On Sun, Oct 06, 2002 at 11:14:26PM -0700, Terry Lambert wrote: > > Stefan: Did the patch fix it, or not?
Sorry for the long delay. No, it did not. But I now have a rather interesting core dump. I inserted a KASSERT, so that the code looks like this: TAILQ_INSERT_TAIL(&kq->kq_head, &marker, kn_tqe); while (count) { kn = TAILQ_FIRST(&kq->kq_head); KASSERT(kn != NULL, ("TAILQ_FIRST returned NULL")); /* * Skip over all markers which are not ours. This looks * unsafe, but we can't hit the end of the list without * hitting our own marker. */ while ((kn->kn_status & KN_MARKER) && (kn != &marker)) { kn = TAILQ_NEXT(kn, kn_tqe); } TAILQ_REMOVE(&kq->kq_head, kn, kn_tqe); if (kn == &marker) { [...] Script started on Mon Oct 7 11:26:10 2002 frog# ../bin/gdb -k crash/kernel.debug.3 crash/vmcore.3 GNU gdb 5.2.0 (FreeBSD) 20020627 Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-undermydesk-freebsd"... panic: bremfree: bp 0xd2adf6f0 not locked panic messages: --- panic: TAILQ_FIRST returned NULL cpuid = 1; lapic.id = 01000000 panic: from debugger cpuid = 1; lapic.id = 01000000 boot() called on cpu#1 syncing disks... panic: bremfree: bp 0xd2adf6f0 not locked cpuid = 1; lapic.id = 01000000 boot() called on cpu#1 Uptime: 13m27s pfs_vncache_unload(): 1 entries remaining Dumping 1023 MB ata0: resetting devices .. done ad0: timeout sending command=c5 s=d0 e=00 ad0: error executing commandata0: resetting devices .. 
done 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320 336 352 368 384 400 416 432 448 464 480 496 512 528 544 560 576 592 608 624 640 656 672 688 704 720 736 752 768 784 800 816 832 848 864 880 896 912 928 944 960 976 992 1008 --- #0 doadump () at /freebsd/current/src/sys/kern/kern_shutdown.c:223 223 dumping++; (kgdb) bt #0 doadump () at /freebsd/current/src/sys/kern/kern_shutdown.c:223 #1 0xc01ba92a in boot (howto=260) at /freebsd/current/src/sys/kern/kern_shutdown.c:355 #2 0xc01babe7 in panic () at /freebsd/current/src/sys/kern/kern_shutdown.c:508 #3 0xc01fcc77 in bremfree (bp=0xd2adf6f0) at /freebsd/current/src/sys/kern/vfs_bio.c:632 #4 0xc01fe798 in vfs_bio_awrite (bp=0x3) at /freebsd/current/src/sys/kern/vfs_bio.c:1633 #5 0xc02a7afa in ffs_fsync (ap=0xe2c9d8fc) at /freebsd/current/src/sys/ufs/ffs/ffs_vnops.c:252 #6 0xc02a7829 in VOP_FSYNC (vp=0x0, cred=0x0, waitfor=0, td=0x0) at vnode_if.h:612 #7 0xc02a6d3b in ffs_sync (mp=0xc642ba00, waitfor=2, cred=0xc22b2e80, td=0xc03643a0) at /freebsd/current/src/sys/ufs/ffs/ffs_vfsops.c:1127 #8 0xc0210998 in sync (td=0xc03643a0, uap=0x0) at /freebsd/current/src/sys/kern/vfs_syscalls.c:130 #9 0xc01ba52b in boot (howto=256) at /freebsd/current/src/sys/kern/kern_shutdown.c:264 #10 0xc01babe7 in panic () at /freebsd/current/src/sys/kern/kern_shutdown.c:508 #11 0xc013b1d2 in db_panic () at /freebsd/current/src/sys/ddb/db_command.c:450 #12 0xc013b152 in db_command (last_cmdp=0xc035db40, cmd_table=0x0, aux_cmd_tablep=0xc03577fc, aux_cmd_tablep_end=0xc0357800) at /freebsd/current/src/sys/ddb/db_command.c:346 ---Type <return> to continue, or q <return> to quit--- #13 0xc013b266 in db_command_loop () at /freebsd/current/src/sys/ddb/db_command.c:472 #14 0xc013deca in db_trap (type=3, code=0) at /freebsd/current/src/sys/ddb/db_trap.c:72 #15 0xc02e9f60 in kdb_trap (type=3, code=0, regs=0xe2c9db94) at /freebsd/current/src/sys/i386/i386/db_interface.c:166 #16 0xc0302027 in trap (frame= {tf_fs = 24, tf_es = 16, 
