From aw1@stade.co.uk Sat Sep 18 16:13:39 1999
Return-Path:
Received: from tele-post-20.mail.demon.net (tele-post-20.mail.demon.net [194.217.242.20])
    by hub.freebsd.org (Postfix) with ESMTP id 555741501B
    for ; Sat, 18 Sep 1999 16:13:37 -0700 (PDT)
    (envelope-from aw1@stade.co.uk)
Received: from stade.demon.co.uk ([158.152.29.164])
    by tele-post-20.mail.demon.net with esmtp (Exim 2.12 #2)
    id 11STfg-000P1g-0K
    for FreeBSD-gnats-submit@freebsd.org; Sat, 18 Sep 1999 23:13:33 +0000
Received: from titus.stade.co.uk (titus.stade.co.uk [192.168.1.5])
    by stade.demon.co.uk (8.9.3/8.9.3) with ESMTP id VAA05566
    for ; Sat, 18 Sep 1999 21:01:25 +0100 (BST)
    (envelope-from aw1@titus.stade.co.uk)
Received: (from aw1@localhost)
    by titus.stade.co.uk (8.9.3/8.9.3) id UAA07953;
    Sat, 18 Sep 1999 20:59:21 +0100 (BST)
    (envelope-from aw1)
Message-Id: <199909181959.UAA07953@titus.stade.co.uk>
Date: Sat, 18 Sep 1999 20:59:21 +0100 (BST)
From: Adrian Wontroba
Reply-To: aw1@stade.co.uk
To: FreeBSD-gnats-submit@freebsd.org
Subject: 3.3 panic rlist_free: free start overlaps already freed area
X-Send-Pr-Version: 3.2

>Number: 13810
>Category: kern
>Synopsis: 3.3 panic rlist_free: free start overlaps already freed area
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: closed
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 18 16:20:01 PDT 1999
>Closed-Date: Fri Feb 4 02:43:45 PST 2000
>Last-Modified: Fri Feb 4 02:49:22 PST 2000
>Originator: Adrian Wontroba
>Release: FreeBSD 3.3-STABLE i386
>Organization:
Yes, some would be nice!
>Environment:
3.3-STABLE, cvsupped at 14:12 BST on 18 September

FreeBSD titus.stade.co.uk 3.3-STABLE FreeBSD 3.3-STABLE #0: Sat Sep 18 17:34:12 BST 1999 toor@titus.stade.co.uk:/d3p2/FreeBSD/stable/src/sys/compile/TITUS i386
>Description:
From time to time over the last month or so this system has panicked with
rlist_free. Till recently this was an occasional happening.
Recently, the panics have become more frequent, prompting me to:

    Ensure I had a debugging kernel.

    Capture the crash dump.

    Amend what I suspect is one of the triggers for the problem - a long
    pipeline containing several image processing programs, which grow
    very large.

kernel configuration, dmesg, and gdb output:

==> config <==
# $Header: /p1/home/aw1/kernel-config/TITUS,v 1.25 1999/08/29 12:39:22 aw1 Exp aw1 $
# kernel configuration for titus
#
# based on
# Id: GENERIC,v 1.143.2.14 1999/05/17 05:49:45 obrien Exp $

machine "i386"
cpu "I686_CPU"
ident TITUS
maxusers 32

options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options MFS #Memory Filesystem
options MFS_ROOT #MFS usable as root device, "MFS" req'ed
options NFS #Network Filesystem
options NFS_ROOT #NFS usable as root device, "NFS" req'ed
options MSDOSFS #MSDOS Filesystem
options "CD9660" #ISO 9660 Filesystem
options "CD9660_ROOT" #CD-ROM usable as root. "CD9660" req'ed
options PROCFS #Process filesystem
options "COMPAT_43" #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=8000 #Be pessimistic about Joe SCSI device
options UCONSOLE #Allow users to grab the console
Options FAILSAFE #Be conservative
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options SOFTUPDATES
options INCLUDE_CONFIG_FILE # Include this file in kernel
options "NO_F00F_HACK"
options "MD5"
options "VM86"
options VESA # needs VM86 defined too!!
options SCSI_REPORT_GEOMETRY

config kernel root on da0

controller isa0
controller pnp0
controller eisa0
controller pci0

controller fdc0 at isa? port "IO_FD1" bio irq 6 drq 2
disk fd0 at fdc0 drive 0

controller ahc0
options AHC_ALLOW_MEMIO

controller scbus0 at ahc0
disk da0 at scbus0 target 0 unit 0
disk da1 at scbus0 target 1 unit 0
tape sa0 at scbus0 target 2 unit 0
disk da2 at scbus0 target 3 unit 0
device cd0 at scbus0 target 4 unit 0
# target 5 - spare
disk da3 at scbus0 target 6 unit 0
# target 7 - controller
device pass0

# atkbdc0 controlls both the keyboard and the PS/2 mouse
controller atkbdc0 at isa? port IO_KBD tty
device atkbd0 at isa? tty irq 1
device psm0 at isa? tty irq 12

device vga0 at isa? port ? conflicts

# splash screen/screen saver
pseudo-device splash

# syscons is the default console driver, resembling an SCO console
device sc0 at isa? tty

device npx0 at isa? port IO_NPX irq 13

#
# Laptop support (see LINT for more options)
#
device apm0 at isa? flags 0x31 # Advanced Power Management

device sio0 at isa? port "IO_COM1" flags 0x10 tty irq 4
device sio1 at isa? port "IO_COM2" tty irq 3

# Parallel port
device ppc0 at isa? port? flags 0x40 net irq 7
controller ppbus0
device lpt0 at ppbus?
device plip0 at ppbus?
device ppi0 at ppbus?
#controller vpo0 at ppbus?

device ep0 at isa? port 0x340 net irq 10

pseudo-device loop
pseudo-device ether
pseudo-device sl 1
pseudo-device ppp 1
pseudo-device tun 1
pseudo-device pty 32
pseudo-device gzip # Exec gzipped a.out's
pseudo-device vn #Vnode driver (turns a file into a device)
pseudo-device snp 3 #Snoop device - to look at pty/vty/etc..

options KTRACE #kernel tracing

options SYSVSHM
options SYSVMSG
options SYSVSEM

pseudo-device bpfilter 4 #Berkeley packet filter

# Luigi's snd code (use INSTEAD of snd0 and all VOXWARE drivers!).
device pcm0 at isa? port ? irq 7 drq 1

# SMB bus
# System Management Bus support provided by the 'smbus' device.
controller smbus0
device smb0 at smbus?

# I2C Bus
controller iicbus0
controller iicbb0
device ic0 at iicbus?
device iic0 at iicbus?
device iicsmb0 at iicbus?
# bt848 device (needs pci / smb / i2c)
device bktr0

==> dmesg <==
Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California. All rights reserved.
FreeBSD 3.3-STABLE #0: Sat Sep 18 17:34:12 BST 1999
    toor@titus.stade.co.uk:/d3p2/FreeBSD/stable/src/sys/compile/TITUS
Timecounter "i8254" frequency 1193182 Hz
CPU: Pentium Pro (199.43-MHz 686-class CPU)
  Origin = "GenuineIntel" Id = 0x619 Stepping = 9
  Features=0xf9ff
real memory = 134217728 (131072K bytes)
config> pnp 1 0 os enable irq0 5 drq0 0 drq1 1 port0 0x220 port1 0x300 port2 0x388
config> pnp 1 1 os enable port0 0x201
config> quit
avail memory = 127205376 (124224K bytes)
Preloaded elf kernel "kernel" at 0xc0331000.
Preloaded userconfig_script "/boot/kernel.conf" at 0xc033109c.
Preloaded elf module "splash_bmp.ko" at 0xc03310ec.
Preloaded splash_image_data "/boot/images/daemon_640.bmp" at 0xc0331190.
Pentium Pro MTRR support enabled
Probing for devices on PCI bus 0:
chip0: rev 0x02 on pci0.0.0
chip1: rev 0x01 on pci0.7.0
vga0: rev 0x01 int a irq 11 on pci0.11.0
bktr0: rev 0x12 int a irq 15 on pci0.15.0
bti2c0:
iicbb0: on bti2c0
iicbus0: on iicbb0 master-only
iicsmb0: on iicbus0
smbus0: on iicsmb0
smb0: on smbus0
iic0: on iicbus0
smbus1: on bti2c0
smb1: on smbus1
bktr0: Hauppauge Model 60134 CV Hauppauge WinCast/TV, Philips FR1216 PAL tuner, msp3400c stereo.
bktr0: Detected a MSP3410D-B4
ahc0: rev 0x01 int a irq 15 on pci0.17.0
ahc0: aic7860 Single Channel A, SCSI Id=7, 3/255 SCBs
Probing for PnP devices:
CSN 1 Vendor ID: CTL00f0 [0xf0008c0e] Serial 0xffffffff Comp ID: PNPb02f [0x2fb0d041]
pcm1 (SB16pnp sn 0xffffffff) at 0x220-0x22f irq 5 drq 0 flags 0x11 on isa
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
psm0 irq 12 on isa
psm0: model Generic PS/2 mouse, device ID 0
sio0 at 0x3f8-0x3ff irq 4 flags 0x10 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
ppc0 at 0x378 irq 7 flags 0x40 on isa
ppc0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
lpt0: on ppbus 0
lpt0: Interrupt-driven port
ppi0: on ppbus 0
plip0: on ppbus 0
1 3C5x9 board(s) on ISA found at 0x340
ep0 at 0x340-0x34f irq 10 on isa
ep0: aui/utp/bnc[*UTP*] address 00:60:97:94:d0:e7
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: INT 16 interface
apm0 flags 0x31 on isa
apm: found APM BIOS version 1.2
pcm0 not found
Waiting 8 seconds for SCSI devices to settle
sa0 at ahc0 bus 0 target 2 lun 0
sa0: Removable Sequential Access SCSI-2 device
sa0: 10.000MB/s transfers (10.000MHz, offset 8)
da1 at ahc0 bus 0 target 1 lun 0
da1: Fixed Direct Access SCSI-CCS device
da1: 3.300MB/s transfers
da1: 1033MB (2117025 512 byte sectors: 255H 63S/T 131C)
da0 at ahc0 bus 0 target 0 lun 0
da0: Fixed Direct Access SCSI-2 device
da0: 10.000MB/s transfers (10.000MHz, offset 15), Tagged Queueing Enabled
da0: 4149MB (8498506 512 byte sectors: 255H 63S/T 529C)
da2 at ahc0 bus 0 target 3 lun 0
da2: Fixed Direct Access SCSI-2 device
da2: 10.000MB/s transfers (10.000MHz, offset 15), Tagged Queueing Enabled
da2: 17366MB (35566480 512 byte sectors: 255H 63S/T 2213C)
changing root device to da0s2a
da3 at ahc0 bus 0 target 6 lun 0
da3: Fixed Direct Access SCSI-2 device
da3: 10.000MB/s transfers (10.000MHz, offset 15), Tagged Queueing Enabled
da3: 8191MB (16777215 512 byte sectors: 255H 63S/T 1044C)
cd0 at ahc0 bus 0 target 4 lun 0
cd0: Removable CD-ROM SCSI-2 device
cd0: 10.000MB/s transfers (10.000MHz, offset 15)
cd0: Attempt to query device size failed: NOT READY, Medium not present
WARNING: / was not properly dismounted

