From hsu@clinet.fi  Mon Oct 28 05:45:38 1996
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA25854
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 28 Oct 1996 05:44:07 -0800 (PST)
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.7.6/8.6.4) with ESMTP id PAA25750 for <FreeBSD-gnats-submit@freebsd.org>; Mon, 28 Oct 1996 15:41:33 +0200 (EET)
Received: (root@localhost) by katiska.clinet.fi (8.7.6/8.6.4) id PAA05955; Mon, 28 Oct 1996 15:41:32 +0200 (EET)
Message-Id: <199610281341.PAA05955@katiska.clinet.fi>
Date: Mon, 28 Oct 1996 15:41:32 +0200 (EET)
From: Heikki Suonsivu <hsu@clinet.fi>
Reply-To: hsu@clinet.fi
To: FreeBSD-gnats-submit@freebsd.org
Subject: vm_page_alloc(ZERO): missing page on free queue
X-Send-Pr-Version: 3.2

>Number:         1914
>Category:       kern
>Synopsis:       vm_page_alloc(ZERO): missing page on free queue
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 28 05:50:02 PST 1996
>Closed-Date:    Mon Jan 13 15:48:55 PST 1997
>Last-Modified:  Mon Jan 13 15:50:02 PST 1997
>Originator:     Heikki Suonsivu
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
Clinet, Espoo, Finland
>Environment:

WWW server (relatively high use, couple of hits per second, ~100 virtual
servers).  -current from 1 October (or sligtly before).  This one also runs
a proxy (squid) and has two nfs exported disks.

>Description:

hsu#varasto.clinet.fi Mon 3: gdb -k kernel.5 vmcore.5
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), 
Copyright 1994 Free Software Foundation, Inc...
IdlePTD 26c000
current pcb at 20e470
panic: vm_page_alloc(ZERO): missing page on free queue

#0  boot (howto=256) at ../../kern/kern_shutdown.c:237
237                                     dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:237
#1  0xf01127b2 in panic (
    fmt=0xf01c1faa "vm_page_alloc(ZERO): missing page on free queue\n")
    at ../../kern/kern_shutdown.c:361
#2  0xf01c21e1 in vm_page_alloc (object=0xf4502c80, pindex=958, page_req=3)
    at ../../vm/vm_page.c:785
#3  0xf01cb126 in pmap_page_alloc (object=0xf4502c80, pindex=958)
    at ../../i386/i386/pmap.c:676
#4  0xf01cb5da in _pmap_allocpte (pmap=0xf4148764, ptepindex=958)
    at ../../i386/i386/pmap.c:931
#5  0xf01cb71b in pmap_allocpte (pmap=0xf4148764, va=4022325248)
    at ../../i386/i386/pmap.c:1044
#6  0xf01ccb56 in pmap_copy (dst_pmap=0xf4148764, src_pmap=0xf4264964, 
    dst_addr=4022198272, len=131072, src_addr=4022198272)
    at ../../i386/i386/pmap.c:2228
#7  0xf01be7f2 in vm_map_copy_entry (src_map=0xf4264900, dst_map=0xf4148700, 
    src_entry=0xfa3b0c60, dst_entry=0xfa423c3c) at ../../vm/vm_map.c:1955
#8  0xf01be967 in vmspace_fork (vm1=0xf4264900) at ../../vm/vm_map.c:2046
#9  0xf01bb8ac in vm_fork (p1=0xf45a0c00, p2=0xf45b9800)
    at ../../vm/vm_glue.c:203
#10 0xf010c8ef in fork1 (p1=0xf45a0c00, flags=20, retval=0xefbfff84)
    at ../../kern/kern_fork.c:340
#11 0xf010c410 in fork (p=0xf45a0c00, uap=0xefbfff94, retval=0xefbfff84)
---Type <return> to continue, or q <return> to quit---
    at ../../kern/kern_fork.c:91
#12 0xf01cef67 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 389120, 
      tf_esi = 362884, tf_ebp = -272638856, tf_isp = -272629788, tf_ebx = 0, 
      tf_edx = 389120, tf_ecx = 362884, tf_eax = 2, tf_trapno = 12, 
      tf_err = 7, tf_eip = 180613, tf_cs = 31, tf_eflags = 514, 
      tf_esp = -272638884, tf_ss = 39}) at ../../i386/i386/trap.c:891
#13 0xf01c6f85 in Xsyscall ()
#14 0x6a82 in ?? ()
#15 0x5ee9 in ?? ()
#16 0x5c1d in ?? ()
#17 0xd03a in ?? ()
#18 0x107f in ?? ()
(kgdb) up
#1  0xf01127b2 in panic (
    fmt=0xf01c1faa "vm_page_alloc(ZERO): missing page on free queue\n")
    at ../../kern/kern_shutdown.c:361
361             boot(bootopt);
(kgdb) list
356
357     #if defined(DDB)
358             if (debugger_on_panic)
359                     Debugger ("panic");
360     #endif
361             boot(bootopt);
362     }
363
364     /*
365      * Two routines to handle adding/deleting items on the
(kgdb) up
#2  0xf01c21e1 in vm_page_alloc (object=0xf4502c80, pindex=958, page_req=3)
    at ../../vm/vm_page.c:785
785                                     splx(s);
(kgdb) list
780                                     panic("vm_page_alloc(ZERO): missing page on free queue\n");
781     #endif
782                     } else {
783                             m = vm_page_select(object, pindex, PQ_CACHE);
784                             if (m == NULL) {
785                                     splx(s);
786     #if defined(DIAGNOSTIC)
787                                     if (cnt.v_cache_count > 0)
788                                             printf("vm_page_alloc(ZERO): missing pages on cache queue: %d\n", cnt.v_cache_count);
789     #endif
(kgdb) print cnt.v_cache_count
$1 = 3445
(kgdb) print *m
$2 = {pageq = {tqe_next = 0x7205c766, tqe_prev = 0x34000004}, hashq = {
    tqe_next = 0xe5895512, tqe_prev = 0x8c9d026a}, listq = {
    tqe_next = 0x8ee08ed8, tqe_prev = 0xc2e8e8}, object = 0xbc0000, 
  pindex = 3892322304, phys_addr = 331, queue = 4281, flags = 9773, 
  pc = 48896, wire_count = 54780, hold_count = 32, act_count = 41 ')', 
  busy = 249 '', valid = 49 '1', dirty = 192 ''}
(kgdb) print object
$3 = (struct vm_object *) 0xf4502c80
(kgdb) print *object
$4 = {object_list = {tqe_next = 0x0, tqe_prev = 0xf452e780}, cached_list = {
    tqe_next = 0xdeadc0de, tqe_prev = 0xdeadc0de}, shadow_head = {
    tqh_first = 0x0, tqh_last = 0xf4502c90}, shadow_list = {
    tqe_next = 0xdeadc0de, tqe_prev = 0xdeadc0de}, memq = {
    tqh_first = 0xf02c4a08, tqh_last = 0xf02d2d98}, type = OBJT_DEFAULT, 
  size = 960, ref_count = 1, shadow_count = 0, pg_color = 13, flags = 0, 
  paging_in_progress = 0, behavior = 0, resident_page_count = 3, 
  paging_offset = 0x0000000000000000, backing_object = 0x0, 
  backing_object_offset = 0x0000000000000000, last_read = 0, 
  page_hint = 0xf02d2d88, pager_object_list = {tqe_next = 0x0, 
    tqe_prev = 0xf4524be4}, handle = 0x0, un_pager = {vnp = {
      vnp_size = 0x0000000000000001}, devp = {devp_pglist = {tqh_first = 0x1, 
        tqh_last = 0x0}}, swp = {swp_nblocks = 1, swp_allocsize = 0, 
      swp_blocks = 0x0, swp_poip = 0}}}
(kgdb) print pindex
$5 = 958
(kgdb)

kernel and dump are

ftp://ftp.clinet.fi/pub/FreeBSD/crashdumps/varasto/*.5.gz

(within 15 minutes of mailing this PR)

>How-To-Repeat:

I do not know, but perhaps described system might be a good candidate.

>Fix:
	

-- 
Heikki Suonsivu, T{ysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-0-43542270 fax -4555276
>Release-Note:
>Audit-Trail:

From: "John S. Dyson" <toor@dyson.iquest.net>
To: hsu@clinet.fi
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/1914: vm_page_alloc(ZERO): missing page on free queue
Date: Mon, 28 Oct 1996 19:34:07 -0500 (EST)

 > 
 > 
 > >Number:         1914
 > >Category:       kern
 > >Synopsis:       vm_page_alloc(ZERO): missing page on free queue
 > >Confidential:   no
 > >Severity:       serious
 > >Priority:       high
 > >Responsible:    freebsd-bugs
 > >State:          open
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Mon Oct 28 05:50:02 PST 1996
 > >Last-Modified:
 > >Originator:     Heikki Suonsivu
 > >Organization:
 > Clinet, Espoo, Finland
 > >Release:        FreeBSD 2.2-CURRENT i386
 > >Environment:
 > 
 Heikki,
 	There is an off by one error in that version of the code.
 On about line 693 in vm_page.c, the conditional in the for
 loop
 	(i + j) > 0
 
 should be
 
 	(i + j) >= 0
 
 
 There is also the same error on about line 604 where there is
 a for loop comparison:
 
 	i > 0;
 
 That should be:
 
 	i >= 0;
 
 Give that a shot!!!
 
 John
 
State-Changed-From-To: open->closed 
State-Changed-By: scrappy 
State-Changed-When: Mon Jan 13 15:48:55 PST 1997 
State-Changed-Why:  
Originator believes that this is fixed 

>Unformatted:
