Panic dereferencing p->p_leader during exit1()

Peter Jeremy peterjeremy at optushome.com.au
Tue Apr 8 01:00:38 PDT 2003 

My wife got the following from a system running (effectively)
4.8-RELEASE (I built/installed world just before the kernel version
was updated from 4.8-RC to 4.8-RELEASE).  I gather she made a few
attempts to get mozilla to start and then the system panic'd.

According to the crashdump, p->p_leader is NULL but according to
the code, this can never happen.  This is a UP Athlon XP-1800
with the kernel built for a K7.  Anyone got any ideas?

IdlePTD at phsyical address 0x003a3000
initial pcb at physical address 0x00302ac0
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x184
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc015c0dd
stack pointer           = 0x10:0xe18ebeb4
frame pointer           = 0x10:0xe18ebed8
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 213 (m)
interrupt mask          = none
trap number             = 12
panic: page fault

syncing disks... 47 
done
Uptime: 41s

dumping to dev #ad/0x40001, offset 1017136
dump ata0: resetting devices .. done
511 510 509 508 507 506 505 504 503 502 501 500
...
---
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
487             if (dumping++) {
(kgdb) where
#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1  0xc016429b in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
#2  0xc01646d9 in panic (fmt=0xc02baaac "%s")
    at /usr/src/sys/kern/kern_shutdown.c:595
#3  0xc02759fb in trap_fatal (frame=0xe18ebe74, eva=388)
    at /usr/src/sys/i386/i386/trap.c:974
#4  0xc02756a9 in trap_pfault (frame=0xe18ebe74, usermode=0, eva=388)
    at /usr/src/sys/i386/i386/trap.c:867
#5  0xc027524f in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, 
      tf_edi = -510718880, tf_esi = -510718880, tf_ebp = -510738728, 
      tf_isp = -510738784, tf_ebx = 0, tf_edx = -510718880, tf_ecx = 8, 
      tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1072316195, tf_cs = 8, 
      tf_eflags = 66198, tf_esp = 41, tf_ss = -510718880})
    at /usr/src/sys/i386/i386/trap.c:466
#6  0xc015c0dd in exit1 (p=0xe18f0c60, rv=41)
    at /usr/src/sys/kern/kern_exit.c:190
#7  0xc01661de in sigexit (p=0xe18f0c60, sig=41)
    at /usr/src/sys/kern/kern_sig.c:1503
#8  0xc0165f58 in postsig (sig=41) at /usr/src/sys/kern/kern_sig.c:1406
#9  0xc0275e00 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, 
      tf_edi = 114688, tf_esi = 146527456, tf_ebp = -1077943264, 
      tf_isp = -510738476, tf_ebx = 1187677356, tf_edx = 1187677156, 
      tf_ecx = 1187677152, tf_eax = 0, tf_trapno = 7, tf_err = 2, 
      tf_eip = 1187619448, tf_cs = 31, tf_eflags = 642, tf_esp = -1077943324, 
      tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:174
#10 0xc0268815 in Xint0x80_syscall ()
#11 0x46c99cf9 in ?? ()
...

(kgdb) up 6
#6  0xc015c0dd in exit1 (p=0xe18f0c60, rv=41)
    at /usr/src/sys/kern/kern_exit.c:190
190             if(p->p_leader->p_peers) {
(kgdb) p *p
$1 = {p_procq = {tqe_next = 0x0, tqe_prev = 0xc0318c88}, p_list = {
    le_next = 0xe18f0ac0, le_prev = 0xc0318bc0}, p_cred = 0xc1fb28c0, 
  p_fd = 0xc2060900, p_stats = 0xe18e9cd0, p_limit = 0xc2059900, 
  p_upages_obj = 0xe18e3f00, p_procsig = 0xc2053040, p_flag = 24580, 
  p_stat = 2 '\002', p_pad1 = "\000\000", p_pid = 213, p_hash = {
    le_next = 0x0, le_prev = 0xc104b354}, p_pglist = {le_next = 0x0, 
    le_prev = 0xe18f0afc}, p_pptr = 0xe18f0ac0, p_sibling = {le_next = 0x0, 
    le_prev = 0xe18f0b10}, p_children = {lh_first = 0x0}, p_ithandle = {
    callout = 0x0}, p_oppid = 0, p_dupfd = 0, p_vmspace = 0xd477b440, 
  p_estcpu = 42, p_cpticks = 17, p_pctcpu = 229, p_wchan = 0x0, 
  p_wmesg = 0xc02985e9 "biord", p_swtime = 11, p_slptime = 0, p_realtimer = {
    it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, 
      tv_usec = 0}}, p_runtime = 2935395, p_uu = 0, p_su = 549755813891, 
  p_iu = 0, p_uticks = 884763262976, p_sticks = 1095216660492, 
  p_iticks = 549755813888, p_traceflag = 0, p_tracep = 0xa8, p_siglist = {
    __bits = {0, 0, 0, 0}}, p_textvp = 0xe18f5e40, p_lock = 0 '\000', 
  p_oncpu = 0 '\000', p_lastcpu = 0 '\000', p_rqindex = 13 '\r', 
  p_locks = -377, p_simple_locks = 0, p_stops = 0, p_stype = 0, 
  p_step = 0 '\000', p_pfsflags = 0 '\000', p_pad3 = "\000", p_retval = {0, 
    1187677156}, p_sigiolst = {slh_first = 0x0}, p_sigparent = 20, 
  p_oldsigmask = {__bits = {0, 0, 0, 0}}, p_sig = 0, p_code = 0, p_klist = {
    slh_first = 0x0}, p_sigmask = {__bits = {0, 0, 0, 0}}, p_sigstk = {
    ss_sp = 0x0, ss_size = 0, ss_flags = 4}, p_priority = 55 '7', 
  p_usrpri = 55 '7', p_nice = 0 '\000', 
  p_comm = "mozilla-bin\000\000\000\000\000", p_pgrp = 0xc2048620, 
  p_sysent = 0xc02c8580, p_rtprio = {type = 1, prio = 0}, p_prison = 0x0, 
  p_args = 0xc2048500, p_addr = 0xe18e9000, p_md = {md_regs = 0xe18ebfa8}, 
  p_xstat = 0, p_acflag = 16, p_ru = 0xc202b300, p_nthreads = 0, 
  p_aioinfo = 0xa8, p_wakeup = 0, p_peers = 0x0, p_leader = 0x0, p_asleep = {
    as_priority = 0, as_timo = 0}, p_emuldata = 0x20}
(kgdb) 

Peter

More information about the freebsd-stable mailing list