From nobody@FreeBSD.ORG Fri Feb 19 12:11:12 1999
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id CD5F911764; Fri, 19 Feb 1999 12:11:11 -0800 (PST)
Message-Id: <19990219201111.CD5F911764@hub.freebsd.org>
Date: Fri, 19 Feb 1999 12:11:11 -0800 (PST)
From: hgoldste@bbs.mpcs.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@freebsd.org
Subject: panic during heavy sio i/o;no coproc; vesa+vm86
X-Send-Pr-Version: www-1.0

>Number:         10166
>Category:       kern
>Synopsis:       panic during heavy sio i/o;no coproc; vesa+vm86
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 19 12:20:00 PST 1999
>Closed-Date:    Thu May 24 18:31:27 PDT 2001
>Last-Modified:  Thu May 24 18:31:44 PDT 2001
>Originator:     Howard Goldstein
>Release:        3.1-RELEASE
>Organization:
no org
>Environment:
BIOS basemem: 611K, extmem: 15360K (from 0xe801 call)
Copyright (c) 1992-1999 FreeBSD Inc.
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California. All rights reserved.
FreeBSD 3.1-RELEASE #5: Fri Feb 19 14:39:13 EST 1999
    hgoldste@bbs.mpcs.com:/usr/src/sys/compile/PICOBSD-D.1600
Timecounter "i8254"  frequency 1193182 Hz
CPU: NexGen 586 (386-class CPU)
real memory  = 16777216 (16384K bytes)
avail memory = 13070336 (12764K bytes)
Preloaded elf kernel "kernel" at 0xf0380000.
Preloaded userconfig_script "/kernel.config" at 0xf0380084.
Probing for devices on the ISA bus:
sc0 on isa
sc0: VGA color <16 virtual consoles, flags=0x0>
atkbdc0 at 0x60-0x6f on motherboard
atkbd0 irq 1 on isa
sio0 at 0x3f8-0x3ff irq 4 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
sio2 at 0x3e8-0x3ef irq 10 on isa
sio2: type 16550A
sio3 at 0x2e8-0x2ef irq 11 flags 0x10 on isa
sio3: type 16550A, console
ppc0 at 0x378 irq 7 on isa
ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
nlpt0: <generic printer> on ppbus 0
nlpt0: Interrupt-driven port
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: FIFO enabled, 8 bytes threshold
fd0: 1.44MB 3.5in
vga0 at 0x3b0-0x3df maddr 0xa0000 msize 131072 on isa
npx0 on motherboard
npx0: 387 emulator
fla0 at maddr 0xdc000 msize 8192 on isa
fla0: <M-Systems DiskOnChip 2000> (driver: 19990131)
fla0: 7MB (15920 sectors), 995 cyls, 16 heads, 1 S/T, 512 B/S
rootfs is 1600 Kbyte compiled in MFS

>Description:
This was tough to catch!  My app ditches the text console
in place of a graphics display.  Thank you ddb ghods I have
some good bt:

kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x76107fa
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xf01a7bc3
stack pointer           = 0x10:0xf2899c4c
frame pointer           = 0x10:0xf2899c70
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 51 (vdusrvr)
interrupt mask          = tty 
kernel: type 12 trap, code=0
Stopped at      random_poll+0xef3:      testb   $0x1,0x84(%eax)
db> bt
No such command
db> ?
Bad character
?
db> ps
  pid   proc     addr    uid  ppid  pgrp  flag stat wmesg   wchan   cmd
   52 f28740a0 f289b000    0    50    45 004006  2                  v2show
   51 f2874200 f2898000    0    50    45 004006  2                  vdusrvr
   50 f2874360 f2896000    0    45    45 004086  3   pause f28960f0 vdumaster
   49 f28744c0 f2893000    0     1    49 004086  3   ttyin f0379080 getty
   48 f2874620 f2890000    0     1    48 004086  3   ttyin f03763bc getty
   47 f2874780 f2888000    0     1    47 004086  3   ttyin f03762c8 getty
   46 f28748e0 f2885000    0     1    46 004086  3   ttyin f03761d4 -sh
   45 f2874a40 f2882000    0     1    45 004086  3    wait f2874a40 vduconsole
    3 f2874ba0 f287d000    0     0     0 000204  3  syncer f037a4dc syncer
    2 f2874d00 f287b000    0     0     0 000204  3  psleep f035c91c pagedaemon
    1 f2874e60 f2879000    0     0     1 004084  3    wait f2874e60 init
    0 f037981c f038b000    0     0     0 000204  3   sched f037981c swapper
db> trace /u
random_poll(f0571000,f2899ca8,f0191b67,0,f0570010) at random_poll+0xef3
random_poll(0,f0570010,2ed,2ed,0) at random_poll+0xe6a
Xfastintr4(f2899cd4,80000000,0,f2899cd4,f2899cdc) at Xfastintr4+0x17
random_poll(f2899cd4,75,0,30f000c,b) at random_poll+0x2178
siocnputc(1c03,75,5,f2899d08,f013183f) at siocnputc+0x30
cnputc(75,2,0,f01be8fe,f2899d54) at cnputc+0x42
vprintf(75,f2899d78) at vprintf+0xef
kvprintf(f01bea3c,f01317a8,f2899d78,a,f2899d94) at kvprintf+0x62d
printf(f01bea29,c,f01be8f3,f01bea1d) at printf+0x3d
trap(f2899e0c,76107ca,f2874200,c,0) at trap+0x7e8
trap(f2899e0c,0,76107ca,80000000,f2874200) at trap+0x757
trap(f2870010,f01c0010,f286c980,f2874200,f2899e48) at trap+0x3b6
alltraps(1c80,f2899f34,7f0000,f2899ef8,f2899f34) at alltraps+0x28
spec_vnoperate(f2899ef8,f2899ef8,f0591600,f286c980,f2899ed0) at spec_vnoperate+0x2c3
ufs_itimes(f2899ef8,f2899f0c,f0150c01,f2899ef8,5dc) at ufs_itimes+0x24c8
ufs_vnoperatespec(f2899ef8,5dc,f2874200,f2899f2c,f2899ef8) at ufs_vnoperatespec+0x15
vn_rdwr(f0591600,f2899f34,f0403900,f2874200,f01c4efc) at vn_rdwr+0x23d
read(f2874200,f2899f84) at read+0x95
syscall(27,efbf0027,25620,1,efbfdd18) at syscall+0x127
Xint0x80_syscall() at Xint0x80_syscall+0x2c
db> 

>How-To-Repeat:
Not sure
>Fix:
Not sure

>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: freebsd-gnats-submit@FreeBSD.ORG, hgoldste@bbs.mpcs.com
Cc:  
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Sat, 20 Feb 1999 16:12:46 +1100

 >db> trace /u
 >random_poll(f0571000,f2899ca8,f0191b67,0,f0570010) at random_poll+0xef3
 >random_poll(0,f0570010,2ed,2ed,0) at random_poll+0xe6a
 >Xfastintr4(f2899cd4,80000000,0,f2899cd4,f2899cdc) at Xfastintr4+0x17
 >random_poll(f2899cd4,75,0,30f000c,b) at random_poll+0x2178
 >siocnputc(1c03,75,5,f2899d08,f013183f) at siocnputc+0x30
 
 You are apparently using rndcontrol(8) for an interrupt with a "fast"
 interrupt handler.  Don't do that.  Among other things, it breaks
 interrupt masking, so bad things like reentering random_poll() can
 happen; the trace shows this happening.
 
 Bruce
 

From: Howard Goldstein <hgoldste@bbs.mpcs.com>
To: Bruce Evans <bde@zeta.org.au>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Sat, 20 Feb 1999 08:16:24 -0500 (EST)

 Bruce Evans writes:
  > You are apparently using rndcontrol(8) for an interrupt with a "fast"
  > interrupt handler.  Don't do that.  
 
 I'm not.  rndcontrol doesn't report using any interrupts...
 
 Does stuff earlier in the backtrace suggest something toasty
 elsewhere, perhaps in mfs? 
 

From: Howard Goldstein <hgoldste@bbs.mpcs.com>
To: Bruce Evans <bde@zeta.org.au>
Cc: freebsd-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Sat, 20 Feb 1999 11:43:15 -0500 (EST)

 My target doesn't have a swap to take a dump on or a very large flash 
 for a full debug kernel, but I was able to build the suspect vfs and
 ufs stuff with -g and grab some (hopefully good) backtraces and
 structure contents with kgdb.  
 
 Is the call in frame #15 (at the end of the transcript) suspicious?
 
 [as an aside it seems if I do the break to console I consistently wind
 up in random_poll+ef3...I guess I ought to compile that with -g too...]
 
 
 # 
 
 Fatal trap 12: page fault kernel trap 12 with interrupts disabled
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x76107fa
 fault code              = supervisor read, page not present
 instruction pointer     = 0x8:0xf01a7bc3
 stack pointer           = 0x10:0xf289bc4c
 frame pointer           = 0x10:0xf289bc70
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = resume, IOPL = 0
 current process         = 60 (vdusrvr)
 interrupt mask          = tty 
 kernel: type 12 trap, code=0
 Stopped at      random_poll+0xef3:      testb   $0x1,0x84(%eax)
 db> trace
 random_poll(f0571000,f289bca8,f0191b67,0,f0570010) at random_poll+0xef3
 random_poll(0,f0570010,2ed,2ed,0) at random_poll+0xe6a
 Xfastintr4(f289bcd4,80000000,80000000,f289bcd4,f289bcdc) at Xfastintr4+0x17
 random_poll(f289bcd4,20,0,30f000c,b) at random_poll+0x2178
 siocnputc(1c03,20,5,f289bd08,f013183f) at siocnputc+0x30
 cnputc(20,ffffffff,0,20,f289bd54) at cnputc+0x42
 vprintf(20,f289bd78) at vprintf+0xef
 kvprintf(f01bea3d,f01317a8,f289bd78,a,f289bd94) at kvprintf+0x65
 printf(f01bea29,c,f01be8f3,f01bea1d) at printf+0x3d
 trap(f289be0c,76107ca,f2874200,c,0) at trap+0x7e8
 trap(f289be0c,0,76107ca,80000000,f2874200) at trap+0x757
 trap(f2870010,f01c0010,f286c8c0,f2874200,f289be48) at trap+0x3b6
 alltraps(1c80,f289bf34,5f0000,f289bef8,f289bf34) at alltraps+0x28
 spec_vnoperate(f289bef8,f289bef8,f05915c0,f286c8c0,f289bed0) at spec_vnoperate+0x2c3
 ufs_itimes(f289bef8,f289bf0c,f0150c01,f289bef8,5dc) at ufs_itimes+0x24c8
 ufs_vnoperatespec(f289bef8,5dc,f2874200,f289bf2c,f289bef8) at ufs_vnoperatespec+0x15
 vn_rdwr(f05915c0,f289bf34,f0403900,f2874200,f01c4efc) at vn_rdwr+0x23d
 read(f2874200,f289bf84) at read+0x95
 syscall(f01a0027,27,25620,1,efbfdd18) at syscall+0x127
 Xint0x80_syscall() at Xint0x80_syscall+0x2c
 db> gdb
 Next trap will enter GDB remote protocol mode
 db> 
 Next trap will enter DDB debugger
 db> 
 Next trap will enter GDB remote protocol mode
 db> gdb
 Next trap will enter DDB debugger
 db> gdb
 Next trap will enter GDB remote protocol mode
 db> cont
 kernel trap 12 with interrupts disabled
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x76107fa
 fault code              = supervisor read, page not present
 instruction pointer     = 0x8:0xf01a7bc3
 stack pointer           = 0x10:0xf289bc4c
 frame pointer           = 0x10:0xf289bc70
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = resume, IOPL = 0
 current process         = 60 (vdusrvr)
 interrupt mask          = tty 
 $T0b08:c37b1af0;05:70bc89f2;04:4cbc89f2;#67$T0b08:c37b1af0;05:70bc89f2;04:4cbc89f2;#67~.
 slice:/sys/compile/PICOBSD-D.1600# gdb -k kernel
 GDB is free software and you are welcome to distribute copies of it
  under certain conditions; type "show copying" to see the conditions.
 There is absolutely no warranty for GDB; type "show warranty" for details.
 GDB 4.16 (i386-unknown-freebsd), 
 Copyright 1996 Free Software Foundation, Inc...
 (kgdb) target remote /dev/cuaa1
 Remote debugging using /dev/cuaa1
 0xf01a7bc3 in siointr1 ()
 (kgdb) bt
 #0  0xf01a7bc3 in siointr1 ()
 #1  0xf01a7b3a in siointr ()
 #2  0xf0191b67 in Xfastintr4 ()
 #3  0xf01a8e48 in siocnclose ()
 #4  0xf01a90b8 in siocnputc ()
 #5  0xf01900fe in cnputc ()
 #6  0xf013183f in putchar ()
 #7  0xf01319ad in kvprintf ()
 #8  0xf013172d in printf ()
 #9  0xf019d1e8 in trap_fatal ()
 #10 0xf019d157 in trap_pfault ()
 #11 0xf019cdb6 in trap ()
 #12 0xf01a7a17 in sioread ()
 #13 0xf0154603 in spec_read (ap=0xf289bef8)
     at ../../miscfs/specfs/spec_vnops.c:278
 #14 0xf01740dc in ufsspec_read (ap=0xf289bef8)
     at ../../ufs/ufs/ufs_vnops.c:1811
 #15 0xf017464d in ufs_vnoperatespec (ap=0xf289bef8)
     at ../../ufs/ufs/ufs_vnops.c:2312
 #16 0xf0150c01 in vn_read (fp=0xf05915c0, uio=0xf289bf34, cred=0xf0403900)
     at vnode_if.h:303
 #17 0xf0133911 in read ()
 #18 0xf019d687 in syscall ()
 ---Type <return> to continue, or q <return> to quit---
 #19 0xf019174c in Xint0x80_syscall ()
 #20 0x80487b5 in ?? ()
 #21 0x80480e9 in ?? ()
 (kgdb) l
 175      *
 176      * This allows simple addition of new kernel subsystems that require
 177      * boot time initialization.  It also allows substitution of subsystem
 178      * (for instance, a scheduler, kernel profiler, or VM system) by object
 179      * module.  Finally, it allows for optional "kernel threads".
 180      */
 181     void
 182     main(framep)
 183             void *framep;
 184     {
 (kgdb) bt
 #0  0xf01a7bc3 in siointr1 ()
 #1  0xf01a7b3a in siointr ()
 #2  0xf0191b67 in Xfastintr4 ()
 #3  0xf01a8e48 in siocnclose ()
 #4  0xf01a90b8 in siocnputc ()
 #5  0xf01900fe in cnputc ()
 #6  0xf013183f in putchar ()
 #7  0xf01319ad in kvprintf ()
 #8  0xf013172d in printf ()
 #9  0xf019d1e8 in trap_fatal ()
 #10 0xf019d157 in trap_pfault ()
 #11 0xf019cdb6 in trap ()
 #12 0xf01a7a17 in sioread ()
 #13 0xf0154603 in spec_read (ap=0xf289bef8)
     at ../../miscfs/specfs/spec_vnops.c:278
 #14 0xf01740dc in ufsspec_read (ap=0xf289bef8)
     at ../../ufs/ufs/ufs_vnops.c:1811
 #15 0xf017464d in ufs_vnoperatespec (ap=0xf289bef8)
     at ../../ufs/ufs/ufs_vnops.c:2312
 #16 0xf0150c01 in vn_read (fp=0xf05915c0, uio=0xf289bf34, cred=0xf0403900)
     at vnode_if.h:303
 #17 0xf0133911 in read ()
 #18 0xf019d687 in syscall ()
 ---Type <return> to continue, or q <return> to quit---
 #19 0xf019174c in Xint0x80_syscall ()
 #20 0x80487b5 in ?? ()
 #21 0x80480e9 in ?? ()
 (kgdb) frame
 #0  0xf01a7bc3 in siointr1 ()
 (kgdb) frame 13
 #13 0xf0154603 in spec_read (ap=0xf289bef8)
     at ../../miscfs/specfs/spec_vnops.c:278
 278                     error = (*cdevsw[major(vp->v_rdev)]->d_read)
 (kgdb) print *vp
 $1 = {v_flag = 8, v_usecount = 1, v_writecount = 1, v_holdcnt = 0, 
   v_lastr = 0, v_id = 239, v_mount = 0xf0586e00, v_op = 0xf057e800, 
   v_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, v_mntvnodes = {
     le_next = 0xf286c980, le_prev = 0xf286c768}, v_cleanblkhd = {
     tqh_first = 0x0, tqh_last = 0xf286c8f0}, v_dirtyblkhd = {tqh_first = 0x0, 
     tqh_last = 0xf286c8f8}, v_synclist = {le_next = 0x0, le_prev = 0x0}, 
   v_numoutput = 0, v_type = VCHR, v_un = {vu_mountedhere = 0xf056d900, 
     vu_socket = 0xf056d900, vu_specinfo = 0xf056d900, 
     vu_fifoinfo = 0xf056d900}, v_lease = 0x0, v_lastw = 0, v_cstart = 0, 
   v_lasta = 0, v_clen = 0, v_maxio = 0, v_object = 0x0, v_interlock = {
     lock_data = 0}, v_vnlock = 0x0, v_tag = VT_UFS, v_data = 0xf0596e00, 
   v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xf0591580, 
     tqh_last = 0xf0591590}, v_dd = 0xf286c8c0, v_ddid = 0, v_pollinfo = {
     vpi_lock = {lock_data = 0}, vpi_selinfo = {si_pid = 0, si_flags = 0}, 
     vpi_events = 0, vpi_revents = 0}}
 (kgdb) l
 273
 274             switch (vp->v_type) {
 275
 276             case VCHR:
 277                     VOP_UNLOCK(vp, 0, p);
 278                     error = (*cdevsw[major(vp->v_rdev)]->d_read)
 279                             (vp->v_rdev, uio, ap->a_ioflag);
 280                     vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
 281                     return (error);
 282
 (kgdb) frame 14
 #14 0xf01740dc in ufsspec_read (ap=0xf289bef8)
     at ../../ufs/ufs/ufs_vnops.c:1811
 1811            error = VOCALL(spec_vnodeop_p, VOFFSET(vop_read), ap);
 (kgdb) frame 15
 #15 0xf017464d in ufs_vnoperatespec (ap=0xf289bef8)
     at ../../ufs/ufs/ufs_vnops.c:2312
 2312            return (VOCALL(ufs_specop_p, ap->a_desc->vdesc_offset, ap));
 (kgdb) frame 13
 #13 0xf0154603 in spec_read (ap=0xf289bef8)
     at ../../miscfs/specfs/spec_vnops.c:278
 278                     error = (*cdevsw[major(vp->v_rdev)]->d_read)
 (kgdb) l
 273
 274             switch (vp->v_type) {
 275
 276             case VCHR:
 277                     VOP_UNLOCK(vp, 0, p);
 278                     error = (*cdevsw[major(vp->v_rdev)]->d_read)
 279                             (vp->v_rdev, uio, ap->a_ioflag);
 280                     vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
 281                     return (error);
 282
 (kgdb) l 270
 265     #ifdef DIAGNOSTIC
 266             if (uio->uio_rw != UIO_READ)
 267                     panic("spec_read mode");
 268             if (uio->uio_segflg == UIO_USERSPACE && uio->uio_procp != curproc)
 269                     panic("spec_read proc");
 270     #endif
 271             if (uio->uio_resid == 0)
 272                     return (0);
 273
 274             switch (vp->v_type) {
 (kgdb) print *uio
 $2 = {uio_iov = 0xf289bf2c, uio_iovcnt = 1, uio_offset = 0x0000000000161bdb, 
   uio_resid = 1500, uio_segflg = UIO_USERSPACE, uio_rw = UIO_READ, 
   uio_procp = 0xf2874200}
 (kgdb)  print *p
 $3 = {p_procq = {tqe_next = 0xf037a3f4, tqe_prev = 0x0}, p_list = {
     le_next = 0xf2874360, le_prev = 0xf28740a8}, p_cred = 0xf056d980, 
   p_fd = 0xf05a8380, p_stats = 0xf289a214, p_limit = 0xf058f600, 
   p_upages_obj = 0xf03711ec, p_procsig = 0xf056d960, p_flag = 16390, 
   p_stat = 2 '\002', p_pad1 = "\000\000", p_pid = 60, p_hash = {le_next = 0x0, 
     le_prev = 0xf056feb0}, p_pglist = {le_next = 0x0, le_prev = 0xf28740dc}, 
   p_pptr = 0xf2874360, p_sibling = {le_next = 0x0, le_prev = 0xf28740e8}, 
   p_children = {lh_first = 0x0}, p_ithandle = {callout = 0xf116c3d8}, 
   p_oppid = 0, p_dupfd = 0, p_vmspace = 0xf2877a00, p_estcpu = 29, 
   p_cpticks = 15, p_pctcpu = 130, p_wchan = 0x0, 
   p_wmesg = 0xf01b5bec "select", p_swtime = 892, p_slptime = 0, p_realtimer = {
     it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, 
       tv_usec = 0}}, p_runtime = 95169842, p_switchtime = {tv_sec = 951, 
     tv_usec = 285744}, p_uticks = 8217, p_sticks = 3685, p_iticks = 101, 
   p_traceflag = 0, p_tracep = 0x0, p_siglist = 0, p_textvp = 0xf286cbc0, 
   p_lock = 0 '\000', p_oncpu = 0 '\000', p_lastcpu = 0 '\000', 
   p_pad2 = 0 '\000', p_locks = 0, p_simple_locks = 0, p_stops = 0, 
   p_stype = 0, p_step = 0 '\000', p_pfsflags = 0 '\000', p_pad3 = "\000", 
   p_retval = {0, 0}, p_sigiolst = {slh_first = 0x0}, p_sigparent = 0, 
   p_oldsigmask = 0, p_sig = 0, p_code = 0, p_sigmask = 0, p_priority = 57 '9', 
   p_usrpri = 57 '9', p_nice = 0 '\000', 
   p_comm = "vdusrvr\000r\000\000\000\000\000\000\000", p_pgrp = 0xf056da40, 
   p_sysent = 0xf01c4cd4, p_rtprio = {type = 1, prio = 0}, p_addr = 0xf289a000, 
 ---Type <return> to continue, or q <return> to quit---
   p_md = {md_regs = 0xf289bfac}, p_xstat = 0, p_acflag = 0, p_ru = 0x0, 
   p_nthreads = 0, p_aioinfo = 0x0, p_wakeup = 0, p_peers = 0x0, 
   p_leader = 0xf2874200, p_asleep = {as_priority = 0, as_timo = 0}}
 (kgdb) print cdevsw
 $5 = {0xf035e58c, 0xf01c7f74, 0xf035ef18, 0x0, 0xf035cafc, 0xf01c7ea8, 
   0xf01c7ef4, 0xf01c79f8, 0x0, 0xf035f5ec, 0x0, 0x0, 0xf035e468, 0x0, 0x0, 
   0x0, 0xf01c4b9c, 0x0, 0x0, 0x0, 0x0, 0x0, 0xf01c613c, 0x0, 0x0, 0x0, 0x0, 
   0x0, 0xf035f9b4, 0x0 <repeats 72 times>, 0xf036158c, 0x0 <repeats 154 times>}
 (kgdb)(kgdb) 
 (kgdb) frame 14
 #14 0xf01740dc in ufsspec_read (ap=0xf289bef8)
     at ../../ufs/ufs/ufs_vnops.c:1811
 1811            error = VOCALL(spec_vnodeop_p, VOFFSET(vop_read), ap);
 (kgdb) print *ap
 $8 = {a_desc = 0xf01c421c, a_vp = 0xf286c8c0, a_uio = 0xf289bf34, 
   a_ioflag = 6225920, a_cred = 0xf0403900}
 (kgdb) print *spec_vnodeop_p
 $9 = (int (*)()) 0xf0148250 <vop_panic>
    ^^^^ ????????????
 whoa, what's that?
 
 (kgdb) l 1800
 1795     */
 1796    int
 1797    ufsspec_read(ap)
 1798            struct vop_read_args /* {
 1799                    struct vnode *a_vp;
 1800                    struct uio *a_uio;
 1801                    int  a_ioflag;
 1802                    struct ucred *a_cred;
 1803            } */ *ap;
 1804    {
 (kgdb)  print *ap->a_vp
 $11 = {v_flag = 8, v_usecount = 1, v_writecount = 1, v_holdcnt = 0, 
   v_lastr = 0, v_id = 239, v_mount = 0xf0586e00, v_op = 0xf057e800, 
   v_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, v_mntvnodes = {
     le_next = 0xf286c980, le_prev = 0xf286c768}, v_cleanblkhd = {
     tqh_first = 0x0, tqh_last = 0xf286c8f0}, v_dirtyblkhd = {tqh_first = 0x0, 
     tqh_last = 0xf286c8f8}, v_synclist = {le_next = 0x0, le_prev = 0x0}, 
   v_numoutput = 0, v_type = VCHR, v_un = {vu_mountedhere = 0xf056d900, 
     vu_socket = 0xf056d900, vu_specinfo = 0xf056d900, 
     vu_fifoinfo = 0xf056d900}, v_lease = 0x0, v_lastw = 0, v_cstart = 0, 
   v_lasta = 0, v_clen = 0, v_maxio = 0, v_object = 0x0, v_interlock = {
     lock_data = 0}, v_vnlock = 0x0, v_tag = VT_UFS, v_data = 0xf0596e00, 
   v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xf0591580, 
     tqh_last = 0xf0591590}, v_dd = 0xf286c8c0, v_ddid = 0, v_pollinfo = {
     vpi_lock = {lock_data = 0}, vpi_selinfo = {si_pid = 0, si_flags = 0}, 
     vpi_events = 0, vpi_revents = 0}}
 (kgdb)print *ap->a_uio
 $12 = {uio_iov = 0xf289bf2c, uio_iovcnt = 1, uio_offset = 0x0000000000161bdb, 
   uio_resid = 1500, uio_segflg = UIO_USERSPACE, uio_rw = UIO_READ, 
   uio_procp = 0xf2874200}
 (kgdb) print ap->a_ioflag
 $13 = 6225920
 (kgdb) print *ap->a_cred
 $14 = {cr_ref = 25, cr_uid = 0, cr_ngroups = 1, cr_groups = {
     0 <repeats 16 times>}}
 (kgdb) frame 15
 #15 0xf017464d in ufs_vnoperatespec (ap=0xf289bef8)
     at ../../ufs/ufs/ufs_vnops.c:2312
 2312            return (VOCALL(ufs_specop_p, ap->a_desc->vdesc_offset, ap));
 (kgdb) frame 16
 #16 0xf0150c01 in vn_read (fp=0xf05915c0, uio=0xf289bf34, cred=0xf0403900)
     at vnode_if.h:303
 303             return (VCALL(vp, VOFFSET(vop_read), &a));
 (kgdb) print a
 $18 = {a_desc = 0xf01c421c, a_vp = 0xf286c8c0, a_uio = 0xf289bf34, 
   a_ioflag = 6225920, a_cred = 0xf0403900}
 (kgdb)
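The line beginning `$T0b08:c37b1af0;...#67` that appeared on the console above is the GDB remote-protocol stop reply the kernel's gdb stub sent when the trap happened. As an added example (not code from the PR or from FreeBSD), the script below parses that packet, verifies its checksum, byte-swaps the little-endian register values, and checks them against the ddb `Fatal trap` dump printed just before it; the register numbering and signal names are GDB's i386 conventions, and both sample inputs are copied from the transcript above.

```python
import re

# GDB's i386 register numbering, as used in 'T' stop-reply packets.
I386_REGS = {0: "eax", 1: "ecx", 2: "edx", 3: "ebx", 4: "esp", 5: "ebp",
             6: "esi", 7: "edi", 8: "eip", 9: "eflags", 10: "cs", 11: "ss"}

# Signal numbers the stub reports; 11 (SIGSEGV) is what a page fault becomes.
SIGNAL_NAMES = {4: "SIGILL", 5: "SIGTRAP", 8: "SIGFPE", 11: "SIGSEGV"}

def gdb_checksum(payload):
    """Remote-protocol checksum: sum of the payload bytes modulo 256."""
    return sum(payload.encode("ascii")) % 256

def split_packets(line):
    """Extract every '$...#xx' frame from a console line (the PR's line carries
    the same stop reply twice, followed by a stray '~.' terminator)."""
    return re.findall(r"\$[^#]*#[0-9a-fA-F]{2}", line)

def parse_stop_reply(packet):
    """Parse '$T<sig><regno>:<hex>;...#<cksum>'.

    Register bytes are in target order (little-endian on i386), so each
    8-digit value is byte-swapped before use. Raises ValueError on a framing
    or checksum error, which is what a corrupted serial link would produce.
    """
    m = re.fullmatch(r"\$(.*)#([0-9a-fA-F]{2})", packet)
    if m is None:
        raise ValueError("not a framed $...#xx packet")
    payload, wire_sum = m.group(1), int(m.group(2), 16)
    if gdb_checksum(payload) != wire_sum:
        raise ValueError("checksum mismatch: computed %02x, packet says %02x"
                         % (gdb_checksum(payload), wire_sum))
    if not payload.startswith("T"):
        raise ValueError("not a T stop reply")
    signo = int(payload[1:3], 16)
    regs = {}
    for field in filter(None, payload[3:].split(";")):
        regno, hexval = field.split(":", 1)
        name = I386_REGS.get(int(regno, 16), regno)
        regs[name] = int.from_bytes(bytes.fromhex(hexval), "little")
    return {"signal": signo, "signal_name": SIGNAL_NAMES.get(signo, "?"),
            "regs": regs}

def parse_ddb_trap(text):
    """Pull eip/esp/ebp (selector:offset form) and the faulting address out
    of a ddb 'Fatal trap' register dump."""
    regs = {}
    for label, key in (("instruction pointer", "eip"), ("stack pointer", "esp"),
                       ("frame pointer", "ebp")):
        m = re.search(label + r"\s*=\s*0x[0-9a-f]+:0x([0-9a-f]+)", text)
        if m:
            regs[key] = int(m.group(1), 16)
    m = re.search(r"fault virtual address\s*=\s*0x([0-9a-f]+)", text)
    if m:
        regs["fault_va"] = int(m.group(1), 16)
    return regs

def cross_check(console_line, ddb_text):
    """Compare the registers in the first stop reply with the ddb dump."""
    reply = parse_stop_reply(split_packets(console_line)[0])
    ddb = parse_ddb_trap(ddb_text)
    return {r: reply["regs"].get(r) == ddb.get(r) for r in ("eip", "esp", "ebp")}

# Both inputs are copied from the PR transcript above.
CONSOLE_LINE = ("$T0b08:c37b1af0;05:70bc89f2;04:4cbc89f2;#67"
                "$T0b08:c37b1af0;05:70bc89f2;04:4cbc89f2;#67~.")
DDB_DUMP = """\
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x76107fa
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xf01a7bc3
stack pointer           = 0x10:0xf289bc4c
frame pointer           = 0x10:0xf289bc70
"""

if __name__ == "__main__":
    rep = parse_stop_reply(split_packets(CONSOLE_LINE)[0])
    print("signal %d (%s)" % (rep["signal"], rep["signal_name"]))
    for name, val in rep["regs"].items():
        print("  %-3s = 0x%08x" % (name, val))
    print("matches ddb dump:", cross_check(CONSOLE_LINE, DDB_DUMP))
```

With a matching dump the three registers agree, which is a cheap way to confirm that the serial link and the stub's register reporting are sound before trusting anything kgdb prints over it.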
 
 

From: Bruce Evans <bde@zeta.org.au>
To: bde@zeta.org.au, hgoldste@bbs.mpcs.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Sun, 21 Feb 1999 13:22:51 +1100

 > > You are apparently using rndcontrol(8) for an interrupt with a "fast"
 > > interrupt handler.  Don't do that.  
 >
 >I'm not.  rndcontrol doesn't report using any interrupts...
 >
 >Does stuff earlier in the backtrace suggest something toasty
 >elsewhere, perhaps in mfs? 
 
 It suggests that the rndcontrol function was not called after all,
 because some of the earlier stuff is garbage.  The symbols are
 inconsistent with the running kernel.
 
 Bruce
 

From: Bruce Evans <bde@zeta.org.au>
To: bde@zeta.org.au, hgoldste@bbs.mpcs.com
Cc: freebsd-bugs@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Sun, 21 Feb 1999 13:34:06 +1100

 >My target doesn't have a swap to take a dump on or a very large flash 
 >for a full debug kernel, but I was able to build the suspect vfs and
 >ufs stuff with -g and grab some (hopefully good) backtraces and
 >structure contents with kgdb.  
 
 The symbols seem to be OK for these, but no data is printed for the
 critical frame(s) (the one shown as calling trap(), and possible one
 not shown that actually calls trap()).
 
 >Is the call in frame #15 (at the end of the transcript) suspicious?
 
 No.
 
 >[as an aside it seems if I do the break to console I consistently wind
 >up in random_poll+ef3...I guess I ought to compile that with -g too...]
 
 This is garbage.  You should wind up at Debugger+0x35 or thereabouts.
 random_poll doesn't contain any addresses beyond random_poll+0x50.
 
 Bruce
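The symptom Bruce points at here, ddb reporting `random_poll+0xef3` for an address that kgdb later places in `siointr1()`, is what a stale symbol table looks like: ddb names the nearest preceding symbol it knows, so the offset runs past the end of the function. As an added example (not from the PR), the script below recovers the absolute address behind each ddb `sym+offset`, flags offsets that exceed the symbol's extent, and pairs the frames with the kgdb backtrace. The three function addresses in the table are inferred from the PR (ddb's offset against the absolute eip kgdb printed for the same frame); the extents and the neighbouring symbols are constructed for the example.

```python
import re

# Symbol table for the *stale* kernel ddb was reading names from. The three
# function addresses are inferred from the PR; the neighbours (and so the
# extents) are constructed for this example and are not on the page.
STALE_SYMTAB = sorted([
    (0xf0191b50, "Xfastintr4"),    # 0xf0191b67 - 0x17
    (0xf0191b80, "Xfastintr5"),    # constructed neighbour
    (0xf01a6cd0, "random_poll"),   # 0xf01a7bc3 - 0xef3
    (0xf01a6d20, "random_read"),   # constructed: ends random_poll at +0x50
    (0xf01a9088, "siocnputc"),     # 0xf01a90b8 - 0x30
    (0xf01a9100, "siocngetc"),     # constructed neighbour
])

DDB_FRAME = re.compile(r"^\s*\w+\(.*\) at (\w+)\+0x([0-9a-f]+)\s*$")
KGDB_FRAME = re.compile(r"^\s*#\d+\s+0x([0-9a-f]+) in (\w+)")

def symbol_extents(symtab):
    """name -> (start, end); end is the next symbol's start (None for the last)."""
    addrs = [a for a, _ in symtab]
    return {name: (addr, addrs[i + 1] if i + 1 < len(addrs) else None)
            for i, (addr, name) in enumerate(symtab)}

def check_ddb_trace(trace_text, symtab):
    """One record per ddb frame; 'suspicious' when sym+offset lies past the
    symbol's extent, i.e. ddb named the nearest preceding symbol it knew
    about rather than the function actually containing the address."""
    extents = symbol_extents(symtab)
    records = []
    for line in trace_text.splitlines():
        m = DDB_FRAME.match(line)
        if not m:
            continue
        sym, off = m.group(1), int(m.group(2), 16)
        start, end = extents.get(sym, (None, None))
        addr = None if start is None else start + off
        suspicious = None if addr is None else (end is not None and addr >= end)
        records.append({"symbol": sym, "offset": off, "addr": addr,
                        "suspicious": suspicious})
    return records

def pair_with_kgdb(ddb_records, kgdb_text):
    """Line ddb frames up with kgdb frames in order and report, per frame,
    whether the addresses agree and what kgdb (with good symbols) called it."""
    kgdb = [(int(m.group(1), 16), m.group(2))
            for m in map(KGDB_FRAME.match, kgdb_text.splitlines()) if m]
    return [{"ddb": d["symbol"], "kgdb": name, "same_addr": d["addr"] == addr}
            for d, (addr, name) in zip(ddb_records, kgdb)]

# Copied from the PR's second transcript: the ddb trace, then the kgdb bt.
DDB_TRACE = """\
random_poll(f0571000,f289bca8,f0191b67,0,f0570010) at random_poll+0xef3
random_poll(0,f0570010,2ed,2ed,0) at random_poll+0xe6a
Xfastintr4(f289bcd4,80000000,80000000,f289bcd4,f289bcdc) at Xfastintr4+0x17
random_poll(f289bcd4,20,0,30f000c,b) at random_poll+0x2178
siocnputc(1c03,20,5,f289bd08,f013183f) at siocnputc+0x30
"""
KGDB_BT = """\
#0  0xf01a7bc3 in siointr1 ()
#1  0xf01a7b3a in siointr ()
#2  0xf0191b67 in Xfastintr4 ()
#3  0xf01a8e48 in siocnclose ()
#4  0xf01a90b8 in siocnputc ()
"""

if __name__ == "__main__":
    recs = check_ddb_trace(DDB_TRACE, STALE_SYMTAB)
    for r, p in zip(recs, pair_with_kgdb(recs, KGDB_BT)):
        print("%-12s+0x%-5x -> 0x%08x %-5s (kgdb: %s)" % (
            r["symbol"], r["offset"], r["addr"],
            "STALE" if r["suspicious"] else "ok", p["kgdb"]))
```

Every recovered address matches the kgdb frame in the same position, so the two traces describe the same stack; only the names ddb attached to the `random_poll` frames are wrong.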
 

From: Howard Goldstein <hgoldste@bbs.mpcs.com>
To: Bruce Evans <bde@zeta.org.au>
Cc: hgoldste@bbs.mpcs.com, freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Sun, 21 Feb 1999 14:12:31 -0500 (EST)

 Bruce Evans writes:
  > The symbols seem to be OK for these, but no data is printed for the
  > critical frame(s) (the one shown as calling trap(), and possible one
  > not shown that actually calls trap()).
 
 Here's some more bt.  I can reproduce this very easily.  Please let me
 know if there are other things I can poke around for to make this
 easier.
 
 #
 
 Fatal trap 12: pkernel trap 12 with interrupts disabled
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x76107fa
 fault code              = supervisor read, page not present
 instruction pointer     = 0x8:0xf01a7bc3
 stack pointer           = 0x10:0xf2899c4c
 frame pointer           = 0x10:0xf2899c70
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = resume, IOPL = 0
 current process         = 50 (vdusrvr)
 interrupt mask          = tty
 kernel: type 12 trap, code=0
 Stopped at      random_poll+0xef3:      testb   $0x1,0x84(%eax)
 db> trace
 random_poll(f0571000,f2899ca8,f0191b67,0,10) at random_poll+0xef3
 random_poll(0,10,2ed,2ed,20) at random_poll+0xe6a
 Xfastintr4(f2899cd4,80000000,283,f2899cd4,f2899cdc) at Xfastintr4+0x17
 random_poll(f2899cd4,70,0,30f000c,3a6f680b) at random_poll+0x2178
 siocnputc(1c03,70,5,f2899d08,f013183f) at siocnputc+0x30
 cnputc(70,9,0,f01be8fe,f2899d54) at cnputc+0x42
 vprintf(70,f2899d78) at vprintf+0xef
 kvprintf(f01bea3c,f01317a8,f2899d78,a,f2899d94) at kvprintf+0x62d
 printf(f01bea29,c,f01be8f3,f01bea1d) at printf+0x3d
 trap(f2899e0c,76107ca,f2874200,c,0) at trap+0x7e8
 trap(f2899e0c,0,76107ca,80000000,f2874200) at trap+0x757
 trap(10,f2890010,f286c980,f2874200,f2899e48) at trap+0x3b6
 alltraps(1c80,f2899f34,7f0010,f2899ef8,f2899f34) at alltraps+0x28
 spec_vnoperate(f2899ef8,f2899ef8,f0591680,f286c980,f2899ed0) at spec_vnoperate+0x2c3
 ufs_itimes(f2899ef8,f2899f0c,f0150c01,f2899ef8,5dc) at ufs_itimes+0x24c8
 ufs_vnoperatespec(f2899ef8,5dc,f2874200,f2899f2c,f2899ef8) at ufs_vnoperatespec+0x15
 vn_rdwr(f0591680,f2899f34,f0403900,f2874200,f01c4efc) at vn_rdwr+0x23d
 read(f2874200,f2899f84) at read+0x95
 syscall(10027,27,25620,efbfd6bc,efbfdd18) at syscall+0x127
 Xint0x80_syscall() at Xint0x80_syscall+0x2c
 db>
 
 *****
 
 Remote debugging using /dev/cuaa1
 0xf01a7bc3 in siointr1 (com=0xf0571000) at ../../i386/isa/sio.c:1545
 1545                                            if (com->tp == NULL
 (kgdb) bt
 #0  0xf01a7bc3 in siointr1 (com=0xf0571000) at ../../i386/isa/sio.c:1545
 #1  0xf01a7b3a in siointr (unit=0) at ../../i386/isa/sio.c:1465
 #2  0xf0191b67 in Xfastintr4 ()
 #3  0xf01a8e48 in siocnclose (sp=0xf2899cd4) at ../../i386/isa/sio.c:2600
 #4  0xf01a90b8 in siocnputc (dev=7171, c=112) at ../../i386/isa/sio.c:2742
 #5  0xf01900fe in cnputc (c=112) at ../../i386/i386/cons.c:413
 #6  0xf013183f in putchar (c=112, arg=0xf2899d78) at ../../kern/subr_prf.c:309
 #7  0xf0131f75 in kvprintf (fmt=0xf01bea3c " while in %s mode\n",
     func=0xf01317a8 <putchar>, arg=0xf2899d78, radix=10,
     ap=0xf2899d94 "\035ê\eð") at ../../kern/subr_prf.c:590
 #8  0xf013172d in printf (
     fmt=0xf01bea29 "\n\nFatal trap %d: %s while in %s mode\n")
     at ../../kern/subr_prf.c:262
 #9  0xf019d1e8 in trap_fatal (frame=0xf2899e0c, eva=123799498)
     at ../../i386/i386/trap.c:858
 #10 0xf019d157 in trap_pfault (frame=0xf2899e0c, usermode=0, eva=123799498)
     at ../../i386/i386/trap.c:835
 #11 0xf019cdb6 in trap (frame={tf_es = 16, tf_ds = -225902576,
       tf_edi = -226047616, tf_esi = -226016768, tf_ebp = -225862072,
       tf_isp = -225862092, tf_ebx = -225861896, tf_edx = 128,
       tf_ecx = -262743808, tf_eax = 123799414, tf_trapno = 12, tf_err = 0,
       tf_eip = -266700265, tf_cs = -226033656, tf_eflags = 66118,
       tf_esp = -225861972, tf_ss = -267041277}) at ../../i386/i386/trap.c:437
 ---Type <return> to continue, or q <return> to quit---
 #12 0xf01a7a17 in sioread (dev=7296, uio=0xf2899f34, flag=8323088)
     at ../../i386/isa/sio.c:1385
 #13 0xf0154603 in spec_read (ap=0xf2899ef8)
     at ../../miscfs/specfs/spec_vnops.c:278
 #14 0xf01740dc in ufsspec_read (ap=0xf2899ef8)
     at ../../ufs/ufs/ufs_vnops.c:1811
 #15 0xf017464d in ufs_vnoperatespec (ap=0xf2899ef8)
     at ../../ufs/ufs/ufs_vnops.c:2312
 #16 0xf0150c01 in vn_read (fp=0xf0591680, uio=0xf2899f34, cred=0xf0403900)
     at vnode_if.h:303
 #17 0xf0133911 in read (p=0xf2874200, uap=0xf2899f84)
     at ../../kern/sys_generic.c:121
 #18 0xf019d687 in syscall (frame={tf_es = 65575, tf_ds = 39, tf_edi = 153120,
       tf_esi = -272640324, tf_ebp = -272638696, tf_isp = -225861676,
       tf_ebx = -1, tf_edx = 671417344, tf_ecx = -272640264, tf_eax = 3,
       tf_trapno = 0, tf_err = 2, tf_eip = 134516156, tf_cs = 31,
       tf_eflags = 582, tf_esp = -272640376, tf_ss = 39})
     at ../../i386/i386/trap.c:1100
 #19 0xf019174c in Xint0x80_syscall ()
 #20 0x80487ed in ?? ()
 #21 0x80480e9 in ?? ()
 (kgdb)  frame 11
 #11 0xf019cdb6 in trap (frame={tf_es = 16, tf_ds = -225902576,
       tf_edi = -226047616, tf_esi = -226016768, tf_ebp = -225862072,
       tf_isp = -225862092, tf_ebx = -225861896, tf_edx = 128,
       tf_ecx = -262743808, tf_eax = 123799414, tf_trapno = 12, tf_err = 0,
       tf_eip = -266700265, tf_cs = -226033656, tf_eflags = 66118,
       tf_esp = -225861972, tf_ss = -267041277}) at ../../i386/i386/trap.c:437
 437                             (void) trap_pfault(&frame, FALSE, eva);
 (kgdb) print eva
 $1 = 123799498
 (kgdb) print *eva
 Cannot access memory at address 0x76107ca.
 (kgdb) l
 432     #endif
 433                     /* kernel trap */
 434
 435                     switch (type) {
 436                     case T_PAGEFLT:                 /* page fault */
 437                             (void) trap_pfault(&frame, FALSE, eva);
 438                             return;
 439
 440                     case T_DNA:
 441     #if NNPX > 0
 (kgdb)  frame 10
 #10 0xf019d157 in trap_pfault (frame=0xf2899e0c, usermode=0, eva=123799498)
     at ../../i386/i386/trap.c:835
 835                     trap_fatal(frame, eva);
 (kgdb) l
 830             if (!usermode) {
 831                     if (intr_nesting_level == 0 && curpcb && curpcb->pcb_onfault) {
 832                             frame->tf_eip = (int)curpcb->pcb_onfault;
 833                             return (0);
 834                     }
 835                     trap_fatal(frame, eva);
 836                     return (-1);
 837             }
 838
 839             /* kludge to pass faulting virtual address to sendsig */
 (kgdb) print *frame
 $2 = {tf_es = 16, tf_ds = -225902576, tf_edi = -226047616,
   tf_esi = -226016768, tf_ebp = -225862072, tf_isp = -225862092,
   tf_ebx = -225861896, tf_edx = 128, tf_ecx = -262743808, tf_eax = 123799414,
   tf_trapno = 12, tf_err = 0, tf_eip = -266700265, tf_cs = -226033656,
   tf_eflags = 66118, tf_esp = -225861972, tf_ss = -267041277}
 (kgdb) print *curpcb
 $3 = 15962112
 (kgdb) print curpcb
 $4 = -225869824
 (kgdb)  print eva
 $5 = 123799498
 (kgdb) print *eva
 Cannot access memory at address 0x76107ca.
 (kgdb)  frame 9
 #9  0xf019d1e8 in trap_fatal (frame=0xf2899e0c, eva=123799498)
     at ../../i386/i386/trap.c:858
 858                     printf("\n\nFatal trap %d: %s while in %s mode\n",
 (kgdb) l
 853             code = frame->tf_err;
 854             type = frame->tf_trapno;
 855             sdtossd(&gdt[IDXSEL(frame->tf_cs & 0xffff)].sd, &softseg);
 856
 857             if (type <= MAX_TRAP_MSG)
 858                     printf("\n\nFatal trap %d: %s while in %s mode\n",
 859                             type, trap_msg[type],
 860                             frame->tf_eflags & PSL_VM ? "vm86" :
 861                             ISPL(frame->tf_cs) == SEL_UPL ? "user" : "kernel");
 862     #ifdef SMP
 (kgdb) print type
 print code
 $7 = 12
 (kgdb) print code
 $8 = 0
 (kgdb)  frame 12
 #12 0xf01a7a17 in sioread (dev=7296, uio=0xf2899f34, flag=8323088)
     at ../../i386/isa/sio.c:1385
 1385            tp = com_addr(unit)->tp;
 (kgdb) l
 1380            if (mynor & CONTROL_MASK)
 1381                    return (ENODEV);
 1382            unit = MINOR_TO_UNIT(mynor);
 1383            if (com_addr(unit)->gone)
 1384                    return (ENODEV);
 1385            tp = com_addr(unit)->tp;
 1386            return ((*linesw[tp->t_line].l_read)(tp, uio, flag));
 1387    }
 1388
 1389    static int
 (kgdb) print *unit
 Cannot access memory at address 0x7610776.
 (kgdb) print unit
 $9 = 123799414
 (kgdb) print tp
 $10 = (struct tty *) 0x7610776
 (kgdb) frame 13
 #13 0xf0154603 in spec_read (ap=0xf2899ef8)
     at ../../miscfs/specfs/spec_vnops.c:278
 278                     error = (*cdevsw[major(vp->v_rdev)]->d_read)
 (kgdb) print *vp
 $11 = {v_flag = 8, v_usecount = 1, v_writecount = 1, v_holdcnt = 0,
   v_lastr = 0, v_id = 151, v_mount = 0xf0586e00, v_op = 0xf057e800,
   v_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, v_mntvnodes = {
     le_next = 0xf286ca40, le_prev = 0xf286c828}, v_cleanblkhd = {
     tqh_first = 0x0, tqh_last = 0xf286c9b0}, v_dirtyblkhd = {tqh_first = 0x0,
     tqh_last = 0xf286c9b8}, v_synclist = {le_next = 0x0, le_prev = 0x0},
   v_numoutput = 0, v_type = VCHR, v_un = {vu_mountedhere = 0xf056d900,
     vu_socket = 0xf056d900, vu_specinfo = 0xf056d900,
     vu_fifoinfo = 0xf056d900}, v_lease = 0x0, v_lastw = 0, v_cstart = 0,
   v_lasta = 0, v_clen = 0, v_maxio = 0, v_object = 0x0, v_interlock = {
     lock_data = 0}, v_vnlock = 0x0, v_tag = VT_UFS, v_data = 0xf05a6f00,
   v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xf0591640,
     tqh_last = 0xf0591650}, v_dd = 0xf286c980, v_ddid = 0, v_pollinfo = {
     vpi_lock = {lock_data = 0}, vpi_selinfo = {si_pid = 0, si_flags = 0},
     vpi_events = 0, vpi_revents = 0}}
 (kgdb) l
 273
 274             switch (vp->v_type) {
 275
 276             case VCHR:
 277                     VOP_UNLOCK(vp, 0, p);
 278                     error = (*cdevsw[major(vp->v_rdev)]->d_read)
 279                             (vp->v_rdev, uio, ap->a_ioflag);
 280                     vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
 281                     return (error);
 282
 (kgdb) l
 273
 274             switch (vp->v_type) {
 275
 276             case VCHR:
 277                     VOP_UNLOCK(vp, 0, p);
 278                     error = (*cdevsw[major(vp->v_rdev)]->d_read)
 279                             (vp->v_rdev, uio, ap->a_ioflag);
 280                     vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
 281                     return (error);
 282
 (kgdb) print *uio
 $12 = {uio_iov = 0xf2899f2c, uio_iovcnt = 1, uio_offset = 0x00000000000e5f20,
   uio_resid = 1500, uio_segflg = UIO_USERSPACE, uio_rw = UIO_READ,
   uio_procp = 0xf2874200}
 (kgdb) print *ap
 Cannot access memory at address 0x80000000.
 (kgdb) print p
 $13 = (struct proc *) 0xf2874200
 (kgdb) print *p
 $14 = {p_procq = {tqe_next = 0xf037a3f4, tqe_prev = 0x0}, p_list = {
     le_next = 0xf2874360, le_prev = 0xf28740a8}, p_cred = 0xf056d980,
   p_fd = 0xf05a5380, p_stats = 0xf2898214, p_limit = 0xf058f200,
   p_upages_obj = 0xf037151c, p_procsig = 0xf056d960, p_flag = 16390,
   p_stat = 2 '\002', p_pad1 = "\000\000", p_pid = 50, p_hash = {
     le_next = 0xf2874d00, le_prev = 0xf056fe88}, p_pglist = {le_next = 0x0,
     le_prev = 0xf28740dc}, p_pptr = 0xf2874360, p_sibling = {le_next = 0x0,
     le_prev = 0xf28740e8}, p_children = {lh_first = 0x0}, p_ithandle = {
     callout = 0xf116c428}, p_oppid = 0, p_dupfd = 0, p_vmspace = 0xf2877a00,
   p_estcpu = 39, p_cpticks = 19, p_pctcpu = 163, p_wchan = 0x0,
   p_wmesg = 0xf01b5bec "select", p_swtime = 709, p_slptime = 0, p_realtimer = {
     it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0,
       tv_usec = 0}}, p_runtime = 77187615, p_switchtime = {tv_sec = 720,
     tv_usec = 349840}, p_uticks = 5219, p_sticks = 4460, p_iticks = 77,
   p_traceflag = 0, p_tracep = 0x0, p_siglist = 0, p_textvp = 0xf286cc80,
   p_lock = 0 '\000', p_oncpu = 0 '\000', p_lastcpu = 0 '\000',
   p_pad2 = 0 '\000', p_locks = 0, p_simple_locks = 0, p_stops = 0,
   p_stype = 0, p_step = 0 '\000', p_pfsflags = 0 '\000', p_pad3 = "\000",
   p_retval = {0, 671417344}, p_sigiolst = {slh_first = 0x0}, p_sigparent = 0,
   p_oldsigmask = 0, p_sig = 0, p_code = 0, p_sigmask = 0, p_priority = 59 ';',
   p_usrpri = 59 ';', p_nice = 0 '\000',
   p_comm = "vdusrvr\000r\000\000\000\000\000\000\000", p_pgrp = 0xf056da00,
   p_sysent = 0xf01c4cd4, p_rtprio = {type = 1, prio = 0}, p_addr = 0xf2898000,
 ---Type <return> to continue, or q <return> to quit---
   p_md = {md_regs = 0xf2899fac}, p_xstat = 0, p_acflag = 0, p_ru = 0x0,
   p_nthreads = 0, p_aioinfo = 0x0, p_wakeup = 0, p_peers = 0x0,
   p_leader = 0xf2874200, p_asleep = {as_priority = 0, as_timo = 0}}
 (kgdb) frame 14
 #14 0xf01740dc in ufsspec_read (ap=0xf2899ef8)
     at ../../ufs/ufs/ufs_vnops.c:1811
 1811            error = VOCALL(spec_vnodeop_p, VOFFSET(vop_read), ap);
 (kgdb) l
 1806            struct inode *ip;
 1807            struct uio *uio;
 1808
 1809            uio = ap->a_uio;
 1810            resid = uio->uio_resid;
 1811            error = VOCALL(spec_vnodeop_p, VOFFSET(vop_read), ap);
 1812            /*
 1813             * The inode may have been revoked during the call, so it must not
 1814             * be accessed blindly here or in the other wrapper functions.
 1815             */
 (kgdb) print *ap
 $16 = {a_desc = 0xf01c421c, a_vp = 0xf286c980, a_uio = 0xf2899f34,
   a_ioflag = 8323088, a_cred = 0xf0403900}
 (kgdb) print *ap->a_desc
 $18 = {vdesc_offset = 10, vdesc_name = 0xf01b2d9c "vop_read", vdesc_flags = 0,
   vdesc_vp_offsets = 0xf01c4214, vdesc_vpp_offset = -1,
   vdesc_cred_offset = 16, vdesc_proc_offset = -1,
   vdesc_componentname_offset = -1, vdesc_transports = 0x0}
 (kgdb) print uio_iov
 No symbol "uio_iov" in current context.
 (kgdb) print uio->uio_iov
 $19 = (struct iovec *) 0xf2899f2c
 (kgdb) print *uio->uio_iov
 $20 = {
   iov_base = 0xefbfd6bc "ÖTlm\001ÖPO\230ñ\230N\224\235\214\004¬\005|\005­",
   iov_len = 1500}
 (kgdb) print *uio->uio_iov.iov_base
 $21 = -42 'Ö'
 (kgdb) print uio->uio_iov.iov_base
 $22 = 0xefbfd6bc "ÖTlm\001ÖPO\230ñ\230N\224\235\214\004¬\005|\005­"
 (kgdb) frame 15
 #15 0xf017464d in ufs_vnoperatespec (ap=0xf2899ef8)
     at ../../ufs/ufs/ufs_vnops.c:2312
 2312            return (VOCALL(ufs_specop_p, ap->a_desc->vdesc_offset, ap));
 (kgdb) l
 2307    ufs_vnoperatespec(ap)
 2308            struct vop_generic_args /* {
 2309                    struct vnodeop_desc *a_desc;
 2310            } */ *ap;
 2311    {
 2312            return (VOCALL(ufs_specop_p, ap->a_desc->vdesc_offset, ap));
 2313    }
 2314
 2315
 (kgdb) print *ap
 Cannot access memory at address 0x77507ff.
 (kgdb) frame 16
 #16 0xf0150c01 in vn_read (fp=0xf0591680, uio=0xf2899f34, cred=0xf0403900)
     at vnode_if.h:303
 303             return (VCALL(vp, VOFFSET(vop_read), &a));
 (kgdb) l
 298             a.a_desc = VDESC(vop_read);
 299             a.a_vp = vp;
 300             a.a_uio = uio;
 301             a.a_ioflag = ioflag;
 302             a.a_cred = cred;
 303             return (VCALL(vp, VOFFSET(vop_read), &a));
 304     }
 305     struct vop_write_args {
 306             struct vnodeop_desc *a_desc;
 307             struct vnode *a_vp;
 (kgdb) print a
 $23 = {a_desc = 0xf01c421c, a_vp = 0xf286c980, a_uio = 0xf2899f34,
   a_ioflag = 8323088, a_cred = 0xf0403900}
 (kgdb) print &a
 $24 = (struct vop_read_args *) 0xf2899ef8
 (kgdb) print vp
 $25 = (struct vnode *) 0xf286c980
 (kgdb) print *vp
 $26 = {v_flag = 8, v_usecount = 1, v_writecount = 1, v_holdcnt = 0,
   v_lastr = 0, v_id = 151, v_mount = 0xf0586e00, v_op = 0xf057e800,
   v_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, v_mntvnodes = {
     le_next = 0xf286ca40, le_prev = 0xf286c828}, v_cleanblkhd = {
     tqh_first = 0x0, tqh_last = 0xf286c9b0}, v_dirtyblkhd = {tqh_first = 0x0,
     tqh_last = 0xf286c9b8}, v_synclist = {le_next = 0x0, le_prev = 0x0},
   v_numoutput = 0, v_type = VCHR, v_un = {vu_mountedhere = 0xf056d900,
     vu_socket = 0xf056d900, vu_specinfo = 0xf056d900,
     vu_fifoinfo = 0xf056d900}, v_lease = 0x0, v_lastw = 0, v_cstart = 0,
   v_lasta = 0, v_clen = 0, v_maxio = 0, v_object = 0x0, v_interlock = {
     lock_data = 0}, v_vnlock = 0x0, v_tag = VT_UFS, v_data = 0xf05a6f00,
   v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xf0591640,
     tqh_last = 0xf0591650}, v_dd = 0xf286c980, v_ddid = 0, v_pollinfo = {
     vpi_lock = {lock_data = 0}, vpi_selinfo = {si_pid = 0, si_flags = 0},
     vpi_events = 0, vpi_revents = 0}}
 (kgdb) frame 17
 #17 0xf0133911 in read (p=0xf2874200, uap=0xf2899f84)
     at ../../kern/sys_generic.c:121
 121             if ((error = (*fp->f_ops->fo_read)(fp, &auio, fp->f_cred)))
 (kgdb) l
 116              */
 117             if (KTRPOINT(p, KTR_GENIO))
 118                     ktriov = aiov;
 119     #endif
 120             cnt = uap->nbyte;
 121             if ((error = (*fp->f_ops->fo_read)(fp, &auio, fp->f_cred)))
 122                     if (auio.uio_resid != cnt && (error == ERESTART ||
 123                         error == EINTR || error == EWOULDBLOCK))
 124                             error = 0;
 125             cnt -= auio.uio_resid;
 (kgdb) print *fp
 Cannot access memory at address 0x76107ff.
 (kgdb) print auio
 $27 = {uio_iov = 0xf2899f2c, uio_iovcnt = 1, uio_offset = 0x00000000000e5f20,
   uio_resid = 1500, uio_segflg = UIO_USERSPACE, uio_rw = UIO_READ,
   uio_procp = 0xf2874200}
 (kgdb) print *p
 $29 = {p_procq = {tqe_next = 0xf037a3f4, tqe_prev = 0x0}, p_list = {
     le_next = 0xf2874360, le_prev = 0xf28740a8}, p_cred = 0xf056d980,
   p_fd = 0xf05a5380, p_stats = 0xf2898214, p_limit = 0xf058f200,
   p_upages_obj = 0xf037151c, p_procsig = 0xf056d960, p_flag = 16390,
   p_stat = 2 '\002', p_pad1 = "\000\000", p_pid = 50, p_hash = {
     le_next = 0xf2874d00, le_prev = 0xf056fe88}, p_pglist = {le_next = 0x0,
     le_prev = 0xf28740dc}, p_pptr = 0xf2874360, p_sibling = {le_next = 0x0,
     le_prev = 0xf28740e8}, p_children = {lh_first = 0x0}, p_ithandle = {
     callout = 0xf116c428}, p_oppid = 0, p_dupfd = 0, p_vmspace = 0xf2877a00,
   p_estcpu = 39, p_cpticks = 19, p_pctcpu = 163, p_wchan = 0x0,
   p_wmesg = 0xf01b5bec "select", p_swtime = 709, p_slptime = 0, p_realtimer = {
     it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0,
       tv_usec = 0}}, p_runtime = 77187615, p_switchtime = {tv_sec = 720,
     tv_usec = 349840}, p_uticks = 5219, p_sticks = 4460, p_iticks = 77,
   p_traceflag = 0, p_tracep = 0x0, p_siglist = 0, p_textvp = 0xf286cc80,
   p_lock = 0 '\000', p_oncpu = 0 '\000', p_lastcpu = 0 '\000',
   p_pad2 = 0 '\000', p_locks = 0, p_simple_locks = 0, p_stops = 0,
   p_stype = 0, p_step = 0 '\000', p_pfsflags = 0 '\000', p_pad3 = "\000",
   p_retval = {0, 671417344}, p_sigiolst = {slh_first = 0x0}, p_sigparent = 0,
   p_oldsigmask = 0, p_sig = 0, p_code = 0, p_sigmask = 0, p_priority = 59 ';',
   p_usrpri = 59 ';', p_nice = 0 '\000',
   p_comm = "vdusrvr\000r\000\000\000\000\000\000\000", p_pgrp = 0xf056da00,
   p_sysent = 0xf01c4cd4, p_rtprio = {type = 1, prio = 0}, p_addr = 0xf2898000,
 ---Type <return> to continue, or q <return> to quit---
   p_md = {md_regs = 0xf2899fac}, p_xstat = 0, p_acflag = 0, p_ru = 0x0,
   p_nthreads = 0, p_aioinfo = 0x0, p_wakeup = 0, p_peers = 0x0,
   p_leader = 0xf2874200, p_asleep = {as_priority = 0, as_timo = 0}}
 (kgdb) print *p->p_fd
 $30 = {fd_ofiles = 0xf05a539c, fd_ofileflags = 0xf05a53ec "",
   fd_cdir = 0xf286fe00, fd_rdir = 0xf286fe00, fd_nfiles = 20, fd_lastfile = 2,
   fd_freefile = 1, fd_cmask = 18, fd_refcnt = 1}
 (kgdb) frame 18
 #18 0xf019d687 in syscall (frame={tf_es = 65575, tf_ds = 39, tf_edi = 153120,
       tf_esi = -272640324, tf_ebp = -272638696, tf_isp = -225861676,
       tf_ebx = -1, tf_edx = 671417344, tf_ecx = -272640264, tf_eax = 3,
       tf_trapno = 0, tf_err = 2, tf_eip = 134516156, tf_cs = 31,
       tf_eflags = 582, tf_esp = -272640376, tf_ss = 39})
     at ../../i386/i386/trap.c:1100
 1100            error = (*callp->sy_call)(p, args);
 (kgdb) l
 1095            p->p_retval[0] = 0;
 1096            p->p_retval[1] = frame.tf_edx;
 1097
 1098            STOPEVENT(p, S_SCE, callp->sy_narg);
 1099
 1100            error = (*callp->sy_call)(p, args);
 1101
 1102            switch (error) {
 1103
 1104            case 0:
 (kgdb) print *callp
 $32 = {sy_narg = 3, sy_call = 0xf013387c <read>}
 (kgdb) print args
 $33 = {1, -272640324, 1500, 0, 134570048, 11, -272640464, -266787087}
 (kgdb) print frame
 $34 = {tf_es = 65575, tf_ds = 39, tf_edi = 153120, tf_esi = -272640324,
   tf_ebp = -272638696, tf_isp = -225861676, tf_ebx = -1, tf_edx = 671417344,
   tf_ecx = -272640264, tf_eax = 3, tf_trapno = 0, tf_err = 2,
   tf_eip = 134516156, tf_cs = 31, tf_eflags = 582, tf_esp = -272640376,
   tf_ss = 39}
 (kgdb) frame 19
 #19 0xf019174c in Xint0x80_syscall ()
 (kgdb)
 
 

From: Bruce Evans <bde@zeta.org.au>
To: bde@zeta.org.au, hgoldste@bbs.mpcs.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Mon, 22 Feb 1999 16:24:53 +1100

 >db> trace
 >random_poll(f0571000,f2899ca8,f0191b67,0,10) at random_poll+0xef3
 >random_poll(0,10,2ed,2ed,20) at random_poll+0xe6a
 >Xfastintr4(f2899cd4,80000000,283,f2899cd4,f2899cdc) at Xfastintr4+0x17
 
 `trace' (in all elf kernels?) is still broken.
 
 >...
 >(kgdb)  frame 12
 >#12 0xf01a7a17 in sioread (dev=7296, uio=0xf2899f34, flag=8323088)
 >    at ../../i386/isa/sio.c:1385
 >1385            tp = com_addr(unit)->tp;
 >(kgdb) l
 >1380            if (mynor & CONTROL_MASK)
 >1381                    return (ENODEV);
 >1382            unit = MINOR_TO_UNIT(mynor);
 >1383            if (com_addr(unit)->gone)
 >1384                    return (ENODEV);
 >1385            tp = com_addr(unit)->tp;
 >1386            return ((*linesw[tp->t_line].l_read)(tp, uio, flag));
 >1387    }
 >1388
 >1389    static int
 >(kgdb) print *unit
 >Cannot access memory at address 0x7610776.
 >(kgdb) print unit
 >$9 = 123799414
 
 `unit' is out of bounds.  The caller seems to have passed a bad `dev'.
 Unfortunately, the value for `dev' is not visible in the debugging output
 for any of the callers.
 
 >(kgdb) print tp
 >$10 = (struct tty *) 0x7610776
 >(kgdb) frame 13
 >#13 0xf0154603 in spec_read (ap=0xf2899ef8)
 >    at ../../miscfs/specfs/spec_vnops.c:278
 >278                     error = (*cdevsw[major(vp->v_rdev)]->d_read)
 >(kgdb) print *vp
 >$11 = {v_flag = 8, v_usecount = 1, v_writecount = 1, v_holdcnt = 0, 
 >  v_lastr = 0, v_id = 151, v_mount = 0xf0586e00, v_op = 0xf057e800, 
 >  v_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, v_mntvnodes = {
 >    le_next = 0xf286ca40, le_prev = 0xf286c828}, v_cleanblkhd = {
 >    tqh_first = 0x0, tqh_last = 0xf286c9b0}, v_dirtyblkhd = {tqh_first = 0x0, 
 >    tqh_last = 0xf286c9b8}, v_synclist = {le_next = 0x0, le_prev = 0x0}, 
 >  v_numoutput = 0, v_type = VCHR, v_un = {vu_mountedhere = 0xf056d900, 
 >    vu_socket = 0xf056d900, vu_specinfo = 0xf056d900, 
                              ^^^^^^^^^^^ this points to a struct
                                          containing the device number
 >    vu_fifoinfo = 0xf056d900}, v_lease = 0x0, v_lastw = 0, v_cstart = 0, 
 >  v_lasta = 0, v_clen = 0, v_maxio = 0, v_object = 0x0, v_interlock = {
 >    lock_data = 0}, v_vnlock = 0x0, v_tag = VT_UFS, v_data = 0xf05a6f00, 
 >  v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xf0591640, 
 >    tqh_last = 0xf0591650}, v_dd = 0xf286c980, v_ddid = 0, v_pollinfo = {
 >    vpi_lock = {lock_data = 0}, vpi_selinfo = {si_pid = 0, si_flags = 0}, 
 >    vpi_events = 0, vpi_revents = 0}}
 
 Device numbers are checked at open() time.  Apparently, v_un or *vu_specinfo
 was corrupted between open() and read().
 
 Bruce
 

From: Howard Goldstein <hgoldste@bbs.mpcs.com>
To: Bruce Evans <bde@zeta.org.au>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/10166: panic during heavy sio i/o;no coproc; vesa+vm86
Date: Mon, 22 Feb 1999 13:46:08 -0500 (EST)

 Bruce Evans writes:
 
  > >(kgdb) print *unit
  > >Cannot access memory at address 0x7610776.
  > >(kgdb) print unit
  > >$9 = 123799414
  > 
  > `unit' is out of bounds.  The caller seems to have passed a bad `dev'.
  > Unfortunately, the value for `dev' is not visible in the debugging output
  > for any of the callers.
 
 ...
 
 Here it is:
 
 Fatal trkernel trap 12 with interrupts disabled
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x76107fa
 fault code              = supervisor read, page not present
 instruction pointer     = 0x8:0xf01a7bc3
 stack pointer           = 0x10:0xf2899c48
 frame pointer           = 0x10:0xf2899c6c
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = resume, IOPL = 0
 current process         = 50 (vdusrvr)
 interrupt mask          = tty 
 kernel: type 12 trap, code=0
 Stopped at      random_poll+0xef3:      testb   $0x1,0x84(%eax)
 db> gdb
 Next trap will enter GDB remote protocol mode
 db> cont
 kernel trap 12 with interrupts disabled
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x76107fa
 fault code              = supervisor read, page not present
 instruction pointer     = 0x8:0xf01a7bc3
 stack pointer           = 0x10:0xf2899c48
 frame pointer           = 0x10:0xf2899c6c
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                         = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = resume, IOPL = 0
 current process         = 50 (vdusrvr)
 interrupt mask          = tty 
 $T0b08:c37b1af0;05:6c9c89f2;04:489c89f2;#1c
 
 # gdb -k kernel
 GDB is free software and you are welcome to distribute copies of it
  under certain conditions; type "show copying" to see the conditions.
 There is absolutely no warranty for GDB; type "show warranty" for details.
 GDB 4.16 (i386-unknown-freebsd), 
 Copyright 1996 Free Software Foundation, Inc...
 (kgdb) help remote
 Send a command to the remote monitor.
 (kgdb) target remote /dev/cuaa1
 Remote debugging using /dev/cuaa1
 0xf01a7bc3 in siointr1 (com=0xf0571000) at ../../i386/isa/sio.c:1545
 1545                                            if (com->tp == NULL
 (kgdb) where
 #0  0xf01a7bc3 in siointr1 (com=0xf0571000) at ../../i386/isa/sio.c:1545
 #1  0xf01a7b3a in siointr (unit=0) at ../../i386/isa/sio.c:1465
 #2  0xf0191b67 in Xfastintr4 ()
 #3  0xf01a90a0 in siocnputc (dev=7171, c=97) at ../../i386/isa/sio.c:2739
 #4  0xf01900fe in cnputc (c=97) at ../../i386/i386/cons.c:413
 #5  0xf013183f in putchar (c=97, arg=0xf2899d78) at ../../kern/subr_prf.c:309
 #6  0xf01319ad in kvprintf (fmt=0xf01bea34 "p %d: %s while in %s mode\n", 
     func=0xf01317a8 <putchar>, arg=0xf2899d78, radix=10, ap=0xf2899d8c "\f")
     at ../../kern/subr_prf.c:462
 #7  0xf013172d in printf (
     fmt=0xf01bea29 "\n\nFatal trap %d: %s while in %s mode\n")
     at ../../kern/subr_prf.c:262
 #8  0xf019d1e8 in trap_fatal (frame=0xf2899e0c, eva=123799498)
     at ../../i386/i386/trap.c:858
 #9  0xf019d157 in trap_pfault (frame=0xf2899e0c, usermode=0, eva=123799498)
     at ../../i386/i386/trap.c:835
 #10 0xf019cdb6 in trap (frame={tf_es = 16, tf_ds = -225902576, 
       tf_edi = -226047616, tf_esi = -226016768, tf_ebp = -225862072, 
       tf_isp = -225862092, tf_ebx = -225861896, tf_edx = 128, 
       tf_ecx = -262743808, tf_eax = 123799414, tf_trapno = 12, tf_err = 0, 
       tf_eip = -266700265, tf_cs = -226033656, tf_eflags = 66118, 
       tf_esp = -225861972, tf_ss = -267041277}) at ../../i386/i386/trap.c:437
 #11 0xf01a7a17 in sioread (dev=7296, uio=0xf2899f34, flag=8323088)
 ---Type <return> to continue, or q <return> to quit---bt
     at ../../i386/isa/sio.c:1385
 #12 0xf0154603 in spec_read (ap=0xf2899ef8)
     at ../../miscfs/specfs/spec_vnops.c:278
 #13 0xf01740dc in ufsspec_read (ap=0xf2899ef8)
     at ../../ufs/ufs/ufs_vnops.c:1811
 #14 0xf017464d in ufs_vnoperatespec (ap=0xf2899ef8)
     at ../../ufs/ufs/ufs_vnops.c:2312
 #15 0xf0150c01 in vn_read (fp=0xf0591680, uio=0xf2899f34, cred=0xf0403900)
     at vnode_if.h:303
 01 in vn_read (fp=0xf0591680, uio=0xf2899f34, cred=0xf0403900)
     at vnode_if.h:303
 #16 0xf0133911 in read (p=0xf2874200, uap=0xf2899f84)
     at ../../kern/sys_generic.c:121
 #17 0xf019d687 in syscall (frame={tf_es = -266731481, tf_ds = -262733785, 
       tf_edi = 153120, tf_esi = -272642920, tf_ebp = -272638696, 
       tf_isp = -225861676, tf_ebx = -1, tf_edx = 671417344, 
       tf_ecx = -272642868, tf_eax = 3, tf_trapno = 0, tf_err = 2, 
       tf_eip = 134516144, tf_cs = 31, tf_eflags = 582, tf_esp = -272642972, 
       tf_ss = 39}) at ../../i386/i386/trap.c:1100
 #18 0xf019174c in Xint0x80_syscall ()
 #19 0x80487e1 in ?? ()
 #20 0x80480e9 in ?? ()
 (kgdb) frame 11
 #11 0xf01a7a17 in sioread (dev=7296, uio=0xf2899f34, flag=8323088)
     at ../../i386/isa/sio.c:1385
 1385            tp = com_addr(unit)->tp;
 (kgdb) print *unit
 Cannot access memory at address 0x7610776.
      ok that looks like before
 
  frame 12
 #12 0xf0154603 in spec_read (ap=0xf2899ef8)
     at ../../miscfs/specfs/spec_vnops.c:278
 278                     error = (*cdevsw[major(vp->v_rdev)]->d_read)
 (kgdb) print *vp
 $1 = {v_flag = 8, v_usecount = 1, v_writecount = 1, v_holdcnt = 0, 
   v_lastr = 0, v_id = 151, v_mount = 0xf0586e00, v_op = 0xf057e800, 
   v_freelist = {tqe_next = 0x0, tqe_prev = 0x0}, v_mntvnodes = {
     le_next = 0xf286ca40, le_prev = 0xf286c828}, v_cleanblkhd = {
     tqh_first = 0x0, tqh_last = 0xf286c9b0}, v_dirtyblkhd = {tqh_first = 0x0, 
     tqh_last = 0xf286c9b8}, v_synclist = {le_next = 0x0, le_prev = 0x0}, 
   v_numoutput = 0, v_type = VCHR, v_un = {vu_mountedhere = 0xf056d900, 
     vu_socket = 0xf056d900, vu_specinfo = 0xf056d900, 
     vu_fifoinfo = 0xf056d900}, v_lease = 0x0, v_lastw = 0, v_cstart = 0, 
   v_lasta = 0, v_clen = 0, v_maxio = 0, v_object = 0x0, v_interlock = {
     lock_data = 0}, v_vnlock = 0x0, v_tag = VT_UFS, v_data = 0xf05a6f00, 
   v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0xf0591640, 
     tqh_last = 0xf0591650}, v_dd = 0xf286c980, v_ddid = 0, v_pollinfo = {
     vpi_lock = {lock_data = 0}, vpi_selinfo = {si_pid = 0, si_flags = 0}, 
     vpi_events = 0, vpi_revents = 0}}
 (kgdb) print *vp->v_un.vu_specinfo
 $4 = {si_hashchain = 0xf037a95c, si_specnext = 0x0, si_mountpoint = 0x0, 
   si_rdev = 7296, si_blksize = 1946171776}
 (kgdb) print *vp->v_mount
 $5 = {mnt_list = {cqe_next = 0xf0586600, cqe_prev = 0xf037a87c}, 
   mnt_op = 0xf01caa68, mnt_vfc = 0xf01caa9c, mnt_vnodecovered = 0x0, 
   mnt_syncer = 0x0, mnt_vnodelist = {lh_first = 0xf28a78c0}, mnt_lock = {
     lk_interlock = {lock_data = 0}, lk_flags = 16777216, lk_sharecount = 0, 
     lk_waitcount = 0, lk_exclusivecount = 0, lk_prio = 20, 
     lk_wmesg = 0xf01b7059 "vfslock", lk_timo = 0, lk_lockholder = -1}, 
   mnt_flag = 20480, mnt_kern_flag = 0, mnt_maxsymlinklen = 60, mnt_stat = {
     f_spare2 = 0, f_bsize = 1024, f_iosize = 8192, f_blocks = 1511, 
     f_bfree = 526, f_bavail = 526, f_files = 446, f_ffree = 117, f_fsid = {
       val = {65280, 303871774}}, f_owner = 0, f_type = 1, f_flags = 20480, 
     f_syncwrites = 32, f_asyncwrites = 57, 
     f_fstypename = "mfs", '\000' <repeats 12 times>, 
     f_mntonname = "/", '\000' <repeats 88 times>, 
     f_mntfromname = "root_device", '\000' <repeats 78 times>}, 
   mnt_data = 0xf0586c00, mnt_time = 919707008}
 (kgdb) print *vp->v_op
 $6 = (int (*)()) 0xf0148250 <vop_panic>
 (kgdb) frame 16
 #16 0xf0133911 in read (p=0xf2874200, uap=0xf2899f84)
     at ../../kern/sys_generic.c:121
 121             if ((error = (*fp->f_ops->fo_read)(fp, &auio, fp->f_cred)))
 (kgdb) print *fp->f_ops->fo_read
 Cannot access memory at address 0x7610813.
 (kgdb) print *fp->f_ops         
 Cannot access memory at address 0x7610813.
 (kgdb) print *fp       
 Cannot access memory at address 0x76107ff.
 (kgdb) frame 17
 #17 0xf019d687 in syscall (frame={tf_es = -266731481, tf_ds = -262733785, 
       tf_edi = 153120, tf_esi = -272642920, tf_ebp = -272638696, 
       tf_isp = -225861676, tf_ebx = -1, tf_edx = 671417344, 
       tf_ecx = -272642868, tf_eax = 3, tf_trapno = 0, tf_err = 2, 
       tf_eip = 134516144, tf_cs = 31, tf_eflags = 582, tf_esp = -272642972, 
       tf_ss = 39}) at ../../i386/i386/trap.c:1100
 1100            error = (*callp->sy_call)(p, args);
 (kgdb) l
 1095            p->p_retval[0] = 0;
 1096            p->p_retval[1] = frame.tf_edx;
 1097
 1098            STOPEVENT(p, S_SCE, callp->sy_narg);
 1099
 1100            error = (*callp->sy_call)(p, args);
 1101
 1102            switch (error) {
 1103
 1104            case 0:
 (kgdb) print *callp->sy_call
 $7 = {int ()} 0xf013387c <read>
 (kgdb) print *p
 $8 = {p_procq = {tqe_next = 0xf037a3f4, tqe_prev = 0x0}, p_list = {
     le_next = 0xf2874360, le_prev = 0xf28740a8}, p_cred = 0xf056d980, 
   p_fd = 0xf05a5380, p_stats = 0xf2898214, p_limit = 0xf058f200, 
   p_upages_obj = 0xf0370b04, p_procsig = 0xf056d960, p_flag = 16390, 
   p_stat = 2 '\002', p_pad1 = "\000\000", p_pid = 50, p_hash = {
     le_next = 0xf2874d00, le_prev = 0xf056fe88}, p_pglist = {le_next = 0x0, 
     le_prev = 0xf28740dc}, p_pptr = 0xf2874360, p_sibling = {le_next = 0x0, 
     le_prev = 0xf28740e8}, p_children = {lh_first = 0x0}, p_ithandle = {
     callout = 0xf116c428}, p_oppid = 0, p_dupfd = 0, p_vmspace = 0xf2877a00, 
   p_estcpu = 36, p_cpticks = 18, p_pctcpu = 169, p_wchan = 0x0, 
   p_wmesg = 0xf01b5bec "select", p_swtime = 566, p_slptime = 0, p_realtimer = {
     it_interval = {tv_sec = 0, tv_usec = 0}, it_value = {tv_sec = 0, 
       tv_usec = 0}}, p_runtime = 20292918, p_switchtime = {tv_sec = 578, 
     tv_usec = 235806}, p_uticks = 1373, p_sticks = 1168, p_iticks = 18, 
   p_traceflag = 0, p_tracep = 0x0, p_siglist = 0, p_textvp = 0xf286cc80, 
   p_lock = 0 '\000', p_oncpu = 0 '\000', p_lastcpu = 0 '\000', 
   p_pad2 = 0 '\000', p_locks = 0, p_simple_locks = 0, p_stops = 0, 
   p_stype = 0, p_step = 0 '\000', p_pfsflags = 0 '\000', p_pad3 = "\000", 
   p_retval = {0, 671417344}, p_sigiolst = {slh_first = 0x0}, p_sigparent = 0, 
   p_oldsigmask = 0, p_sig = 0, p_code = 0, p_sigmask = 0, p_priority = 59 ';', 
   p_usrpri = 59 ';', p_nice = 0 '\000', 
   p_comm = "vdusrvr\000r\000\000\000\000\000\000\000", p_pgrp = 0xf056da00, 
   p_sysent = 0xf01c4cd4, p_rtprio = {type = 1, prio = 0}, p_addr = 0xf2898000, 
 ---Type <return> to continue, or q <return> to quit---
   p_md = {md_regs = 0xf2899fac}, p_xstat = 0, p_acflag = 0, p_ru = 0x0, 
   p_nthreads = 0, p_aioinfo = 0x0, p_wakeup = 0, p_peers = 0x0, 
   p_leader = 0xf2874200, p_asleep = {as_priority = 0, as_timo = 0}}
 (kgdb) print *args
 $9 = 1
 (kgdb) print args
 $10 = {1, -272642920, 4096, 0, 134570036, 11, -272643060, -266787087}
 (kgdb)
 
 For what it's worth this is supposed to be a read() of up to 4096 bytes
 from a raw /dev/cuaa0 (after a select).  
 
State-Changed-From-To: open->feedback 
State-Changed-By: will 
State-Changed-When: Thu May 24 18:27:43 PDT 2001 
State-Changed-Why:  
Does this problem persist with newer versions of FreeBSD? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=10166 
State-Changed-From-To: feedback->closed 
State-Changed-By: will 
State-Changed-When: Thu May 24 18:31:27 PDT 2001 
State-Changed-Why:  
Submitter's email address expired. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=10166 
>Unformatted:
