[Bug 204633] If INVARIANTS is enabled, free() may attempt to acquire sleeping lock

bugzilla-noreply at freebsd.org
Tue Nov 17 16:27:39 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204633

            Bug ID: 204633
           Summary: If INVARIANTS is enabled, free() may attempt to
                    acquire sleeping lock
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: jtl at freebsd.org

While testing new code with WITNESS enabled, I saw this panic:

panic: acquiring blockable sleep lock with spinlock or critical section held
(sleep mutex) 64 Bucket @ /usr/src/sys/vm/uma_dbg.c:217
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe000021c690
vpanic() at vpanic+0x182/frame 0xfffffe000021c710
kassert_panic() at kassert_panic+0x126/frame 0xfffffe000021c780
witness_checkorder() at witness_checkorder+0x13b/frame 0xfffffe000021c800
__mtx_lock_flags() at __mtx_lock_flags+0xa4/frame 0xfffffe000021c850
uma_dbg_getslab() at uma_dbg_getslab+0x42/frame 0xfffffe000021c880
uma_dbg_alloc() at uma_dbg_alloc+0x36/frame 0xfffffe000021c8b0
uma_zalloc_arg() at uma_zalloc_arg+0x53e/frame 0xfffffe000021c910
bucket_alloc() at bucket_alloc+0xa6/frame 0xfffffe000021c930
uma_zfree_arg() at uma_zfree_arg+0x293/frame 0xfffffe000021c980
free() at free+0x8b/frame 0xfffffe000021c9c0
pmc_hook_handler() at pmc_hook_handler+0xbbb/frame 0xfffffe000021ca50
thread_exit() at thread_exit+0x1b7/frame 0xfffffe000021ca90
kern_thr_exit() at kern_thr_exit+0x119/frame 0xfffffe000021cac0
sys_thr_exit() at sys_thr_exit+0x62/frame 0xfffffe000021cae0
amd64_syscall() at amd64_syscall+0x2de/frame 0xfffffe000021cbf0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe000021cbf0
--- syscall (431, FreeBSD ELF64, sys_thr_exit), rip = 0x40b70a, rsp =
0x7fffde9f2ee8, rbp = 0x7fffde9f2f00 ---
KDB: enter: panic


The free() man page promises that free() will not sleep. However, if INVARIANTS
is enabled, free() may very well attempt to acquire a sleeping lock. In fact,
it appears that malloc() may even attempt to acquire a sleeping lock if
INVARIANTS is enabled.

The problem is that uma_zalloc_arg() calls uma_dbg_alloc(). uma_dbg_alloc()
calls uma_dbg_getslab(). uma_dbg_getslab() may acquire the zone lock, which is
a normal (sleepable) mutex.

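The call chain in the backtrace, as an added user-space C model that is not part of the original report or of the FreeBSD source: free() needs a new bucket, the allocation path runs its debug hook only when invariants are enabled, and the hook takes the zone's sleep mutex. All type and function names below are hypothetical, and the thread's lock context is reduced to two counters.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified per-thread state; all names here are hypothetical. */
struct thread_model {
    int critnest;   /* critical-section nesting depth */
    int spinlocks;  /* spin mutexes currently held */
    int violations; /* blockable locks taken in a forbidden context */
};

/* The rule behind the panic: a sleep mutex may block, so it must not be
 * acquired while a spinlock or a critical section is held. */
static void sleep_mtx_lock(struct thread_model *td) {
    if (td->critnest > 0 || td->spinlocks > 0)
        td->violations++;
}

/* Allocation path: the debug hook runs only when invariants are enabled
 * and takes the zone lock (modelled as a sleep mutex) to find the slab. */
static void zalloc_model(struct thread_model *td, bool invariants) {
    if (invariants)
        sleep_mtx_lock(td);
}

/* free(): as in the backtrace, returning an item can require allocating
 * a new bucket, which re-enters the allocation path. */
static void free_model(struct thread_model *td, bool invariants,
    bool need_bucket) {
    if (need_bucket)
        zalloc_model(td, invariants);
}

/* Call free_model() with or without a critical section held and return
 * how many lock-context violations were recorded. */
int free_violations(bool invariants, bool need_bucket, bool in_critical) {
    struct thread_model td = {0, 0, 0};
    if (in_critical)
        td.critnest++;
    free_model(&td, invariants, need_bucket);
    return td.violations;
}

int main(void) {
    printf("invariants on: %d, invariants off: %d\n",
        free_violations(true, true, true), free_violations(false, true, true));
    return 0;
}
```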