Subject: kern/22752: shm panics with MozillaFirebird
To: None <gnats-bugs@gnats.netbsd.org>
From: None <spindler@kataname.com>
List: netbsd-bugs
Date: 09/11/2003 13:11:05
>Number: 22752
>Category: kern
>Synopsis: shm panics with MozillaFirebird
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Sep 11 20:15:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:
>Release: NetBSD 1.6Z
>Organization:
>Environment:
System: NetBSD aggraVAtIOn 1.6Z NetBSD 1.6Z (KMEDESKTOP) #2: Wed Sep 10 17:07:11 PDT 2003 dogcow@aggraVAtIOn:/home/dogcow/obj/tnfii386/obj/blop/src/nbsrc/sys/arch/i386/compile/KMEDESKTOP i386
Architecture: i386
Machine: i386
>Description:
If MozillaFirebird opens an awful lot of pages (enough to swap, I think)
the kernel panics when the browser attempts to quit; it looks like it's
due to something deep in XFree86.
(gdb) where
#0 0x1 in ?? (?? )
#1 0xc0248bfb in cpu_reboot (howto=256, bootstr=0x0)
at /blop/src/nbsrc/sys/arch/i386/i386/machdep.c:769
#2 0xc01f159f in panic () at /blop/src/nbsrc/sys/kern/subr_prf.c:242
#3 0xc0253735 in trap (frame=0xd3ae5d9c)
at /blop/src/nbsrc/sys/arch/i386/i386/trap.c:296
#4 0xc0102b87 in calltrap ()
#5 0xc0230efa in uao_free (aobj=0xd3b09138)
at /blop/src/nbsrc/sys/uvm/uvm_aobj.c:423
#6 0xc0231277 in uao_detach_locked (uobj=0xd3b09138)
at /blop/src/nbsrc/sys/uvm/uvm_aobj.c:722
#7 0xc02311cd in uao_detach (uobj=0xd3b09138)
at /blop/src/nbsrc/sys/uvm/uvm_aobj.c:649
#8 0xc01fa54c in shm_deallocate_segment (shmseg=0xc579c1a4)
at /blop/src/nbsrc/sys/kern/sysv_shm.c:187
#9 0xc01fa620 in shm_delete_mapping (vm=0xd3acd184, shmmap_s=0xc09e0040,
shmmap_se=0xc09e20d8) at /blop/src/nbsrc/sys/kern/sysv_shm.c:215
#10 0xc01fa774 in sys_shmdt (l=0xd3a9f284, v=0xd3ae5f7c, retval=0xd3ae5f74)
at /blop/src/nbsrc/sys/kern/sysv_shm.c:307
#11 0xc02530a7 in syscall_plain (frame=0xd3ae5fa8)
at /blop/src/nbsrc/sys/arch/i386/i386/syscall.c:156
#12 0xc0100a54 in syscall1 ()
can not access 0xbfbff794, invalid translation (invalid PDE)
(gdb) up
#5 0xc0230efa in uao_free (aobj=0xd3b09138)
at /blop/src/nbsrc/sys/uvm/uvm_aobj.c:423
423 uvm_swap_free(slot, 1);
(gdb) print elt
$3 = (struct uao_swhash_elt *) 0x0
(gdb) up
#6 0xc0231277 in uao_detach_locked (uobj=0xd3b09138)
at /blop/src/nbsrc/sys/uvm/uvm_aobj.c:722
722 uao_free(aobj);
(gdb) print *aobj
$13 = {u_obj = {vmobjlock = {lock_data = 0}, pgops = 0xc039992c, memq = {
tqh_first = 0x0, tqh_last = 0xd3b09140}, uo_npages = 0, uo_refs = 0},
u_pages = 193, u_flags = 0, u_swslots = 0xc0a76f40, u_swhash = 0xc0a6bec0,
u_swhashmask = 15, u_list = {le_next = 0xd3b09208, le_prev = 0xd3b09200}}
#7 0xc02311cd in uao_detach (uobj=0xd3b09138)
at /blop/src/nbsrc/sys/uvm/uvm_aobj.c:649
649 uao_detach_locked(uobj);
(gdb) print uobj
$14 = (struct uvm_object *) 0xd3b09138
(gdb) print *uobj
$15 = {vmobjlock = {lock_data = 0}, pgops = 0xc039992c, memq = {
tqh_first = 0x0, tqh_last = 0xd3b09140}, uo_npages = 0, uo_refs = 0}
(gdb) up
#8 0xc01fa54c in shm_deallocate_segment (shmseg=0xc579c1a4)
at /blop/src/nbsrc/sys/kern/sysv_shm.c:187
187 uao_detach(shm_handle->shm_object);
(gdb) print *(shm_handle->shm_object)
$19 = {vmobjlock = {lock_data = 0}, pgops = 0xc039992c, memq = {
tqh_first = 0x0, tqh_last = 0xd3b09140}, uo_npages = 0, uo_refs = 0}
(gdb) up
#9 0xc01fa620 in shm_delete_mapping (vm=0xd3acd184, shmmap_s=0xc09e0040,
shmmap_se=0xc09e20d8) at /blop/src/nbsrc/sys/kern/sysv_shm.c:215
215 shm_deallocate_segment(shmseg);
(gdb) print *shmseg
$32 = {shm_perm = {uid = 0, gid = 100, cuid = 0, cgid = 100, mode = 3492,
_seq = 580, _key = 0}, shm_segsz = 790528, shm_lpid = 1093,
shm_cpid = 830, shm_nattch = 0, shm_atime = 1063301196,
shm_dtime = 1063304768, shm_ctime = 1063301196, _shm_internal = 0xc09fb010}
(gdb) up
#10 0xc01fa774 in sys_shmdt (l=0xd3a9f284, v=0xd3ae5f7c, retval=0xd3ae5f74)
at /blop/src/nbsrc/sys/kern/sysv_shm.c:307
307 shm_delete_mapping(p->p_vmspace, shmmap_s1, shmmap_se);
(gdb) up
#11 0xc02530a7 in syscall_plain (frame=0xd3ae5fa8)
at /blop/src/nbsrc/sys/arch/i386/i386/syscall.c:156
156 error = (*callp->sy_call)(l, args, rval);
(gdb) print args
$44 = {1349189632, 0, 0, 0, -1077938212, 64, 1, -1064914816}
(gdb) print *l
$47 = {l_forw = 0xc03c8ea0, l_back = 0x0, l_list = {le_next = 0xd3a9f204,
le_prev = 0xd3a9f30c}, l_zlist = {le_next = 0x665f633e,
le_prev = 0x7367616c}, l_proc = 0xd3ae6010, l_sibling = {le_next = 0x0,
le_prev = 0xd3ae6068}, l_cpu = 0xc039e7e0, l_flag = 4, l_stat = 7,
l_lid = 1, l_swtime = 65114, l_slptime = 0, l_wchan = 0x0, l_tsleep_ch = {
c_list = {cq_next = 0xc03aaf60, cq_prev = 0xc03aaf60},
c_func = 0xc01e5b70 <endtsleep>, c_arg = 0xd3a9f284, c_time = 6529053,
c_flags = 0}, l_wmesg = 0xc0328d5a "biowait", l_holdcnt = 0,
l_ctxlink = 0x0, l_priority = 55 '7', l_usrpri = 55 '7',
l_private = 0x66656423, l_locks = 157642345, l_addr = 0xd3ae2000, l_md = {
md_regs = 0xd3ae5fa8, md_flags = 1, md_tss_sel = 464}}
(gdb) print *(l->l_proc)