==> gdb <==
aw1@titus sys/compile/TITUS$ gdb -k kernel.debug /var/crash/vmcore.8
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD 3420160
initial pcb at 27962c
panicstr: rlist_free: free start overlaps already freed area
panic messages:
---
panic: rlist_free: free start overlaps already freed area

syncing disks... 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 39 giving up

dumping to dev 30401, offset 131072
dump 128 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0 boot (howto=256) at ../../kern/kern_shutdown.c:285
285 dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0 boot (howto=256) at ../../kern/kern_shutdown.c:285
#1 0xc014f670 in at_shutdown (
    function=0xc0247de4 <__set_sysinit_set_sym_logdev_sys_init+124>, arg=0x7,
    queue=0) at ../../kern/kern_shutdown.c:446
#2 0xc01590a2 in rlist_free (rlh=0xc0295524, start=0, end=7)
    at ../../kern/subr_rlist.c:159
#3 0xc01f3b6b in swap_pager_freeswapspace (object=0xc6490000, from=0, to=7)
    at ../../vm/swap_pager.c:422
#4 0xc01f3c4c in swap_pager_freespace (object=0xc6490000, start=33,
    size=101149) at ../../vm/swap_pager.c:445
#5 0xc01f90ad in vm_map_delete (map=0xc6391500, start=134807552,
    end=549113856) at ../../vm/vm_map.c:1833
#6 0xc01f9150 in vm_map_remove (map=0xc6391500, start=134807552,
    end=549113856) at ../../vm/vm_map.c:1874
#7 0xc02007e7 in obreak (p=0xc639f600, uap=0xc643ef84)
    at ../../vm/vm_unix.c:107
#8 0xc021f1ef in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 134807552,
    tf_esi = 134549824, tf_ebp = -1077946604, tf_isp = -968626220,
    tf_ebx = 671987336, tf_edx = 671987316, tf_ecx = 671987312, tf_eax = 17,
    tf_trapno = 7, tf_err = 2, tf_eip = 671951256, tf_cs = 31,
    tf_eflags = 647, tf_esp = -1077946640, tf_ss = 39})
    at ../../i386/i386/trap.c:1100
#9 0xc021225c in Xint0x80_syscall ()
#10 0x280d2402 in ?? ()
#11 0x804c1d0 in ?? ()
#12 0x804b09f in ?? ()
#13 0x804a6d9 in ?? ()
#14 0x8049115 in ?? ()
(kgdb) quit
>How-To-Repeat:
I have been unable to reproduce the problem on demand.

Possibly relevant components of the problem are:

These pipelines:

    tifftopnm PYEA87.TIF | ppmquant -floyd 2 | pnmflip -r90 | pnmscale -xsize 1181 | ppmtogif -interlace > out
    tifftopnm PYEA97.TIF | ppmquant -floyd 2 | pnmscale -xsize 750 | ppmtogif -interlace > out

(now amended to run singly with intermediate files)

sendmail / procmail - the pipelines are run as part of a make, run by
cron. Quite often after the crash my mailbox is corrupted, with a
message terminating with a number of nulls, followed by the cron message.

A heavy system load - inn processing "suck"ed news, sendmail, often
cvsup or cvs.

If changing the pipeline makes the problem go away, I'll still be able
to reinstate it if needed for diagnostic patches, etc.
>Fix:
Wish I knew.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: ru
State-Changed-When: Fri Feb 4 02:43:45 PST 2000
State-Changed-Why:
Closed at originator's request:

On Wed, Feb 02, 2000 at 07:02:26PM +0000, Adrian Wontroba wrote:
> This pr can, I think, be closed. Blowing away my source tree and
> re-cvsing it from my local repository, which I was doing for other
> reasons, made my few of panics a week go away. I guess I had a
> stale source in there somewhere. I should have thought of doing it
> sooner.
>Unformatted: