Apparently, on Sat, Dec 14, 2002 at 07:37:31PM -0500,
Brian F. Feldman said words to the effect of:
> John Baldwin <[EMAIL PROTECTED]> wrote:
> >
> > On 12-Dec-2002 Kris Kennaway wrote:
> > > I got this on an alpha tonight. It was under heavy load at the time
> > > (18 simultaneous package builds had just been spawned on the machine).
> > > Any ideas?
> > >
> > > Slab at 0xfffffc00042d3fb8, freei 2 = 0.
> > > panic: Duplicate free of item 0xfffffc00042d22e0 from zone
> > > 0xfffffc0007d31800(VMSPACE)
> > >
> > > db_print_backtrace() at db_print_backtrace+0x18
> > > panic() at panic+0x104
> > > uma_dbg_free() at uma_dbg_free+0x170
> > > uma_zfree_arg() at uma_zfree_arg+0x150
> > > vmspace_free() at vmspace_free+0xe4
> > > swapout_procs() at swapout_procs+0x428
> > > vm_daemon() at vm_daemon+0x74
> > > fork_exit() at fork_exit+0xe0
> > > exception_return() at exception_return
> > > --- root of call graph ---
> > > panic
> > > Stopped at Debugger+0x34: zapnot v0,#0xf,v0 <v0=0x0>
> > > db>
> >
> > I have seen this on a couple of different archs I think. A vmspace
> > shouldn't be freed here, its refcount should not be that low.
> > I wonder if something is freeing the vmspace w/o dropping the refcount?
>
> The problem appears to be that swapout_procs() is swapping out a process
> that is in the process of exiting (in exit1()) and having already
> relinquished its vmspace, but has not set PRS_ZOMBIE yet (which would be
> preventing the swapout). It's clearly not correct for a process in exit1()
> to be swapped out, and the vmspace _needs_ to be decremented in the correct
> place or resources are NEVER freed when the race is lost.
P_WEXIT is set, so the process won't get swapped out. The problem is that
the vmspace refcnt is 0 when swapout_procs is called, since it was
decremented in exit1. The refcnt is incremented before p_flag is tested
for P_WEXIT, the swapout is skipped because it's found to be set, and then
vmspace_free is called which decrements the refcnt to 0 and prematurely
frees the vmspace. Decrementing the refcnt in exit1 breaks the normal
reference count semantics because the vmspace is not being freed then.
Jake
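The interleaving Jake describes, as an added illustration that is not part of the thread and not FreeBSD code: a constructed C model in which the struct fields, the P_WEXIT value and the bodies of vmspace_free(), swapout_procs() and the exit1() halves are simplified stand-ins. It runs the same sequence twice, once with exit1() dropping the count early (the buggy variant) and once with the count held until the process really releases the vmspace, and reports what happens to the object.

```c
#include <stdio.h>

/*
 * Constructed model of the vmspace reference-count race discussed above.
 * Not FreeBSD code: fields, flag values and function bodies are stand-ins.
 */
#define P_WEXIT 0x01

struct vmspace {
    int refcnt;   /* number of holders; object is released when it hits 0 */
    int freed;    /* 1 once the object has actually been released */
};

struct proc {
    int p_flag;
    struct vmspace *p_vmspace;
};

enum outcome {
    OUTCOME_OK = 0,              /* released exactly once, by its owner */
    OUTCOME_PREMATURE_FREE = 1,  /* released while the exiting process still used it */
    OUTCOME_DUPLICATE_FREE = 2   /* released twice: what the panic above reports */
};

/* Drop one reference. Returns 1 if this call released the object, 0 if
 * other holders remain, -1 on a drop past zero (a duplicate free). The
 * refcnt <= 0 check plays the role of uma_dbg_free()'s duplicate detection. */
static int vmspace_free(struct vmspace *vm)
{
    if (vm->refcnt <= 0)
        return -1;
    if (--vm->refcnt == 0) {
        vm->freed = 1;
        return 1;
    }
    return 0;
}

/* The vm daemon's swapout scan as described in the thread: take a
 * reference, test P_WEXIT, skip the swapout if it is set, drop the
 * reference. Returns 1 if the reference drop released the vmspace. */
static int swapout_procs(struct proc *p)
{
    struct vmspace *vm = p->p_vmspace;

    vm->refcnt++;
    if (p->p_flag & P_WEXIT) {
        /* exiting process: do not swap out */
    } else {
        /* the real kernel would swap the process out here */
    }
    return vmspace_free(vm) == 1;
}

/* Run the interleaving: exit1() marks the process as exiting (and, in the
 * buggy variant, drops its count early), the vm daemon scans it while it
 * is still in exit1(), then exit1() finishes and releases the vmspace. */
static enum outcome run_scenario(int exit1_decrements_early)
{
    struct vmspace vm = { 1, 0 };            /* one reference: the process */
    struct proc p = { 0, &vm };
    enum outcome out = OUTCOME_OK;

    /* exit1(), first half */
    p.p_flag |= P_WEXIT;
    if (exit1_decrements_early)
        vm.refcnt--;                          /* count dropped, object kept */

    /* vm daemon runs while the process is still inside exit1() */
    if (swapout_procs(&p))
        out = OUTCOME_PREMATURE_FREE;

    /* exit1(), second half: the process's own release of its vmspace */
    if (vmspace_free(&vm) == -1)
        out = OUTCOME_DUPLICATE_FREE;

    return out;
}

int main(void)
{
    printf("exit1 drops count early: outcome %d\n", run_scenario(1));
    printf("exit1 holds its count:   outcome %d\n", run_scenario(0));
    return 0;
}
```

With the early decrement, the daemon's increment brings a count that was already 0 back to 1, the P_WEXIT test skips the swapout as intended, and the matching vmspace_free() then takes it to 0 and releases the object while exit1() is still using it; exit1()'s own release afterwards is the duplicate free. Holding the count until the owner actually lets go keeps the invariant that every holder's increment and decrement bracket its use, which is why the daemon's take/drop pair is harmless in the second run.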