Fatal trap 12: page fault while in kernel mode(subr_turnstile.c) w/ trace

[Robin Breathe]

John Baldwin wrote:
> Oof, you seem to have possibly hit a corrupted thread object.

Sounds unpleasant.

>>(kgdb) l *0xc0537aa6
>>0xc0537aa6 is in turnstile_wait (/usr/src/sys/kern/subr_turnstile.c:439).
>>434             td = curthread;
>>435             tc = TC_LOOKUP(lock);
>>436             mtx_assert(&tc->tc_lock, MA_OWNED);
>>437             MPASS(td->td_turnstile != NULL);
>>438             MPASS(owner != NULL);
>>439             MPASS(owner->td_proc->p_magic == P_MAGIC);
>>440
>>441             /* If the passed in turnstile is NULL, use this thread's 
>>turnstile. */
>>442             if (ts == NULL) {
>>443                     ts = td->td_turnstile;
>>(kgdb)
> 
> owner is not NULL, but it blew up trying to read owner->td_proc.
> Hmm, actually then, I think the owner pointer is bad.  There was
> a while after one of the KSE commits when people would get panics
> with a thread whose td_proc was NULL, but I don't know if that bug
> was ever figured out or fixed.  For owner to be wrong though,
> mtx_lock in the relevant mutex must have been corrupted somehow.

I see (partially). Is there anything I can do to help track the culprit, 
running the command which leads to panic inside gdb? Anything vaguely 
sensible? It would obviously be a bonus if we could track this bad-boy 
down before 5.2 gets out the door.

- Robin
-- 
Robin Breathe              robin at isometry.net              +441865741800