NetBSD Problem Report #12404

Received: (qmail 17273 invoked from network); 13 Mar 2001 19:45:08 -0000
Message-Id: <200103131944.UAA25613@vader.runit.sintef.no>
Date: Tue, 13 Mar 2001 20:44:36 +0100 (MET)
From: he@runit.no
Reply-To: he@runit.no
To: gnats-bugs@gnats.netbsd.org
Subject: panic: ffs_alloccg: map corrupted
X-Send-Pr-Version: 3.95

>Number:         12404
>Category:       kern
>Synopsis:       panic: ffs_alloccg: map corrupted
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 13 19:46:00 +0000 2001
>Closed-Date:    Mon Jan 05 08:54:12 +0000 2015
>Last-Modified:  Mon Jan 05 08:54:12 +0000 2015
>Originator:     Havard Eidnes <he@uninett.no>
>Release:        NetBSD-current Mar 10 20:14 UTC 2001
>Organization:
	RUNIT AS
>Environment:
	NetBSD/i386
System: 
NetBSD pt.runit.no 1.5S NetBSD 1.5S (PT) #13: Sat Mar 10 23:07:47 CET 2001     he@pt.runit.no:/usr/src/sys/arch/i386/compile/PT i386

>Description:

	Found my machine crashed in the middle of "make build":

db> trace
cpu_Debugger(0,1a7,c27db000,c39e79a4,c0177d8c) at cpu_Debugger+0x4
panic(c01e3c2e,c01e3c1f,200,200,d30) at panic+0x64
ffs_mapsearch(c037e000,c27db000,d30,8,2000) at ffs_mapsearch+0x238
ffs_alloccgblk(c38c42ac,c1b39cd0,d30,1d,2000) at ffs_alloccgblk+0x4e6
ffs_alloccg(c38c42ac,1d,39eb0,2000,c037e000) at ffs_alloccg+0x132
ffs_hashalloc(c38c42ac,1d,39eb0,2000,c0175248) at ffs_hashalloc+0x23
ffs_alloc(c38c42ac,1,39eb0,2000,c039ce80) at ffs_alloc+0x108
ffs_balloc(c39e7c0c,34,c39e7ca8,0,c01dea00) at ffs_balloc+0x5cf
VOP_BALLOC(c3949050,2000,0,34,c039ce80) at VOP_BALLOC+0x4c
ffs_ballocn(c39e7ca8,c39490f8,2000,c3949050,c01dea40) at ffs_ballocn+0x9b
VOP_BALLOCN(c3949050,2000,0,34,0) at VOP_BALLOCN+0x4c
ufs_balloc_range(c3949050,2000,0,34,0) at ufs_balloc_range+0x368
ffs_write(c39e7e80,c3965aa0,2000,c3965aa0,c39e7e84) at ffs_write+0x200
layer_bypass(c39e7e80,1,c01de2e0,c3949050,c39e7f0c) at layer_bypass+0xe3
VOP_WRITE(c3965aa0,c39e7f0c,1,c039ce80,c3965aa0) at VOP_WRITE+0x38
vn_write(c38b4cf0,c38b4d0c,c39e7f0c,c039ce80,1) at vn_write+0x9e
dofilewrite(c38beca4,3,c38b4cf0,81b5000,2000) at dofilewrite+0x94
sys_write(c38beca4,c39e7f88,c39e7f80) at sys_write+0x67
syscall_plain(1f,1f,81b5000,4817d840,bfbfd07c) at syscall_plain+0x98
db> x/s 0xc01e3c2e
tcp_ctlvars+0xb2e:      ffs_alloccg: map corrupted
db> 

	At boot-up the following minor inconsistencies were fixed:

swapctl: adding /dev/wd0b as swap device at priority 0
Automatic boot in progress: starting file system checks.
/dev/rwd0a: 1260 files, 25795 used, 26292 free (284 frags, 3251 blocks, 0.5% fragmentation)
/dev/rwd0a: MARKING FILE SYSTEM CLEAN
/dev/rwd0e: 329 files, 4488 used, 53991 free (87 frags, 6738 blocks, 0.1% fragmentation)
/dev/rwd0e: MARKING FILE SYSTEM CLEAN
/dev/rwd0f: UNREF FILE I=126  OWNER=root MODE=100444
/dev/rwd0f: SIZE=10499 MTIME=Mar  6 04:42 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=181  OWNER=root MODE=100444
/dev/rwd0f: SIZE=13424 MTIME=Mar  6 12:37 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=193  OWNER=root MODE=100444
/dev/rwd0f: SIZE=70092 MTIME=Mar  6 12:43 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=225  OWNER=root MODE=100444
/dev/rwd0f: SIZE=23943 MTIME=Mar  6 05:42 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=237  OWNER=root MODE=100444
/dev/rwd0f: SIZE=33597 MTIME=Mar  6 05:48 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=243  OWNER=root MODE=100444
/dev/rwd0f: SIZE=123083 MTIME=Mar  6 10:39 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=247  OWNER=root MODE=100444
/dev/rwd0f: SIZE=201660 MTIME=Mar  6 11:21 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=281  OWNER=root MODE=100444
/dev/rwd0f: SIZE=43426 MTIME=Mar  6 10:10 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=291  OWNER=root MODE=100444
/dev/rwd0f: SIZE=26379 MTIME=Mar  6 05:50 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=298  OWNER=root MODE=100444
/dev/rwd0f: SIZE=84740 MTIME=Mar  6 12:31 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=310  OWNER=root MODE=100444
/dev/rwd0f: SIZE=9561 MTIME=Mar  6 05:43 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=316  OWNER=root MODE=100444
/dev/rwd0f: SIZE=52698 MTIME=Mar  6 05:56 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=400  OWNER=root MODE=100444
/dev/rwd0f: SIZE=5310 MTIME=Mar  6 10:10 2001  (CLEARED)
/dev/rwd0f: UNREF FILE I=452  OWNER=root MODE=100444
/dev/rwd0f: SIZE=795757 MTIME=Mar  6 09:30 2001  (CLEARED)
/dev/rwd0f: FREE BLK COUNT(S) WRONG IN SUPERBLK (SALVAGED)
/dev/rwd0f: SUMMARY INFORMATION BAD (SALVAGED)
/dev/rwd0f: BLK(S) MISSING IN BIT MAPS (SALVAGED)
/dev/rwd0f: 13100 files, 227780 used, 88475 free (7627 frags, 10106 blocks, 2.4% fragmentation)
/dev/rwd0f: MARKING FILE SYSTEM CLEAN
/dev/rwd1a: UNREF FILE I=115360  OWNER=root MODE=100644
/dev/rwd1a: SIZE=5448 MTIME=Mar 12 14:56 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115465  OWNER=root MODE=100644
/dev/rwd1a: SIZE=11424 MTIME=Mar 12 14:56 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115473  OWNER=root MODE=100644
/dev/rwd1a: SIZE=7500 MTIME=Mar 12 14:56 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115477  OWNER=root MODE=100644
/dev/rwd1a: SIZE=23580 MTIME=Mar 12 14:57 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115514  OWNER=root MODE=100644
/dev/rwd1a: SIZE=105012 MTIME=Mar 12 15:00 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115516  OWNER=root MODE=100644
/dev/rwd1a: SIZE=10974 MTIME=Mar  6 22:47 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115518  OWNER=root MODE=100644
/dev/rwd1a: SIZE=5388 MTIME=Mar  6 22:47 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115520  OWNER=root MODE=100644
/dev/rwd1a: SIZE=7152 MTIME=Mar  6 22:47 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115522  OWNER=root MODE=100644
/dev/rwd1a: SIZE=23412 MTIME=Mar  6 22:48 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115564  OWNER=root MODE=100644
/dev/rwd1a: SIZE=101943 MTIME=Mar  6 22:50 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115697  OWNER=root MODE=100644
/dev/rwd1a: SIZE=83784 MTIME=Mar 12 15:02 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115699  OWNER=root MODE=100644
/dev/rwd1a: SIZE=23208 MTIME=Mar 12 15:03 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115701  OWNER=root MODE=100644
/dev/rwd1a: SIZE=24660 MTIME=Mar 12 15:03 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115703  OWNER=root MODE=100644
/dev/rwd1a: SIZE=1116 MTIME=Mar 12 15:03 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115709  OWNER=root MODE=100644
/dev/rwd1a: SIZE=26732 MTIME=Mar 12 15:04 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115713  OWNER=root MODE=100644
/dev/rwd1a: SIZE=19368 MTIME=Mar 12 15:04 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115717  OWNER=root MODE=100644
/dev/rwd1a: SIZE=11492 MTIME=Mar 12 15:04 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115719  OWNER=root MODE=100644
/dev/rwd1a: SIZE=37664 MTIME=Mar 12 15:05 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115725  OWNER=root MODE=100644
/dev/rwd1a: SIZE=102872 MTIME=Mar 12 15:08 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115728  OWNER=root MODE=100644
/dev/rwd1a: SIZE=28040 MTIME=Mar 12 15:08 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115730  OWNER=root MODE=100644
/dev/rwd1a: SIZE=31084 MTIME=Mar 12 15:09 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115733  OWNER=root MODE=100644
/dev/rwd1a: SIZE=51852 MTIME=Mar 12 15:11 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115736  OWNER=root MODE=100644
/dev/rwd1a: SIZE=48676 MTIME=Mar 12 15:12 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115738  OWNER=root MODE=100644
/dev/rwd1a: SIZE=40868 MTIME=Mar 12 15:12 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115742  OWNER=root MODE=100644
/dev/rwd1a: SIZE=4496 MTIME=Mar 12 15:13 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115744  OWNER=root MODE=100644
/dev/rwd1a: SIZE=1272 MTIME=Mar 12 15:13 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115746  OWNER=root MODE=100644
/dev/rwd1a: SIZE=80996 MTIME=Mar  6 22:52 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115747  OWNER=root MODE=100644
/dev/rwd1a: SIZE=17268 MTIME=Mar 12 15:13 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115752  OWNER=root MODE=100644
/dev/rwd1a: SIZE=55524 MTIME=Mar 12 15:14 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115757  OWNER=root MODE=100644
/dev/rwd1a: SIZE=21998 MTIME=Mar  6 22:53 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115761  OWNER=root MODE=100644
/dev/rwd1a: SIZE=23828 MTIME=Mar  6 22:53 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115763  OWNER=root MODE=100644
/dev/rwd1a: SIZE=1119 MTIME=Mar  6 22:53 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115765  OWNER=root MODE=100644
/dev/rwd1a: SIZE=26263 MTIME=Mar  6 22:54 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115770  OWNER=root MODE=100644
/dev/rwd1a: SIZE=18384 MTIME=Mar  6 22:54 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115782  OWNER=root MODE=100644
/dev/rwd1a: SIZE=11415 MTIME=Mar  6 22:54 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115786  OWNER=root MODE=100644
/dev/rwd1a: SIZE=36971 MTIME=Mar  6 22:55 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115794  OWNER=root MODE=100644
/dev/rwd1a: SIZE=100991 MTIME=Mar  6 22:58 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115800  OWNER=root MODE=100644
/dev/rwd1a: SIZE=26893 MTIME=Mar  6 22:58 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115812  OWNER=root MODE=100644
/dev/rwd1a: SIZE=30094 MTIME=Mar  6 22:59 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115817  OWNER=root MODE=100644
/dev/rwd1a: SIZE=50809 MTIME=Mar  6 23:01 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115821  OWNER=root MODE=100644
/dev/rwd1a: SIZE=47457 MTIME=Mar  6 23:02 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115825  OWNER=root MODE=100644
/dev/rwd1a: SIZE=36061 MTIME=Mar  6 23:03 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115826  OWNER=root MODE=100644
/dev/rwd1a: SIZE=7884 MTIME=Mar 12 15:14 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115829  OWNER=root MODE=100644
/dev/rwd1a: SIZE=51276 MTIME=Mar 12 15:15 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115831  OWNER=root MODE=100644
/dev/rwd1a: SIZE=4469 MTIME=Mar  6 23:03 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115835  OWNER=root MODE=100644
/dev/rwd1a: SIZE=1220 MTIME=Mar  6 23:03 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115837  OWNER=root MODE=100644
/dev/rwd1a: SIZE=15986 MTIME=Mar  6 23:03 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115840  OWNER=root MODE=100644
/dev/rwd1a: SIZE=55066 MTIME=Mar  6 23:04 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115843  OWNER=root MODE=100644
/dev/rwd1a: SIZE=10096 MTIME=Mar 12 15:15 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115844  OWNER=root MODE=100644
/dev/rwd1a: SIZE=7840 MTIME=Mar  6 23:04 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115847  OWNER=root MODE=100644
/dev/rwd1a: SIZE=5460 MTIME=Mar 12 15:15 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115849  OWNER=root MODE=100644
/dev/rwd1a: SIZE=51266 MTIME=Mar  6 23:05 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115858  OWNER=root MODE=100644
/dev/rwd1a: SIZE=10063 MTIME=Mar  6 23:05 2001  (CLEARED)
/dev/rwd1a: UNREF FILE I=115862  OWNER=root MODE=100644
/dev/rwd1a: SIZE=5463 MTIME=Mar  6 23:05 2001  (CLEARED)
/dev/rwd1a: FREE BLK COUNT(S) WRONG IN SUPERBLK (SALVAGED)
/dev/rwd1a: SUMMARY INFORMATION BAD (SALVAGED)
/dev/rwd1a: BLK(S) MISSING IN BIT MAPS (SALVAGED)
/dev/rwd1a: 107551 files, 1094807 used, 116430 free (34254 frags, 10272 blocks, 2.8% fragmentation)
/dev/rwd1a: MARKING FILE SYSTEM CLEAN


