Date: Tue, 10 Feb 2004 23:10:53 -0500 From: "Brian F. Feldman" <green@FreeBSD.org> To: current@FreeBSD.org Subject: Re: panic (page fault) in poll (on pipe) Message-ID: <200402110410.i1B4Aren001195@green.homeunix.org> In-Reply-To: Message from Brian Fundakowski Feldman <green@FreeBSD.org> <200402100457.i1A4v1As001530@green.homeunix.org>
next in thread | previous in thread | raw e-mail | index | archive | help
With Alfred's help, I think I've determined the send side of the socket not
calling selwakeup() is the problem. If there's a missing selwakeup{,pri}(),
then the object can be freed while it's still on the select/poll queues.
So far, I haven't had a crash, whereas mozilla, running multithreaded, with
libpthread on SMP, can otherwise cause it very quickly.
Index: uipc_socket.c
===================================================================
RCS file: /usr/ncvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.161
diff -u -r1.161 uipc_socket.c
--- uipc_socket.c 31 Jan 2004 10:40:23 -0000 1.161
+++ uipc_socket.c 11 Feb 2004 03:36:05 -0000
@@ -291,6 +291,7 @@
struct socket *so;
{
struct socket *head = so->so_head;
+ int s;
KASSERT(so->so_count == 0, ("socket %p so_count not 0", so));
@@ -314,6 +315,12 @@
so->so_state &= ~SS_INCOMP;
so->so_head = NULL;
}
+ so->so_snd.sb_flags |= SB_NOINTR;
+ (void)sblock(&so->so_snd, M_WAITOK);
+ s = splimp();
+ socantsendmore(so);
+ splx(s);
+ sbunlock(&so->so_snd);
sbrelease(&so->so_snd, so);
sorflush(so);
sodealloc(so);
--
Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\
<> green@FreeBSD.org \ The Power to Serve! \
Opinions expressed are my own. \,,,,,,,,,,,,,,,,,,,,,,\
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200402110410.i1B4Aren001195>