Date:      Mon, 15 Apr 2013 10:35:17 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Gleb Kurtsou <gleb@freebsd.org>
Cc:        FreeBSD-current <freebsd-current@freebsd.org>, Shawn Webb <lattera@gmail.com>
Subject:   Re: r248583 Kernel panic: negative refcount 0xfffffe0031b59168
Message-ID:  <20130415083517.GB1410@garage.freebsd.pl>
In-Reply-To: <20130414044314.GA1115@reks>
References:  <CADt0fhwsOgFOCMg4ZGqMTtuUu8jqTyQGdbkvFfb3RS1YdijQ-g@mail.gmail.com> <20130414044314.GA1115@reks>

On Sat, Apr 13, 2013 at 09:43:14PM -0700, Gleb Kurtsou wrote:
> On (22/03/2013 11:51), Shawn Webb wrote:
> > Hey All,
> >
> > I'm not sure if this is a result of r248583 or a different commit, but I
> > hit a kernel panic when closing Chrome. I've linked to the info and
> > core.txt files below. If you need me to ship you the vmcore file, let me
> > know. It's 1.1GB in size.
> >
> > Other than the pasted files, I'm not too sure where to go from here. If
> > there's any other info you need, please let me know. I'm a newb at
> > submitting this kind of stuff.
> >
> > Paste of info file: http://ix.io/4Qo
> > Paste of core.txt file: http://ix.io/4Qp
>
> Shawn, did you find workaround for the problem?
>
> I've just upgraded to recent HEAD and see the same panic on closing
> chrome. Switching back to r247601 just before "Merge Capsicum overhaul"
> commit makes panic disappear.

I did receive Shawn's report some time ago, I even installed Chromium to
try to reproduce it, but it didn't crash for me yet.

If there are some easy, but reliable steps to reproduce it, like "open
this webpage in tab 1, then this webpage in tab 2, then close tab 1"
that would be great. This kernel coredump is not really useful, as we
this is legitimate case of decrementing reference counter. The problem
is that something decremented it earlier when it shouldn't or it wasn't
incremented somewhere. DTrace might be useful tool here if we could
instrument it to log backtrace of all increments and decrements done by
the Chromium processes.

> ~ # kgdb -n 1
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-marcel-freebsd"...
>
> Unread portion of the kernel message buffer:
> VNASSERT failed
> 0xfffffe0196700760: tag none, type VBAD
>     usecount 0, writecount 0, refcount 0 mountedhere 0
>     flags (VV_NOSYNC|VI_DOOMED)
>     lock type zfs: UNLOCKED
> panic: No vop_advlock(0xfffffe0196700760, 0xffffff823adb9908)
> cpuid = 3
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xffffff823adb9740
> kdb_backtrace() at kdb_backtrace+0x39/frame 0xffffff823adb97f0
> vpanic() at vpanic+0x127/frame 0xffffff823adb9830
> kassert_panic() at kassert_panic+0x136/frame 0xffffff823adb98a0
> VOP_ADVLOCK_APV() at VOP_ADVLOCK_APV+0x92/frame 0xffffff823adb98d0
> closef() at closef+0x9a/frame 0xffffff823adb9960
> closefp() at closefp+0xa0/frame 0xffffff823adb99b0
> amd64_syscall() at amd64_syscall+0x1f9/frame 0xffffff823adb9ab0
> Xfast_syscall() at Xfast_syscall+0xfb/frame 0xffffff823adb9ab0
> --- syscall (6, FreeBSD ELF64, sys_close), rip = 0x80aeaaa8a, rsp = 0x7ffffebf3f38, rbp = 0x7ffffebf3f50 ---
> [...]
> (kgdb) fr 0
> #0  doadump (textdump=1) at pcpu.h:231
> 231	pcpu.h: No such file or directory.
> 	in pcpu.h
> (kgdb) up
> #1  0xffffffff804f5827 in kern_reboot (howto=260) at /freebsd-src/local/sys/kern/kern_shutdown.c:447
> 447			doadump(TRUE);
> (kgdb)
> #2  0xffffffff804f5d36 in vpanic (fmt=<value optimized out>, ap=<value optimized out>)
>     at /freebsd-src/local/sys/kern/kern_shutdown.c:754
> 754		kern_reboot(bootopt);
> (kgdb)
> #3  0xffffffff804f5bc6 in kassert_panic (fmt=<value optimized out>)
>     at /freebsd-src/local/sys/kern/kern_shutdown.c:642
> 642			vpanic(fmt, ap);
> (kgdb)
> #4  0xffffffff80747aa2 in VOP_ADVLOCK_APV (vop=<value optimized out>, a=0xffffff823adb9908)
>     at vnode_if.c:2522
> 2522		VNASSERT(vop != NULL, a->a_vp, ("No vop_advlock(%p, %p)", a->a_vp, a));
> (kgdb)
> #5  0xffffffff804b8eaa in closef (fp=0xfffffe014da8ccd0, td=0xfffffe0014aea920) at vnode_if.h:1041
> 1041	vnode_if.h: No such file or directory.
> 	in vnode_if.h
> (kgdb)
> #6  0xffffffff804b7030 in closefp (fdp=0xfffffe001c8c4800, fd=<value optimized out>, fp=0xfffffe014da8ccd0,
>     td=0xfffffe0014aea920, holdleaders=<value optimized out>)
>     at /freebsd-src/local/sys/kern/kern_descrip.c:1136
> 1136		error = closef(fp, td);
> (kgdb) p *fp
> $5 = {f_data = 0xfffffe0196700760, f_ops = 0xffffffff80a477b8, f_cred = 0xfffffe0067907600,
>   f_vnode = 0xfffffe0196700760, f_type = 1, f_vnread_flags = 0, f_flag = 3, f_count = 0, f_seqcount = 0,
>   f_nextoff = 16388, f_vnun = {fvn_cdevpriv = 0x0, fvn_advice = 0x0}, f_offset = 16388, f_label = 0x0}
> (kgdb) p *fp
> $6 = {f_data = 0xfffffe0196700760, f_ops = 0xffffffff80a477b8, f_cred = 0xfffffe0067907600,
>   f_vnode = 0xfffffe0196700760, f_type = 1, f_vnread_flags = 0, f_flag = 3, f_count = 0, f_seqcount = 0,
>   f_nextoff = 16388, f_vnun = {fvn_cdevpriv = 0x0, fvn_advice = 0x0}, f_offset = 16388, f_label = 0x0}
> (kgdb) p fp->f_vnode
> $7 = (struct vnode *) 0xfffffe0196700760
> (kgdb) p *fp->f_vnode
> $8 = {v_tag = 0xffffffff807a3e35 "none", v_op = 0x0, v_data = 0x0, v_mount = 0x0, v_nmntvnodes = {
>     tqe_next = 0xfffffe014fd95760, tqe_prev = 0xfffffe011d500958}, v_un = {vu_mount = 0x0, vu_socket = 0x0,
>     vu_cdev = 0x0, vu_fifoinfo = 0x0}, v_hashlist = {le_next = 0x0, le_prev = 0x0}, v_cache_src = {
>     lh_first = 0x0}, v_cache_dst = {tqh_first = 0x0, tqh_last = 0xfffffe01967007b0}, v_cache_dd = 0x0,
>   v_lock = {lock_object = {lo_name = 0xffffffff80dddbb1 "zfs", lo_flags = 91881472, lo_data = 0,
>       lo_witness = 0x0}, lk_lock = 1, lk_exslpfail = 0, lk_timo = 51, lk_pri = 96}, v_interlock = {
>     lock_object = {lo_name = 0xffffffff807bfbb9 "vnode interlock", lo_flags = 16908288, lo_data = 0,
>       lo_witness = 0x0}, mtx_lock = 6}, v_vnlock = 0xfffffe01967007c8, v_actfreelist = {
>     tqe_next = 0xfffffe0031985b10, tqe_prev = 0xfffffe014fd95820}, v_bufobj = {bo_mtx = {lock_object = {
>         lo_name = 0xffffffff807bfbc9 "bufobj interlock", lo_flags = 16908288, lo_data = 0,
>         lo_witness = 0x0}, mtx_lock = 6}, bo_ops = 0xffffffff80a5af10, bo_object = 0x0, bo_synclist = {
>       le_next = 0x0, le_prev = 0x0}, bo_private = 0xfffffe0196700760, __bo_vnode = 0xfffffe0196700760,
>     bo_clean = {bv_hd = {tqh_first = 0x0, tqh_last = 0xfffffe0196700880}, bv_root = 0x0, bv_cnt = 0},
>     bo_dirty = {bv_hd = {tqh_first = 0x0, tqh_last = 0xfffffe01967008a0}, bv_root = 0x0, bv_cnt = 0},
>     bo_numoutput = 0, bo_flag = 0, bo_bsize = 131072}, v_pollinfo = 0x0, v_label = 0x0, v_lockf = 0x0,
>   v_rl = {rl_waiters = {tqh_first = 0x0, tqh_last = 0xfffffe01967008e8}, rl_currdep = 0x0}, v_cstart = 0,
>   v_lasta = 0, v_lastw = 0, v_clen = 0, v_holdcnt = 0, v_usecount = 0, v_iflag = 128, v_vflag = 4,
>   v_writecount = 0, v_hash = 26636295, v_type = VBAD}
>
>
> # kgdb -n 0
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-marcel-freebsd"...
>
> Unread portion of the kernel message buffer:
> panic: negative refcount 0xfffffe0059a400c8
> cpuid = 0
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xffffff823aff8770
> kdb_backtrace() at kdb_backtrace+0x39/frame 0xffffff823aff8820
> vpanic() at vpanic+0x127/frame 0xffffff823aff8860
> kassert_panic() at kassert_panic+0x136/frame 0xffffff823aff88d0
> closef() at closef+0x1ff/frame 0xffffff823aff8960
> closefp() at closefp+0xa0/frame 0xffffff823aff89b0
> amd64_syscall() at amd64_syscall+0x1f9/frame 0xffffff823aff8ab0
> Xfast_syscall() at Xfast_syscall+0xfb/frame 0xffffff823aff8ab0
> --- syscall (6, FreeBSD ELF64, sys_close), rip = 0x80aeaaa8a, rsp = 0x7fffffffbd28, rbp = 0x7fffffffbd40 ---
> Uptime: 21m3s
> [...]
> (kgdb) bt
> #0  doadump (textdump=1) at pcpu.h:231
> #1  0xffffffff804f5827 in kern_reboot (howto=260) at /freebsd-src/local/sys/kern/kern_shutdown.c:447
> #2  0xffffffff804f5d36 in vpanic (fmt=<value optimized out>, ap=<value optimized out>)
>     at /freebsd-src/local/sys/kern/kern_shutdown.c:754
> #3  0xffffffff804f5bc6 in kassert_panic (fmt=<value optimized out>)
>     at /freebsd-src/local/sys/kern/kern_shutdown.c:642
> #4  0xffffffff804b900f in closef (fp=<value optimized out>, td=<value optimized out>) at refcount.h:66
> #5  0xffffffff804b7030 in closefp (fdp=0xfffffe018dc79800, fd=<value optimized out>, fp=0xfffffe0059a400a0,
>     td=0xfffffe016dfca920, holdleaders=<value optimized out>)
>     at /freebsd-src/local/sys/kern/kern_descrip.c:1136
> #6  0xffffffff806e26c9 in amd64_syscall (td=0xfffffe016dfca920, traced=0) at subr_syscall.c:134
> #7  0xffffffff806cb13b in Xfast_syscall () at exception.S:387
> #8  0x000000080aeaaa8a in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> Current language:  auto; currently minimal
> (kgdb)
>
> >
> > Thanks,
> >
> > Shawn Webb

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
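
The point made in the reply above, that the assertion fires at a legitimate decrement while the faulty one happened earlier, as a small userland C model of logging every increment and decrement. This is an added example, not code from the thread or from FreeBSD; `traced_ref`, the scope labels and the sample trace are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_EVENTS 32

/* One logged change: +1 (hold) or -1 (drop), tagged with a hypothetical code path. */
struct ref_event { int delta; const char *scope; };
struct traced_ref { int count, nevents; struct ref_event log[MAX_EVENTS]; };

static void ref_change(struct traced_ref *r, int delta, const char *scope) {
    if (r->nevents < MAX_EVENTS)
        r->log[r->nevents++] = (struct ref_event){ delta, scope };
    r->count += delta;
}

/* Event at which the total first goes negative: where the assertion would fire. */
static int panic_event(const struct traced_ref *r) {
    for (int i = 0, total = 0; i < r->nevents; i++)
        if ((total += r->log[i].delta) < 0) return i;
    return -1;
}

/* First drop made by a code path that holds no reference of its own: the real bug. */
static int first_unpaired_drop(const struct traced_ref *r) {
    const char *names[MAX_EVENTS]; int bal[MAX_EVENTS], n = 0;
    for (int i = 0; i < r->nevents; i++) {
        int s = 0;
        while (s < n && strcmp(names[s], r->log[i].scope) != 0) s++;
        if (s == n) { names[n] = r->log[i].scope; bal[n++] = 0; }
        if ((bal[s] += r->log[i].delta) < 0) return i;
    }
    return -1;
}

/* Constructed trace, not taken from the crash dump in this thread. */
static struct traced_ref sample_trace(void) {
    struct traced_ref r = { 0 };
    ref_change(&r, +1, "open/close");  /* 0: descriptor created */
    ref_change(&r, +1, "syscall");     /* 1: in-flight syscall holds the file */
    ref_change(&r, -1, "syscall");     /* 2: matching drop */
    ref_change(&r, -1, "error-path");  /* 3: drop with no matching hold */
    ref_change(&r, -1, "open/close");  /* 4: close(): legitimate, but count is now -1 */
    return r;
}

int main(void) {
    struct traced_ref r = sample_trace();
    printf("assertion fires at event %d; unpaired drop is event %d\n", panic_event(&r), first_unpaired_drop(&r));
    return 0;
}
```

The backtrace at the panic corresponds to event 4 only; the per-path log is what exposes event 3.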