>How-To-Repeat:

	I'm presently not certain how repeatable this is.

	I'll restart the build, to see if the problem resurfaces.

	Boot log and file systems:

NetBSD 1.5S (PT) #13: Sat Mar 10 23:07:47 CET 2001
    he@pt.runit.no:/usr/src/sys/arch/i386/compile/PT
cpu0: Intel 486DX (486-class)
total memory = 16000 KB
avail memory = 13244 KB
using 225 buffers containing 900 KB of memory
mainbus0 (root)
isa0 at mainbus0
com0 at isa0 port 0x3f8-0x3ff irq 4: ns8250 or ns16450, no fifo
com0: console
com1 at isa0 port 0x2f8-0x2ff irq 3: ns8250 or ns16450, no fifo
pckbc0 at isa0 port 0x60-0x64
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0
wdc0 at isa0 port 0x1f0-0x1f7 irq 14
wd0 at wdc0 channel 0 drive 0: <QUANTUM FIREBALL540A>
wd0: drive supports 8-sector PIO transfers, LBA addressing
wd0: 519 MB, 1056 cyl, 16 head, 63 sec, 512 bytes/sect x 1064448 sectors
wd0: drive supports PIO mode 4, DMA mode 2
wd1 at wdc0 channel 0 drive 1: <ST51270A>
wd1: drive supports 32-sector PIO transfers, LBA addressing
wd1: 1223 MB, 2485 cyl, 16 head, 63 sec, 512 bytes/sect x 2504880 sectors
wd1: drive supports PIO mode 4, DMA mode 2
vga0 at isa0 port 0x3b0-0x3df iomem 0xa0000-0xbffff
wsdisplay0 at vga0
joy0 at isa0 port 0x201
joy0: joystick not connected
lpt0 at isa0 port 0x378-0x37b irq 7
we0 at isa0 port 0x280-0x29f iomem 0xd0000-0xd3fff irq 9
we0: SMC8216/SMC8216C Ethernet (16-bit)
we0: Ethernet address 00:00:c0:cb:c7:6f
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0-0xff: using exception 16
fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec
biomask fd65 netmask ff65 ttymask ffe7
boot device: wd0
root on wd0a dumps on wd0b
root file system type: ffs
wsdisplay0: screen 0 added (80x25, vt100 emulation)
wsdisplay0: screen 1 added (80x25, vt100 emulation)
wsdisplay0: screen 2 added (80x25, vt100 emulation)
wsdisplay0: screen 3 added (80x25, vt100 emulation)
wsdisplay0: screen 4 added (80x25, vt100 emulation)
wskbd0: connecting to wsdisplay0
pckbc: cmd failed

pt# df 
Filesystem    1K-blocks     Used     Avail Capacity  Mounted on
/dev/wd0a         52087    25795     23687    52%    /
/dev/wd0e         58479     9749     45806    17%    /var
/dev/wd0f        316255   227780     72662    75%    /usr
mfs:97            24151      116     22827     0%    /tmp
/dev/wd1a       1211237  1097545     53130    95%    /local
kernfs                1        1         0   100%    /kern
/local/nb/src   1211237  1097545     53130    95%    /usr/src
/local/nb/obj   1211237  1097545     53130    95%    /usr/obj
pt# cat /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0b none swap sw 0 0
/dev/wd0b /tmp mfs rw,-s=50000,nosuid,nodev 0 0
/dev/wd0e /var ffs rw 1 2
/dev/wd0f /usr ffs rw 1 3
/dev/wd1a /local ffs rw 1 3
/kern /kern kernfs rw
/local/nb/src /usr/src null rw 0 0
/local/nb/obj /usr/obj null rw 0 0
pt# 

>Fix:
	Don't know.
	Kernel core dump saved; kernel rebuilt with full debugging
	information, so groveling in the remains is possble.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: pooka@narn.netbsd.org
State-Changed-When: Sat, 19 Jan 2008 19:38:10 +0200
State-Changed-Why:
Let's pretend we ignored the problem long enough and it went away.
Please file a new PR if the problem resurfaces.


From: Havard Eidnes <he@uninett.no>
To: gnats-bugs@NetBSD.org, pooka@NetBSD.org
Cc: kern-bug-people@NetBSD.org, netbsd-bugs@NetBSD.org,
 gnats-admin@NetBSD.org
Subject: Re: kern/12404 (panic: ffs_alloccg: map corrupted)
Date: Sat, 19 Jan 2008 20:46:07 +0100 (CET)

 > Synopsis: panic: ffs_alloccg: map corrupted
 >
 > State-Changed-From-To: open->closed
 > State-Changed-By: pooka@narn.netbsd.org
 > State-Changed-When: Sat, 19 Jan 2008 19:38:10 +0200
 > State-Changed-Why:
 > Let's pretend we ignored the problem long enough and it went away.
 > Please file a new PR if the problem resurfaces.

 Actually, I've seen crashes with this same panic message in
 4.99.40 as well, on one of my build hosts.  I had of course
 forgotten this PR, though...

 - H=E5vard

State-Changed-From-To: closed->open
State-Changed-By: pooka@narn.netbsd.org
State-Changed-When: Sat, 19 Jan 2008 21:58:14 +0200
State-Changed-Why:
hoping really hard is not enough to make problems go away, it seems


From: Havard Eidnes <he@uninett.no>
To: gnats-bugs@NetBSD.org, pooka@NetBSD.org
Cc: kern-bug-people@NetBSD.org, netbsd-bugs@NetBSD.org,
 gnats-admin@NetBSD.org
Subject: Re: kern/12404 (panic: ffs_alloccg: map corrupted)
Date: Wed, 23 Jan 2008 11:42:20 +0100 (CET)

 It just happened again (twice today), stack backtrace is:

 start =3D 1, len =3D 11798, fs =3D /u
 offset=3D3086 3086
 cg 324
 panic: ffs_alloccg: map corrupted
 Stopped in pid 5659.1 (i386--netbsdelf-) at     netbsd:breakpoint+0x1: =
  ret
 db{1}> =

 db{1}> tra
 breakpoint(c0976e84,144,c0e,c358c0d4,c0a738e0) at netbsd:breakpoint+0x1=

 ffs_alloccgblk(1d2a8e8,0,5,4000,ffffffff) at netbsd:ffs_alloccgblk
 ffs_alloccg(d13a229c,144,1d2a8e8,0,2800) at netbsd:ffs_alloccg+0x258
 ffs_hashalloc(1d2a8e8,0,2800,c03991e0,0) at netbsd:ffs_hashalloc+0x3a
 ffs_alloc(d13a229c,0,0,1d2a8e8,0) at netbsd:ffs_alloc+0x1ae
 ffs_balloc_ufs1(271c,cde09540,0,0,cde09540) at netbsd:ffs_balloc_ufs1+0=
 x487
 ffs_balloc(def842a0,0,0,271c,cde09540) at netbsd:ffs_balloc+0x71
 ufs_gop_alloc(def842a0,0,0,271c,0) at netbsd:ufs_gop_alloc+0xc4
 ufs_balloc_range(def842a0,0,0,271c,0) at netbsd:ufs_balloc_range+0x288
 ffs_write(ce118b34,cf021a80,ce118b4c,c0494252,def842a0) at netbsd:ffs_w=
 rite+0x9c7
 VOP_WRITE(def842a0,ce118bac,10,cde09540,d63ea574) at netbsd:VOP_WRITE+0=
 x4e
 vn_write(d48402d8,d4840304,ce118bac,cde09540,1) at netbsd:vn_write+0xdf=

 dofilewrite(28,d48402d8,bbacc000,271c,d4840304) at netbsd:dofilewrite+0=
 x75
 sys_write(cf021a80,ce118c30,ce118c58,bfbec400,bfbec000) at netbsd:sys_w=
 rite+0x9c
 syscall(ce118c78,b3,ab,1f,1f) at netbsd:syscall+0x134

 This is on a 2x HTT Xeon (appears to have 4 CPUs) running 4.99.40.

 I'll keep the core-dump for a few weeks if someone is willing to look
 closer into what might be the problem.

 Regards,

 - H=E5vard

From: Mindaugas Rasiukevicius <rmind@NetBSD.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@netbsd.org
Cc: he@uninett.no, pooka@NetBSD.org
Subject: Re: kern/12404 (panic: ffs_alloccg: map corrupted)
Date: Sat, 24 May 2008 00:01:40 +0100

 Here is the patch which may fix the problem:

 http://www.netbsd.org/~rmind/ffs_balloc.diff

 It is obtained from FreeBSD (see revision 1.52 and 1.53 of ffs_balloc.c),
 with some minor changes. It looks for me that fail-path could simplified,
 eg. unwindidx could probably be removed. However I do not understand (or
 misunderstand) this code enough to claim anything.

 Would be great if some FFS-competent developer would take a deeper look at
 all the logic of this function.

 Thoughts?

 -- 
 Best regards,
 Mindaugas
 www.NetBSD.org

From: Havard Eidnes <he@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/12404 (panic: ffs_alloccg: map corrupted)
Date: Thu, 17 Jul 2008 08:38:24 +0200 (CEST)

 Hi,

 as per discussion elsewhere, the diff was probably not fixing the
 problem, and is no longer available.

 I had another occurrance, and per request, here's "show reg"
 output together with a backtrace.  This is with 4.99.70 on the
 new system (dual-Xeon 2.2GHz, 2GB memory, 205GB RAID on ciss(4)):

 start = 1, len = 23751, fs = /u
 offset=6024 6024
 cg 164
 panic: ffs_alloccg: map corrupted
 fatal breakpoint trap in supervisor mode
 trap type 1 code 0 eip c054d23c cs 8 eflags 246 cr2 bb954000 ilevel 0
 Stopped in pid 22468.1 (as) at  netbsd:breakpoint+0x4:  popl    %ebp
 db{0}> 
 db{0}> tra
 breakpoint(c0a67f89,cc7b7728,c0a93bc0,c049c585,0,5,0,0,cc7b772c,0) at netbsd:breakpoint+0x4
 panic(c0a15eab,a4,1788,c33480d4,cd98f680,edc0900,0,d2788000,c3348000,1) at netbsd:panic+0x1b8
 ffs_alloccgblk(1db8108,0,2,8000,ffffffff,1,cc7b77e8,0,0,8108) at netbsd:ffs_alloccgblk
 ffs_alloccg(d58142ac,a4,1db8108,0,1000,0,a4,d58142ac,c3348000,c3348000) at netbsd:ffs_alloccg+0x278
 ffs_hashalloc(1db8108,0,1000,c03c49a0,0,0,b700,0,dd38463,0) at netbsd:ffs_hashalloc+0x3a
 ffs_alloc(d58142ac,0,0,1db8108,0,1000,d84f1840,cc7b79d4,de85a530,cc7b798c) at netbsd:ffs_alloc+0x22f
 ffs_balloc(d58130b8,0,0,252,d84f1840,0,0,c0494bb1,cc402480,1) at netbsd:ffs_balloc+0x11e0
 ufs_gop_alloc(d58130b8,0,0,252,0,0,d84f1840,0,1c02,0) at netbsd:ufs_gop_alloc+0xbe
 ufs_balloc_range(d58130b8,248,0,a,0,d84f1840,0,c040817d,0,0) at netbsd:ufs_balloc_range+0x26a
 ffs_write(cc7b7c04,0,c081bbc0,d58130b8,2,20002,cc7b7c1c,c04e57c8,c081b6c0,d58130b8) at netbsd:ffs_write+0x8f1
 VOP_WRITE(d58130b8,cc7b7c7c,10,d84f1840,ffffffff,ffffffff,0,16,a,bb954000) at netbsd:VOP_WRITE+0x6c
 vn_write(cd8f35c0,cd8f35c0,cc7b7c7c,d84f1840,1,e09cc900,dc56fef8,d9fc7a40,bb954000,1000) at netbsd:vn_write+0xb1
 dofilewrite(3,cd8f35c0,bb954000,a,cd8f35c0,1,cc7b7d28,0,0,dba112e0) at netbsd:dofilewrite+0x75
 sys_write(dba112e0,cc7b7d00,cc7b7d28,bb954000,bb954000,d9fc7a40,2,3,bb954000,a) at netbsd:sys_write+0x6f
 syscall(cc7b7d48,bb9400b3,bb9100ab,bfbf001f,bbbc001f,bb954000,bbb61200,bfbfdf28,bbb55118,bbb61200) at netbsd:syscall+0xab
 db{0}> show reg
 ds          0x10
 es          0x10
 fs          0x30
 gs          0x10
 edi         0x2
 esi         0xc0a15eab  copyright+0x3302b
 ebp         0xcc7b76dc
 ebx         0x100
 edx         0x8
 ecx         0
 eax         0x1
 eip         0xc054d23c  breakpoint+0x4
 cs          0x8
 eflags      0x246
 esp         0xcc7b76dc
 ss          0x10
 netbsd:breakpoint+0x4:  popl    %ebp
 db{0}> 

 Looking at the code, it appears that the backtrace is misleading,
 the panic() is in ffs_mapsearch(), not in ffs_alloccgblk().  I'll
 admit that I don't understand why ddb gets the backtrace wrong.
 Here's the disassembly of that function, up to and including the
 panic() call:

 db{0}> x/i ffs_mapsearch
 netbsd:ffs_mapsearch:   pushl   %ebp
 db{0}> x/i,20
 netbsd:ffs_mapsearch:   pushl   %ebp
 netbsd:ffs_mapsearch+0x1:       movl    %esp,%ebp
 netbsd:ffs_mapsearch+0x3:       pushl   %edi
 netbsd:ffs_mapsearch+0x4:       pushl   %esi
 netbsd:ffs_mapsearch+0x5:       pushl   %ebx
 netbsd:ffs_mapsearch+0x6:       subl    $0x4c,%esp
 netbsd:ffs_mapsearch+0x9:       movl    0xc(%ebp),%ecx
 netbsd:ffs_mapsearch+0xc:       movl    %edx,0xffffffc4(%ebp)
 netbsd:ffs_mapsearch+0xf:       movl    0x8(%ebp),%edx
 netbsd:ffs_mapsearch+0x12:      movl    %eax,0xffffffc8(%ebp)
 netbsd:ffs_mapsearch+0x15:      movl    %ecx,%eax
 netbsd:ffs_mapsearch+0x17:      orl     %edx,%eax
 netbsd:ffs_mapsearch+0x19:      jz      netbsd:ffs_mapsearch+0x1ef
 netbsd:ffs_mapsearch+0x1f:      movl    0xffffffc8(%ebp),%ebx
 netbsd:ffs_mapsearch+0x22:      movl    0xbc(%ebx),%eax
 netbsd:ffs_mapsearch+0x28:      movl    %ecx,0x4(%esp)
 netbsd:ffs_mapsearch+0x2c:      movl    %edx,0(%esp)
 netbsd:ffs_mapsearch+0x2f:      movl    %eax,%ebx
 netbsd:ffs_mapsearch+0x31:      sarl    $0x1f,%ebx
 netbsd:ffs_mapsearch+0x34:      movl    %ebx,0xc(%esp)
 netbsd:ffs_mapsearch+0x38:      movl    %eax,0x8(%esp)
 netbsd:ffs_mapsearch+0x3c:      call    netbsd:__moddi3
 netbsd:ffs_mapsearch+0x41:      movl    %edx,%ebx
 netbsd:ffs_mapsearch+0x43:      movl    %edx,%ecx
 netbsd:ffs_mapsearch+0x45:      sarl    $0x1f,%ebx
 netbsd:ffs_mapsearch+0x48:      movl    %ebx,%ebx
 netbsd:ffs_mapsearch+0x4a:      sarl    $0x1f,%ebx
 netbsd:ffs_mapsearch+0x4d:      movl    %ebx,%ecx
 netbsd:ffs_mapsearch+0x4f:      movl    %ebx,%ecx
 netbsd:ffs_mapsearch+0x51:      shrl    $0x1d,%ecx
 netbsd:ffs_mapsearch+0x54:      xorl    %ebx,%ebx
 netbsd:ffs_mapsearch+0x56:      addl    %eax,%ecx
 db{0}> 
 netbsd:ffs_mapsearch+0x58:      adcl    %edx,%ebx
 netbsd:ffs_mapsearch+0x5a:      movl    0xffffffc4(%ebp),%edx
 netbsd:ffs_mapsearch+0x5d:      shrdl   $0x3,%ecx,%ebx
 netbsd:ffs_mapsearch+0x61:      sarl    $0x3,%ebx
 netbsd:ffs_mapsearch+0x64:      movl    %ecx,%esi
 netbsd:ffs_mapsearch+0x66:      cmpl    $0x90255,0x4(%edx)
 netbsd:ffs_mapsearch+0x6d:      jz      netbsd:ffs_mapsearch+0x208
 netbsd:ffs_mapsearch+0x73:      addl    $0x3d8,%edx
 netbsd:ffs_mapsearch+0x79:      movl    %edx,0xffffffdc(%ebp)
 netbsd:ffs_mapsearch+0x7c:      movl    0xffffffc8(%ebp),%eax
 netbsd:ffs_mapsearch+0x7f:      movl    0xbc(%eax),%edx
 netbsd:ffs_mapsearch+0x85:      addl    $0x7,%edx
 netbsd:ffs_mapsearch+0x88:      movl    %edx,%eax
 netbsd:ffs_mapsearch+0x8a:      sarl    $0x1f,%eax
 netbsd:ffs_mapsearch+0x8d:      shrl    $0x1d,%eax
 netbsd:ffs_mapsearch+0x90:      leal    0(%eax,%edx,1),%ebx
 netbsd:ffs_mapsearch+0x93:      movl    0x10(%ebp),%edx
 netbsd:ffs_mapsearch+0x96:      sarl    $0x3,%ebx
 netbsd:ffs_mapsearch+0x99:      subl    %esi,%ebx
 netbsd:ffs_mapsearch+0x9b:      decl    %edx
 netbsd:ffs_mapsearch+0x9c:      movl    %edx,0xffffffcc(%ebp)
 netbsd:ffs_mapsearch+0x9f:      movl    0xffffffc8(%ebp),%edx
 netbsd:ffs_mapsearch+0xa2:      movl    0xffffffcc(%ebp),%edi
 netbsd:ffs_mapsearch+0xa5:      movl    0x38(%edx),%eax
 netbsd:ffs_mapsearch+0xa8:      movl    %ebx,0(%esp)
 netbsd:ffs_mapsearch+0xab:      movl    %eax,%ecx
 netbsd:ffs_mapsearch+0xad:      movl    netbsd:fragtbl(,%eax,4),%eax
 netbsd:ffs_mapsearch+0xb4:      andl    $0x7,%ecx
 netbsd:ffs_mapsearch+0xb7:      addl    %edi,%ecx
 netbsd:ffs_mapsearch+0xb9:      movl    $0x1,%edi