$49 = {p_list = {le_next = 0xd3a7ddec, le_prev = 0xd3ae61cc},
p_cred = 0xd32cd360, p_fd = 0xd32cec94, p_cwdi = 0xd32cf114,
p_stats = 0xd3ae8008, p_limit = 0xd390b1d4, p_vmspace = 0xd3acd184,
p_sigacts = 0xd3aa404c, p_ksems = 0x0, p_exitsig = 20, p_flag = 16640,
p_stat = 2 '\002', p_pad1 = "ŻŻ", p_pid = 830, p_dead = {sle_next = 0x0},
p_pglist = {le_next = 0x0, le_prev = 0xd3303110}, p_pptr = 0xd32fd1c0,
p_sibling = {le_next = 0xd3a7ddec, le_prev = 0xd3ae6214}, p_children = {
lh_first = 0x0}, p_lwplock = {lock_data = 0}, p_lwps = {
lh_first = 0xd3a9f284}, p_raslist = {lh_first = 0x0}, p_nras = 0,
p_raslock = {lock_data = 0}, p_nlwps = 1, p_nrlwps = 1, p_nzlwps = 0,
p_nlwpid = 1, p_sa = 0x0, p_estcpu = 5, p_cpticks = 3, p_pctcpu = 49,
p_opptr = 0x0, p_dupfd = 0, p_timers = 0xc098c700, p_rtime = {tv_sec = 360,
tv_usec = 913177}, p_uticks = 13471, p_sticks = 7994, p_iticks = 120,
p_traceflag = 0, p_tracep = 0x0, p_systrace = 0x0, p_textvp = 0xd3af3a5c,
p_emul = 0xc0325460, p_emuldata = 0x0, p_userret = 0, p_userret_arg = 0x0,
p_execsw = 0xc0324d60, p_klist = {slh_first = 0x0}, p_sigctx = {
ps_siglist = {__bits = {4202496, 0, 0, 0}}, ps_sigcheck = 1 '\001',
ps_sigwaited = 0, ps_sigwait = {__bits = {0, 0, 0, 0}}, ps_sigstk = {
ss_sp = 0x0, ss_size = 0, ss_flags = 4}, ps_oldmask = {__bits = {524288,
0, 0, 0}}, ps_flags = 0, ps_siginfo = {_signo = 0, _code = 0,
_errno = 0, _reason = {_rt = {_pid = 0, _uid = 0, _sigval = {
sival_int = 0, sival_ptr = 0x0}}, _child = {_pid = 0, _uid = 0,
_status = 0, _utime = 0, _stime = 0}, _fault = {_addr = 0x0,
_trap = 0}, _poll = {_band = 0, _fd = 0}}}, ps_lwp = 0,
ps_sigcode = 0x0, ps_sigmask = {__bits = {0, 0, 0, 0}}, ps_sigignore = {
__bits = {2553843712, 0, 0, 0}}, ps_sigcatch = {__bits = {566259403, 0,
0, 0}}}, p_nice = 20 '\024',
p_comm = "XFree86\000t\000\000\000\000\000\000\000", p_pgrp = 0xd3303110,
p_psstr = 0xbfbffff0, p_psargv = 0, p_psnargv = 4, p_psenv = 8,
p_psnenv = 12, p_xstat = 0, p_acflag = 2, p_ru = 0xd3312048, p_md = {
md_flags = 2, md_syscall = 0xc0252ff8 <syscall_plain>, md_astpending = 1}}
>How-To-Repeat:
run MozillaFirebird 0.6.1 with xfree86 for quite a while, use up lots of
memory, and then quit.
XFree86 Version 4.3.0
Release Date: 27 February 2003
X Protocol Version 11, Revision 0, Release 6.6
Build Operating System: NetBSD/i386 1.6 [ELF] The NetBSD Foundation, Inc.
Build Date: 28 April 2003
>Fix:
probably, revert back to the fixed-size shm goo.
>Release-Note:
>Audit-Trail:
>Unformatted: