Date: Fri, 09 Jan 1998 11:57:42 -0800 From: David Greenman <dg@root.com> To: Penisoara Adrian <ady@warpnet.ro> Cc: Kevin Day <toasty@home.dragondata.com>, freebsd-current@FreeBSD.ORG Subject: Re: Fatal trap 12 & debugging info ?? Message-ID: <199801091957.LAA08072@implode.root.com> In-Reply-To: Your message of "Fri, 09 Jan 1998 21:29:54 %2B0200." <Pine.BSF.3.96.980109211858.290A-100000@ady.warpnet.ro>
next in thread | previous in thread | raw e-mail | index | archive | help
> I've manually patched kern_exec.c (rev 1.69 introduced a <pioctl.h>
>include and a STOPEVENT() call, make depend wasn't so happy with those)
>and now I'm awaiting... hoping it won't panic anymore :)
Hmmm.
> BTW, I can't find PR#5313 (GNATS didn't find it, or I'm not using the
>right query params) that "bde" made reference to in r1.70 CVS log; any
>kind soul care to help me finding it ?
Attached.
-DG
David Greenman
Core-team/Principal Architect, The FreeBSD Project
>From dima@burka.rdy.com Tue Dec 16 00:28:31 1997
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30])
by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA06695
for <FreeBSD-gnats-submit@freebsd.org>; Tue, 16 Dec 1997 00:28:30 -0800 (PST)
(envelope-from dima@burka.rdy.com)
Received: by burka.rdy.com id AAA27196;
(8.8.8/RDY) Tue, 16 Dec 1997 00:28:29 -0800 (PST)
Message-Id: <199712160828.AAA27196@burka.rdy.com>
Date: Tue, 16 Dec 1997 00:28:29 -0800 (PST)
>From: dima@best.net
Reply-To: dima@best.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: panic: free: multiple frees
X-Send-Pr-Version: 3.2
>Number: 5313
>Category: kern
>Synopsis: system crashes with "free: multiple frees" message.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: closed
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 16 00:30:00 PST 1997
>Last-Modified: Sat Dec 20 12:00:53 MET 1997
>Originator: Dima Ruban
>Organization:
BEST Internet Communications, Inc.
>Release: FreeBSD 2.2.5-STABLE i386
>Environment:
Here's dmesg output:
Copyright (c) 1992-1997 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
FreeBSD 2.2.5-STABLE #20: Wed Dec 3 11:33:30 PST 1997
dillon@tick.best.net:/src/src/sys/compile/BEST
CPU: Pentium Pro (199.31-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x619 Stepping=9
Features=0xf9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,<b11>,MTRR,PGE,MCA,CMOV>
real memory = 134217728 (131072K bytes)
avail memory = 121167872 (118328K bytes)
Probing for devices on PCI bus 0:
chip0 <Intel 82440FX (Natoma) PCI and memory controller> rev 2 on pci0:0
chip1 <Intel 82371SB PCI-ISA bridge> rev 1 on pci0:1:0
chip2 <Intel 82371SB IDE interface> rev 0 on pci0:1:1
vga0 <VGA-compatible display device> rev 211 int a irq 12 on pci0:10
de0 <Digital 21140A Fast Ethernet> rev 32 int a irq 10 on pci0:11
de0: SMC 9332BDT 21140A [10-100Mb/s] pass 2.0
de0: address 00:e0:29:06:cc:47
ahc0 <Adaptec 2940 Ultra SCSI host adapter> rev 0 int a irq 11 on pci0:12
ahc0: aic7880 Wide Channel, SCSI Id=7, 16 SCBs
ahc0 waiting for scsi devices to settle
ahc0: target 0 Tagged Queuing Device
(ahc0:0:0): "SEAGATE ST34371W 0484" type 0 fixed SCSI 2
sd0(ahc0:0:0): Direct-Access 4148MB (8496884 512 byte sectors)
sd0(ahc0:0:0): with 5172 cyls, 10 heads, and an average 164 sectors/track
ahc0: target 1 Tagged Queuing Device
(ahc0:1:0): "SEAGATE ST19171W 0023" type 0 fixed SCSI 2
sd1(ahc0:1:0): Direct-Access 8683MB (17783112 512 byte sectors)
sd1(ahc0:1:0): with 5268 cyls, 20 heads, and an average 168 sectors/track
ahc0: target 2 Tagged Queuing Device
(ahc0:2:0): "SEAGATE ST19171W 0023" type 0 fixed SCSI 2
sd2(ahc0:2:0): Direct-Access 8683MB (17783112 512 byte sectors)
sd2(ahc0:2:0): with 5268 cyls, 20 heads, and an average 168 sectors/track
Probing for devices on the ISA bus:
sc0 at 0x60-0x6f irq 1 on motherboard
sc0: VGA color <16 virtual consoles, flags=0x0>
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
lpt0 at 0x378-0x37f irq 7 on isa
lpt0: Interrupt-driven port
lp0: TCP/IP capable interface
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
npx0 on motherboard
npx0: INT 16 interface
ccd0: Concatenated disk driver
>Description:
System panics with 'panic: free: multiple frees' randomly.
Hardware configuration is summarized in boot output, above.
Crash dump is available.
Here's backtrace from the dump:
#0 boot (howto=0x104) at ../../kern/kern_shutdown.c:266
#1 0xf01132a3 in panic (fmt=0xf0101459 "from debugger")
at ../../kern/kern_shutdown.c:390
#2 0xf0101475 in db_panic (dummy1=0xf01b5149, dummy2=0x0, dummy3=0xffffffff,
dummy4=0xefbffc90 "") at ../../ddb/db_command.c:440
#3 0xf0101365 in db_command (last_cmdp=0xf01ddb24, cmd_table=0xf01dd974,
aux_cmd_tablep=0xf02032d0) at ../../ddb/db_command.c:337
#4 0xf01014e2 in db_command_loop () at ../../ddb/db_command.c:462
#5 0xf0103c38 in db_trap (type=0x3, code=0x0) at ../../ddb/db_trap.c:73
#6 0xf01b4f4b in kdb_trap (type=0x3, code=0x0, regs=0xefbffd80)
at ../../i386/i386/db_interface.c:126
#7 0xf01be764 in trap (frame={tf_es = 0x10, tf_ds = 0x10,
tf_edi = 0xf1781908, tf_esi = 0xf010fca7, tf_ebp = 0xefbffdc4,
tf_isp = 0xefbffda8, tf_ebx = 0x100, tf_edx = 0xf01b5111,
tf_ecx = 0x3f9, tf_eax = 0x12, tf_trapno = 0x3, tf_err = 0x0,
tf_eip = 0xf01b5149, tf_cs = 0x8, tf_eflags = 0x256,
tf_esp = 0xf01b5101, tf_ss = 0xf0113238}) at ../../i386/i386/trap.c:403
#8 0xf01b5149 in Debugger (msg=0xf0113238 "panic")
at ../../i386/i386/db_interface.c:254
#9 0xf011329a in panic (fmt=0xf010fca7 "free: multiple frees")
at ../../kern/kern_shutdown.c:388
#10 0xf010fd87 in free (addr=0xf5dbd000, type=0x4a)
at ../../kern/kern_malloc.c:342
#11 0xf010c500 in execve (p=0xf2685e00, uap=0xefbfff94, retval=0xefbfff84)
at ../../kern/kern_exec.c:371
#12 0xf01bf1a7 in syscall (frame={tf_es = 0xefbf0027, tf_ds = 0xefbf0027,
tf_edi = 0x50620, tf_esi = 0x0, tf_ebp = 0xefbfdc98,
tf_isp = 0xefbfffe4, tf_ebx = 0x50630, tf_edx = 0x50630,
tf_ecx = 0x5132f, tf_eax = 0x3b, tf_trapno = 0xc, tf_err = 0x7,
tf_eip = 0x28a55, tf_cs = 0x1f, tf_eflags = 0x206, tf_esp = 0xefbfdc7c,
tf_ss = 0x27}) at ../../i386/i386/trap.c:890
#13 0x28a55 in ?? ()
#14 0x34d4 in ?? ()
#15 0x3237 in ?? ()
#16 0x235d in ?? ()
#17 0x21e2 in ?? ()
#18 0x22d7 in ?? ()
#19 0x906b in ?? ()
#20 0x8f7b in ?? ()
#21 0x107e in ?? ()
>How-To-Repeat:
>Fix:
>Audit-Trail:
From: Bruce Evans <bde@zeta.org.au>
To: dima@best.net, FreeBSD-gnats-submit@FreeBSD.ORG
Cc: Subject: Re: kern/5313: panic: free: multiple frees
Date: Tue, 16 Dec 1997 20:53:06 +1100
>#9 0xf011329a in panic (fmt=0xf010fca7 "free: multiple frees")
> at ../../kern/kern_shutdown.c:388
>#10 0xf010fd87 in free (addr=0xf5dbd000, type=0x4a)
> at ../../kern/kern_malloc.c:342
There is one obvious problem. imgp->image_header needs to be cleared
in both arms of the if statement since it is always set). This fix has
not been tested.
Bruce
diff -c2 kern_exec.c~ kern_exec.c
*** kern_exec.c~ Mon Dec 8 06:07:52 1997
--- kern_exec.c Tue Dec 16 20:47:32 1997
***************
*** 219,226 ****
brelse(bp);
bp = NULL;
! } else {
free((void *)imgp->image_header, M_TEMP);
! imgp->image_header = NULL;
! }
/* free old vnode and name buffer */
vrele(ndp->ni_vp);
--- 218,224 ----
brelse(bp);
bp = NULL;
! } else
free((void *)imgp->image_header, M_TEMP);
! imgp->image_header = NULL;
/* free old vnode and name buffer */
vrele(ndp->ni_vp);
State-Changed-From-To: open-feedback
State-Changed-By: davidg
State-Changed-When: Tue Dec 16 08:00:39 PST 1997
State-Changed-Why:
A fix was committed to both -current and -stable that might fix this
problem (and others?!). Please confirm closure.
State-Changed-From-To: feedback-closed
State-Changed-By: joerg
State-Changed-When: Sat Dec 20 12:00:29 MET 1997
State-Changed-Why:
Supplied feedback suggest fix was successful.
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199801091957.LAA08072>