 netbsd:ffs_mapsearch+0xbe:      movl    %edi,%edx
 netbsd:ffs_mapsearch+0xc0:      movl    %eax,0x8(%esp)
 db{0}> 
 netbsd:ffs_mapsearch+0xc4:      movl    0xffffffdc(%ebp),%eax
 netbsd:ffs_mapsearch+0xc7:      shll    %cl,%edx
 netbsd:ffs_mapsearch+0xc9:      movl    %edx,0xc(%esp)
 netbsd:ffs_mapsearch+0xcd:      addl    %esi,%eax
 netbsd:ffs_mapsearch+0xcf:      movl    %eax,0x4(%esp)
 netbsd:ffs_mapsearch+0xd3:      call    netbsd:scanc
 netbsd:ffs_mapsearch+0xd8:      testl   %eax,%eax
 netbsd:ffs_mapsearch+0xda:      movl    %eax,%edx
 netbsd:ffs_mapsearch+0xdc:      jz      netbsd:ffs_mapsearch+0x218
 netbsd:ffs_mapsearch+0xe2:      leal    0(%esi,%ebx,1),%eax
 netbsd:ffs_mapsearch+0xe5:      subl    %edx,%eax
 netbsd:ffs_mapsearch+0xe7:      movl    0xffffffc4(%ebp),%edx
 netbsd:ffs_mapsearch+0xea:      leal    0(,%eax,8),%edi
 netbsd:ffs_mapsearch+0xf1:      leal    0x8(%edi),%ebx
 netbsd:ffs_mapsearch+0xf4:      cmpl    %ebx,%edi
 netbsd:ffs_mapsearch+0xf6:      movl    %edi,0x2c(%edx)
 netbsd:ffs_mapsearch+0xf9:      movl    %ebx,0xffffffd8(%ebp)
 netbsd:ffs_mapsearch+0xfc:      jnl     netbsd:ffs_mapsearch+0x1ba
 netbsd:ffs_mapsearch+0x102:     movl    0x10(%ebp),%edx
 netbsd:ffs_mapsearch+0x105:     movl    $0x8,%ecx
 netbsd:ffs_mapsearch+0x10a:     movl    0xffffffc8(%ebp),%eax
 netbsd:ffs_mapsearch+0x10d:     movl    0x10(%ebp),%ebx
 netbsd:ffs_mapsearch+0x110:     movl    netbsd:around(,%edx,4),%edx
 netbsd:ffs_mapsearch+0x117:     movl    0x38(%eax),%eax
 netbsd:ffs_mapsearch+0x11a:     movl    netbsd:inside(,%ebx,4),%ebx
 netbsd:ffs_mapsearch+0x121:     movl    $0xff,0xffffffd0(%ebp)
 netbsd:ffs_mapsearch+0x128:     movl    %edx,0xfffffff0(%ebp)
 netbsd:ffs_mapsearch+0x12b:     movl    0x10(%ebp),%edx
 netbsd:ffs_mapsearch+0x12e:     movl    %eax,0xffffffe4(%ebp)
 netbsd:ffs_mapsearch+0x131:     movl    0xffffffe4(%ebp),%esi
 netbsd:ffs_mapsearch+0x134:     movl    %ebx,0xffffffec(%ebp)
 netbsd:ffs_mapsearch+0x137:     subl    %edx,%eax
 db{0}> 
 netbsd:ffs_mapsearch+0x139:     movl    %eax,0xffffffd4(%ebp)
 netbsd:ffs_mapsearch+0x13c:     movl    0xffffffe4(%ebp),%eax
 netbsd:ffs_mapsearch+0x13f:     subl    %esi,%ecx
 netbsd:ffs_mapsearch+0x141:     sarl    %cl,0xffffffd0(%ebp)
 netbsd:ffs_mapsearch+0x144:     addl    %edi,%eax
 netbsd:ffs_mapsearch+0x146:     movl    %eax,0xffffffe0(%ebp)
 netbsd:ffs_mapsearch+0x149:     movl    %edi,%eax
 netbsd:ffs_mapsearch+0x14b:     movl    0xffffffdc(%ebp),%ebx
 netbsd:ffs_mapsearch+0x14e:     cdq
 netbsd:ffs_mapsearch+0x14f:     shrl    $0x1d,%edx
 netbsd:ffs_mapsearch+0x152:     leal    0(%edx,%edi,1),%ecx
 netbsd:ffs_mapsearch+0x155:     movl    %ecx,%eax
 netbsd:ffs_mapsearch+0x157:     sarl    $0x3,%eax
 netbsd:ffs_mapsearch+0x15a:     movzbl  0(%ebx,%eax,1),%eax
 netbsd:ffs_mapsearch+0x15e:     movl    0xffffffd4(%ebp),%ebx
 netbsd:ffs_mapsearch+0x161:     testl   %ebx,%ebx
 netbsd:ffs_mapsearch+0x163:     js      netbsd:ffs_mapsearch+0x1a2
 netbsd:ffs_mapsearch+0x165:     movl    0xffffffd0(%ebp),%esi
 netbsd:ffs_mapsearch+0x168:     andl    $0x7,%ecx
 netbsd:ffs_mapsearch+0x16b:     movzbl  %eax,%eax
 netbsd:ffs_mapsearch+0x16e:     subl    %edx,%ecx
 netbsd:ffs_mapsearch+0x170:     sarl    %cl,%eax
 netbsd:ffs_mapsearch+0x172:     andl    %esi,%eax
 netbsd:ffs_mapsearch+0x174:     leal    0(%eax,%eax,1),%esi
 netbsd:ffs_mapsearch+0x177:     movl    0xfffffff0(%ebp),%eax
 netbsd:ffs_mapsearch+0x17a:     andl    %esi,%eax
 netbsd:ffs_mapsearch+0x17c:     cmpl    %eax,0xffffffec(%ebp)
 netbsd:ffs_mapsearch+0x17f:     jz      netbsd:ffs_mapsearch+0x1e2
 netbsd:ffs_mapsearch+0x181:     movl    0xfffffff0(%ebp),%ecx
 netbsd:ffs_mapsearch+0x184:     xorl    %ebx,%ebx
 netbsd:ffs_mapsearch+0x186:     movl    0xffffffec(%ebp),%edx
