NetBSD Problem Report #40143

From steve@mctavish.co.uk  Tue Dec  9 13:34:32 2008
Return-Path: <steve@mctavish.co.uk>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 4279D63B121
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  9 Dec 2008 13:34:32 +0000 (UTC)
Message-Id: <20081209133429.CE23787E40@joe.mctavish.co.uk>
Date: Tue,  9 Dec 2008 13:34:29 +0000 (GMT)
From: scw@netbsd.org
Reply-To: scw@netbsd.org
To: gnats-bugs@gnats.NetBSD.org
Subject: Crash in i386:doreti_checkast()
X-Send-Pr-Version: 3.95

>Number:         40143
>Category:       port-i386
>Synopsis:       Viewing an mpeg transport stream with mplayer causes crash
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    ad
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 09 13:35:00 +0000 2008
>Closed-Date:    Sat Apr 04 10:29:20 +0000 2009
>Last-Modified:  Sat Apr 04 10:29:20 +0000 2009
>Originator:     Steve Woodford
>Release:        NetBSD 5.0_BETA
>Organization:
>Environment:
System: NetBSD joe.mctavish.co.uk 5.0_BETA NetBSD 5.0_BETA (JOE) #0: Tue Dec 9 12:43:27 GMT 2008 steve@mctavish.co.uk:/usr/src/sys/arch/i386/compile/JOE i386
Architecture: i386
Machine: i386
>Description:
I have a DVB-T card installed in an Ubuntu box which I use for occasional
streaming of broadcast video to my NetBSD workstation. The stream is
viewed using mplayer on NetBSD.

I last used this set up some time before the netbsd-5 branch was cut and
it worked well. Now, however, shortly after starting mplayer the NetBSD
box panics. Due to having no desire to deliberately crash my NetBSD
workstation (raid parity rebuild takes forever), I've only tried to
reproduce this problem twice. On both occasions the panic occurred within
a few minutes of starting mplayer.

The NetBSD box is running 5.0_BETA from this morning (2008/12/9), but
without DDB. Best I can do at the moment is fish the panic string out of
the crash dump, provide a basic gdb backtrace, and disassembly of
doreti_checkast():

fatal protection fault in supervisor mode
trap type 4 code 8c eip c0100d69 cs 8 eflags 210046 cr2 d53bc000 ilevel 0

#0  0xc03273f2 in cpu_reboot ()
#1  0xc02aa999 in panic ()
#2  0xc0329dfa in trap ()
#3  0xc010ca8f in calltrap ()
#4  0xc0100d69 in doreti_checkast ()
[gdb refuses to trace further back than here]

c0100d33 <doreti_checkast>:
c0100d33:       64 a1 18 00 00 00       mov    %fs:0x18,%eax
c0100d39:       83 78 24 00             cmpl   $0x0,0x24(%eax)
c0100d3d:       74 1c                   je     c0100d5b <doreti_checkast+0x28>
c0100d3f:       c7 40 24 00 00 00 00    movl   $0x0,0x24(%eax)
c0100d46:       fb                      sti
c0100d47:       c7 44 24 2c 03 00 00    movl   $0x3,0x2c(%esp)
c0100d4e:       00
c0100d4f:       54                      push   %esp
c0100d50:       e8 02 8e 22 00          call   c0329b57 <trap>
c0100d55:       83 c4 04                add    $0x4,%esp
c0100d58:       fa                      cli
c0100d59:       eb c3                   jmp    c0100d1e <Xdoreti+0x3e>
c0100d5b:       64 83 3d 54 01 00 00    cmpl   $0x0,%fs:0x154
c0100d62:       00
c0100d63:       75 30                   jne    c0100d95 <doreti_checkast+0x62>
c0100d65:       8e 6c 24 00             movl   0x0(%esp),%gs
c0100d69: ***** 8e 64 24 04             movl   0x4(%esp),%fs
c0100d6d:       8e 44 24 08             movl   0x8(%esp),%es
c0100d71:       8e 5c 24 0c             movl   0xc(%esp),%ds

Crash dump (30MB), kernel binary, dmesg, and config file available on request.
>How-To-Repeat:
Attempt to view a DVB-T mpeg transport stream (streamed over http) using
mplayer on 5.0_BETA.
>Fix:
Unknown.

>Release-Note:

>Audit-Trail:
From: Andrew Doran <ad@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: port-i386/40143: Crash in i386:doreti_checkast()
Date: Wed, 10 Dec 2008 13:37:07 +0000

 This code block is fragile and has been broken by changes to system call /
 trap return:

 http://nxr.homeunix.org/source/xref/sys/arch/i386/i386/trap.c#427

 Andrew

From: Steve Woodford <scw@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: port-i386-maintainer@netbsd.org,
 gnats-admin@netbsd.org,
 netbsd-bugs@netbsd.org
Subject: Re: port-i386/40143: Crash in i386:doreti_checkast()
Date: Tue, 20 Jan 2009 09:56:35 +0000

 I've bumped the severity to critical and priority to high for this bug.

 Just playing an mpeg file with mplayer is sufficient to tickle the 
 crash. It's got to be some kind of race condition, as it may take a few 
 attempts before crashing.

 As this affects the netbsd-5 branch, I'd say this should be a 
 show-stopper for 5.0. (releng@ BCC'd)

 Cheers, Steve

Responsible-Changed-From-To: port-i386-maintainer->ad
Responsible-Changed-By: ad@NetBSD.org
Responsible-Changed-When: Mon, 26 Jan 2009 23:32:34 +0000
Responsible-Changed-Why:
take directly, needs to be fixed for 5.0


From: "Jared D. McNeill" <jmcneill@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/40143 CVS commit: src/sys/dev/pci
Date: Wed, 25 Feb 2009 15:46:34 +0000 (UTC)

 Module Name:	src
 Committed By:	jmcneill
 Date:		Wed Feb 25 15:46:34 UTC 2009

 Modified Files:
 	src/sys/dev/pci: azalia.c

 Log Message:
 PR# port-i386/40143: Viewing an mpeg transport stream with mplayer causes crash

 Not directly related to the PR but this bug was discovered while testing.

 In azalia_stream_halt, invalidate the intr ptr to prevent a race condition
 where azalia_stream_intr can jump off into lala land during stream shutdown.


 To generate a diff of this commit:
 cvs rdiff -r1.66 -r1.67 src/sys/dev/pci/azalia.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: Greg Oster <oster@cs.usask.ca>
To: gnats-bugs@NetBSD.org
Cc: drochner@netbsd.org
Subject: Re: port-i386/40143: Crash in i386:doreti_checkast() 
Date: Sat, 28 Feb 2009 13:33:36 -0600

 scw@netbsd.org writes:
 > >Number:         40143
 > >Category:       port-i386
 > >Synopsis:       Viewing an mpeg transport stream with mplayer causes crash
 > >Confidential:   no
 > >Severity:       serious
 > >Priority:       medium
 > >Responsible:    port-i386-maintainer
 > >State:          open
 > >Class:          sw-bug
 > >Submitter-Id:   net
 > >Arrival-Date:   Tue Dec 09 13:35:00 +0000 2008
 > >Originator:     Steve Woodford
 > >Release:        NetBSD 5.0_BETA
 > >Organization:
 > >Environment:
 > System: NetBSD joe.mctavish.co.uk 5.0_BETA NetBSD 5.0_BETA (JOE) #0: Tue Dec 9 12:43:27 GMT 2008 steve@mctavish.co.uk:/usr/src/sys/arch/i386/compile/JOE i386
 > Architecture: i386
 > Machine: i386
 > >Description:
 > I have a DVB-T card installed in an Ubuntu box which I use for occasional
 > streaming of broadcast video to my NetBSD workstation. The stream is
 > viewed using mplayer on NetBSD.
 > 
 > I last used this set up some time before the netbsd-5 branch was cut and
 > it worked well. Now, however, shortly after starting mplayer the NetBSD
 > box panics. Due to having no desire to deliberately crash my NetBSD
 > workstation (raid parity rebuild takes forever), I've only tried to
 > reproduce this problem twice. On both occasions the panic occurred within
 > a few minutes of starting mplayer.

 I have been able to reliably reproduce this with: 

 while (1)
  mplayer -ao null -vo null somefile.avi
 end

 and the box would keel over in a few minutes.  However: after updating 
 my -current kernel to have this fix:

   cvs rdiff -r1.142 -r1.143 src/sys/uvm/uvm_page.c

 I have been unable to reproduce the panic!!!  (it's been 2 hours of 
 pounding now, where before it only needed about 5 minutes...)

 Later...

 Greg Oster


From: Greg Oster <oster@cs.usask.ca>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: port-i386/40143: Crash in i386:doreti_checkast() 
Date: Sat, 28 Feb 2009 13:39:11 -0600

 Greg Oster writes:
 >  I have been able to reliably reproduce this with: 
 >   
 >  while (1)
 >   mplayer -ao null -vo null somefile.avi
 >  end
 >  
 >  and the box would keel over in a few minutes.  However: after updating 
 >  my -current kernel to have this fix:
 >  
 >    cvs rdiff -r1.142 -r1.143 src/sys/uvm/uvm_page.c
 >  
 >  I have been unable to reproduce the panic!!!  (it's been 2 hours of 
 >  pounding now, where before it only needed about 5 minutes...)

 I'm reminded that I'm actually running with this one too:

  cvs rdiff -r1.143 -r1.144 src/sys/uvm/uvm_page.c

 (both of these should get pulled up to netbsd-5)

 Later...

 Greg Oster


From: Greg Oster <oster@cs.usask.ca>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: port-i386/40143: Crash in i386:doreti_checkast() 
Date: Sat, 28 Feb 2009 14:23:41 -0600

 Greg Oster writes:
 >  >  I have been able to reliably reproduce this with: 
 >  >   
 >  >  while (1)
 >  >   mplayer -ao null -vo null somefile.avi
 >  >  end
 >  >  
 >  >  and the box would keel over in a few minutes.  However: after updating 
 >  >  my -current kernel to have this fix:
 >  >  
 >  >    cvs rdiff -r1.142 -r1.143 src/sys/uvm/uvm_page.c
 >  >  
 >  >  I have been unable to reproduce the panic!!!  (it's been 2 hours of 
 >  >  pounding now, where before it only needed about 5 minutes...)
 >  
 >  I'm reminded that I'm actually running with this one too:
 >  
 >   cvs rdiff -r1.143 -r1.144 src/sys/uvm/uvm_page.c
 >  
 >  (both of these should get pulled up to netbsd-5)

 Hmm.. just pulling these up to 5.0 was *not* sufficient to remove the 
 panic.

 Later...

 Greg Oster


From: Steve Woodford <scw@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: ad@netbsd.org,
 gnats-admin@netbsd.org,
 netbsd-bugs@netbsd.org
Subject: Re: port-i386/40143: Crash in i386:doreti_checkast()
Date: Sat, 28 Feb 2009 20:30:59 +0000

 On Saturday 28 February 2009 20:25:01 Greg Oster wrote:

 >  Hmm.. just pulling these up to 5.0 was *not* sufficient to remove
 > the panic.

 Indeed. Applying the 1.142->1.144 diffs for uvm_page.c to the 5.0 tree 
 (a few months old) from which my own local kernel was built resulted in 
 a hang while starting X11.

 Cheers, Steve

From: Andrew Doran <ad@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: port-i386/40143 (Viewing an mpeg transport stream with mplayer causes crash)
Date: Fri, 20 Mar 2009 19:43:01 +0000

 1. A trap or syscall occurs. Entry is through a call gate or trap gate:
    PSL_I is set.

 2. An interrupt occurs before the trap/syscall frame is constructed on the
    stack. Interrupt is handled as in ring0, but saves ring3 descriptors in
    its frame.

 3. The interrupt is handled successfully. During this time the running user
    thread's selectors become invalid.

 4. On return from the interrupt (back to ring0) we restore invalid ring3
    descriptors.

 5. Segment fault code cannot determine if this is user state causing the
    trap, because the outer user frame is only partially constructed.

 6. we_re_toast

 trap type 4 code 94 eip c0100ea9 cs 8 eflags 10046 cr2 bbaee000 ilevel 0
 kernel: supervisor trap protection fault, code=0
 Stopped in pid 410.1 (test_ldt) at      netbsd:Xdoreti+0x89:    mov     0x4(%esp),%fs
 db{0}> bt
 Xdoreti() at netbsd:Xdoreti+0x89
 --- interrupt ---
 0:
 db{0}> info reg
 ...
 esp         0xcf9fed38
 ...
 db{0}> x/Lx 0xcf9fed38,40
 0xcf9fed38:     cfa700b3    bfbf0097    c010001f    cf9f001f    0           12
 0xcf9fed50:     bfbfeca8    bbaee000    97          1000        97          3 
 0xcf9fed68:     0           c010c9a0    8           246 

 		^ frame from kernel mode interrupt (ring0->ring0)
 							        6           8048877
                 17          10246       bfbfec7c    1f

 		^ partially constructed frame from ring3->ring0 transition
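
The saved selectors in the dump above can be checked against the fault's error code. This is an added example, not part of the PR or the NetBSD source: it decodes the four selector words at 0xcf9fed38 and the trap line's `code 94` using the standard x86 selector and error-code bit layouts. The slot order is taken from the doreti disassembly in the original report; reading the code as hexadecimal is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Slot order from the doreti disassembly in the report:
 * %gs, %fs, %es, %ds are reloaded from 0x0, 0x4, 0x8, 0xc(%esp). */
enum { TF_GS, TF_FS, TF_ES, TF_DS, TF_NSEG };
static const char *const seg_name[TF_NSEG] = { "gs", "fs", "es", "ds" };

/* First four words at 0xcf9fed38, copied from the ddb dump. */
static const uint32_t frame[TF_NSEG] = {
    0xcfa700b3, 0xbfbf0097, 0xc010001f, 0xcf9f001f
};

struct selector { unsigned index, ti, rpl; };

/* x86 selector: bits 15..3 index, bit 2 table (0 GDT, 1 LDT), bits 1..0 RPL.
 * Only the low 16 bits of each saved word are the selector. */
static struct selector decode_selector(uint32_t word)
{
    uint16_t sel = (uint16_t)word;
    struct selector s = { sel >> 3, (sel >> 2) & 1u, sel & 3u };
    return s;
}

/* Selector-style fault error code: bit 0 EXT, bit 1 IDT, bit 2 TI,
 * bits 15..3 index. Returns the frame slot it points at, or -1 when the
 * code names an IDT entry or matches none of the saved selectors. */
static int find_faulting_slot(const uint32_t *f, uint32_t code)
{
    if (code & 2u)                  /* IDT bit set: not a GDT/LDT selector */
        return -1;
    unsigned index = (code >> 3) & 0x1fffu, ti = (code >> 2) & 1u;
    for (int i = 0; i < TF_NSEG; i++) {
        struct selector s = decode_selector(f[i]);
        if (s.index == index && s.ti == ti)
            return i;
    }
    return -1;
}

int main(void)
{
    uint32_t code = 0x94;  /* "code 94" from the trap line, read as hex (assumption) */
    for (int i = 0; i < TF_NSEG; i++) {
        struct selector s = decode_selector(frame[i]);
        printf("%%%s = 0x%04x  %s index %u, RPL %u\n", seg_name[i],
               (unsigned)(uint16_t)frame[i], s.ti ? "LDT" : "GDT",
               s.index, s.rpl);
    }
    int slot = find_faulting_slot(frame, code);
    printf("error code 0x%x -> %s\n", (unsigned)code,
           slot < 0 ? "no saved selector" : seg_name[slot]);
    return 0;
}
```

The error code resolves to the saved %fs selector (LDT index 18, RPL 3), which agrees with the faulting instruction `mov 0x4(%esp),%fs` at Xdoreti+0x89.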

From: Andrew Doran <ad@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: port-i386/40143 (Viewing an mpeg transport stream with mplayer causes crash)
Date: Fri, 20 Mar 2009 22:25:20 +0000

 The error recovery should be easy to solve for most interrupts and traps:
 disable interrupts until the prologue has assembled a frame, and only then
 re-enable interrupts. It can be done by converting existing trap gates into
 interrupt gates, and by sprinkling 'cli' where needed.

 A problem with this approach is call gates, which do not disable interrupts
 on entry. Call gates are used for IBCS and SVR4 system calls (and any other
 emulation, if you feel like it). For call gates one approach would be to
 have the trap handler clean up the mess.

 This does not solve the underlying problem, which is selectors becoming
 invalid while in kernel: assuming that mplayer is functioning correctly it
 should not happen. This is a separate issue that also needs to be resolved.
 It appears to be caused by bugs with USER_LDT.

State-Changed-From-To: open->feedback
State-Changed-By: ad@NetBSD.org
State-Changed-When: Sat, 21 Mar 2009 14:48:48 +0000
State-Changed-Why:
Should be fixed, please confirm.


From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@NetBSD.org
Cc: ad@NetBSD.org, netbsd-bugs@netbsd.org, gnats-admin@netbsd.org,
    scw@netbsd.org
Subject: re: port-i386/40143 (Viewing an mpeg transport stream with mplayer causes crash)
Date: Sun, 22 Mar 2009 10:07:40 +1100

    Synopsis: Viewing an mpeg transport stream with mplayer causes crash

    State-Changed-From-To: open->feedback
    State-Changed-By: ad@NetBSD.org
    State-Changed-When: Sat, 21 Mar 2009 14:48:48 +0000
    State-Changed-Why:
    Should be fixed, please confirm.


 i can no longer reproduce this problem.  great work!  thanks!


 .mrg.

From: Greg Oster <oster@cs.usask.ca>
To: gnats-bugs@NetBSD.org
Cc: ad@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
    scw@netbsd.org
Subject: Re: port-i386/40143 (Viewing an mpeg transport stream with mplayer causes crash) 
Date: Sun, 22 Mar 2009 22:30:49 -0600

 matthew green writes:
 >     Synopsis: Viewing an mpeg transport stream with mplayer causes crash
 >     
 >     State-Changed-From-To: open->feedback
 >     State-Changed-By: ad@NetBSD.org
 >     State-Changed-When: Sat, 21 Mar 2009 14:48:48 +0000
 >     State-Changed-Why:
 >     Should be fixed, please confirm.
 >  
 >  
 >  i can no longer reproduce this problem.  great work!  thanks!

 "What he said."  My test box has been up for 5 hours during testing, 
 when normally it'd be dead in 2 minutes under a lesser load..

 Later...

 Greg Oster


State-Changed-From-To: feedback->closed
State-Changed-By: ad@NetBSD.org
State-Changed-When: Sat, 04 Apr 2009 10:29:20 +0000
State-Changed-Why:
fixed


>Unformatted:
