Current-Users archive
Re: OSX virtualbox 3 beta still dumps core on NetBSD 5.0 release .iso
On Sun, Jun 21, 2009 at 02:04:58PM +0100, Chavdar Ivanov wrote:
> 2009/6/20 David Young <dyoung%pobox.com@localhost>:
> > On Sat, Jun 20, 2009 at 02:59:06PM +0100, Chavdar Ivanov wrote:
> >> On my (32-bit) laptop, I always get:
> >>
> >> ...
> >> attimer0: attached to pcppi0
> >> uvm_fault(0xc09e6a40, 0, 2) -> 0xe
> >> fatal page fault in supervisor mode
> >> trap type 6 code 2 eip c0100d69 cs 8 eflags 10246 cr2 0 ilevel 0
> >> kernel: supervisor trap page fault, code=0
> >> Stopped in pid 0.12 (system) at netbsd:spllower+0x29: addl %eax,0(%eax)
> >> db{0} bt
> >> spllower(0,0,0,0,ca51c000,0,0,0,0,0) at netbsd:spllower+0x29
> >> wdc_drvprobe(ca51c0f0,ca51ed28,c0445437,ca1112a0,ca1112a0,0,ca51c000,ca50564c,c01ab230,ca1112a0)
> >> at netbsd:wdc_drvprobe+0x27
> >> atabus_thread(ca50564c,0,c01002cd,0,0,0,0,0) at netbsd:atabus_thread+0x65
> >> db{1}
> >
> > What are the registers?  (Type 'show registers'.)  On which line does
> > the exception occur?  (If you have a netbsd.gdb, run gdb on it and type
> > 'l *(wdc_drvprobe+0x27)'.)
> >
> > (FWIW, I don't see any such instruction as 'addl %eax,0(%eax)' in
> > spllower or cx8_spllower, but I am looking in -current, and IIRC you
> > are running 5.0.  Significantly, spllower is one of those routines
> > that is "patched" at boot, and sometimes emulations have broken binary
> > patching.)
>
> That's what it looks like; the first thing I did was to find the 'addl
> %eax,0(%eax)' instruction, but it wasn't there, so the two entries
> pointed to later in the VBox gripes suggest correctly the patching.
>
> The interesting bit is I seem not to be able to get it to execute
> twice the same thing - a few traces follow:
I suspect that the bug occurs when there is an interrupt or some other
asynchronous event simultaneous with the spllower() call.
On a Soekris net4801, I just had a look at spllower() in -current with
ddb. Note that I am examining spllower *after* it has been patched
with cx8_spllower. I see that there is no instruction starting at
spllower+0x29:
db{0}> x/i spllower,16
netbsd:spllower: movl 0x4(%esp),%ecx
netbsd:spllower+0x4: movl %fs:0x1fc,%edx
netbsd:spllower+0xb: cmpl %edx,%ecx
netbsd:spllower+0xd: pushl %ebx
netbsd:spllower+0xe: jnb netbsd:spllower+0x2f
netbsd:spllower+0x11: movl %fs:0x1f8,%eax
netbsd:spllower+0x17: testl %eax,%fs:0x22c(,%ecx,4)
netbsd:spllower+0x1f: movl %eax,%ebx
netbsd:spllower+0x21: jnz netbsd:spllower+0x31
netbsd:spllower+0x24: %fs:0x1f8
netbsd:spllower+0x2c: jnz netbsd:spllower+0x11
netbsd:spllower+0x2f: popl %ebx
netbsd:spllower+0x30: ret
netbsd:spllower+0x31: popl %ebx
netbsd:spllower+0x32: jmp netbsd:Xspllower
netbsd:spllower+0x37: movl %esi,%esi
netbsd:spllower+0x39: leal 0(%edi),%edi
netbsd:cx8_spllower: movl 0x4(%esp),%ecx
netbsd:cx8_spllower+0x4: movl %fs:0x1fc,%edx
netbsd:cx8_spllower+0xb: cmpl %edx,%ecx
netbsd:cx8_spllower+0xd: pushl %ebx
netbsd:cx8_spllower+0xe: jnb netbsd:cx8_spllower+0x2f
However, ddb does interpret the bytes at spllower+0x29 as an 'addl
%eax,0(%eax)' instruction:
db{0}> x/i spllower+0x29
netbsd:spllower+0x29: addl %eax,0(%eax)
I have a hunch that the kernel has jumped to some interrupt/trap
handler during spllower(), and then returned to the right instruction
plus-or-minus some offset.
Do you see, above, that ddb does not properly display the cmpxchg8b
instruction at spllower+0x24? Maybe VirtualBox does not correctly
interpret the instruction?
Dave
--
David Young OJC Technologies
dyoung%ojctech.com@localhost Urbana, IL * (217) 278-3933
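The argument in the message above (the faulting EIP, spllower+0x29, is not the start of any instruction in the ddb listing; it falls inside the cmpxchg8b at spllower+0x24, and decoding the bytes from that point yields the nonsense 'addl %eax,0(%eax)') can be checked mechanically. The following script is an added example, not code from the thread or from NetBSD: it parses the x/i listing quoted in the message, classifies a fault offset against the instruction boundaries, and then shows what a disassembler prints when it starts in the middle of the cmpxchg8b. The byte encoding of 'cmpxchg8b %fs:0x1f8' (0x64 prefix, opcode 0x0f 0xc7 /1, disp32-only ModRM) is derived from the standard IA-32 opcode map and is an assumption of this example, as are the function names; the listing text itself is the one from the message.

```python
# Added example (not part of the mailing-list thread): check whether a
# faulting EIP offset lands on an instruction boundary of a ddb 'x/i'
# listing, and show what the bytes in the middle of the cmpxchg8b
# instruction look like when decoded as a fresh instruction.
import re

# Sample input: the 'x/i spllower,16' listing quoted in the message
# (only the spllower part is needed; the first cx8_spllower line marks
# the end of the symbol).
DDB_LISTING = """\
netbsd:spllower: movl 0x4(%esp),%ecx
netbsd:spllower+0x4: movl %fs:0x1fc,%edx
netbsd:spllower+0xb: cmpl %edx,%ecx
netbsd:spllower+0xd: pushl %ebx
netbsd:spllower+0xe: jnb netbsd:spllower+0x2f
netbsd:spllower+0x11: movl %fs:0x1f8,%eax
netbsd:spllower+0x17: testl %eax,%fs:0x22c(,%ecx,4)
netbsd:spllower+0x1f: movl %eax,%ebx
netbsd:spllower+0x21: jnz netbsd:spllower+0x31
netbsd:spllower+0x24: %fs:0x1f8
netbsd:spllower+0x2c: jnz netbsd:spllower+0x11
netbsd:spllower+0x2f: popl %ebx
netbsd:spllower+0x30: ret
netbsd:spllower+0x31: popl %ebx
netbsd:spllower+0x32: jmp netbsd:Xspllower
netbsd:spllower+0x37: movl %esi,%esi
netbsd:spllower+0x39: leal 0(%edi),%edi
netbsd:cx8_spllower: movl 0x4(%esp),%ecx
"""

LINE_RE = re.compile(r"^netbsd:(\w+)(?:\+0x([0-9a-f]+))?:\s*(.*)$")


def parse_listing(text, symbol):
    """Return a list of (offset, instruction text) for one symbol, in
    listing order. Offsets are relative to the symbol, as ddb prints them."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == symbol:
            offset = int(m.group(2), 16) if m.group(2) else 0
            insns.append((offset, m.group(3)))
    return insns


def locate(insns, fault_off):
    """Classify a fault offset against the instruction boundaries.

    Returns ("boundary", start, text) when fault_off starts an instruction,
    ("inside", start, text) when it falls within the instruction starting
    at `start`, or ("beyond", None, None) when it is past the last listed
    instruction (whose length the listing does not reveal)."""
    for i, (start, text) in enumerate(insns):
        if fault_off == start:
            return ("boundary", start, text)
        if i + 1 < len(insns) and start < fault_off < insns[i + 1][0]:
            return ("inside", start, text)
    return ("beyond", None, None)


def encode_cmpxchg8b_fs(disp32):
    """Bytes of 'cmpxchg8b %fs:disp32' (assumed encoding from the IA-32
    opcode map, not taken from the page): FS override 0x64, opcode
    0x0f 0xc7 with ModRM /1 and disp32-only addressing (ModRM 0x0d),
    then the little-endian 32-bit displacement."""
    return bytes([0x64, 0x0f, 0xc7, 0x0d]) + disp32.to_bytes(4, "little")


REG32 = ["%eax", "%ecx", "%edx", "%ebx", "%esp", "%ebp", "%esi", "%edi"]


def decode_add_rm32_r32(buf):
    """Decode only the 'add r/m32, r32' form (opcode 0x01) with a plain
    register-indirect ModRM (mod == 0, rm not 4/5), which is all that is
    needed to reproduce the line ddb printed at spllower+0x29. Returns the
    AT&T text in ddb's style, or None if the bytes are something else."""
    if len(buf) < 2 or buf[0] != 0x01:
        return None
    modrm = buf[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0 or rm in (4, 5):
        return None
    return "addl %s,0(%s)" % (REG32[reg], REG32[rm])


def bogus_instruction_at(start, fault_off, insn_bytes):
    """What a disassembler prints when told to start at fault_off, an
    offset inside the instruction whose bytes begin at start."""
    return decode_add_rm32_r32(insn_bytes[fault_off - start:])


if __name__ == "__main__":
    insns = parse_listing(DDB_LISTING, "spllower")
    kind, start, text = locate(insns, 0x29)
    print("spllower+0x29 is %s instruction at +%#x: %s" % (kind, start, text))
    enc = encode_cmpxchg8b_fs(0x1f8)
    print("cmpxchg8b bytes:", enc.hex(), "-> decoded from +0x29:",
          bogus_instruction_at(start, 0x29, enc))
```

Under the assumed encoding the instruction at +0x24 is exactly 8 bytes long, which matches the gap to +0x2c in the listing, and the bytes reached at +0x29 are 01 00 00, i.e. the 'addl %eax,0(%eax)' that ddb showed in the trap message. That is the signature of a return address that is off by a few bytes rather than of a real instruction in the kernel, and it is consistent with the cr2 0 in the trap: a write through %eax is what that bogus instruction would do.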