NetBSD Problem Report #36475

From he@smistad.uninett.no  Tue Jun 12 09:45:29 2007
Return-Path: <he@smistad.uninett.no>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 1F6A463B946
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 12 Jun 2007 09:45:29 +0000 (UTC)
Message-Id: <20070612094525.92F5221DC3A@smistad.uninett.no>
Date: Tue, 12 Jun 2007 11:45:25 +0200 (CEST)
From: he@NetBSD.org
Reply-To: he@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: uvm_fault() in process exit code
X-Send-Pr-Version: 3.95

>Number:         36475
>Category:       port-i386
>Synopsis:       uvm_fault() in process exit code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-i386-maintainer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 12 09:50:00 +0000 2007
>Closed-Date:    Fri Sep 30 08:23:22 +0000 2016
>Last-Modified:  Fri Sep 30 08:23:22 +0000 2016
>Originator:     Havard Eidnes
>Release:        NetBSD 3.1_STABLE of Nov 21 2006
>Organization:
	Trying...
>Environment:
System: NetBSD quattro.urc.uninett.no 3.1_STABLE NetBSD 3.1_STABLE (QUATTRO) #1: Tue Nov 21 02:34:49 CET 2006  he@quattro.urc.uninett.no:/usr/obj/sys/arch/i386/compile/QUATTRO i386
Architecture: i386
Machine: i386
>Description:
	Kernel died with uvm_fault() (bad pointer reference)
	in the kernel.

	This machine is doing UPDATE builds of NetBSD, one
	per CPU, most of the time when it is up.

	Here's the console log:

uvm_fault(0xc08b86c0, 0xdeadb000, 0, 1) -> 0xe
kernel: page fault trap, code=0
Stopped in pid 12018.1 (nbmake) at netbsd:pmap_activate+0x39: movl 0x5c(%eax),%eax
db{2}> tra
pmap_activate(e86b0424,0,d2afbe9c,c03aa391,c08d3a78) at netbsd:pmap_activate+0x39
uvm_proc_exit(d44963f4,ce438220,0,246,805b3490) at netbsd:uvm_proc_exit+0x36
exit1(e86b0424,0,599,e86b0424,d2afbf64) at netbsd:exit1+0x256
sys_exit(e86b0424,d2afbf64,d2afbf5c,c085184c,c039ccdb) at netbsd:sys_exit+0x23
syscall_plain() at netbsd:syscall_plain+0x1a5
--- syscall (number 1) ---
0xbdbc88c3:
db{2}> 
db{2}> machine cpu 0
using CPU 0
db{2}> tra
_kernel_lock(0,d27fbf64,20,c085217c,c039ccdb) at netbsd:_kernel_lock+0xd1
syscall_plain() at netbsd:syscall_plain+0x193
--- syscall (number 197) ---
0xbdba5a1e:
db{2}> machine cpu 1
using CPU 1
db{2}> tra
_simple_lock_try(c08d20cc,c07a7c94,585,0,c08538d4) at netbsd:_simple_lock_try+0x53
_kernel_lock(0,d340ff64,c,c0851870,c039ccdb) at netbsd:_kernel_lock+0xa9
syscall_plain() at netbsd:syscall_plain+0x193
--- syscall (number 4) ---
0x38803:
db{2}> machine cpu 2
using CPU 2
db{2}> tra
pmap_activate(e86b0424,0,d2afbe9c,c03aa391,c08d3a78) at netbsd:pmap_activate+0x39
uvm_proc_exit(d44963f4,ce438220,0,246,805b3490) at netbsd:uvm_proc_exit+0x36
exit1(e86b0424,0,599,e86b0424,d2afbf64) at netbsd:exit1+0x256
sys_exit(e86b0424,d2afbf64,d2afbf5c,c085184c,c039ccdb) at netbsd:sys_exit+0x23
syscall_plain() at netbsd:syscall_plain+0x1a5
--- syscall (number 1) ---
0xbdbc88c3:
db{2}> machine cpu 3
using CPU 3
db{2}> tra
__cpu_simple_lock_try(c08d20cc,c36b4c80,3,297,c0100f9e) at netbsd:__cpu_simple_lock_try+0xd
_simple_lock_try(c08d20cc,c07a7c94,585,7,d29a3cc8) at netbsd:_simple_lock_try+0x3e
_kernel_lock(42,dcb922ec,c080b9c0,ae0,d29a3cbc) at netbsd:_kernel_lock+0xa9
intr_biglock_wrapper(c3b53700,0,c0860010,30,10) at netbsd:intr_biglock_wrapper+0x11
Xintr_ioapic_level20() at netbsd:Xintr_ioapic_level20+0xa0
--- interrupt ---
Xspllower(0,c07a7c94,5cf,246,2) at netbsd:Xspllower+0xe
_kernel_lock_acquire_count(1,8070020,2000,dfaeef10,4dfee4d5) at netbsd:_kernel_lock_acquire_count+0xc1
uiomove(d0a56000,0,d29a3ec4,c039ccdb,2000) at netbsd:uiomove+0x92
ffs_read(d29a3e24,466e42d7,d29a3e5c,202,c065c4c0) at netbsd:ffs_read+0x4a6
VOP_READ(da0bca64,d29a3ec4,0,ce420a20,da0bca64) at netbsd:VOP_READ+0x34
vn_read(dfd4a658,dfd4a680,d29a3ec4,ce420a20,1) at netbsd:vn_read+0x78
dofileread(dcb922ec,3,dfd4a658,806e020,7fc0) at netbsd:dofileread+0x80
sys_read(dfaeef10,d29a3f64,d29a3f5c,c0851864,c08d8204) at netbsd:sys_read+0x70
syscall_plain() at netbsd:syscall_plain+0x1a5
--- syscall (number 3) ---
0xbdb46fb7:
db{2}> machine cpu 2
using CPU 2
db{2}> tra
pmap_activate(e86b0424,0,d2afbe9c,c03aa391,c08d3a78) at netbsd:pmap_activate+0x39
uvm_proc_exit(d44963f4,ce438220,0,246,805b3490) at netbsd:uvm_proc_exit+0x36
exit1(e86b0424,0,599,e86b0424,d2afbf64) at netbsd:exit1+0x256
sys_exit(e86b0424,d2afbf64,d2afbf5c,c085184c,c039ccdb) at netbsd:sys_exit+0x23
syscall_plain() at netbsd:syscall_plain+0x1a5
--- syscall (number 1) ---
0xbdbc88c3:
db{2}> show reg
ds          0x10
es          0x10
fs          0x30
gs          0x10
edi         0xe86b0424
esi         0xd44963f4
ebp         0xd2afbe6c
ebx         0xd342193c
edx         0xe86b0424
ecx         0xc3b2a000
eax         0xdeadbeef
eip         0xc0467cb5  pmap_activate+0x39
cs          0x8
eflags      0x10206
esp         0xd2afbe64
ss          0x10
netbsd:pmap_activate+0x39:      movl    0x5c(%eax),%eax
db{2}> reboot 4


	The boot messages from the machine:

BIOS CFG: Model-SubM-Rev: fc-01-00, 0x74<EBDA,KBDINT,RTC,IC2>
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
    The NetBSD Foundation, Inc.  All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California.  All rights reserved.

NetBSD 3.1_STABLE (QUATTRO) #1: Tue Nov 21 02:34:49 CET 2006
        he@quattro.urc.uninett.no:/usr/obj/sys/arch/i386/compile/QUATTRO
total memory = 2047 MB
avail memory = 1973 MB
BIOS32 rev. 0 found at 0xffe90
mainbus0 (root)
mainbus0: Intel MP Specification (Version 1.4) (DELL     POWEREDGE A2)
cpu0 at mainbus0: apid 3 (boot processor)
cpu0: Intel Pentium III Xeon (686-class), 699.35 MHz, id 0x6a1
cpu0: features 383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
cpu0: features 383fbff<PGE,MCA,CMOV,PAT,PSE36,MMX>
cpu0: features 383fbff<FXSR,SSE>
cpu0: I-cache 16 KB 32B/line 4-way, D-cache 16 KB 32B/line 4-way
cpu0: L2 cache 2 MB 32B/line 8-way
cpu0: ITLB 32 4 KB entries 4-way, 2 4 MB entries fully associative
cpu0: DTLB 64 4 KB entries 4-way, 8 4 MB entries 4-way
cpu0: calibrating local timer
cpu0: apic clock running at 99 MHz
cpu0: 64 page colors
cpu1 at mainbus0: apid 0 (application processor)
cpu1: starting
cpu1: Intel Pentium III Xeon (686-class), 699.29 MHz, id 0x6a1
cpu1: features 383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
cpu1: features 383fbff<PGE,MCA,CMOV,PAT,PSE36,MMX>
cpu1: features 383fbff<FXSR,SSE>
cpu1: I-cache 16 KB 32B/line 4-way, D-cache 16 KB 32B/line 4-way
cpu1: L2 cache 2 MB 32B/line 8-way
cpu1: ITLB 32 4 KB entries 4-way, 2 4 MB entries fully associative
cpu1: DTLB 64 4 KB entries 4-way, 8 4 MB entries 4-way
cpu2 at mainbus0: apid 2 (application processor)
cpu2: starting
cpu2: Intel Pentium III Xeon (686-class), 699.29 MHz, id 0x6a1
cpu2: features 383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
cpu2: features 383fbff<PGE,MCA,CMOV,PAT,PSE36,MMX>
cpu2: features 383fbff<FXSR,SSE>
cpu2: I-cache 16 KB 32B/line 4-way, D-cache 16 KB 32B/line 4-way
cpu2: L2 cache 2 MB 32B/line 8-way
cpu2: ITLB 32 4 KB entries 4-way, 2 4 MB entries fully associative
cpu2: DTLB 64 4 KB entries 4-way, 8 4 MB entries 4-way
cpu3 at mainbus0: apid 1 (application processor)
cpu3: starting
cpu3: Intel Pentium III Xeon (686-class), 699.29 MHz, id 0x6a1
cpu3: features 383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR>
cpu3: features 383fbff<PGE,MCA,CMOV,PAT,PSE36,MMX>
cpu3: features 383fbff<FXSR,SSE>
cpu3: I-cache 16 KB 32B/line 4-way, D-cache 16 KB 32B/line 4-way
cpu3: L2 cache 2 MB 32B/line 8-way
cpu3: ITLB 32 4 KB entries 4-way, 2 4 MB entries fully associative
cpu3: DTLB 64 4 KB entries 4-way, 8 4 MB entries 4-way
mpbios: bus 0 is type PCI   
mpbios: bus 1 is type PCI   
mpbios: bus 2 is type PCI   
mpbios: bus 3 is type PCI   
mpbios: bus 4 is type PCI   
mpbios: bus 5 is type PCI   
mpbios: bus 6 is type PCI   
mpbios: bus 7 is type PCI   
mpbios: bus 8 is type PCI   
mpbios: bus 9 is type PCI   
mpbios: bus 10 is type PCI   
mpbios: bus 11 is type PCI   
mpbios: bus 12 is type PCI   
mpbios: bus 13 is type PCI   
mpbios: bus 14 is type PCI   
mpbios: bus 15 is type PCI   
mpbios: bus 16 is type PCI   
mpbios: bus 17 is type PCI   
mpbios: bus 18 is type PCI   
mpbios: bus 19 is type PCI   
mpbios: bus 20 is type ISA   
ioapic0 at mainbus0 apid 4 (I/O APIC)
ioapic0: pa 0xfec00000, version 11, 16 pins
ioapic0: misconfigured as apic 0
ioapic0: remapped to apic 4
ioapic1 at mainbus0 apid 5 (I/O APIC)
ioapic1: pa 0xfec01000, version 11, 16 pins
ioapic1: misconfigured as apic 0
ioapic1: remapped to apic 5
pci0 at mainbus0 bus 0: configuration mode 1
pci0: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
pchb0 at pci0 dev 0 function 0
pchb0: ServerWorks CNB20-HE PCI bridge (rev. 0x21)
pchb1 at pci0 dev 0 function 1
pchb1: ServerWorks CNB20-HE PCI bridge (rev. 0x01)
pchb2 at pci0 dev 0 function 2
pchb2: ServerWorks CNB30-LE PCI bridge (rev. 0x00)
pci1 at pchb2 bus 3
pci1: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
ppb0 at pci1 dev 9 function 0: Digital Equipment DC21152 PCI-PCI Bridge (rev. 0x03)
pci2 at ppb0 bus 4
pci2: i/o space, memory space enabled, rd/line, wr/inv ok
fxp0 at pci2 dev 4 function 0: i82558 Ethernet, rev 5
fxp0: interrupting at ioapic1 pin 7 (irq 11)
fxp0: Ethernet address 00:03:47:71:ba:a2
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 0
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1 at pci2 dev 5 function 0: i82558 Ethernet, rev 5
fxp1: interrupting at ioapic1 pin 11 (irq 10)
fxp1: Ethernet address 00:03:47:71:ba:a3
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 0
inphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
ppb1 at pci1 dev 11 function 0: Intel i960 RN PCI-PCI (rev. 0x01)
pci3 at ppb1 bus 5
pci3: i/o space, memory space enabled, rd/line, wr/inv ok
amr0 at pci1 dev 11 function 1: AMI RAID <Series 467>
amr0: interrupting at ioapic1 pin 9 (irq 10)
amr0: firmware <1.01>, BIOS <1p00>, 64MB RAM
ld0 at amr0 unit 0: RAID 5, optimal
ld0: 51834 MB, 6607 cyl, 255 head, 63 sec, 512 bytes/sect x 106156032 sectors
pchb3 at pci0 dev 0 function 3
pchb3: ServerWorks CNB30-LE PCI bridge (rev. 0x00)
pci4 at pchb3 bus 14
pci4: i/o space, memory space enabled, rd/line, rd/mult, wr/inv ok
ppb2 at pci4 dev 13 function 0: Digital Equipment DC21154 PCI-PCI Bridge (rev. 0x05)
pci5 at ppb2 bus 15
pci5: i/o space, memory space enabled, rd/line, wr/inv ok
mly0 at pci5 dev 8 function 0: Mylex eXtremeRAID 3000
mly0: interrupting at ioapic1 pin 4 (irq 11)
mly0: controller initialization started
mly0: 3 physical channels, firmware 7.02-0-00 (20021213), 128MB RAM
scsibus0 at mly0 channel 0: 16 targets, 1 lun per target
scsibus1 at mly0 channel 1: 16 targets, 1 lun per target
scsibus2 at mly0 channel 2: 16 targets, 1 lun per target
scsibus3 at mly0 channel 3: 16 targets, 1 lun per target
scsibus4 at mly0 channel 4: 16 targets, 1 lun per target
vga1 at pci0 dev 4 function 0: ATI Technologies 3D Rage IIC (rev. 0x7a)
wsdisplay0 at vga1 kbdmux 1
wsmux1: connecting to wsdisplay0
ahc1 at pci0 dev 5 function 0: Adaptec aic7899 Ultra160 SCSI adapter
ahc1: interrupting at ioapic1 pin 1 (irq 11)
ahc1: aic7899: Ultra160 Wide Channel A, SCSI Id=7, 32/253 SCBs
scsibus5 at ahc1: 16 targets, 8 luns per target
ahc2 at pci0 dev 5 function 1: Adaptec aic7899 Ultra160 SCSI adapter
ahc2: interrupting at ioapic1 pin 2 (irq 10)
ahc2: aic7899: Ultra160 Wide Channel B, SCSI Id=7, 32/253 SCBs
scsibus6 at ahc2: 16 targets, 8 luns per target
fxp2 at pci0 dev 8 function 0: i82559 Ethernet, rev 8
fxp2: interrupting at ioapic1 pin 10 (irq 11)
fxp2: Ethernet address 00:b0:d0:49:8f:87
inphy2 at fxp2 phy 1: i82555 10/100 media interface, rev. 4
inphy2: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pcib0 at pci0 dev 15 function 0
pcib0: ServerWorks OSB4 southbridge (rev. 0x4f)
rccide0 at pci0 dev 15 function 1
rccide0: ServerWorks OSB4 IDE Controller (rev. 0x00)
rccide0: bus-master DMA support present
rccide0: primary channel configured to compatibility mode
rccide0: primary channel interrupting at ioapic0 pin 14 (irq 14)
atabus0 at rccide0 channel 0
rccide0: secondary channel configured to compatibility mode
rccide0: secondary channel interrupting at ioapic0 pin 15 (irq 15)
atabus1 at rccide0 channel 1
ohci0 at pci0 dev 15 function 2: ServerWorks OSB4/CSB5 USB Host Controller (rev. 0x04)
ohci0: interrupting at ioapic0 pin 5 (irq 5)
ohci0: OHCI version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: ServerWorks OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
isa0 at pcib0
lpt0 at isa0 port 0x378-0x37b irq 7
com0 at isa0 port 0x3f8-0x3ff irq 4: ns16550a, working fifo
com0: console
com1 at isa0 port 0x2f8-0x2ff irq 3: ns16550a, working fifo
pckbc0 at isa0 port 0x60-0x64
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
isapnp0 at isa0 port 0x279: ISA Plug 'n Play device support
npx0 at isa0 port 0xf0-0xff: using exception 16
fdc0 at isa0 port 0x3f0-0x3f7 irq 6 drq 2
isapnp0: no ISA Plug 'n Play devices found
ioapic0: enabling
ioapic1: enabling
fd0 at fdc0 drive 0: 1.44MB, 80 cyl, 2 head, 18 sec
Kernelized RAIDframe activated
scsibus5: waiting 2 seconds for devices to settle...
scsibus6: waiting 2 seconds for devices to settle...
atapibus0 at atabus0: 2 targets
cd0 at atapibus0 drive 0: <TEAC CD-ROM CD-224E, , 3.7D> cdrom removable
cd0: 32-bit data port
cd0: drive supports PIO mode 4, DMA mode 2, Ultra-DMA mode 2 (Ultra/33)
cd0(rccide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2 (Ultra/33) (using DMA)
sd0 at scsibus3 target 0 lun 0: <MYLEX, RAID 5, ONLN> disk fixed
sd0: 237 GB, 660 cyl, 128 head, 5890 sec, 512 bytes/sect x 497631232 sectors
sd0: sync (50.00ns offset 8), 16-bit (40.000MB/s) transfers, tagged queueing
boot device: ld0
root on ld0a dumps on ld0b
root file system type: ffs
cpu1: CPU 0 running
cpu3: CPU 1 running
cpu2: CPU 2 running
Tue Jun 12 07:49:03 GMT 2007

	Disassembly of pmap_activate() reveals:

(gdb) x/20i pmap_activate
0xc0467c7c <pmap_activate>:     push   %ebp
0xc0467c7d <pmap_activate+1>:   mov    %esp,%ebp
0xc0467c7f <pmap_activate+3>:   sub    $0x8,%esp
0xc0467c82 <pmap_activate+6>:   mov    0x8(%ebp),%edx
0xc0467c85 <pmap_activate+9>:   mov    %fs:0x4,%ecx
0xc0467c8c <pmap_activate+16>:  mov    0x10(%edx),%eax
0xc0467c8f <pmap_activate+19>:  mov    0x1c(%eax),%eax
0xc0467c92 <pmap_activate+22>:  cmp    0x14(%ecx),%edx
0xc0467c95 <pmap_activate+25>:  mov    (%eax),%eax
0xc0467c97 <pmap_activate+27>:  je     0xc0467c9c <pmap_activate+32>
0xc0467c99 <pmap_activate+29>:  leave  
0xc0467c9a <pmap_activate+30>:  ret    
0xc0467c9b <pmap_activate+31>:  nop    
0xc0467c9c <pmap_activate+32>:  cmpl   $0x0,0xc0(%ecx)
0xc0467ca3 <pmap_activate+39>:  jne    0xc0467cef <pmap_activate+115>
0xc0467ca5 <pmap_activate+41>:  cmpl   $0x0,0xc4(%ecx)
0xc0467cac <pmap_activate+48>:  je     0xc0467cd6 <pmap_activate+90>
0xc0467cae <pmap_activate+50>:  cmp    $0xc08d8780,%eax
0xc0467cb3 <pmap_activate+55>:  je     0xc0467cca <pmap_activate+78>
0xc0467cb5 <pmap_activate+57>:  mov    0x5c(%eax),%eax
(gdb) x/20i
0xc0467cb8 <pmap_activate+60>:  mov    0x74(%edx),%edx
0xc0467cbb <pmap_activate+63>:  mov    %eax,0x60(%edx)
0xc0467cbe <pmap_activate+66>:  movl   $0x1,0xc0(%ecx)
0xc0467cc8 <pmap_activate+76>:  jmp    0xc0467c99 <pmap_activate+29>
0xc0467cca <pmap_activate+78>:  movl   $0x0,0xc0(%ecx)
0xc0467cd4 <pmap_activate+88>:  jmp    0xc0467c99 <pmap_activate+29>
0xc0467cd6 <pmap_activate+90>:  push   $0xc080baa0
0xc0467cdb <pmap_activate+95>:  push   $0x79a
0xc0467ce0 <pmap_activate+100>: push   $0xc080b9c0
0xc0467ce5 <pmap_activate+105>: push   $0xc07952a0
0xc0467cea <pmap_activate+110>: call   0xc0627e38 <__assert>
0xc0467cef <pmap_activate+115>: push   $0xc07aec2a
0xc0467cf4 <pmap_activate+120>: push   $0x799
0xc0467cf9 <pmap_activate+125>: jmp    0xc0467ce0 <pmap_activate+100>
0xc0467cfb <pmap_activate+127>: nop    
0xc0467cfc <pmap_reactivate>:   push   %ebp
0xc0467cfd <pmap_reactivate+1>: mov    %esp,%ebp
0xc0467cff <pmap_reactivate+3>: push   %edi
0xc0467d00 <pmap_reactivate+4>: push   %esi
0xc0467d01 <pmap_reactivate+5>: push   %ebx

	and 0x39 = 57, so the last instruction above was where the
	problem hit.  This appears to be

	pcb = &l->l_addr->u_pcb;

	in pmap_activate() which is the source for these instructions.


>How-To-Repeat:
	Run this kernel on an MP machine, and stress it with rebuilds.
	Watch it occasionally panic as above.

>Fix:
	Sorry, don't know.

>Release-Note:

>Audit-Trail:
From: Pavel Cahyna <pavel@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: port-i386-maintainer@NetBSD.org, gnats-admin@NetBSD.org,
	netbsd-bugs@NetBSD.org
Subject: Re: port-i386/36475: uvm_fault() in process exit code
Date: Wed, 13 Jun 2007 00:39:34 +0200

 On Tue, Jun 12, 2007 at 09:50:00AM +0000, he@NetBSD.org wrote:
 > 	Disassembly of pmap_activate() reveals:
 > 
 > (gdb) x/20i pmap_activate
 > 0xc0467c7c <pmap_activate>:     push   %ebp
 > 0xc0467c7d <pmap_activate+1>:   mov    %esp,%ebp
 > 0xc0467c7f <pmap_activate+3>:   sub    $0x8,%esp
 > 0xc0467c82 <pmap_activate+6>:   mov    0x8(%ebp),%edx
 > 0xc0467c85 <pmap_activate+9>:   mov    %fs:0x4,%ecx
 > 0xc0467c8c <pmap_activate+16>:  mov    0x10(%edx),%eax
 > 0xc0467c8f <pmap_activate+19>:  mov    0x1c(%eax),%eax
 > 0xc0467c92 <pmap_activate+22>:  cmp    0x14(%ecx),%edx
 > 0xc0467c95 <pmap_activate+25>:  mov    (%eax),%eax
 > 0xc0467c97 <pmap_activate+27>:  je     0xc0467c9c <pmap_activate+32>
 > 0xc0467c99 <pmap_activate+29>:  leave  
 > 0xc0467c9a <pmap_activate+30>:  ret    
 > 0xc0467c9b <pmap_activate+31>:  nop    
 > 0xc0467c9c <pmap_activate+32>:  cmpl   $0x0,0xc0(%ecx)
 > 0xc0467ca3 <pmap_activate+39>:  jne    0xc0467cef <pmap_activate+115>
 > 0xc0467ca5 <pmap_activate+41>:  cmpl   $0x0,0xc4(%ecx)
 > 0xc0467cac <pmap_activate+48>:  je     0xc0467cd6 <pmap_activate+90>
 > 0xc0467cae <pmap_activate+50>:  cmp    $0xc08d8780,%eax
 > 0xc0467cb3 <pmap_activate+55>:  je     0xc0467cca <pmap_activate+78>
 > 0xc0467cb5 <pmap_activate+57>:  mov    0x5c(%eax),%eax
 > (gdb) x/20i
 > 0xc0467cb8 <pmap_activate+60>:  mov    0x74(%edx),%edx
 > 0xc0467cbb <pmap_activate+63>:  mov    %eax,0x60(%edx)
 > 0xc0467cbe <pmap_activate+66>:  movl   $0x1,0xc0(%ecx)
 > 0xc0467cc8 <pmap_activate+76>:  jmp    0xc0467c99 <pmap_activate+29>
 > 0xc0467cca <pmap_activate+78>:  movl   $0x0,0xc0(%ecx)
 > 0xc0467cd4 <pmap_activate+88>:  jmp    0xc0467c99 <pmap_activate+29>
 > 0xc0467cd6 <pmap_activate+90>:  push   $0xc080baa0
 > 0xc0467cdb <pmap_activate+95>:  push   $0x79a
 > 0xc0467ce0 <pmap_activate+100>: push   $0xc080b9c0
 > 0xc0467ce5 <pmap_activate+105>: push   $0xc07952a0
 > 0xc0467cea <pmap_activate+110>: call   0xc0627e38 <__assert>
 > 0xc0467cef <pmap_activate+115>: push   $0xc07aec2a
 > 0xc0467cf4 <pmap_activate+120>: push   $0x799
 > 0xc0467cf9 <pmap_activate+125>: jmp    0xc0467ce0 <pmap_activate+100>
 > 0xc0467cfb <pmap_activate+127>: nop    
 > 0xc0467cfc <pmap_reactivate>:   push   %ebp
 > 0xc0467cfd <pmap_reactivate+1>: mov    %esp,%ebp
 > 0xc0467cff <pmap_reactivate+3>: push   %edi
 > 0xc0467d00 <pmap_reactivate+4>: push   %esi
 > 0xc0467d01 <pmap_reactivate+5>: push   %ebx
 > 
 > 	and 0x39 = 57, so the last instruction above was where the
 > 	problem hit.  This appears to be
 > 
 > 	pcb = &l->l_addr->u_pcb;
 > 
 > 	in pmap_activate() which is the source for these instructions.

 I believe it is rather
 	pcb->pcb_ldt_sel = pmap->pm_ldt_sel;

 eax == pmap, edx == pcb.

 This means that pmap == 0xdeadbeef. Moreover, at this point, pmap should
 be the process' 0 (i.e. kernel's) pmap! (see
 	/*
  	 * borrow proc0's address space.
  	 */
  	pmap_deactivate(l);
  	p->p_vmspace = proc0.p_vmspace;
  	pmap_activate(l);

 in uvm_proc_exit)

 So either somebody freed the kernel's vmspace, or for some reason
 p->p_vmspace is not the process 0 vmspace.

 Could you look if proc0.p_vmspace->vm_map.pmap is 0xdeadbeef at this point?
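
Added worked example (not from the PR or the NetBSD tree): the check both analyses above do by hand, done mechanically over the ddb output, namely that base register plus displacement from the faulting `movl 0x5c(%eax),%eax` lands in the page uvm_fault() reported, and that the base value 0xdeadbeef is the WEIRD_ADDR pattern a DIAGNOSTIC NetBSD kernel's free(9) writes over released memory, which is what points at a freed pmap rather than a stray pointer. The sample log is constructed from the PR's register dump; the enum, the function names and the KMEM_POISON macro are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_MASK   0xfffU        /* i386 4 KB pages */
#define KMEM_POISON 0xdeadbeefU   /* free(9) fill pattern in a DIAGNOSTIC kernel */

enum verdict {
    VERDICT_PARSE_ERROR,   /* a needed line is missing from the log */
    VERDICT_INCONSISTENT,  /* base+disp is not in the page uvm_fault() reported */
    VERDICT_WILD_POINTER,  /* consistent fault, base register is not the poison value */
    VERDICT_FREED_MEMORY   /* consistent fault, base register holds the poison value */
};

/* Constructed sample: the uvm_fault() line and part of "show reg" from the PR. */
static const char SAMPLE_LOG[] =
    "uvm_fault(0xc08b86c0, 0xdeadb000, 0, 1) -> 0xe\n"
    "ecx         0xc3b2a000\n"
    "eax         0xdeadbeef\n"
    "eip         0xc0467cb5  pmap_activate+0x39\n";

/* First line that starts with `prefix` followed by a space or '('. */
static const char *find_line(const char *log, const char *prefix)
{
    size_t n = strlen(prefix);
    const char *p = log;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, prefix, n) == 0 && (p[n] == ' ' || p[n] == '('))
            return p;
        p = strchr(p, '\n');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Hex value pulled out with `fmt` from the first line starting with `prefix`. */
static int scan_line(const char *log, const char *prefix, const char *fmt, uint32_t *out)
{
    unsigned int v;
    const char *p = find_line(log, prefix);
    if (p == NULL || sscanf(p, fmt, &v) != 1)
        return -1;
    *out = v;
    return 0;
}

/* Effective address of a "disp(%base)" operand, e.g. 0x5c(%eax) at pmap_activate+0x39. */
uint32_t effective_addr(uint32_t base, uint32_t disp) { return base + disp; }

/* Does base+disp land in the faulting page, and does the base look like freed memory? */
enum verdict classify(const char *log, const char *base_reg, uint32_t disp)
{
    uint32_t va, base;
    if (scan_line(log, "uvm_fault", "uvm_fault(%*x, %x", &va) != 0 ||
        scan_line(log, base_reg, "%*s %x", &base) != 0)
        return VERDICT_PARSE_ERROR;
    if ((effective_addr(base, disp) & ~PAGE_MASK) != va)
        return VERDICT_INCONSISTENT;
    return base == KMEM_POISON ? VERDICT_FREED_MEMORY : VERDICT_WILD_POINTER;
}
```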

State-Changed-From-To: open->analyzed
State-Changed-By: ad@NetBSD.org
State-Changed-When: Sun, 11 May 2008 23:07:29 +0000
State-Changed-Why:
We have tried and failed to find this bug. :-(
I believe that it may be fixed in -current.


State-Changed-From-To: analyzed->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Sun, 06 Oct 2013 09:32:21 +0000
State-Changed-Why:
Have you seen this behavior in the last few years?


State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 30 Sep 2016 08:23:22 +0000
State-Changed-Why:
not reproducible since 2008


>Unformatted:
