netbsd-bugs: kern/35899: crashes in process exit with kernel page fault

Subject: kern/35899: crashes in process exit with kernel page fault
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <he@NetBSD.org>
List: netbsd-bugs
Date: 03/02/2007 21:50:00
>Number:         35899
>Category:       kern
>Synopsis:       uvm_fault in pmap_activate() called from uvm_proc_exit()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 02 21:50:00 +0000 2007
>Originator:     Havard Eidnes
>Release:        NetBSD 3.1_STABLE
>Organization:
	I try...
>Environment:
System: NetBSD quattro.urc.uninett.no 3.1_STABLE NetBSD 3.1_STABLE (QUATTRO) #1: Tue Nov 21 02:34:49 CET 2006  he@quattro.urc.uninett.no:/usr/obj/sys/arch/i386/compile/QUATTRO i386
Architecture: i386
Machine: i386
>Description:
	I have this 4-cpu i386 machine which I use for more or less
	continuous update + re-build runs of NetBSD.  Typically with
	2-3 weeks interval, this machine crashes with

uvm_fault(0xc08b86c0, 0xdeadb000, 0, 1) -> 0xe
kernel: page fault trap, code=0
Stopped in pid 20271.1 (sh) at  netbsd:pmap_activate+0x39:      movl    0x5c(%eax),%eax
db{3} trace
pmap_activate(d461c114,0,d284be9c,c03aa391,c08d3a78) at netbsd:pmap_activate+0x39
uvm_proc_exit(db5351e4,ce438260,0,246,0) at netbsd:uvm_proc_exit+0x36
exit1(d461c114,0,599,d461c114,d284bf64) at netbsd:exit1+0x256
sys_exit(d461c114,d284bf64,d284bf5c,c085184c,c039ccdb) at netbsd:sys_exit+0x23
syscall_plain() at netbsd:syscall_plain+0x1a5
--- syscall (number 1) ---
0xbdbac8c3:

	Some more output from the console log and my feeble attempts
	at narrowing down what the problem is:

db{3}> show reg
ds          0x10
es          0x10
fs          0x30
gs          0x10
edi         0xd461c114
esi         0xdb5351e4
ebp         0xd284be6c
ebx         0xd52b92a8
edx         0xd461c114
ecx         0xc0860160  cpu_info_primary
eax         0xdeadbeef
eip         0xc0467cb5  pmap_activate+0x39
cs          0x8
eflags      0x10206
esp         0xd284be64
ss          0x10
netbsd:pmap_activate+0x39:      movl    0x5c(%eax),%eax
db{3} x/i pmap_activate
netbsd:pmap_activate:   pushl   %ebp
db{3} x,20
netbsd:pmap_activate:   pushl   %ebp
netbsd:pmap_activate+0x1:       movl    %esp,%ebp
netbsd:pmap_activate+0x3:       subl    $0x8,%esp
netbsd:pmap_activate+0x6:       movl    0x8(%ebp),%edx
netbsd:pmap_activate+0x9:       movl    %fs:0x4,%ecx
netbsd:pmap_activate+0x10:      movl    0x10(%edx),%eax
netbsd:pmap_activate+0x13:      movl    0x1c(%eax),%eax
netbsd:pmap_activate+0x16:      cmpl    0x14(%ecx),%edx
netbsd:pmap_activate+0x19:      movl    0(%eax),%eax
netbsd:pmap_activate+0x1b:      jz      netbsd:pmap_activate+0x20
netbsd:pmap_activate+0x1d:      leave
netbsd:pmap_activate+0x1e:      ret
netbsd:pmap_activate+0x1f:      nop
netbsd:pmap_activate+0x20:      cmpl    $0,0xc0(%ecx)
netbsd:pmap_activate+0x27:      jnz     netbsd:pmap_activate+0x73
netbsd:pmap_activate+0x29:      cmpl    $0,0xc4(%ecx)
netbsd:pmap_activate+0x30:      jz      netbsd:pmap_activate+0x5a
netbsd:pmap_activate+0x32:      cmpl    $-0x3f727880,%eax
netbsd:pmap_activate+0x37:      jz      netbsd:pmap_activate+0x4e
netbsd:pmap_activate+0x39:      movl    0x5c(%eax),%eax
netbsd:pmap_activate+0x3c:      movl    0x74(%edx),%edx
netbsd:pmap_activate+0x3f:      movl    %eax,0x60(%edx)
netbsd:pmap_activate+0x42:      movl    $0x1,0xc0(%ecx)
netbsd:pmap_activate+0x4c:      jmp     netbsd:pmap_activate+0x1d
netbsd:pmap_activate+0x4e:      movl    $0,0xc0(%ecx)
netbsd:pmap_activate+0x58:      jmp     netbsd:pmap_activate+0x1d
netbsd:pmap_activate+0x5a:      pushl   $0xc080baa0
netbsd:pmap_activate+0x5f:      pushl   $0x79a
netbsd:pmap_activate+0x64:      pushl   $0xc080b9c0
netbsd:pmap_activate+0x69:      pushl   $0xc07952a0
netbsd:pmap_activate+0x6e:      call    netbsd:__assert
netbsd:pmap_activate+0x73:      pushl   $0xc07aec2a
db{3} x,5
netbsd:pmap_activate+0x73:      pushl   $0xc07aec2a
netbsd:pmap_activate+0x78:      pushl   $0x799
netbsd:pmap_activate+0x7d:      jmp     netbsd:pmap_activate+0x64
netbsd:pmap_activate+0x7f:      nop
netbsd:pmap_reactivate: pushl   %ebp
db{3} x/x 0xd461c114
0xd461c114:     d323ead8
db{3} x,10
0xd461c114:     d323ead8    0           d2f7ef48    d67e4d0c    db5351e4    0
0xd461c12c:     db535250    c0860160    4           7           1           0
0xd461c144:     0           0           0           0
db{3} x 0xdb5351e4
0xdb5351e4:     d396c908
db{3} x,10
0xdb5351e4:     d396c908    d4d46038    ce423c30    0           0           d385ab6c    d2689d48    c08d13c0    ddba5014    0           14          6002
0xdb535214:     bdbc8102    4f2f        0           e30cc5c8
db{3} x 0xc08d13c0
netbsd:vmspace0:        deadbeef
db{3} x vmspace0
netbsd:vmspace0:        deadbeef
db{3} x proc0
netbsd:proc0:   0
db{3} x,10
netbsd:proc0:   0           ce422000    c08d09c0    c08d0a20    c08d09e0    c08d1520    c08d18a0    c08d13c0    c08d0ba0    0           0           20200
netbsd:proc0+0x30:      2           0           ce4301d0    c08d1884
db{3} x/x 0xc08d13c0
netbsd:vmspace0:        deadbeef
db{3} 


>How-To-Repeat:
	Run a machine with lots and lost of fork+exit (NetBSD builds
	does this).  Watch it crash semi-reliably every 2-3 weeks or so.
>Fix:
	Sorry, I do not know.