Subject: Re: kern/13261: "Data modified on freelist"
To: Jun-ichiro itojun Hagino <itojun@iijlab.net>
From: Chuck Silvers <chuq@chuq.com>
List: tech-kern
Date: 08/17/2001 06:36:21
hi,
yes, please make the dump available.
-Chuck
On Fri, Aug 17, 2001 at 05:10:42PM +0900, Jun-ichiro itojun Hagino wrote:
> >Okay...
> >
> >What you should do is build your kernel with the new MALLOC_DEBUG
> >option, and set the `debug_malloc_type' variable to M_UVMAMAP, if
> >you're having lossage with that type, etc. Then you should get a
> >fault when something touches it after it's freed.
>
> I'm using MALLOC_DEBUG right now. I experienced a crash while I was
> in X, so I could not see the dying message. Here's the backtrace.
> (If you want the core as well as netbsd.gdb, I can put them somewhere.)
>
> itojun
>
>
> Script started on Fri Aug 17 17:06:18 2001
> # gdb netbsd.gdb
> GNU gdb 4.17
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386--netbsd"...
> (gdb) target kcore /usr/crash/netbsd.0.core
> panic: free: unaligned addr %p, size %ld, type %s, mask %ld
>
> #0 0xc04723e0 in addrmask ()
> (gdb) bt
> #0 0xc04723e0 in addrmask ()
> #1 0x58fa000 in ?? ()
> #2 0xc032a12f in cpu_reboot (howto=256, bootstr=0x0)
> at ../../../../arch/i386/i386/machdep.c:1846
> #3 0xc01d117e in panic () at ../../../../kern/subr_prf.c:250
> #4 0xc01c3628 in _free (addr=0xc10779ff, type=82,
> file=0xc049e826 "../../../../uvm/uvm_amap.c", line=432)
> at ../../../../kern/kern_malloc.c:477
> #5 0xc0315dd5 in amap_extend (entry=0xdcb79b40, addsize=16384)
> at ../../../../uvm/uvm_amap.c:432
> #6 0xc031c1e8 in uvm_map (map=0xdca2e528, startp=0xdcb5ff54, size=16384,
> uobj=0x0, uoffset=0, align=0, flags=1771287)
> at ../../../../uvm/uvm_map.c:642
> #7 0xc03254b0 in sys_obreak (p=0xdcb1aac8, v=0xdcb5ff80, retval=0xdcb5ff78)
> at ../../../../uvm/uvm_unix.c:95
> #8 0xc0332414 in syscall_plain (frame={tf_gs = 31, tf_fs = 134742047,
> tf_es = 31, tf_ds = -1078001633, tf_edi = 16384, tf_esi = 4,
> tf_ebp = -1077946892, tf_ebx = 1210358536, tf_edx = 1210358532,
> tf_ecx = 134967296, tf_eax = 17, tf_trapno = 3, tf_err = 2,
> tf_eip = 1210311603, tf_cs = 23, tf_eflags = 518, tf_esp = -1077946916,
> tf_ss = 31, tf_vm86_es = 0, tf_vm86_ds = 0, tf_vm86_fs = 0,
> tf_vm86_gs = 0}) at ../../../../arch/i386/i386/syscall.c:137
> #9 0xc0100f06 in syscall1 ()
> can not access 0xbfbfd5f4, invalid translation (invalid PDE)
> can not access 0xbfbfd5f4, invalid translation (invalid PDE)
> ---Type <return> to continue, or q <return> to quit---
> Cannot access memory at address 0xbfbfd5f4.
> (gdb) frame 4
> #4 0xc01c3628 in _free (addr=0xc10779ff, type=82,
> file=0xc049e826 "../../../../uvm/uvm_amap.c", line=432)
> at ../../../../kern/kern_malloc.c:477
> 477 panic("free: unaligned addr %p, size %ld, type %s, mask %ld\n",
> (gdb) list
> 472 if (size > PAGE_SIZE)
> 473 alloc = addrmask[BUCKETINDX(PAGE_SIZE)];
> 474 else
> 475 alloc = addrmask[kup->ku_indx];
> 476 if (((u_long)addr & alloc) != 0)
> 477 panic("free: unaligned addr %p, size %ld, type %s, mask %ld\n",
> 478 addr, size, memname[type], alloc);
> 479 #endif /* DIAGNOSTIC */
> 480 if (size > MAXALLOCSAVE) {
> 481 uvm_km_free(kmem_map, (vaddr_t)addr, ctob(kup->ku_pagecnt));
> (gdb) print addr
> $1 = (void *) 0xc10779ff
> (gdb) print size
> $2 = 512
> (gdb) print u(gdb) (gdb) frame 5
> #5 0xc0315dd5 in amap_extend (entry=0xdcb79b40, addsize=16384)
> at ../../../../uvm/uvm_amap.c:432
> 432 free(oldover, M_UVMAMAP);
> (gdb) print oldover
> $3 = (struct vm_anon **) 0xc10779ff
> (gdb) list
> 427 amap_unlock(amap);
> 428
> 429 /* and free */
> 430 free(oldsl, M_UVMAMAP);
> 431 free(oldbck, M_UVMAMAP);
> 432 free(oldover, M_UVMAMAP);
> 433 #ifdef UVM_AMAP_PPREF
> 434 if (oldppref && oldppref != PPREF_NONE)
> 435 free(oldppref, M_UVMAMAP);
> 436 #endif
> (gdb) print oldsl
> $4 = (u_int *) 0xc1073400
> (gdb) print oldbck
> $5 = (u_int *) 0xc0fea400
> (gdb)
> Script done on Fri Aug 17 17:07:25 2001
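The DIAGNOSTIC alignment check that fired in frame 4, re-implemented as a stand-alone C example (added here; this is not NetBSD's kern_malloc.c). It assumes power-of-two buckets starting at MINBUCKET 4, so addrmask[i] is (1 << i) - 1, and takes the chunk size as an argument where the kernel reads it from the per-page kmemusage record; the sizes used for oldsl and oldbck are assumed, since the session only prints the size for oldover.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bucket layout: bucket i holds chunks of (1 << i) bytes, i >= MINBUCKET. */
#define MINBUCKET 4
#define PAGE_SIZE 4096

/* Smallest bucket index whose chunk size (1 << indx) holds `size` bytes. */
unsigned bucket_index(unsigned long size)
{
    unsigned indx = MINBUCKET;
    while ((1UL << indx) < size)
        indx++;
    return indx;
}

/* Mask that must be zero for a pointer returned to bucket `indx`
 * (mirrors addrmask[kup->ku_indx] in the listing; allocations larger
 * than a page only need page alignment). */
unsigned long addr_mask(unsigned indx, unsigned long size)
{
    if (size > PAGE_SIZE)
        indx = bucket_index(PAGE_SIZE);
    return (1UL << indx) - 1;
}

/* Returns 1 when the DIAGNOSTIC check would panic on this pointer, else 0. */
int free_would_panic(uintptr_t addr, unsigned long size)
{
    unsigned indx = bucket_index(size);
    return ((unsigned long)addr & addr_mask(indx, size)) != 0;
}

int main(void)
{
    /* Pointers from the gdb session; oldsl/oldbck sizes are assumed. */
    struct { const char *name; uintptr_t addr; unsigned long size; } frees[] = {
        { "oldsl",   0xc1073400UL, 512 },
        { "oldbck",  0xc0fea400UL, 512 },
        { "oldover", 0xc10779ffUL, 512 },  /* 512-byte chunk: low 9 bits must be 0 */
    };
    for (size_t i = 0; i < sizeof frees / sizeof frees[0]; i++)
        printf("%-8s %#lx: %s\n", frees[i].name, (unsigned long)frees[i].addr,
               free_would_panic(frees[i].addr, frees[i].size)
                   ? "unaligned, would panic" : "aligned, accepted");
    return 0;
}
```

A pointer into a 512-byte bucket can only end in 0x000 or 0x200, so a value ending in 0x1ff is rejected before the free list is touched; that is the detection point the trace shows, not the corruption itself.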