tf_ds = 16, tf_edi = -968725664, tf_esi = 256, tf_ebp = -490087456, tf_isp = -490087488, tf_ebx = 0, tf_edx = 0, tf_ecx = 32, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1070685611, tf_cs = 8, tf_eflags = 658, tf_esp = -1070272669, tf_ss = -1070406694}) at /freebsd/current/src/sys/i386/i386/trap.c:605 #17 0xc02eb768 in calltrap () at {standard input}:99 #18 0xc01babcf in panic (fmt=0x0) at /freebsd/current/src/sys/kern/kern_shutdown.c:494 #19 0xc01a1212 in kqueue_scan (fp=0x0, maxevents=4, ulistp=0xbfbfeb90, tsp=0xc754f828, td=0xc6426b60) at /freebsd/current/src/sys/kern/kern_event.c:717 #20 0xc01a0ad1 in kevent (td=0xc6426b60, uap=0xe2c9dd10) at /freebsd/current/src/sys/kern/kern_event.c:470 #21 0xc030299e in syscall (frame= {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077937792, tf_esi = 4, tf_ebp = -1077941256, tf_isp = -490087052, tf_ebx = -1077937772, tf_edx = 2184, tf_ecx = 0, tf_eax = 363, tf_trapno = 0, tf_err = 2, tf_eip = 134641975, tf_cs = 31, tf_eflags = 514, tf_esp = -1077941412, tf_ss = 47}) at /freebsd/current/src/sys/i386/i386/trap.c:1050 #22 0xc02eb7bd in Xint0x80_syscall () at {standard input}:141 ---Can't read userspace from dump, or kernel process--- (kgdb) frame 19 #19 0xc01a1212 in kqueue_scan (fp=0x0, maxevents=4, ulistp=0xbfbfeb90, tsp=0xc754f828, td=0xc6426b60) at /freebsd/current/src/sys/kern/kern_event.c:717 717 KASSERT(kn != NULL, ("TAILQ_FIRST returned NULL")); (kgdb) info locals kq = (struct kqueue *) 0xc754f800 kevp = (struct kevent *) 0xc754f828 atv = {tv_sec = 0, tv_usec = 0} rtv = {tv_sec = 434, tv_usec = -1070420864} ttv = {tv_sec = 1, tv_usec = -1070411616} kn = (struct knote *) 0x0 marker = {kn_link = {sle_next = 0xc01b0d37}, kn_selnext = { sle_next = 0xc0368a20}, kn_tqe = {tqe_next = 0x0, tqe_prev = 0xc6650ac8}, kn_kq = 0xc6426bcc, kn_kevent = {ident = 3344374324, filter = -30080, flags = 49206, fflags = 3224546432, data = 431, udata = 0xe2c9dca0}, kn_status = 16, 
kn_sfflags = -1070167424, kn_sdata = 8, kn_ptr = { p_fp = 0xc032ac80, p_proc = 0xc032ac80}, kn_fop = 0x1af, kn_hook = 0x3} count = 4 timeout = 0 nkev = 0 error = 0 (kgdb) p *kq $2 = {kq_head = {tqh_first = 0x0, tqh_last = 0xc754f800}, kq_count = 1, kq_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {slh_first = 0x0}, si_flags = 0}, kq_fdp = 0xc7571a00, kq_state = 0, kq_kev = {{ident = 23, filter = -1, flags = 1, fflags = 0, data = 69, udata = 0x80cd800}, {ident = 23, filter = -1, flags = 1, fflags = 0, data = 164, udata = 0x80cd800}, {ident = 27, filter = -1, flags = 1, fflags = 0, data = 218, udata = 0x80cf800}, {ident = 19, filter = -1, flags = 1, fflags = 0, data = 182, udata = 0x80cc800}, { ident = 0, filter = 0, flags = 0, fflags = 0, data = 0, udata = 0x0}, { ident = 0, filter = 0, flags = 0, fflags = 0, data = 0, udata = 0x0}, { ident = 0, filter = 0, flags = 0, fflags = 0, data = 0, udata = 0x0}, { ident = 0, filter = 0, flags = 0, fflags = 0, data = 0, udata = 0x0}}} (kgdb) q frog# ^Dexit Script done on Mon Oct 7 11:32:50 2002
I'm confused about why marker, if it was removed by TAILQ_REMOVE, doesn't have kn_tqe.tqe_next and kn_tqe.tqe_prev set to (void *)-1.
Regards, Stefan Farfeleder