kern/46186: SIGKILL to a debugged process while exiting hits KASSERT((ksi->ksi_flags & KSI_QUEUED) == 0)

["Greg A. Woods" <woods%planix.com@localhost>]

>Number:         46186
>Category:       kern
>Synopsis:       SIGKILL to a debugged process while exiting hits 
>KASSERT((ksi->ksi_flags & KSI_QUEUED) == 0)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 13 18:10:00 +0000 2012
>Originator:     Greg A. Woods
>Release:        NetBSD 5.1_STABLE 2012/01/25
>Organization:
Planix, Inc.; Kelowna, BC; Canada
>Environment:
        
        
System: NetBSD 5.1_STABLE (GENERIC) #8: Thu Jan 26 13:54:58 PST 2012
Architecture: i386
Machine: i386
>Description:

        This is probably another case of of PR#42309, but somehow the
        pull-up for that fix was never made so it lives on in netbsd-5,
        and so this bug report is essentially a pull-up request.

        It would be really nice if pull-ups were more automatic, even
        for "fixes" that are not explicitly for open PRs, but especially
        for all fixes against open PRs.

panic: kernel diagnostic assertion "(ksi->ksi_flags & KSI_QUEUED) == 0" failed: 
file "/rest/work/woods/m-NetBSD-5/sys/kern/kern_sig.c", line 549
fatal breakpoint trap in supervisor mode
trap type 1 code 0 eip c05cc08c cs 8 eflags 246 cr2 bbb6e8c4 ilevel 0
Stopped in pid 2604.1 (ksh) at  netbsd:breakpoint+0x4:  popl    %ebp
db{3}> trace
breakpoint(c0bfe2b6,dce89be8,c3397000,dce89bfc,0,cc619780,cc606e74,cc619780,cc606d80,0)
 at netbsd:breakpoint+0x4
panic(c0c1768c,c0b414fd,c0b8d6cc,c0b8d650,225,4,dce89c2c,c04d686e,c0b414fd,c0b8d650)
 at netbsd:panic+0x1b0
__kernassert(c0b414fd,c0b8d650,225,c0b8d6cc,cc606d80,2,0,0,f279b5d0,c3b4fb90) 
at netbsd:__kernassert+0x39
sigput(f279b5d0,dce89ca0,2,9,f279b5d0,241,0,1,9,0) at netbsd:sigput+0x10e
kpsignal2(f279b5d0,dce89ca0,f279b5d0,9,0,0,dce89ca0,0,0,0) at 
netbsd:kpsignal2+0x40c
sys_kill(dce6f7e0,dce89d00,dce89d28,dce89d40,c05b8ae2,dce76acc,25,57aa,9,bfbfeaf8)
 at netbsd:sys_kill+0x14f
syscall(dce89d48,b3,ab,1f,1f,0,bbb3a408,bfbfeb18,bbb64274,57aa) at 
netbsd:syscall+0xcf
db{3}> 

>How-To-Repeat:

        I was running gdb on xterm and hit <CTRL-D> to exit it while the
        process was still running, at which point gdb got stuck (which
        may be a separate bug):

(gdb) where
#0  0x081dc377 in read ()
#1  0x0807553a in spawn () at 
/usr/xsrc-current/xfree/xc/programs/xterm/main.c:4230
#2  0x08077ae3 in main (argc=Cannot access memory at address 0x0
) at /usr/xsrc-current/xfree/xc/programs/xterm/main.c:2186
(gdb) The program is running.  Exit anyway? (y or n) y
^?load: 0.00  cmd: gdb 10517 [wait] 0.22u 0.34s 0% 35156k
^?^?
^Z

^?^?load: 0.00  cmd: gdb 10517 [wait] 0.22u 0.34s 0% 35156k
^?


        Then tried sending SIGKILL to the xterm process from another
        shell prompt and the panic() above occurred.


        FYI the buffer-sync-on-reboot wasn't clean either:

db{3}> reboot
syncing disks... 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 giving up
Printing vnodes for busy buffers
vnode @ 0xdc4fdad0, flags (30<MPSAFE,LOCKSWORK>)
        tag VT_UFS(1), type VBLK(3), usecount 8008, writecount 0, holdcount 36
        freelisthd 0x0, mount 0xdc440208, data 0xdc523ed4 lock 0xdc4fdb70 
recursecnt 0
        tag VT_UFS, ino 1235075, on dev 4, 0 flags 0x0, effnlink 1, nlink 1
        mode 060640, owner 0, group 5, size 0
vnode @ 0xd7433730, flags (10<MPSAFE>)
        tag UNKNOWN(0), type VBLK(3), usecount 24819, writecount 0, holdcount 38
        freelisthd 0x0, mount 0x0, data 0x0 lock 0xd74337d0 recursecnt 0
giving up
sd1(mfi1:0:1:0): should have flushed queue?
sd1: cache synchronization failed
sd0(mfi1:0:0:0): should have flushed queue?
sd0: cache synchronization failed
rebooting...
x86_reset(): trying generic PCI-bus system & CPU reset...


>Fix:

        pull up the fix for PR#42309?

>Unformatted: