Subject: port-i386/6515: crash in pmap_page_remove in DIAGNOSTIC test
To: None <gnats-bugs@gnats.netbsd.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: netbsd-bugs
Date: 11/30/1998 20:31:30
>Number: 6515
>Category: port-i386
>Synopsis: crash in pmap_page_remove in DIAGNOSTIC test
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Nov 30 12:35:00 1998
>Last-Modified:
>Originator: Bill Sommerfeld
>Organization:
>Release: 19981125
>Environment:
System: NetBSD orchard.arlington.ma.us 1.3I NetBSD 1.3I (ORCHARDII) #2: Wed Nov 25 14:55:02 EST 1998 root@orchard.arlington.ma.us:/usr/sandbox/sys/arch/i386/compile/ORCHARDII i386
>Description:
I have a crash dump from this one, as it occurred on a system where I
can't run DDB.
The fault appears to be in:
1.1 (mrg 06-Feb-98): #ifdef DIAGNOSTIC
1.1 (mrg 06-Feb-98): if (pve->pv_ptp && (pve->pv_pmap->pm_pdir[pdei(pve->pv_va)] & PG_FRAME)
1.5 (chuck 17-Mar-98): != VM_PAGE_TO_PHYS(pve->pv_ptp)) {
1.5 (chuck 17-Mar-98): printf("pmap_page_remove: pg=%p: va=%lx, pv_ptp=%p\n", pg, pve->pv_va,
1.5 (chuck 17-Mar-98): pve->pv_ptp);
1.5 (chuck 17-Mar-98): printf("pmap_page_remove: PTP's phys addr: actual=%x, recorded=%lx\n",
1.5 (chuck 17-Mar-98): (pve->pv_pmap->pm_pdir[pdei(pve->pv_va)] & PG_FRAME),
1.5 (chuck 17-Mar-98): VM_PAGE_TO_PHYS(pve->pv_ptp));
1.1 (mrg 06-Feb-98): panic("pmap_page_remove: mapped managed page has invalid pv_ptp field");
1.5 (chuck 17-Mar-98): }
1.1 (mrg 06-Feb-98): #endif
instructions around fault:
0xf01c9fae <pmap_page_remove+246>: movl 0x4(%ebx),%eax
0xf01c9fb1 <pmap_page_remove+249>: movl 0x8(%ebx),%esi
0xf01c9fb4 <pmap_page_remove+252>: movl %esi,%edx
0xf01c9fb6 <pmap_page_remove+254>: shrl $0x16,%edx
0xf01c9fb9 <pmap_page_remove+257>: movl 0x20(%eax),%eax
0xf01c9fbc <pmap_page_remove+260>: movl (%eax,%edx,4),%eax
0xf01c9fbf <pmap_page_remove+263>: andl $0xfffff000,%eax
0xf01c9fc4 <pmap_page_remove+268>: cmpl %eax,0x30(%ecx)
0xf01c9fc7 <pmap_page_remove+271>: je 0xf01ca008 <pmap_page_remove+336>
trap frame:
$11 = {tf_es = 0xf0360010, tf_ds = 0xf0360010, tf_edi = 0x2aac,
tf_esi = 0x4b000, tf_ebp = 0xfc77de74, tf_ebx = 0xf04b4900, tf_edx = 0x0,
tf_ecx = 0xf0313d34, tf_eax = 0xfc78a000, tf_trapno = 0x6, tf_err = 0x0,
tf_eip = 0xf01c9fbc, tf_cs = 0x8, tf_eflags = 0x10246, tf_esp = 0xfc63a250,
tf_ss = 0xfc7a20a4, tf_vm86_es = 0x0, tf_vm86_ds = 0xffc00000,
tf_vm86_fs = 0xf03a2560, tf_vm86_gs = 0x0}
The fault occurred at pmap_page_remove+260; edx is zero; eax is
0xfc78a000, which appears to be an invalid pointer.
The fault seems to be in the evaluation of the VM_PAGE_TO_PHYS()
macro.
Additional information available on request.
>How-To-Repeat:
Unknown. Occurred during a `make build'.
>Fix:
??? turn off DIAGNOSTIC?
>Audit-Trail:
>Unformatted: