From nobody@FreeBSD.org  Thu Jan 18 08:41:20 2007
Message-Id: <200701180841.l0I8fJ4m043545@www.freebsd.org>
Date: Thu, 18 Jan 2007 08:41:19 GMT
From: Andrew Muhametshin <andrew@dobrohot.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Periodic crashes of system at working HAL
X-Send-Pr-Version: www-3.0

>Number:         108078
>Category:       kern
>Synopsis:       nVidia driver crash in devfs_populate_loop
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    danfe
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 18 08:50:12 GMT 2007
>Closed-Date:    Tue Jun 12 07:53:34 GMT 2007
>Last-Modified:  Tue Jun 12 07:53:34 GMT 2007
>Originator:     Andrew Muhametshin
>Release:        6.2
>Organization:
>Environment:
FreeBSD inspirra.localdomain 6.2-STABLE FreeBSD 6.2-STABLE #1: Wed Jan 17 15:25:03 MSK 2007     root@inspirra.localdomain:/usr/obj/usr/src/sys/INSPIRRA i386

>Description:
Periodic crashes of the system... Mainly (but not always), the crashes
occur when switching from graphical mode (Xorg-6.9.0) to the console
and back, or when attempting to switch off or reboot the system, probably
at the moment the X Window System stops.

I believe that the originator of these problems is "hal-0.5.8.20070104",
because after it is switched off, the system works trouble-free for a day.

###########################################################
###  Core dump received when attempting to stop (reboot) the system.
###########################################################
$ kgdb ./kernel.debug /var/crash/vmcore.0
kgdb: kvm_nlist(_stopped_cpus):
kgdb: kvm_nlist(_stoppcbs):
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
<118>Jan 17 19:47:25 inspirra syslogd: exiting on signal 15
Waiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...5 5 2 4 4 0 2 2 0 0 0 0 done
All buffers synced.

Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x0
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc0491fc6
stack pointer           = 0x28:0xe6b0bbb8
frame pointer           = 0x28:0xe6b0bbe4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 1370 (reboot)
trap number             = 12
panic: page fault
Uptime: 6m7s
Dumping 958 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 958MB (245232 pages) 942 926 910 894 878 862 846 830 814 798 782 766 750 734 718 702 686 670 654 638 622 606 590 574 558 542 526 510 494 478 462 446 430 414 398 382 366 350 334 318 302 286 270 254 238 222 206 190 174 158 142 126 110 94 78 62 46 30 14

#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc0491fc6
0xc0491fc6 is in devfs_populate_loop (/usr/src/sys/fs/devfs/devfs_devs.c:396).
391                      * GC any lingering devices
392                      */
393                     if (!(cdp->cdp_flags & CDP_ACTIVE)) {
394                             if (cdp->cdp_inuse > 0)
395                                     continue;
396                             TAILQ_REMOVE(&cdevp_list, cdp, cdp_list);
397                             dev_unlock();
398                             dev_rel(&cdp->cdp_c);
399                             return (1);
400                     }
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc04fb844 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
        first_buf_printf = 1
#2  0xc04fbb76 in panic (fmt=0xc06c5e96 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
        td = (struct thread *) 0xc540e780
        bootopt = 260
        newpanic = 0
        ap = 0xc540e780 "xз@е`\200рд"
        buf = "page fault", '\0' <repeats 245 times>
#3  0xc06a4a0c in trap_fatal (frame=0xe6b0bb78, eva=0) at /usr/src/sys/i386/i386/trap.c:837
        code = 40
        type = 12
        ss = 40
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 12, ssd_xx1 = 3,
  ssd_def32 = 1, ssd_gran = 1}
        msg = 0x0
#4  0xc06a4712 in trap_pfault (frame=0xe6b0bb78, usermode=0, eva=0) at /usr/src/sys/i386/i386/trap.c:745
        va = 0
        vm = (struct vmspace *) 0x0
        map = 0xc56e04a0
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc540e780
        p = (struct proc *) 0xc540da78
#5  0xc06a42dd in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -987451392, tf_esi = 0, tf_ebp = -424625180, tf_isp = -424625244, tf_ebx = 1, tf_edx = 0, tf_ecx = -976627712, tf_eax = 0, tf_trapno = 12, tf_err = 2, tf_eip = -1068949562, tf_cs = 32, tf_eflags = 590406, tf_esp = -987451392, tf_ss = -982366208}) at /usr/src/sys/i386/i386/trap.c:435
        td = (struct thread *) 0xc540e780
        p = (struct proc *) 0xc540da78
        sticks = 0
        i = 0
        ucode = 0
        type = 12
        code = 2
        eva = 0
#6  0xc069089a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
---Type <return> to continue, or q <return> to quit---
No locals.
#7  0xc0491fc6 in devfs_populate_loop (dm=0xc524b000, cleanup=1) at /usr/src/sys/fs/devfs/devfs_devs.c:396
        cdp = (struct cdev_priv *) 0xc5c9d800
        de = (struct devfs_dirent *) 0xc524b000
        dd = (struct devfs_dirent *) 0xc5316dd0
        pdev = (struct cdev *) 0x0
        j = 1
        q = 0x1 <Address 0x1 out of bounds>
        s = 0x0
#8  0xc049224a in devfs_cleanup (dm=0xc524b000) at /usr/src/sys/fs/devfs/devfs_devs.c:499
No locals.
#9  0xc0493127 in devfs_unmount (mp=0xc5096cf8, mntflags=524288, td=0x0) at /usr/src/sys/fs/devfs/devfs_vfsops.c:138
        error = 0
        fmp = (struct devfs_mount *) 0xc524b000
        idx = 3305729272
#10 0xc0561174 in dounmount (mp=0xc5096cf8, flags=524288, td=0xc540e780) at /usr/src/sys/kern/vfs_mount.c:1195
        coveredvp = (struct vnode *) 0xc5308bb0
        fsrootvp = (struct vnode *) 0xc5316dd0
        error = 0
        async_flag = 0
        mnt_gen_r = 0
#11 0xc056847e in vfs_unmountall () at /usr/src/sys/kern/vfs_subr.c:2838
        mp = (struct mount *) 0xc5096cf8
        td = (struct thread *) 0xc540e780
        error = 0
#12 0xc04fb6f0 in boot (howto=0) at /usr/src/sys/kern/kern_shutdown.c:391
        bp = (struct buf *) 0xd859baa8
        iter = 0
        nbusy = 0
        pbusy = 0
        first_buf_printf = 1
#13 0xc04fb024 in reboot (td=0x0, uap=0x0) at /usr/src/sys/kern/kern_shutdown.c:169
        error = 0
#14 0xc06a4db2 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 0, tf_esi = 0, tf_ebp = -1077941432, tf_isp = -424624796, tf_ebx = 2, tf_edx = -1, tf_ecx = 672546208, tf_eax = 55, tf_trapno = 12, tf_err = 2, tf_eip = 671818107, tf_cs = 51, tf_eflags = 582, tf_esp = -1077941508, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:983
        params = 0xbfbfeb00 <Address 0xbfbfeb00 out of bounds>
        callp = (struct sysent *) 0xc06f5ef4
---Type <return> to continue, or q <return> to quit---
        td = (struct thread *) 0xc540e780
        p = (struct proc *) 0xc540da78
        orig_tf_eflags = 582
        sticks = 0
        error = 0
        narg = 1
        args = {0, 9, -992837536, -1077941516, 0, 0, 0, 1}
        code = 55
#15 0xc06908ef in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
No locals.
#16 0x00000033 in ?? ()
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)
(kgdb) quit


###########################################################
###  Core dump received when attempting to stop Xorg (kill the X process)
###########################################################
$ kgdb ./kernel.debug /var/crash/vmcore.1
kgdb: kvm_nlist(_stopped_cpus):
kgdb: kvm_nlist(_stoppcbs):
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x18000018
fault code              = supervisor write, page not present
instruction pointer     = 0x20:0xc0491f1c
stack pointer           = 0x28:0xe6aec7e8
frame pointer           = 0x28:0xe6aec814
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 972 (hald-addon-storage)
trap number             = 12
panic: page fault
Uptime: 23m0s
Dumping 958 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 958MB (245232 pages) (CTRL-C to abort)  942 926 910 894 878 862 846 830 814 798 782 766 750 734 718 702 686 670 654 638 622 606 590 574 558 542 526 510 494 478 462 446 430 414 398 382 366 350 334 318 302 286 270 254 238 222 206 190 (CTRL-C to abort)  174 158 142 126 110 94 78 62 46 30 14

#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) list *0xc0491f1c
0xc0491f1c is in devfs_populate_loop (/usr/src/sys/fs/devfs/devfs_devs.c:381).
376                                 ("%s %d %s %p %p", __func__, __LINE__,
377                                 cdp->cdp_c.si_name, cdp, de->de_cdp));
378                             KASSERT(de->de_dir != NULL, ("Null de->de_dir"));
379                             dev_unlock();
380
381                             TAILQ_REMOVE(&de->de_dir->de_dlist, de, de_list);
382                             de->de_cdp = NULL;
383                             de->de_inode = 0;
384                             devfs_delete(dm, de, 0);
385                             dev_lock();
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc04fb844 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
        first_buf_printf = 1
#2  0xc04fbb76 in panic (fmt=0xc06c5e96 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
        td = (struct thread *) 0xc53e3d80
        bootopt = 260
        newpanic = 0
        ap = 0xc53e3d80 "`ьHе"
        buf = "page fault", '\0' <repeats 245 times>
#3  0xc06a4a0c in trap_fatal (frame=0xe6aec7a8, eva=0) at /usr/src/sys/i386/i386/trap.c:837
        code = 40
        type = 12
        ss = 40
        esp = 0
        softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 13, ssd_xx1 = 3,
  ssd_def32 = 1, ssd_gran = 1}
        msg = 0x0
#4  0xc06a4712 in trap_pfault (frame=0xe6aec7a8, usermode=0, eva=402653208) at /usr/src/sys/i386/i386/trap.c:745
        va = 402653184
        vm = (struct vmspace *) 0x0
        map = 0xc53c5de0
        rv = 1
        ftype = 1 '\001'
        td = (struct thread *) 0xc53e3d80
        p = (struct proc *) 0xc548d860
#5  0xc06a42dd in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -1043333119, tf_esi = -989298688, tf_ebp = -424753132, tf_isp = -424753196, tf_ebx = 0, tf_edx = 402653184, tf_ecx = 4, tf_eax = 415354817, tf_trapno = 12, tf_err = 2, tf_eip = -1068949732, tf_cs = 32, tf_eflags = 66054, tf_esp = -989378944, tf_ss = -976346752}) at /usr/src/sys/i386/i386/trap.c:435
        td = (struct thread *) 0xc53e3d80
        p = (struct proc *) 0xc548d860
        sticks = 3318550528
        i = 0
        ucode = 0
        type = 12
        code = 2
        eva = 402653208
#6  0xc069089a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
---Type <return> to continue, or q <return> to quit---
No locals.
#7  0xc0491f1c in devfs_populate_loop (dm=0xc5074680, cleanup=0) at /usr/src/sys/fs/devfs/devfs_devs.c:381
        cdp = (struct cdev_priv *) 0xc5ce4900
        de = (struct devfs_dirent *) 0xc1d00001
        dd = (struct devfs_dirent *) 0x0
        pdev = (struct cdev *) 0xc5088000
        j = 0
        q = 0x0
        s = 0xc5088000 "\002"
#8  0xc0492215 in devfs_populate (dm=0xc5074680) at /usr/src/sys/fs/devfs/devfs_devs.c:486
No locals.
#9  0xc0494701 in devfs_lookupx (ap=0x18c1cfc1, dm_unlock=0xe6aec920) at /usr/src/sys/fs/devfs/devfs_vnops.c:586
        cnp = (struct componentname *) 0xe6aecbe8
        dvp = (struct vnode *) 0xc5088000
        vpp = (struct vnode **) 0xe6aecbd4
        td = (struct thread *) 0xc53e3d80
        de = (struct devfs_dirent *) 0x2002
        dd = (struct devfs_dirent *) 0xc4d12700
        dde = (struct devfs_dirent **) 0x18c1cfc1
        dmp = (struct devfs_mount *) 0xc5074680
        cdev = (struct cdev *) 0xc0576c8a
        error = -424752740
        flags = 86032452
        nameiop = 0
        specname = "&#1102;\031p&#1102;(&#1080;&#9565;&#1060;\000\000\000\000&#1044;&#1093;&#9565;&#1060;&#1088;&#9561;U&#1102;\b|\b&#1077;\006\000\000\000,|\b&#1077;\200=>&#1077;&#1069;&#1093;&#9565;&#1060;&#9567;{\b&#1077;&#1069;&#1093;&#9565;&#1060;(jV&#1102;&#9567;{\b&#1077;&#9567;{\b&#1077;D&#1080;&#9565;&#1060;"
        pname = 0xc508a805 "xpt0"
#10 0xc0494b6c in devfs_lookup (ap=0xe6aec99c) at /usr/src/sys/fs/devfs/devfs_vnops.c:666
        j = -424752740
        dmp = (struct devfs_mount *) 0x18c1cfc1
        dm_unlock = 1
#11 0xc06b4fc8 in VOP_LOOKUP_APV (vop=0xc06f21a0, a=0xe6aec99c) at vnode_if.c:99
        rc = -1066458720
#12 0xc055d6db in lookup (ndp=0xe6aecbc0) at vnode_if.h:56
        cp = 0xc508a809 ""
        dp = (struct vnode *) 0xc5088000
        tdp = (struct vnode *) 0xc5088000
        mp = (struct mount *) 0x0
        docache = 32
        wantparent = 0
---Type <return> to continue, or q <return> to quit---
        rdonly = 0
        trailing_slash = 0
        error = 0
        dpunlocked = 0
        cnp = (struct componentname *) 0xe6aecbe8
        td = (struct thread *) 0xc53e3d80
        vfslocked = 0
        dvfslocked = 0
        tvfslocked = 0
#13 0xc055ce78 in namei (ndp=0xe6aecbc0) at /usr/src/sys/kern/vfs_lookup.c:211
        fdp = (struct filedesc *) 0xc53e7b00
        cp = 0xc53e7b00 "d{>е╢{>е@тAе╟{\bе"
        dp = (struct vnode *) 0xc5087bb0
        aiov = {iov_base = 0xc046731c, iov_len = 3303227776}
        auio = {uio_iov = 0xc4e99400, uio_iovcnt = -424752524, uio_offset = 52788373911512, uio_resid = 128,
  uio_segflg = 3309190528, uio_rw = 3870214720, uio_td = 0xc04ebad2}
        error = -989299792
        linklen = -989299792
        cnp = (struct componentname *) 0xe6aecbe8
        td = (struct thread *) 0x18c1cfc1
        p = (struct proc *) 0x18000000
        vfslocked = 0
#14 0xc05758d7 in vn_open_cred (ndp=0xe6aecbc0, flagp=0xe6aeccc0, cmode=0, cred=0xc4d11d00, fdidx=4)
    at /usr/src/sys/kern/vfs_vnops.c:183
        vp = (struct vnode *) 0xc52adaf8
        mp = (struct mount *) 0x3002
        td = (struct thread *) 0xc53e3d80
        vat = {va_type = 76, va_mode = 28672, va_nlink = -15094, va_uid = 3870214828, va_gid = 3226259977,
  va_fsid = 4294967264, va_fileid = 0, va_size = 16622446252193218564, va_blocksize = -1068707012, va_atime = {
    tv_sec = -985761024, tv_nsec = 4}, va_mtime = {tv_sec = 20, tv_nsec = 4}, va_ctime = {tv_sec = -985761024,
    tv_nsec = -985081760}, va_birthtime = {tv_sec = -424752392, tv_nsec = -1068692406}, va_gen = 3309206272, va_flags = 4,
  va_rdev = 20, va_bytes = 14212865097219453983, va_filerev = 17179928166, va_vaflags = 3309885536, va_spare = -981839152}
        mode = -424752552
        fmode = 3
        error = -424751868
        vfslocked = 4
#15 0xc05755c3 in vn_open (ndp=0x4, flagp=0x18c1cfc1, cmode=415354817, fdidx=415354817) at /usr/src/sys/kern/vfs_vnops.c:91
        td = (struct thread *) 0x18000000
#16 0xc056c638 in kern_open (td=0xc53e3d80, path=0x18c1cfc1 <Address 0x18c1cfc1 out of bounds>, pathseg=415354817, flags=3,
---Type <return> to continue, or q <return> to quit---
    mode=0) at /usr/src/sys/kern/vfs_syscalls.c:1009
        p = (struct proc *) 0x18c1cfc1
        fdp = (struct filedesc *) 0xc53e7b00
        fp = (struct file *) 0xc57a52d0
        vp = (struct vnode *) 0xc0527283
        vat = {va_type = 3309190528, va_mode = 0, va_nlink = 0, va_uid = 3305795584, va_gid = 3261076738,
  va_fsid = 3870215284, va_fileid = -1068475662, va_size = 1257124423831869568, va_blocksize = 758314, va_atime = {
    tv_sec = -583978624, tv_nsec = -424752028}, va_mtime = {tv_sec = -424751980, tv_nsec = 137969}, va_ctime = {
    tv_sec = -1066417568, tv_nsec = -424751980}, va_birthtime = {tv_sec = 0, tv_nsec = -985776768}, va_gen = 3870215304,
  va_flags = 3226491917, va_rdev = 3870215316, va_bytes = 3870215364, va_filerev = 13857677946798394536,
  va_vaflags = 3870215316, va_spare = 1169053929}
        mp = (struct mount *) 0x1
        cmode = 402653184
        nfp = (struct file *) 0xc57a52d0
        type = 402653184
        indx = 4
        error = -424751868
        lf = {l_start = -4255747712928039552, l_len = -1824296203303222272, l_pid = -985761024, l_type = -13156,
  l_whence = -6482}
        nd = {ni_dirp = 0x281c70a2 <Address 0x281c70a2 out of bounds>, ni_segflg = UIO_USERSPACE, ni_startdir = 0x0,
  ni_rootdir = 0xc5087bb0, ni_topdir = 0x0, ni_vp = 0x0, ni_dvp = 0xc5088000, ni_pathlen = 1, ni_next = 0xc508a809 "",
  ni_loopcnt = 0, ni_cnd = {cn_nameiop = 0, cn_flags = 86032452, cn_thread = 0xc53e3d80, cn_cred = 0xc4d11d00,
    cn_lkflags = 2, cn_pnbuf = 0xc508a800 "/dev/xpt0", cn_nameptr = 0xc508a805 "xpt0", cn_namelen = 4, cn_consume = 0}}
        vfslocked = -424752256
#17 0xc056c536 in open (td=0x18c1cfc1, uap=0xe6aecd04) at /usr/src/sys/kern/vfs_syscalls.c:973
        error = 0
#18 0xc06a4db2 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134557696, tf_esi = 0, tf_ebp = -1077944584, tf_isp = -424751772, tf_ebx = 673109172, tf_edx = 0, tf_ecx = 0, tf_eax = 5, tf_trapno = 0, tf_err = 2, tf_eip = 673895975, tf_cs = 51, tf_eflags = 582, tf_esp = -1077944612, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:983
        params = 0xbfbfdee0 <Address 0xbfbfdee0 out of bounds>
        callp = (struct sysent *) 0xc06f5c9c
        td = (struct thread *) 0xc53e3d80
        p = (struct proc *) 0xc548d860
        orig_tf_eflags = 582
        sticks = 37
        error = 0
        narg = 3
        args = {672952482, 2, 0, 671821798, 134526336, 0, -424751828, -1066830998}
---Type <return> to continue, or q <return> to quit---
        code = 5
#19 0xc06908ef in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
No locals.
#20 0x00000033 in ?? ()
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)
(kgdb) quit


###########################################################
###  My dmesg
###########################################################
$ cat /var/run/dmesg.boot
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-STABLE #1: Wed Jan 17 15:25:03 MSK 2007
    root@inspirra.localdomain:/usr/obj/usr/src/sys/INSPIRRA
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Sempron(tm) Processor 2800+ (1603.36-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0x40ff2  Stepping = 2
  Features=0x78bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2>
  Features2=0x2001<SSE3,CX16>
  AMD Features=0xea500800<SYSCALL,NX,MMX+,FFXSR,RDTSCP,LM,3DNow+,3DNow>
  AMD Features2=0x19<LAHF,<b3>,CR8>
real memory  = 1005518848 (958 MB)
avail memory = 968347648 (923 MB)
ACPI APIC Table: <Nvidia ASUSACPI>
ioapic0 <Version 1.1> irqs 0-23 on motherboard
netsmb_dev: loaded
acpi0: <Nvidia ASUSACPI> on motherboard
acpi_bus_number: can't get _ADR
acpi_bus_number: can't get _ADR
acpi_bus_number: can't get _ADR
acpi_bus_number: can't get _ADR
acpi0: Power Button (fixed)
acpi_bus_number: can't get _ADR
acpi_bus_number: can't get _ADR
acpi_bus_number: can't get _ADR
acpi_bus_number: can't get _ADR
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pci0: <memory, RAM> at device 0.0 (no driver attached)
pci0: <memory, RAM> at device 0.1 (no driver attached)
pci0: <memory, RAM> at device 0.2 (no driver attached)
pci0: <memory, RAM> at device 0.3 (no driver attached)
pci0: <memory, RAM> at device 0.4 (no driver attached)
pci0: <memory, RAM> at device 0.5 (no driver attached)
pci0: <memory, RAM> at device 0.6 (no driver attached)
pci0: <memory, RAM> at device 0.7 (no driver attached)
pcib1: <ACPI PCI-PCI bridge> at device 2.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> at device 3.0 on pci0
pci2: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> at device 4.0 on pci0
pci3: <ACPI PCI bus> on pcib3
nvidia0: <GeForce 6150> mem 0xfc000000-0xfcffffff,0xd0000000-0xdfffffff,0xfb000000-0xfbffffff irq 16 at device 5.0 on pci0
nvidia0: [GIANT-LOCKED]
pci0: <memory, RAM> at device 9.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 10.0 on pci0
isa0: <ISA bus> on isab0
nfsmb0: <nForce2/3/4 MCP SMBus Controller> port 0x4c00-0x4c3f,0x4c40-0x4c7f at device 10.1 on pci0
smbus0: <System Management Bus> on nfsmb0
nfsmb1: <nForce2/3/4 MCP SMBus Controller> on nfsmb0
smbus1: <System Management Bus> on nfsmb1
pci0: <memory, RAM> at device 10.2 (no driver attached)
ohci0: <OHCI (generic) USB controller> mem 0xfe02f000-0xfe02ffff at device 11.0 on pci0
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: SMM does not respond, resetting
usb0: <OHCI (generic) USB controller> on ohci0
usb0: USB revision 1.0
uhub0: nVidia OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 8 ports with 8 removable, self powered
ehci0: <EHCI (generic) USB 2.0 controller> mem 0xfe02e000-0xfe02e0ff at device 11.1 on pci0
ehci0: [GIANT-LOCKED]
usb1: EHCI version 1.0
usb1: companion controller, 8 ports each: usb0
usb1: <EHCI (generic) USB 2.0 controller> on ehci0
usb1: USB revision 2.0
uhub1: nVidia EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub1: 8 ports with 8 removable, self powered
atapci0: <nVidia nForce MCP51 UDMA133 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xf400-0xf40f at device 13.0 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
atapci1: <nVidia nForce MCP51 SATA300 controller> port 0x9f0-0x9f7,0xbf0-0xbf3,0x970-0x977,0xb70-0xb73,0xe000-0xe00f mem 0xfe02d000-0xfe02dfff irq 20 at device 14.0 on pci0
ata2: <ATA channel 0> on atapci1
ata3: <ATA channel 1> on atapci1
atapci2: <nVidia nForce MCP51 SATA300 controller> port 0x9e0-0x9e7,0xbe0-0xbe3,0x960-0x967,0xb60-0xb63,0xcc00-0xcc0f mem 0xfe02c000-0xfe02cfff irq 21 at device 15.0 on pci0
ata4: <ATA channel 0> on atapci2
ata5: <ATA channel 1> on atapci2
pcib4: <ACPI PCI-PCI bridge> at device 16.0 on pci0
pci4: <ACPI PCI bus> on pcib4
vge0: <VIA Networking Gigabit Ethernet> port 0x9c00-0x9cff mem 0xfdbff000-0xfdbff0ff irq 16 at device 8.0 on pci4
miibus0: <MII bus> on vge0
ciphy0: <Cicada CS8201 10/100/1000TX PHY> on miibus0
ciphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
vge0: Ethernet address: 00:a0:c5:30:50:6d
pcm0: <Creative EMU10K1> port 0x9800-0x981f irq 17 at device 9.0 on pci4
pcm0: <SigmaTel STAC9708/11 AC97 Codec>
pci0: <multimedia> at device 16.1 (no driver attached)
pci0: <bridge> at device 20.0 (no driver attached)
acpi_tz0: <Thermal Zone> on acpi0
speaker0: <PC speaker> port 0x61 on acpi0
fdc0: <floppy drive controller> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> flags 0x4 irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model MouseMan+, device ID 0
pmtimer0 on isa0
orm0: <ISA Option ROM> at iomem 0xd0000-0xd3fff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
ppc0: parallel port not found.
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
ubt0: Broadcom Corp Jabra - A320s, rev 2.00/1.00, addr 2
ubt0: Broadcom Corp Jabra - A320s, rev 2.00/1.00, addr 2
ubt0: Interface 0 endpoints: interrupt=0x81, bulk-in=0x82, bulk-out=0x2
ubt0: Interface 1 (alt.config 5) endpoints: isoc-in=0x83, isoc-out=0x3; wMaxPacketSize=49; nframes=6, buffer size=294
Timecounter "TSC" frequency 1603357185 Hz quality 800
Timecounters tick every 1.000 msec
ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding enabled, default to deny, logging limited to 100 packets/entry by default
ad0: 114473MB <Seagate ST3120026A 3.06> at ata0-master UDMA100
acd0: DVDR <Optiarc DVD RW AD-7173A/1-01> at ata1-master UDMA66
ad4: 76319MB <Seagate ST380811AS 3.AAE> at ata2-master SATA150
ad8: 238475MB <Seagate ST3250620NS 3.AEE> at ata4-master SATA150
cd0 at ata1 bus 0 target 0 lun 0
cd0: <Optiarc DVD RW AD-7173A 1-01> Removable CD-ROM SCSI-0 device
cd0: 66.000MB/s transfers
cd0: Attempt to query device size failed: NOT READY, Medium not present
Trying to mount root from ufs:/dev/ad4s1a


###########################################################
### Additional information.
###########################################################
$ pkg_info -E hal-0* -E xorg-s*
hal-0.5.8.20070104
xorg-server-6.9.0_5



>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-x11 
Responsible-Changed-By: remko 
Responsible-Changed-When: Thu Jan 18 09:08:42 UTC 2007 
Responsible-Changed-Why:  
This might have something to do with the HAL daemon, could the 
x11 team take a look at this please? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=108078 
Responsible-Changed-From-To: freebsd-x11->freebsd-gnome 
Responsible-Changed-By: remko 
Responsible-Changed-When: Thu Jan 18 11:01:28 UTC 2007 
Responsible-Changed-Why:  
Pav notified me that this should go to gnome instead of to x11. Thanks 
pav. 

Responsible-Changed-From-To: freebsd-gnome->gnome 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Jan 18 11:10:01 UTC 2007 
Responsible-Changed-Why:  
Canonicalize assignment. 

Responsible-Changed-From-To: gnome->freebsd-bugs 
Responsible-Changed-By: jylefort 
Responsible-Changed-When: Thu Jan 18 17:24:18 UTC 2007 
Responsible-Changed-Why:  
It is a kernel bug. 

State-Changed-From-To: open->feedback 
State-Changed-By: kib 
State-Changed-When: Fri Jan 19 21:08:19 UTC 2007 
State-Changed-Why:  
I examined similar (not to say the same) backtraces and I am sure that
the problem is caused by the nvidia driver. Invalid reference counting for
cloned devices in the dev_clone handler destroys the devfs list of devices,
and consequent access to the /dev mount point causes a read from freed memory
and traversal of the destroyed list.

Please, remove the nvidia driver from the system, and report whether the
panics disappear.

Responsible-Changed-From-To: freebsd-bugs->kib 
Responsible-Changed-By: kib 
Responsible-Changed-When: Fri Jan 19 21:12:27 UTC 2007 
Responsible-Changed-Why:  
I will take it (and close it if the nvidia driver is confirmed
as the cause).

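
A userspace model of the failure mode described in kib's analysis above, added here as an illustration (it is not FreeBSD or nvidia driver code, and struct node, clone_dev and the other names are hypothetical). An unbalanced reference release frees an entry that is still linked; a read-only consistency walk and a validated unlink catch it before a TAILQ_REMOVE-style store goes through the stale back-pointer.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8

/* Hypothetical device entry; next/prevp mirror TAILQ's tqe_next/tqe_prev. */
struct node {
    struct node  *next;
    struct node **prevp;   /* address of the pointer that points at us */
    int           refs;
    int           live;    /* 0 once the slot has been freed */
};

struct list { struct node *first; struct node **lastp; };
static struct node pool[POOL_SIZE];  /* fixed pool keeps freed slots inspectable */

/* Drop one reference; the last one frees the slot. Zeroing models the
 * allocator taking the memory back, link fields included. */
static void node_rel(struct node *n)
{
    if (--n->refs == 0)
        memset(n, 0, sizeof(*n));
}

/* Tail insert; the list takes its own reference on the node. */
static void list_insert_tail(struct list *l, struct node *n)
{
    n->refs++;
    n->next = NULL;
    n->prevp = l->lastp;
    *l->lastp = n;
    l->lastp = &n->next;
}

/* Read-only walk that counts invariant violations. */
static int list_check(struct list *l)
{
    int bad = 0, steps = 0;
    struct node **pp = &l->first;
    for (struct node *n = l->first; n != NULL; n = n->next) {
        if (++steps > POOL_SIZE)
            return bad + 1;                  /* cycle: stop walking */
        bad += (!n->live || n->refs <= 0);   /* linked but already freed */
        bad += (n->prevp != pp);             /* back-link does not match */
        pp = &n->next;
    }
    return bad + (l->lastp != pp);
}

/* TAILQ_REMOVE-style unlink that validates the node first. Unchecked, the
 * final store would go through n->prevp, which is NULL for a freed node. */
static int list_remove(struct list *l, struct node *n)
{
    if (!n->live || n->prevp == NULL || *n->prevp != n)
        return -1;
    if (n->next != NULL)
        n->next->prevp = n->prevp;
    else
        l->lastp = n->prevp;
    *n->prevp = n->next;
    node_rel(n);                             /* drop the list's reference */
    return 0;
}

/* Constructed clone handler: create a node, link it, drop the creator's
 * reference. extra_release adds the unbalanced second release. */
static struct node *clone_dev(struct list *l, int slot, int extra_release)
{
    struct node *n = &pool[slot];
    *n = (struct node){ .refs = 1, .live = 1 };   /* creator's reference */
    list_insert_tail(l, n);
    node_rel(n);
    if (extra_release)
        node_rel(n);              /* frees a node the list still points at */
    return n;
}

/* Returns list_check()'s count; *remove_rc receives list_remove()'s result. */
int run_scenario(int extra_release, int *remove_rc)
{
    struct list l = { NULL, NULL };
    l.lastp = &l.first;
    memset(pool, 0, sizeof(pool));
    clone_dev(&l, 0, 0);                     /* one healthy entry first */
    struct node *last = clone_dev(&l, 1, extra_release);
    int violations = list_check(&l);
    *remove_rc = list_remove(&l, last);
    return violations;
}

int main(void)
{
    int rc, v = run_scenario(0, &rc);
    printf("balanced:     violations=%d remove=%d\n", v, rc);
    v = run_scenario(1, &rc);
    printf("over-release: violations=%d remove=%d\n", v, rc);
    return 0;
}
```

In the over-release case the freed entry is flagged twice, once for being linked while freed and once for its wiped back-link, and the unlink is refused instead of writing through a NULL pointer.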

From: Andrew Muhametshin <andrew@dobrohot.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/108078: [hal]: Periodic crashes of system at working HAL
Date: Sat, 20 Jan 2007 14:00:01 +0300

  > Please, remove the nvidia driver from the system, and report whether the
  > panics disappear.
 
 Without the nvidia-driver (9746), the panic does not appear.
 The system crash most often happens when switching (Ctrl+Alt+F1..F9)
 between the console and X (but not every time -- sometimes it switches
 normally, and other times there is a crash).
 
 #############################################################################
 ### Crash when switching from the console back to X
 #############################################################################
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x1
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc0492170
 stack pointer           = 0x28:0xe69497e8
 frame pointer           = 0x28:0xe6949814
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 3
 current process         = 1183 (Xorg)
 trap number             = 12
 panic: page fault
 Uptime: 20h5m54s
 Dumping 958 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 958MB (245232 pages) 942 926 910 894 878 862 846 830 814 798 782 766 750 734 718 702 686 670 654 638 622 606 590 574 558 542 526 510 494 478 462 446 430 414 398 382 366 350 334 318 302 286 270 254 238 222 206 190 174 158 142 126 110 94 78 62 46 30 14
 
 #0  doadump () at pcpu.h:165
 165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) list *0xc0492170
 0xc0492170 is in devfs_populate_loop (/usr/src/sys/fs/devfs/devfs_devs.c:408).
 403                      */
 404                     if (cleanup)
 405                             continue;
 406                     KASSERT((cdp->cdp_flags & CDP_ACTIVE), ("Bogons, I tell ya'!"));
 407
 408                     if (dm->dm_idx <= cdp->cdp_maxdirent &&
 409                         cdp->cdp_dirents[dm->dm_idx] != NULL) {
 410                             de = cdp->cdp_dirents[dm->dm_idx];
 411                             KASSERT(cdp == de->de_cdp, ("inconsistent cdp"));
 412                             continue;
 (kgdb) bt
 #0  doadump () at pcpu.h:165
 #1  0xc04fb9b4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #2  0xc04fbce6 in panic (fmt=0xc06c60f6 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
 #3  0xc06a4b7c in trap_fatal (frame=0xe69497a8, eva=0) at /usr/src/sys/i386/i386/trap.c:837
 #4  0xc06a4882 in trap_pfault (frame=0xe69497a8, usermode=0, eva=1) at /usr/src/sys/i386/i386/trap.c:745
 #5  0xc06a444d in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = -426468376, tf_esi = -989282304, tf_ebp = -426469356, tf_isp = -426469420, tf_ebx = 0, tf_edx = 0, tf_ecx = -992924288, tf_eax = 1, tf_trapno = 12, tf_err = 0, tf_eip = -1068949136, tf_cs = 32, tf_eflags = 2175639, tf_esp = -1059772343, tf_ss = -426469360}) at /usr/src/sys/i386/i386/trap.c:435
 #6  0xc0690a0a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 #7  0xc0492170 in devfs_populate_loop (dm=0xc4d12d80, cleanup=0) at /usr/src/sys/fs/devfs/devfs_devs.c:408
 #8  0xc0492385 in devfs_populate (dm=0xc4d12d80) at /usr/src/sys/fs/devfs/devfs_devs.c:486
 #9  0xc0494a8e in devfs_lookupx (ap=0x1, dm_unlock=0xe6949920) at /usr/src/sys/fs/devfs/devfs_vnops.c:615
 #10 0xc0494cdc in devfs_lookup (ap=0xe694999c) at /usr/src/sys/fs/devfs/devfs_vnops.c:666
 #11 0xc06b5138 in VOP_LOOKUP_APV (vop=0xc06f24e0, a=0xe694999c) at vnode_if.c:99
 #12 0xc055d84b in lookup (ndp=0xe6949bc0) at vnode_if.h:56
 #13 0xc055cfe8 in namei (ndp=0xe6949bc0) at /usr/src/sys/kern/vfs_lookup.c:211
 #14 0xc0575a47 in vn_open_cred (ndp=0xe6949bc0, flagp=0xe6949cc0, cmode=32, cred=0xc5e94580, fdidx=12)
    at /usr/src/sys/kern/vfs_vnops.c:183
 #15 0xc0575733 in vn_open (ndp=0xc4d12d80, flagp=0x1, cmode=1, fdidx=1) at /usr/src/sys/kern/vfs_vnops.c:91
 #16 0xc056c7a8 in kern_open (td=0xc5395c00, path=0x1 <Address 0x1 out of bounds>, pathseg=UIO_SYSSPACE, flags=3,
    mode=-1077943776) at /usr/src/sys/kern/vfs_syscalls.c:1009
 #17 0xc056c6a6 in open (td=0x1, uap=0xe6949d04) at /usr/src/sys/kern/vfs_syscalls.c:973
 #18 0xc06a4f22 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 0, tf_esi = 137482240, tf_ebp = -1077943624, tf_isp = -426467996, tf_ebx = 136396288, tf_edx = 12, tf_ecx = -1077944208, tf_eax = 5, tf_trapno = 0, tf_err = 2, tf_eip = 674088487, tf_cs = 51, tf_eflags = 2110102, tf_esp = -1077943844, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:983
 #19 0xc0690a5f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
 #20 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 
 
 
Responsible-Changed-From-To: kib->danfe 
Responsible-Changed-By: kib 
Responsible-Changed-When: Mon Jan 22 11:52:21 UTC 2007 
Responsible-Changed-Why:  
Over to x11/nvidia-driver maintainer. I expect that the problem will be 
resolved with next version of nvidia driver. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=108078 

From: Andrew Muhametshin <andrew@dobrohot.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/108078: [hal]: Periodic crashes of system at working HAL
Date: Mon, 05 Feb 2007 04:35:02 +0300

 I do not know whether the current problem relates to the previous one, but
 on an attempt to mount a DVD, the system crashed.
 
 Also, each time I attempt to switch off the system, the system crashes.
 Please tell me whether there is a way to eliminate this problem;
 otherwise, it is impossible to work with constant crashes.
 
 
 ###############################################################################
 ### Crash of system at attempt to mount DVD
 ###############################################################################
 $ kgdb ./kernel.debug /var/crash/vmcore.1
 kgdb: kvm_nlist(_stopped_cpus):
 kgdb: kvm_nlist(_stoppcbs):
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address   = 0x0
 fault code              = supervisor read, page not present
 instruction pointer     = 0x20:0xc04b6439
 stack pointer           = 0x28:0xe8af5754
 frame pointer           = 0x28:0xe8af5780
 code segment            = base 0x0, limit 0xfffff, type 0x1b
                          = DPL 0, pres 1, def32 1, gran 1
 processor eflags        = interrupt enabled, resume, IOPL = 0
 current process         = 35365 (bash)
 trap number             = 12
 panic: page fault
 Uptime: 4d4h26m46s
 Dumping 958 MB (2 chunks)
    chunk 0: 1MB (159 pages) ... ok
    chunk 1: 958MB (245232 pages) 942 926 910 894 878 862 (CTRL-C to 
 abort)  846 830 814 798 (CTRL-C to abort)  (CTRL-C to abort)  (CTRL-C to 
 abort)  782 766 750 (CTRL-C to abort)  734 718 702 686 670 654 638 622 
 606 590 574 558 542 526 510 494 478 462 446 430 414 398 382 366 350 334 
 318 302 286 270 254 238 222 206 190 174 158 142 126 110 94 78 62 46 30 14
 
 #0  doadump () at pcpu.h:165
 165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) list *0xc04b6439
 0xc04b6439 is in g_io_request (/usr/src/sys/geom/geom_io.c:275).
 270                     KASSERT(bp->bio_length % cp->provider->sectorsize == 0,
 271                         ("wrong length %jd for sectorsize %u",
 272                         bp->bio_length, cp->provider->sectorsize));
 273             }
 274
 275             g_trace(G_T_BIO, "bio_request(%p) from %p(%s) to %p(%s) cmd %d",
 276                 bp, cp, cp->geom->name, pp, pp->name, bp->bio_cmd);
 277
 278             bp->bio_from = cp;
 279             bp->bio_to = pp;
 (kgdb) bt full
 #0  doadump () at pcpu.h:165
 No locals.
 #1  0xc04fb684 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
          first_buf_printf = 1
 #2  0xc04fb9b6 in panic (fmt=0xc06c5733 "%s") at /usr/src/sys/kern/kern_shutdown.c:565
          td = (struct thread *) 0xc6094000
          bootopt = 260
          newpanic = 0
          ap = 0xc6094000 "H&h"
          buf = "page fault", '\0' <repeats 245 times>
 #3  0xc06a40ec in trap_fatal (frame=0xe8af5714, eva=0) at /usr/src/sys/i386/i386/trap.c:837
          code = 40
          type = 12
          ss = 40
          esp = 0
          softseg = {ssd_base = 0, ssd_limit = 1048575, ssd_type = 27, ssd_dpl = 0, ssd_p = 1, ssd_xx = 4, ssd_xx1 = 0,
    ssd_def32 = 1, ssd_gran = 1}
          msg = 0x0
 #4  0xc06a3df2 in trap_pfault (frame=0xe8af5714, usermode=0, eva=0) at /usr/src/sys/i386/i386/trap.c:745
          va = 0
          vm = (struct vmspace *) 0x0
          map = 0xc6829b90
          rv = 1
          ftype = 1 '\001'
          td = (struct thread *) 0xc6094000
          p = (struct proc *) 0xc6dc2648
 #5  0xc06a39bd in trap (frame=
        {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = 0, tf_ebp = -391161984, tf_isp = -391162048, tf_ebx = -972216652, tf_edx = 2048, tf_ecx = 0, tf_eax = 1, tf_trapno = 12, tf_err = 0, tf_eip = -1068800967, tf_cs = 32, tf_eflags = 66178, tf_esp = 1, tf_ss = -663214896}) at /usr/src/sys/i386/i386/trap.c:435
          td = (struct thread *) 0xc6094000
          p = (struct proc *) 0xc6dc2648
          sticks = 3903805200
          i = 0
          ucode = 0
          type = 12
          code = 0
          eva = 0
 #6  0xc068ff5a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
 ---Type <return> to continue, or q <return> to quit---
 No locals.
 #7  0xc04b6439 in g_io_request (bp=0xc60d26b4, cp=0xc69095c0) at /usr/src/sys/geom/geom_io.c:275
          pp = (struct g_provider *) 0x0
 #8  0xc04b9266 in g_vfs_strategy (bo=0x1, bp=0xd87824d0) at /usr/src/sys/geom/geom_vfs.c:106
          cp = (struct g_consumer *) 0xc69095c0
          bip = (struct bio *) 0x1
 #9  0xc04c2beb in cd9660_strategy (ap=0x1) at /usr/src/sys/isofs/cd9660/cd9660_vnops.c:756
          bp = (struct buf *) 0xd87824d0
          vp = (struct vnode *) 0x1
          ip = (struct iso_node *) 0xc7baab00
          bo = (struct bufobj *) 0x1
 #10 0xc06b5920 in VOP_STRATEGY_APV (vop=0xc06f48e0, a=0xe8af57d8) at vnode_if.c:1796
          rc = 1
 #11 0xc0556b4e in bufstrategy (bo=0xc856c830, bp=0x1) at vnode_if.h:928
          vp = (struct vnode *) 0x800
 #12 0xc0550214 in breadn (vp=0xc856c770, blkno=Unhandled dwarf expression opcode 0x93
 ) at buf.h:426
          bp = (struct buf *) 0xd87824d0
          rabp = (struct buf *) 0x0
          i = 0
          rv = 0
          readwait = 0
 #13 0xc055011c in bread (vp=0x1, blkno=Unhandled dwarf expression opcode 0x93
 ) at /usr/src/sys/kern/vfs_bio.c:719
 No locals.
 #14 0xc04be9d3 in cd9660_blkatoff (vp=0xc856c770, offset=1396, res=0x0, bpp=0xe8af58fc)
      at /usr/src/sys/isofs/cd9660/cd9660_lookup.c:407
          ip = (struct iso_node *) 0xc7baab00
          imp = (struct iso_mnt *) 0xc688c600
          bp = (struct buf *) 0xd87824d0
          lbn = Unhandled dwarf expression opcode 0x93
 (kgdb)
 ###############################################################################
 ### END
 ###############################################################################
 

From: Craig Rodrigues <rodrigc@crodrigues.org>
To: Andrew Muhametshin <andrew@dobrohot.org>
Cc: bug-followup@freebsd.org, Eugene Grosbein <eugen@grosbein.pp.ru>,
        danfe@freebsd.org
Subject: Re: misc/108078: Periodic crashes of system at working HAL
Date: Tue, 6 Feb 2007 18:11:42 -0500

 Hi,
 
 Can you upgrade your nVidia driver to
 9746, and try the patch available at:
 
 http://www.nvnews.net/vbulletin/showpost.php?p=1143321&postcount=27
 
 The full thread is here:
 http://www.nvnews.net/vbulletin/showthread.php?p=1143321#post1143321
 
 I received this information from freebsd-gfx-bugs@nvidia.com which
 is the e-mail address for reporting FreeBSD nVidia graphics driver 
 bugs back to nVidia.
 
 -- 
 Craig Rodrigues        
 rodrigc@crodrigues.org
State-Changed-From-To: feedback->closed 
State-Changed-By: linimon 
State-Changed-When: Tue Jun 12 07:52:58 UTC 2007 
State-Changed-Why:  
Feedback timeout (> 4 months). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=108078 
>Unformatted:
