Re: panic: vm_object_madvise: page 0xfffffe0413c58630 is fictiti

On 27.11.2012 20:16, Alan Cox wrote:
> On 11/27/2012 12:43, Andre Oppermann wrote:
>> On 27.11.2012 19:27, Alan Cox wrote:
>>> On 11/27/2012 12:08, Andre Oppermann wrote:
>>>> On 27.11.2012 17:42, Alan Cox wrote:
>>>>> On 11/27/2012 09:06, Konstantin Belousov wrote:
>>>>>> On Tue, Nov 27, 2012 at 12:26:44PM +0100, Andre Oppermann wrote:
>>>>>>> FreeBSD bbb.ccc 10.0-CURRENT FreeBSD 10.0-CURRENT #0:
>>>>>>> Fri Nov 23 17:00:40 CET 2012
>>>>>>> aaa@bbb.ccc:/usr/obj/usr/src/head/sys/GENERIC  amd64
>>>>>>>
>>>>>>> #0  doadump (textdump=3D-2014022336) at pcpu.h:229
>>>>>>> #1  0xffffffff8033e2d2 in db_fncall (dummy1=3D<value optimized out>,
>>>>>>> dummy2=3D<value optimized out>,
>>>>>>>         dummy3=3D<value optimized out>, dummy4=3D<value optimized o=
ut>)
>>>>>>>         at /usr/src/head/sys/ddb/db_command.c:578
>>>>>>> #2  0xffffffff8033e074 in db_command (last_cmdp=3D<value optimized
>>>>>>> out>,
>>>>>>>         cmd_table=3D<value optimized out>, dopager=3D1) at
>>>>>>> /usr/src/head/sys/ddb/db_command.c:449
>>>>>>> #3  0xffffffff8033dd62 in db_command_loop () at
>>>>>>> /usr/src/head/sys/ddb/db_command.c:502
>>>>>>> #4  0xffffffff80340690 in db_trap (type=3D<value optimized out>,
>>>>>>> code=3D0)
>>>>>>>         at /usr/src/head/sys/ddb/db_main.c:231
>>>>>>> #5  0xffffffff808b375e in kdb_trap (type=3D3, code=3D0, tf=3D<value
>>>>>>> optimized
>>>>>>> out>)
>>>>>>>         at /usr/src/head/sys/kern/subr_kdb.c:654
>>>>>>> #6  0xffffffff80bfc71a in trap (frame=3D0xffffff8487f478a0)
>>>>>>>         at /usr/src/head/sys/amd64/amd64/trap.c:579
>>>>>>> #7  0xffffffff80be65b2 in calltrap () at /tmp/exception-3nQ6Cf.s:179
>>>>>>> #8  0xffffffff808b2f5e in kdb_enter (why=3D0xffffffff80e5e23b "pani=
c",
>>>>>>> msg=3D<value optimized out>)
>>>>>>>         at cpufunc.h:63
>>>>>>> #9  0xffffffff8088086f in panic (fmt=3D<value optimized out>)
>>>>>>>         at /usr/src/head/sys/kern/kern_shutdown.c:628
>>>>>>> #10 0xffffffff80adea4a in vm_object_madvise (object=3D<value
>>>>>>> optimized out>,
>>>>>>>         pindex=3D<value optimized out>, end=3D8952, advise=3D<value
>>>>>>> optimized out>)
>>>>>>>         at /usr/src/head/sys/vm/vm_object.c:1101
>>>>>>> #11 0xffffffff80ad759a in vm_map_madvise (map=3D0xfffffe0018260188,
>>>>>>> start=3D<value optimized out>,
>>>>>>>         end=3D<value optimized out>, behav=3D5) at
>>>>>>> /usr/src/head/sys/vm/vm_map.c:2140
>>>>>>> #12 0xffffffff80adbd8d in sys_madvise (td=3D<value optimized out>,
>>>>>>> uap=3D<value optimized out>)
>>>>>>>         at /usr/src/head/sys/vm/vm_mmap.c:752
>>>>>>> #13 0xffffffff80bfd3a5 in amd64_syscall (td=3D0xfffffe0018230000,
>>>>>>> traced=3D0) at subr_syscall.c:135
>>>>>>> #14 0xffffffff80be689b in Xfast_syscall () at
>>>>>>> /tmp/exception-3nQ6Cf.s:329
>>>>>>> #15 0x00000000016f3bfa in ?? ()
>>>>>> I think this is an omission in the check for the object types. BTW,
>>>>>> this
>>>>>> pattern already repeats in several places, I thought about adding
>>>>>> either
>>>>>> new pager method, like boolean_t vm_pager_is_pageable(), or just a
>>>>>> flag
>>>>>> fields to the struct vm_pager to classify the vm objects.
>>>>>
>>>>>
>>>>> A fictitious page should always have a non-zero wire count.  In
>>>>> fact, it
>>>>> should always be one and never change.  (See vm_page_unwire().)  In
>>>>> vm_object_madvise(), there is a check against the page's wire count
>>>>> that
>>>>> precedes the KASSERT().  This check should prevent the KASSERT() from
>>>>> being reached for the various device-backed object types.  So,
>>>>> something
>>>>> else has gone wrong here, or rather something has gone wrong elsewhere
>>>>> that caused the KASSERT() failure here.
>>>>>
>>>>> Andre, can we see the contents of the offending struct vm_page and
>>>>> also
>>>>> the struct vm_object to which the offending page belongs to?  Also,
>>>>> are
>>>>> you running a kernel with any experimental zero-copy send support?
>>>>
>>>> No experimental zero-copy support, or anything else, just a stock
>>>> GENERIC kernel.
>>>>
>>>> (kgdb) frame 11
>>>> #11 0xffffffff80ad759a in vm_map_madvise (map=3D0xfffffe0018260188,
>>>> start=3D<value optimized out>,
>>>>       end=3D<value optimized out>, behav=3D5) at
>>>> /usr/src/head/sys/vm/vm_map.c:2140
>>>> 2140
>>>> vm_object_madvise(current->object.vm_object, pstart,
>>>> (kgdb) p *map
>>>> $1 =3D {header =3D {prev =3D 0xfffffe025631c438, next =3D 0xfffffe0248=
f119d8,
>>>> left =3D 0x0, right =3D 0x0,
>>>>       start =3D 4096, end =3D 140737488355328, avail_ssize =3D 0, adj_=
free =3D
>>>> 0, max_free =3D 0, object =3D {
>>>>         vm_object =3D 0x0, sub_map =3D 0x0}, offset =3D 0, eflags =3D =
0,
>>>> protection =3D 0 '\0',
>>>>       max_protection =3D 0 '\0', inheritance =3D 0 '\0', read_ahead =
=3D 0
>>>> '\0', wired_count =3D 0,
>>>>       next_read =3D 0, cred =3D 0x0}, lock =3D {lock_object =3D {
>>>>         lo_name =3D 0xffffffff80e66905 "vm map (user)", lo_flags =3D
>>>> 36896768, lo_data =3D 0,
>>>>         lo_witness =3D 0xffffff80006c9700}, sx_lock =3D 17}, system_mt=
x =3D
>>>> {lock_object =3D {
>>>>         lo_name =3D 0xffffffff80e668d7 "vm map (system)", lo_flags =3D
>>>> 21168128, lo_data =3D 0,
>>>>         lo_witness =3D 0xffffff80006c9500}, mtx_lock =3D 4}, nentries =
=3D 32,
>>>> size =3D 64647168,
>>>>     timestamp =3D 52, needs_wakeup =3D 0 '\0', system_map =3D 0 '\0', =
flags =3D
>>>> 0 '\0',
>>>>     root =3D 0xfffffe02560a6258, pmap =3D 0xfffffe00182602b8, busy =3D=
 0}
>>>> (kgdb) p* map->pmap
>>>> $6 =3D {pm_mtx =3D {lock_object =3D {lo_name =3D 0xffffffff80e66934 "p=
map",
>>>> lo_flags =3D 21168128,
>>>>         lo_data =3D 0, lo_witness =3D 0xffffff80006c9900}, mtx_lock =
=3D 4},
>>>> pm_pml4 =3D 0xfffffe0256458000,
>>>>     pm_pvchunk =3D {tqh_first =3D 0xfffffe0256142000, tqh_last =3D
>>>> 0xfffffe025644c008}, pm_active =3D {
>>>>       __bits =3D {1}}, pm_stats =3D {resident_count =3D 12683, wired_c=
ount
>>>> =3D 0},
>>>>     pm_root =3D 0xfffffe041289e040}
>>>> (kgdb) p* map->root
>>>> $7 =3D {prev =3D 0xfffffe0018ed0708, next =3D 0xfffffe02560a6870, left=
 =3D
>>>> 0xfffffe0018ed0708,
>>>>     right =3D 0xfffffe02560a6870, start =3D 34393292800, end =3D 34431=
041536,
>>>> avail_ssize =3D 0,
>>>>     adj_free =3D 140703057047552, max_free =3D 140703057047552, object=
 =3D {
>>>>       vm_object =3D 0xfffffe0256484570, sub_map =3D 0xfffffe0256484570=
},
>>>> offset =3D 1810432, eflags =3D 0,
>>>>     protection =3D 3 '\003', max_protection =3D 7 '\a', inheritance =
=3D 1
>>>> '\001', read_ahead =3D 15 '\017',
>>>>     wired_count =3D 0, next_read =3D 0, cred =3D 0x0}
>>>>
>>>> (kgdb) p *current
>>>> $2 =3D {prev =3D 0xfffffe025631c438, next =3D 0xfffffe0248f119d8, left=
 =3D
>>>> 0x0, right =3D 0x0, start =3D 4096,
>>>>     end =3D 140737488355328, avail_ssize =3D 0, adj_free =3D 0, max_fr=
ee =3D 0,
>>>> object =3D {vm_object =3D 0x0,
>>>>       sub_map =3D 0x0}, offset =3D 0, eflags =3D 0, protection =3D 0 '=
\0',
>>>> max_protection =3D 0 '\0',
>>>>     inheritance =3D 0 '\0', read_ahead =3D 0 '\0', wired_count =3D 0,
>>>> next_read =3D 0, cred =3D 0x0}
>>>>
>>>> (kgdb) p *entry
>>>> $3 =3D {prev =3D 0xfffffe0018ed0708, next =3D 0xfffffe02560a6870, left=
 =3D
>>>> 0xfffffe0018ed0708,
>>>>     right =3D 0xfffffe02560a6870, start =3D 34393292800, end =3D 34431=
041536,
>>>> avail_ssize =3D 0,
>>>>     adj_free =3D 140703057047552, max_free =3D 140703057047552, object=
 =3D {
>>>>       vm_object =3D 0xfffffe0256484570, sub_map =3D 0xfffffe0256484570=
},
>>>> offset =3D 1810432, eflags =3D 0,
>>>>     protection =3D 3 '\003', max_protection =3D 7 '\a', inheritance =
=3D 1
>>>> '\001', read_ahead =3D 15 '\017',
>>>>     wired_count =3D 0, next_read =3D 0, cred =3D 0x0}
>>>
>>>
>>> The following tells us that this is an OBJT_DEFAULT (i.e., anonymous)
>>> memory object.  Such objects should never contain fictitious pages.  Can
>>> you please print the contents of the offending struct vm_page using the
>>> address from the panic message?
>>
>> (kgdb) p (struct vm_page)*0xfffffe0413c58630
>> $12 =3D {pageq =3D {tqe_next =3D 0xfffffe04127fbcc8, tqe_prev =3D
>> 0xfffffe0412658358}, listq =3D {
>>      tqe_next =3D 0xfffffe0413c586a8, tqe_prev =3D 0xfffffe0413c585c8},
>> left =3D 0xfffffe0413c585b8,
>>    right =3D 0xfffffe0413c586a8, object =3D 0xfffffe0256484570, pindex =
=3D
>> 8868, phys_addr =3D 10744668160,
>>    md =3D {pv_list =3D {tqh_first =3D 0xfffffe025654d9a0, tqh_last =3D
>> 0xfe025654d9a8}, pat_mode =3D 6},
>>    queue =3D 1 '\001', segind =3D 4 '\004', hold_count =3D 0, order =3D =
13
>> '\r', pool =3D 0 '\0', cow =3D 0,
>>    wire_count =3D 0, aflags =3D 1 '\001', oflags =3D 0 '\0', flags =3D 6=
5535,
>> act_count =3D 5 '\005',
>>    busy =3D 0 '\0', valid =3D 255 '=FF', dirty =3D 0 '\0'}
>>
>
> Except for the value of the "flags" field, this looks like a perfectly
> ordinary page of physical memory.  In other words, this is not a
> fictitious page.  Moreover, there is nothing inconsistent about the
> other fields.
>
> A "flags" field value of 65535 should be an impossibility.  We only
> define flags for 9 of the 16 bits in the field.
>
> Is there any chance you're loading and using a kernel module that is
> older than your kernel?

No kernel modules loaded at all.  It's the first time ever I got this
panic.  Maybe it's just a Heisenbug.  IIRC I don't have ECC in this
machine.

-- =

Andre

_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"