 port1 0x300 port2 0x388
config> pnp 1 1 os enable port0 0x201
config> quit
avail memory = 127205376 (124224K bytes)
Preloaded elf kernel "kernel" at 0xc0331000.
Preloaded userconfig_script "/boot/kernel.conf" at 0xc033109c.
Preloaded elf module "splash_bmp.ko" at 0xc03310ec.
Preloaded splash_image_data "/boot/images/daemon_640.bmp" at 0xc0331190.
Pentium Pro MTRR support enabled
Probing for devices on PCI bus 0:
chip0: <Intel 82440FX (Natoma) PCI and memory controller> rev 0x02 on pci0.0.0
chip1: <Intel 82371SB PCI to ISA bridge> rev 0x01 on pci0.7.0
vga0: <Matrox MGA 2064W graphics accelerator> rev 0x01 int a irq 11 on pci0.11.0
bktr0: <BrookTree 848A> rev 0x12 int a irq 15 on pci0.15.0
bti2c0: <bt848 Hard/Soft I2C controller>
iicbb0: <I2C generic bit-banging driver> on bti2c0
iicbus0: <Philips I2C bus> on iicbb0 master-only
iicsmb0: <I2C to SMB bridge> on iicbus0
smbus0: <System Management Bus> on iicsmb0
smb0: <SMBus general purpose I/O> on smbus0
iic0: <I2C general purpose I/O> on iicbus0
smbus1: <System Management Bus> on bti2c0
smb1: <SMBus general purpose I/O> on smbus1
bktr0: Hauppauge Model 60134 CV  
Hauppauge WinCast/TV, Philips FR1216 PAL tuner, msp3400c stereo.
bktr0: Detected a MSP3410D-B4
ahc0: <Adaptec 2940A Ultra SCSI adapter> rev 0x01 int a irq 15 on pci0.17.0
ahc0: aic7860 Single Channel A, SCSI Id=7, 3/255 SCBs
Probing for PnP devices:
CSN 1 Vendor ID: CTL00f0 [0xf0008c0e] Serial 0xffffffff Comp ID: PNPb02f [0x2fb0d041]
pcm1 (SB16pnp <Vibra16X> sn 0xffffffff) at 0x220-0x22f irq 5 drq 0 flags 0x11 on isa
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
psm0 irq 12 on isa
psm0: model Generic PS/2 mouse, device ID 0
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
ppc0 at 0x378 irq 7 flags 0x40 on isa
ppc0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
lpt0: <generic printer> on ppbus 0
lpt0: Interrupt-driven port
ppi0: <generic parallel i/o> on ppbus 0
plip0: <PLIP network interface> on ppbus 0
1 3C5x9 board(s) on ISA found at 0x340
ep0 at 0x340-0x34f irq 10 on isa
ep0: aui/utp/bnc[*UTP*] address 00:60:97:94:d0:e7
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: INT 16 interface
apm0 flags 0x31 on isa
apm: found APM BIOS version 1.2
pcm0 not found
Waiting 8 seconds for SCSI devices to settle
sa0 at ahc0 bus 0 target 2 lun 0
sa0: <HP C1533A 9406> Removable Sequential Access SCSI-2 device 
sa0: 10.000MB/s transfers (10.000MHz, offset 8)
da1 at ahc0 bus 0 target 1 lun 0
da1: <FUJITSU M2694ES-512 8134> Fixed Direct Access SCSI-CCS device 
da1: 3.300MB/s transfers
da1: 1033MB (2117025 512 byte sectors: 255H 63S/T 131C)
da0 at ahc0 bus 0 target 0 lun 0
da0: <FUJITSU M2954S-512 0147> Fixed Direct Access SCSI-2 device 
da0: 10.000MB/s transfers (10.000MHz, offset 15), Tagged Queueing Enabled
da0: 4149MB (8498506 512 byte sectors: 255H 63S/T 529C)
da2 at ahc0 bus 0 target 3 lun 0
da2: <SEAGATE ST118273N 6244> Fixed Direct Access SCSI-2 device 
da2: 10.000MB/s transfers (10.000MHz, offset 15), Tagged Queueing Enabled
da2: 17366MB (35566480 512 byte sectors: 255H 63S/T 2213C)
changing root device to da0s2a
da3 at ahc0 bus 0 target 6 lun 0
da3: <QUANTUM FIREBALL SE8.4S PJ09> Fixed Direct Access SCSI-2 device 
da3: 10.000MB/s transfers (10.000MHz, offset 15), Tagged Queueing Enabled
da3: 8191MB (16777215 512 byte sectors: 255H 63S/T 1044C)
cd0 at ahc0 bus 0 target 4 lun 0
cd0: <PLEXTOR CD-ROM PX-32CS 1.00> Removable CD-ROM SCSI-2 device 
cd0: 10.000MB/s transfers (10.000MHz, offset 15)
cd0: Attempt to query device size failed: NOT READY, Medium not present
WARNING: / was not properly dismounted

==> gdb <==
aw1@titus sys/compile/TITUS$ gdb -k kernel.debug /var/crash/vmcore.8
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD 3420160
initial pcb at 27962c
panicstr: rlist_free: free start overlaps already freed area
panic messages:
---
panic: rlist_free: free start overlaps already freed area

syncing disks... 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 giving up

dumping to dev 30401, offset 131072
dump 128 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
---
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
285			dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
#1  0xc014f670 in at_shutdown (
    function=0xc0247de4 <__set_sysinit_set_sym_logdev_sys_init+124>, arg=0x7, 
    queue=0) at ../../kern/kern_shutdown.c:446
#2  0xc01590a2 in rlist_free (rlh=0xc0295524, start=0, end=7)
    at ../../kern/subr_rlist.c:159
#3  0xc01f3b6b in swap_pager_freeswapspace (object=0xc6490000, from=0, to=7)
    at ../../vm/swap_pager.c:422
#4  0xc01f3c4c in swap_pager_freespace (object=0xc6490000, start=33, 
    size=101149) at ../../vm/swap_pager.c:445
#5  0xc01f90ad in vm_map_delete (map=0xc6391500, start=134807552, 
    end=549113856) at ../../vm/vm_map.c:1833
#6  0xc01f9150 in vm_map_remove (map=0xc6391500, start=134807552, 
    end=549113856) at ../../vm/vm_map.c:1874
#7  0xc02007e7 in obreak (p=0xc639f600, uap=0xc643ef84)
    at ../../vm/vm_unix.c:107
#8  0xc021f1ef in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 134807552, 
      tf_esi = 134549824, tf_ebp = -1077946604, tf_isp = -968626220, 
      tf_ebx = 671987336, tf_edx = 671987316, tf_ecx = 671987312, tf_eax = 17, 
      tf_trapno = 7, tf_err = 2, tf_eip = 671951256, tf_cs = 31, 
      tf_eflags = 647, tf_esp = -1077946640, tf_ss = 39})
    at ../../i386/i386/trap.c:1100
#9  0xc021225c in Xint0x80_syscall ()
#10 0x280d2402 in ?? ()
#11 0x804c1d0 in ?? ()
#12 0x804b09f in ?? ()
#13 0x804a6d9 in ?? ()
#14 0x8049115 in ?? ()
(kgdb) quit

>How-To-Repeat:

	I have been unable to reproduce the problem on demand.  Possibly relevant
	components of the problem are:

	These pipelines:

        tifftopnm PYEA87.TIF |
                ppmquant -floyd 2 |
                pnmflip -r90 |
                pnmscale -xsize 1181 |
                ppmtogif -interlace  > out

        tifftopnm PYEA97.TIF |
                ppmquant -floyd 2 |
                pnmscale -xsize 750 |
                ppmtogif -interlace > out

	(now amended to run singly with intermediate files)

        sendmail / procmail - the pipelines are run as part of a
        make, run by cron. Quite often after the crash my mailbox is
        corrupted, with a message terminating with a number of nulls,
        followed by the cron message.

        A heavy system load - inn processing "suck"ed news, sendmail,
        often cvsup or cvs.

	If changing the pipeline makes the problem go away, I'll still be able to reinstate
	it if needed for diagnostic patches, etc.

>Fix:
	
	Wish I knew.

>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message