 netbsd:ffs_mapsearch+0x189:     jmp     netbsd:ffs_mapsearch+0x19c
 db{0}> 
 netbsd:ffs_mapsearch+0x18b:     nop
 netbsd:ffs_mapsearch+0x18c:     leal    0(%esi),%esi
 netbsd:ffs_mapsearch+0x190:     addl    %ecx,%ecx
 netbsd:ffs_mapsearch+0x192:     movl    %esi,%eax
 netbsd:ffs_mapsearch+0x194:     addl    %edx,%edx
 netbsd:ffs_mapsearch+0x196:     andl    %ecx,%eax
 netbsd:ffs_mapsearch+0x198:     cmpl    %edx,%eax
 netbsd:ffs_mapsearch+0x19a:     jz      netbsd:ffs_mapsearch+0x1e4
 netbsd:ffs_mapsearch+0x19c:     incl    %ebx
 netbsd:ffs_mapsearch+0x19d:     cmpl    0xffffffd4(%ebp),%ebx
 netbsd:ffs_mapsearch+0x1a0:     jle     netbsd:ffs_mapsearch+0x190
 netbsd:ffs_mapsearch+0x1a2:     movl    0xffffffe4(%ebp),%eax
 netbsd:ffs_mapsearch+0x1a5:     addl    %eax,0xffffffe0(%ebp)
 netbsd:ffs_mapsearch+0x1a8:     movl    0xffffffe4(%ebp),%ecx
 netbsd:ffs_mapsearch+0x1ab:     movl    0xffffffe4(%ebp),%ebx
 netbsd:ffs_mapsearch+0x1ae:     movl    0xffffffe0(%ebp),%eax
 netbsd:ffs_mapsearch+0x1b1:     addl    %ebx,%edi
 netbsd:ffs_mapsearch+0x1b3:     subl    %ecx,%eax
 netbsd:ffs_mapsearch+0x1b5:     cmpl    %eax,0xffffffd8(%ebp)
 netbsd:ffs_mapsearch+0x1b8:     jnle    netbsd:ffs_mapsearch+0x149
 netbsd:ffs_mapsearch+0x1ba:     movl    0xffffffc8(%ebp),%eax
 netbsd:ffs_mapsearch+0x1bd:     movl    %edi,0x4(%esp)
 netbsd:ffs_mapsearch+0x1c1:     movl    $0xc0a15ec6,0(%esp)
 netbsd:ffs_mapsearch+0x1c8:     addl    $0xd4,%eax
 netbsd:ffs_mapsearch+0x1cd:     movl    %eax,0x8(%esp)
 netbsd:ffs_mapsearch+0x1d1:     call    netbsd:printf
 netbsd:ffs_mapsearch+0x1d6:     movl    $0xc0a15ed9,0(%esp)
 netbsd:ffs_mapsearch+0x1dd:     call    netbsd:panic
 netbsd:ffs_mapsearch+0x1e2:     xorl    %ebx,%ebx
 netbsd:ffs_mapsearch+0x1e4:     addl    $0x4c,%esp
 netbsd:ffs_mapsearch+0x1e7:     leal    0(%ebx,%edi,1),%eax
 netbsd:ffs_mapsearch+0x1ea:     popl    %ebx
 db{0}> 
 netbsd:ffs_mapsearch+0x1eb:     popl    %esi
 netbsd:ffs_mapsearch+0x1ec:     popl    %edi
 netbsd:ffs_mapsearch+0x1ed:     popl    %ebp
 netbsd:ffs_mapsearch+0x1ee:     ret
 netbsd:ffs_mapsearch+0x1ef:     movl    0xffffffc4(%ebp),%eax
 netbsd:ffs_mapsearch+0x1f2:     movl    0xffffffc4(%ebp),%edx
 netbsd:ffs_mapsearch+0x1f5:     movl    0x2c(%eax),%esi
 netbsd:ffs_mapsearch+0x1f8:     shrl    $0x3,%esi
 netbsd:ffs_mapsearch+0x1fb:     cmpl    $0x90255,0x4(%edx)
 netbsd:ffs_mapsearch+0x202:     jnz     netbsd:ffs_mapsearch+0x73
 netbsd:ffs_mapsearch+0x208:     movl    0xffffffc4(%ebp),%ebx
 netbsd:ffs_mapsearch+0x20b:     movl    0x60(%ebx),%eax
 netbsd:ffs_mapsearch+0x20e:     addl    %eax,%ebx
 netbsd:ffs_mapsearch+0x210:     movl    %ebx,0xffffffdc(%ebp)
 netbsd:ffs_mapsearch+0x213:     jmp     netbsd:ffs_mapsearch+0x7c
 netbsd:ffs_mapsearch+0x218:     movl    0xffffffc8(%ebp),%edx
 netbsd:ffs_mapsearch+0x21b:     leal    0x1(%esi),%eax
 netbsd:ffs_mapsearch+0x21e:     movl    %eax,0xffffffe8(%ebp)
 netbsd:ffs_mapsearch+0x221:     movl    0x38(%edx),%eax
 netbsd:ffs_mapsearch+0x224:     movl    0xffffffcc(%ebp),%edx
 netbsd:ffs_mapsearch+0x227:     movl    %eax,%ecx
 netbsd:ffs_mapsearch+0x229:     movl    netbsd:fragtbl(,%eax,4),%eax
 netbsd:ffs_mapsearch+0x230:     andl    $0x7,%ecx
 netbsd:ffs_mapsearch+0x233:     addl    %edx,%ecx
 netbsd:ffs_mapsearch+0x235:     movl    0xffffffe8(%ebp),%edx
 netbsd:ffs_mapsearch+0x238:     shll    %cl,%edi
 netbsd:ffs_mapsearch+0x23a:     movl    %eax,0x8(%esp)
 netbsd:ffs_mapsearch+0x23e:     movl    0xffffffdc(%ebp),%eax
 netbsd:ffs_mapsearch+0x241:     movl    %edi,0xc(%esp)
 netbsd:ffs_mapsearch+0x245:     movl    %edx,0(%esp)
 netbsd:ffs_mapsearch+0x248:     movl    %eax,0x4(%esp)
 netbsd:ffs_mapsearch+0x24c:     call    netbsd:scanc
 db{0}> 

