From: Andrew Gallatin <gallatin@cs.duke.edu>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Wed, 1 Feb 2006 10:47:52 -0500
Subject: Re: cvs commit: src/sys/kern kern_malloc.c src/share/man/man9 Makefile redzone.9 src/sys/vm redzone.c redzone.h src/sys/conf NOTES files options
Message-ID: <20060201104752.A68774@grasshopper.cs.duke.edu>
In-Reply-To: <200601311109.k0VB9MRq025366@repoman.freebsd.org>

Pawel Jakub Dawidek [pjd@FreeBSD.org] wrote:
> pjd         2006-01-31 11:09:22 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     sys/kern             kern_malloc.c
>     share/man/man9       Makefile
>     sys/conf             NOTES files options
>   Added files:
>     share/man/man9       redzone.9
>     sys/vm               redzone.c redzone.h
>   Log:
>   Add buffer corruption protection (RedZone) for kernel's malloc(9).
>   It detects both buffer underflow and buffer overflow bugs at runtime
>   (on free(9) and realloc(9)) and prints backtraces from where memory was
>   allocated and from where it was freed.
>

If I enable DEBUG_REDZONE on an amd64 machine (UP, 512MB RAM), I get this
panic on startup:

FreeBSD 7.0-CURRENT #0: Tue Jan 31 17:17:41 EST 2006
    gallatin@venice:/usr/src/sys/amd64/compile/VENICEW
WARNING: WITNESS option enabled, expect reduced performance.
Memory modified after free 0xffffff0000006d00(248) val=5 @ 0xffffff0000006dd0
kernel trap 9 with interrupts disabled

Fatal trap 9: general protection fault while in kernel mode
instruction pointer     = 0x8:0xffffffff80302bd0
stack pointer           = 0x10:0xffffffff8075c9f0
frame pointer           = 0x10:0xffffffff8075cb10
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = resume, IOPL = 0
current process         = 0 ()
[thread pid 0 tid 0 ]
Stopped at      strlen: cmpb    $0,0(%rdi)
db> tr
Tracing pid 0 tid 0 td 0xffffffff805d70a0
strlen() at strlen
vsnprintf() at vsnprintf+0x2e
panic() at panic+0x18c
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0xb0
init_dynamic_kenv() at init_dynamic_kenv+0x6b
mi_startup() at mi_startup+0xd3
btext() at btext+0x2c
db>

The place where it tried to panic is:

(gdb) l *mtrash_ctor +0x78
0xffffffff8039b128 is at ../../../vm/uma_dbg.c:137.
132
133             for (p = mem; cnt > 0; cnt--, p++)
134                     if (*p != uma_junk) {
135                             printf("Memory modified after free %p(%d) val=%x @ %p\n",
136                                 mem, size, *p, p);
137                             panic("Most recently used by %s\n", (*ksp == NULL)?
138                                 "none" : (*ksp)->ks_shortdesc);
139                     }
140             return (0);
141     }

Removing DEBUG_REDZONE allows me to boot again.

Does DEBUG_REDZONE not work on amd64, or is there a bad interaction in
general with the mtrash'ing done by INVARIANTS, or is this something else
entirely?

Drew
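The two checks this thread is about, guard bytes verified when a buffer is freed (the RedZone commit) and a junk fill verified when a freed buffer is handed out again (the mtrash_ctor check that fired in the trace), as a userland model. This is example code added for this page, not FreeBSD's redzone.c or uma_dbg.c: the header layout, the 16-byte guards, the fill patterns, the one-slot free list and every rz_* name are assumptions made for the illustration.

```c
/*
 * Userland model of red-zone and junk-fill checking for a malloc-style
 * allocator. Added illustration, not FreeBSD's redzone.c or uma_dbg.c;
 * layout, guard width, patterns, the one-slot free list and all rz_* names
 * are assumptions made for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RZ_GUARD   16    /* guard bytes placed before and after the buffer */
#define RZ_PATTERN 0xA5  /* fill for both guards, verified on free */
#define RZ_JUNK    0x5A  /* fill for a freed block, verified on reuse (cf. uma_junk) */

struct rz_hdr {
    size_t  size;             /* length the caller asked for */
    uint8_t guard[RZ_GUARD];  /* leading red zone: an underflow lands here */
};

struct rz_report {
    int underflow;  /* leading guard bytes found overwritten at free */
    int overflow;   /* trailing guard bytes found overwritten at free */
};

/* One-slot free list: the last freed block is kept, junk-filled, so the next
 * allocation of the same size gets it back and its junk can be checked. */
static uint8_t *rz_cached_raw;
static size_t   rz_cached_len;

static size_t rz_total(size_t n) { return sizeof(struct rz_hdr) + n + RZ_GUARD; }

static int rz_count_not(const uint8_t *p, size_t n, uint8_t want)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != want)
            bad++;
    return bad;
}

/* Allocate n bytes. When a junk-filled block is reused, *modified (if given)
 * receives the number of junk bytes that changed while the block was free. */
void *rz_malloc(size_t n, int *modified)
{
    uint8_t *raw;
    if (modified != NULL)
        *modified = 0;
    if (rz_cached_raw != NULL && rz_cached_len == rz_total(n)) {
        raw = rz_cached_raw;
        rz_cached_raw = NULL;
        if (modified != NULL)   /* the "Memory modified after free" check */
            *modified = rz_count_not(raw, rz_cached_len, RZ_JUNK);
    } else if ((raw = malloc(rz_total(n))) == NULL) {
        return NULL;
    }
    struct rz_hdr *h = (struct rz_hdr *)raw;
    h->size = n;
    memset(h->guard, RZ_PATTERN, RZ_GUARD);
    uint8_t *user = raw + sizeof *h;
    memset(user + n, RZ_PATTERN, RZ_GUARD);   /* trailing red zone */
    return user;
}

/* Free: verify both guards, then junk-fill the whole block and cache it. */
struct rz_report rz_free(void *user)
{
    struct rz_report r = { 0, 0 };
    if (user == NULL)
        return r;
    uint8_t *raw = (uint8_t *)user - sizeof(struct rz_hdr);
    size_t n = ((struct rz_hdr *)raw)->size;
    r.underflow = rz_count_not(((struct rz_hdr *)raw)->guard, RZ_GUARD, RZ_PATTERN);
    r.overflow  = rz_count_not((uint8_t *)user + n, RZ_GUARD, RZ_PATTERN);
    if (r.underflow != 0 || r.overflow != 0)
        fprintf(stderr, "REDZONE: %p(%zu) underflow=%d overflow=%d bytes\n",
            user, n, r.underflow, r.overflow);
    memset(raw, RZ_JUNK, rz_total(n));
    free(rz_cached_raw);          /* drop the previously cached block */
    rz_cached_raw = raw;
    rz_cached_len = rz_total(n);
    return r;
}

/* The bugs the checks are meant to catch; each write below is deliberate. */
struct rz_report demo_overflow(void)
{
    char *buf = rz_malloc(8, NULL);
    for (int i = 0; i < 12; i++)  /* 4 bytes past the end */
        buf[i] = 'A';
    return rz_free(buf);
}

struct rz_report demo_underflow(void)
{
    char *buf = rz_malloc(8, NULL);
    buf[-1] = 'B';                /* 2 bytes before the start */
    buf[-2] = 'B';
    return rz_free(buf);
}

int demo_use_after_free(void)
{
    int modified = 0;
    char *buf = rz_malloc(8, NULL);
    rz_free(buf);
    buf[3] = 'C';                 /* write through the stale pointer */
    char *again = rz_malloc(8, &modified);   /* same size: gets the block back */
    rz_free(again);
    return modified;
}

int main(void)
{
    struct rz_report o = demo_overflow(), u = demo_underflow();
    printf("overflow=%d underflow=%d modified_after_free=%d\n",
        o.overflow, u.underflow, demo_use_after_free());
    return 0;
}
```

The two checks are independent: the guards are inspected when the buffer is freed, the junk fill when the freed block is reused, which is the point in the trace above where mtrash_ctor reported "Memory modified after free". A real kernel implementation has to keep its own bookkeeping (sizes, backtraces, type pointers) somewhere the checked fills do not cover, otherwise the report path itself can read trashed data.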