Fatal double fault with 20031116-JPSNAP

From: Damian Gerow (dgerow_at_afflictions.org)
Date: 11/29/03

    Date: Sat, 29 Nov 2003 16:07:44 -0500
    To: current@freebsd.org
    
    

    A couple days ago, I downloaded 20031116-JPSNAP to install on a new system
    -- this box had been running 5.1-R without issues for some time, but wasn't
    doing anything particular, and I had mucked up the 5.1 -> 5.2 upgrade
    (statfs stuff).

    Whenever I boot the system into multi-user mode, I see a *lot* of this:

        checking stopevent 2 with the following non-sleepable locks held:
        exclusive sleep mutex sigacts r = 0 (0xc48f9aa8) locked @ /usr/src/sys/kern/kern_synch.c:293
        checking stopevent 2 with the following non-sleepable locks held:
        exclusive sleep mutex sigacts r = 0 (0xc48f9aa8) locked @ /usr/src/sys/kern/subr_trap.c:260
        checking stopevent 2 with the following non-sleepable locks held:
        exclusive sleep mutex sigacts r = 0 (0xc48f9aa8) locked @ /usr/src/sys/kern/subr_trap.c:260

    over and over and over -- it makes the console essentially unusable.

    Thinking an update might fix it, I booted into single user mode, cvsup'ed,
    and started building. However, six buildworlds later, it appears that I'm
    constantly getting a fatal double fault, but in differing places. This
    looks like the turnstile double-panic outlined in 5.2R-TODO -- I hope this
    is enough information.

    Anyhow, here's what I see (I don't know how to use the debugger, so I've
    just guessed at commands):

        panic: Duplicate free of item 0xc1cda71c from zone 0xc103b780(PV ENTRY)

        cpuid = 0;
        Debugger("panic")
        Stopped at Debugger+0x55: xchgl %ebx,in_Debugger.0
        db> trace
        Debugger(c0895cb8,0,c08ae388,d8a48c04,100) at Debugger+0x55
        panic(c08ae388,c1cc72bc,c103b780,c08b3233,6d0) at panic+0x156
        uma_dbg_free(c103b780,0,c1cc72bc,6d0,0) at uma_dbg_free+0x111
        uma_zfree_arg(c103b780,c1cc72bc,0,a2f,c0893811) at uma_zfree_arg+0x123
        pmap_remove_pages(c1d0d364,0,bfc00000,11a,c0893811) at pmap_remove_pages+0x209
        exit1(c4796c80,0,c0893811,65,d8a48d40) at exit1+0x68c
        sys_exit(c4796c80,d8a48d10,c08b38d0,3ee,1) at sys_exit+0x41
        syscall(2f,2f,2f,bfbfece0,0) at syscall+0x2e0
        Xint0x80_syscall() at Xint0x80_syscall+0x1d
        --- syscall (1, FreeBSD ELF32, sys_exit), eip = 0x806427b, esp = 0xbfbfec9c, ebp = 0xbfbfecb8 ---
        db> match
        After 6 instructions (0 loads, 0 stores),
        Stopped at Debugger+0x66: ret
        db> match

        syncing disks, buffers remaining... panic: sleeping thread (pid 14015) owns a non-sleepable lock
        cpuid = 0;
        Debugger("panic")
        Uptime: 18m4s
        panic: Assertion td->td_turnstile != NULL failed at /usr/src/sys/kern/subr_turnstile.c:437
        [the above four lines, thirteen times]

        Fatal double fault:
        eip = 0xc08118c0
        esp = 0xd77ba000
        ebp = 0xd77ba020
        cpuid = 0; apic id = 00
        panic: double fault
        cpuid = 0;
        Debugger("panic")

        Fatal trap 3: breakpoint instruction fault while in kernel mode
        cpuid = 0; apic id = 00
        instruction pointer = 0x8:0xc0811a85
        stack pointer = 0x10:0xc09bb2dc
        frame pointer = 0x10:0xc09bb2e8
        code segment = base 0x0, limit 0xfffff, type 0x1b
                                = DPL 0, pres 1, def32 1, gran 1
        processor eflags = nested task, IOPL = 0
        current process = 27 (swi8: tty:sio clock)

    And on the next buildworld, in a different place:

        panic: Duplicate free of item 0xc4bc221c from zone 0xc103b6c0(MAP ENTRY)

        cpuid = 0;
        Debugger("panic")
        Stopped at Debugger+0x55: xchgl %ebx,in_Debugger.0
        db> trace
        Debugger(c0895cb8,0,c08ae388,d8a05b8c,100) at Debugger+0x55
        panic(c08ae388,c4bc221c,c103b6c0,c08ac694,6d0) at panic+0x156
        uma_dbg_free(c103b6c0,0,c4bc221c,6d0,0) at uma_dbg_free+0x111
        uma_zfree_arg(c103b6c0,c4bc221c,0,d8a05c34,c07d9f6c) at uma_zfree_arg+0x123
        vm_map_entry_dispose(c1d0d84c,c4bc221c,c08ac714,829,c08ac714) at vm_map_entry_dispose+0x3d
        vm_map_entry_delete(c1d0d84c,c4bc221c,c08ac714,884,c1d0d888) at vm_map_entry_delete+0x1ac
        vm_map_delete(c1d0d84c,0,bfc00000,c1d0d84c,c48b8900) at vm_map_delete+0x228
        vm_map_remove(c1d0d84c,0,bfc00000,11d,c0893811) at vm_map_remove+0x58
        exit1(c4704780,0,c0893811,65,d8a05d40) at exit1+0x6c6
        sys_exit(c4704780,d8a05d10,c08b38d0,3ee,1) at sys_exit+0x41
        syscall(2f,2f,2f,bfbfec40,0) at syscall+0x2e0
        Xint0x80_syscall() at Xint0x80_syscall+0x1d
        --- syscall (1, FreeBSD ELF32, sys_exit), eip = 0x806427b, esp = 0xbfbfebfc, ebp = 0xbfbfec18 ---
        db> match
        After 6 instructions (0 loads, 0 stores),
        Stopped at Debugger+0x66: ret
        db> match
        Uptime: 35m13s
        panic: Assertion td->td_turnstile != NULL failed at /usr/src/sys/kern/subr_turnstile.c:437
        cpuid = 0;
        Debugger("panic")
        [the above four lines thirteen times]

        Fatal double fault:
        eip = 0xc048a39f
        esp = 0xd89f8000
        ebp = 0xd89f800c
        cpuid = 0; apic id = 00
        panic: double fault
        cpuid = 0;
        Debugger("panic")

        Fatal trap 3: breakpoint instruction fault while in kernel mode
        cpuid = 0; apic id = 00
        instruction pointer = 0x8:0xc0811a85
        stack pointer = 0x10:0xc09bb2dc
        frame pointer = 0x10:0xc09bb2e8
        code segment = base 0x0, limit 0xfffff, type 0x1b
                                = DPL 0, pres 1, def32 1, gran 1
        processor eflags = nested task, IOPL = 0
        current process = 4 (g_down)

    The system is a C3 Nehemiah chip on a DFI CD70-SC (VIA Apollo Pro 266
    chipset), and was working fine with 5.1-R.

    In trying to reproduce a third panic, buildworld is about 75% complete.
    Fingers crossed I'll be able to build into 5.2-BETA.