From owner-freebsd-bugs Tue Dec 19 02:32:18 1995
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id CAA06146 for bugs-outgoing; Tue, 19 Dec 1995 02:32:18 -0800 (PST)
Received: from Root.COM (implode.Root.COM [198.145.90.17]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id CAA06139 for ; Tue, 19 Dec 1995 02:32:14 -0800 (PST)
Received: from corbin.Root.COM (corbin [198.145.90.50]) by Root.COM (8.6.12/8.6.5) with ESMTP id CAA02548; Tue, 19 Dec 1995 02:32:13 -0800
Received: from localhost (localhost [127.0.0.1]) by corbin.Root.COM (8.6.12/8.6.5) with SMTP id CAA00152; Tue, 19 Dec 1995 02:41:04 -0800
Message-Id: <199512191041.CAA00152@corbin.Root.COM>
To: Peter Dufault
cc: gibbs@freefall.freebsd.org, m.sapsed@bangor.ac.uk, hm@hcs.de, freebsd-bugs@freebsd.org
Subject: Re: Problem with FreeBSD 2.1.0-RELEASE
In-reply-to: Your message of "Tue, 19 Dec 95 03:42:52 EST." <199512190842.DAA19622@hda.com>
From: David Greenman
Reply-To: davidg@Root.COM
Date: Tue, 19 Dec 1995 02:40:52 -0800
Sender: owner-bugs@freebsd.org
Precedence: bulk

>> >> Fatal trap 12: page fault while in kernel mode
>> >> Fault virtual address = 0x60
>> >> Fault code = supervisor read, page not present
>> ...
>> >> Stopped at _incore+0x48: cmpl %esi, 0x48(%ebx)
>> >
> >...
>
>> >> This is a "can't happen" panic.
>
>I don't think so. The offset to the b_lblkno was 72 (0x48) and
>the fault address was 0x60, so the bp in %ebx was 0x24 at the check
>for NULL.

   Oh, sorry - my quick base conversion went astray somewhere. :-)
   Okay, the problem looks like the buffer is getting trashed after being
put on the hash list. In order to diagnose this problem, I suggest adding a
check in incore() for bp->b_hash.le_next != NULL && bp->b_hash.le_next <
(struct buf *) 0x100 at the bottom of the while loop (before bp is assigned)
and if this becomes true, print the value of bp. Then either using DDB or
more printf's, print out the contents of the buffer. What to look for?
...I don't really know, but this should at least give some clues about the
origin of the buffer and the extent of the corruption. My guess is that a
temporary bp is getting put on the hash list and then later freed (or freed,
then put on the hash list, then remalloced and then corrupted).

-DG