From: David Laight <david@l8s.co.uk>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/12404 (panic: ffs_alloccg: map corrupted)
Date: Thu, 17 Jul 2008 17:52:53 +0100

 On Thu, Jul 17, 2008 at 06:40:02AM +0000, Havard Eidnes wrote:
 > Subject: Re: kern/12404 (panic: ffs_alloccg: map corrupted)
 >  
 >  I had another occurrance, and per request, here's "show reg"
 >  output together with a backtrace.  This is with 4.99.70 on the
 >  new system (dual-Xeon 2.2GHz, 2GB memory, 205GB RAID on ciss(4)):
 >  
 ...
 >  Looking at the code, it appears that the backtrace is misleading,
 >  the panic() is in ffs_mapsearch(), not in ffs_alloccgblk().  I'll
 >  admit that I don't understand why ddb gets the backtrace wrong.

 Almost certainly due to leaf subroutines and/or static functions
 not being in the symbol table.

 Without having looked at how this code gets called, but which mutex
 controls access to the allocation maps in each 'cylinder group' ?

 	David

 -- 
 David Laight: david@l8s.co.uk

From: Havard Eidnes <he@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/12404 (panic: ffs_alloccg: map corrupted)
Date: Fri, 18 Jul 2008 22:59:34 +0200 (CEST)

 Another:

 start = 1, len = 23751, fs = /u
 offset=6024 6024
 cg 170
 panic: ffs_alloccg: map corrupted
 fatal breakpoint trap in supervisor mode
 trap type 1 code 0 eip c054d23c cs 8 eflags 246 cr2 bb908000 ilevel 0
 Stopped in pid 27342.1 (nbasn1_compile) at   netbsd:breakpoint+0x4:  popl  %ebp
 db{1}> tra
 breakpoint(c0a67f89,cd97e728,c316e800,c049c585,0,5,0,0,cd97e72c,0) at netbsd:breakpoint+0x4
 panic(c0a15eab,aa,1788,c33610d4,cd98c004,f673500,0,d1480000,c3361000,1) at netbsd:panic+0x1b8
 ffs_alloccgblk(1ece688,0,2,8000,ffffffff,1,cd97e7e8,0,0,e688) at netbsd:ffs_alloccgblk
 ffs_alloccg(d58b6b48,aa,1ece688,0,1000,0,aa,d58b6b48,c3361000,c3361000) at netbsd:ffs_alloccg+0x278
 ffs_hashalloc(1ece688,0,1000,c03c49a0,0,0,b700,0,dd38463,0) at netbsd:ffs_hashalloc+0x3a
 ffs_alloc(d58b6b48,0,0,1ece688,0,1000,cde45900,cd97e9d4,d786fad8,cd97e98c) at netbsd:ffs_alloc+0x22f
 ffs_balloc(d786fad8,0,0,690,cde45900,0,0,c0494bb1,cc402480,1) at netbsd:ffs_balloc+0x11e0
 ufs_gop_alloc(d786fad8,0,0,690,0,0,cde45900,0,1c02,0) at netbsd:ufs_gop_alloc+0xbe
 ufs_balloc_range(d786fad8,0,0,690,0,cde45900,0,c040817d,0,0) at netbsd:ufs_balloc_range+0x26a
 ffs_write(cd97ec04,0,c081bbc0,d786fad8,2,20002,cd97ec1c,c04e57c8,c081b6c0,d786fad8) at netbsd:ffs_write+0x8f1
 VOP_WRITE(d786fad8,cd97ec7c,10,cde45900,ffffffff,ffffffff,0,16,690,bb939000) at netbsd:VOP_WRITE+0x6c
 vn_write(d21bf740,d21bf740,cd97ec7c,cde45900,1,e04dc400,1,ce03fe1c,bb908000,1000) at netbsd:vn_write+0xb1
 dofilewrite(6,d21bf740,bb939000,690,d21bf740,1,cd97ed28,0,0,df663380) at netbsd:dofilewrite+0x75
 sys_write(df663380,cd97ed00,cd97ed28,bb908000,bb908000,ce03fe1c,2,6,bb939000,690) at netbsd:sys_write+0x6f
 syscall(cd97ed48,b3,ab,1f,1f,bb939000,bbbcf308,bfbfe228,bbbc3118,bbbcf308) at netbsd:syscall+0xab
 db{1}> show regi
 ds          0x10
 es          0x10
 fs          0x30
 gs          0x10
 edi         0x2
 esi         0xc0a15eab  copyright+0x3302b
 ebp         0xcd97e6dc
 ebx         0x100
 edx         0x8
 ecx         0
 eax         0x1
 eip         0xc054d23c  breakpoint+0x4
 cs          0x8
 eflags      0x246
 esp         0xcd97e6dc
 ss          0x10
 netbsd:breakpoint+0x4:  popl    %ebp
 db{1}> reboot 4

 In all honesty I should perhaps also mention that I've been
 getting some apparently unmotivated "internal compiler errors" (I
 use this host for more-or-less continual rebuilds of -current for
 a number of architectures), which disappear when I rebuild the
 tools and re-build with the same sources.

 I have left the machine running memtest86 overnight with no
 issues found, though.

 But still, it *may* be that it's not the file system code which
 is at fault here.

 Regards,

 - Havard

State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Thu, 03 Jan 2013 22:08:24 +0000
State-Changed-Why:
Has this come back in the last four years?


State-Changed-From-To: feedback->closed
State-Changed-By: he@NetBSD.org
State-Changed-When: Mon, 05 Jan 2015 08:54:12 +0000
State-Changed-Why:
This problem has not been observed lately.
I have a vague suspicion that hardware flakiness may have been
involved, at least in one of the occurrances.
The machines I reported this from have been retired, so there's
no sense in keeping this PR open anymore.


>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.