re: kern/50186: sparc memfault panic after 7.99.21 ARP changes

["John D. Baker" <jdbaker%mylinuxisp.com@localhost>]

The following reply was made to PR kern/50186; it has been noted by GNATS.

From: "John D. Baker" <jdbaker%mylinuxisp.com@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: re: kern/50186: sparc memfault panic after 7.99.21 ARP changes
Date: Tue, 1 Sep 2015 10:35:04 -0500 (CDT)

 On Tue, 1 Sep 2015, matthew green wrote:
 
 >  John, can you try the above gdb commands for yourself?  thanks.
 
 My freshly-built DEBUG-enabled GENERIC behaves the same.  The panic:
 
 cpu0: data fault: pc=0xf00a626c addr=0x10 sfsr=0x326<PERR=0x0,LVL=0x3,AT=0x1,FT=0x1,FAV,OW>
 panic: kernel fault
 Stopped in pid 0.5 (system) at  netbsd:cpu_Debugger+0x4:        or              %
 o7, %g0, %g1
 db> bt
 cpu_Debugger(0xf03efba0, 0xf9ac3d20, 0xf0482c00, 0xf0483a98, 0xf0483800, 0x104) a
 t netbsd:panic+0x20
 panic(0xf03efba0, 0x0, 0xf00a626c, 0x10, 0xf9ac3d40, 0xf045c800) at netbsd:mem_a
 ccess_fault4m+0x5b0
 mem_access_fault4m(0x9, 0x326, 0x10, 0xf9ac3de0, 0xf0459b60, 0xf0a5c540) at netb
 sd:memfault_sun4m+0xe8
 memfault_sun4m(0xf0b8452c, 0x1, 0x0, 0xf04712e0, 0xf0a5c544, 0xf0a5c544) at netb
 sd:arptimer+0x6c
 arptimer(0xf0b84480, 0xf0a5c540, 0xf0b88808, 0x0, 0xf0b8452c, 0xf0488800) at net
 bsd:callout_softclock+0x154
 callout_softclock(0xf04712e4, 0x1000000, 0x10000, 0xf04712e0, 0xf0b84480, 0xf00a
 61d8) at netbsd:softint_thread+0x94
 softint_thread(0xf0a5c540, 0x3000, 0x2000, 0x0, 0x0, 0xf9a3b218) at netbsd:lwp_t
 rampoline+0x8
 db> 
 
 Loading into 'gdb' gives the same as you observed:
 
 Reading symbols from netbsd.gdb...done.
 (gdb) l *(arptimer+0x6c)
 0xf00a6244 is in arptimer (/x/current/src/sys/netinet/if_arp.c:352).
 347             ifp = lle->lle_tbl->llt_ifp;
 348     
 349             callout_stop(&lle->la_timer);
 350     
 351             /* XXX: LOR avoidance. We still have ref on lle. */
 352             LLE_WUNLOCK(lle);
 353     
 354             /* We have to call this w/o lock */
 355             arptfree(lle);
 356     
 
 (gdb) disass/m arptimer
 Dump of assembler code for function arptimer:
 [...]
 350     
 351             /* XXX: LOR avoidance. We still have ref on lle. */
 352             LLE_WUNLOCK(lle);
    0xf00a6244 <+108>:   call  0xf0163fd0 <rw_vector_exit>
    0xf00a6248 <+112>:   mov  %i4, %o0
 
 The program counter reported in the initial fault message:
 
 0xf00a626c
 
 gives:
 
 (gdb) l *0xf00a626c
 0xf00a626c is in arptimer (/x/current/src/sys/netinet/if_arp.c:1438).
 1433            if (la->la_rt != NULL) {
 1434                    rtfree(la->la_rt);
 1435                    la->la_rt = NULL;
 1436            }
 1437    
 1438            rtrequest(RTM_DELETE, rt_getkey(rt), NULL, rt_mask(rt), 0, NULL);
 1439    }
 1440    
 1441    /*
 1442     * Lookup or enter a new address in arptab.
 
 and disassembling there gives:
 
 1437    
 1438            rtrequest(RTM_DELETE, rt_getkey(rt), NULL, rt_mask(rt), 0, NULL);
    0xf00a6268 <+144>:   clr  %o2
    0xf00a626c <+148>:   ld  [ %i3 + 0x10 ], %o3
    0xf00a6270 <+152>:   clr  %o4
    0xf00a6274 <+156>:   clr  %o5
    0xf00a6278 <+160>:   ld  [ %i3 + 0xb4 ], %o1
    0xf00a627c <+164>:   call  0xf025a39c <rtrequest>
    0xf00a6280 <+168>:   mov  2, %o0
 
 I don't know SPARC assembly or the register usage conventions, but it
 looks to me like there is an expected load at offset 0x10 from an address
 in "i3", but since the address reported in the fault message is "0x10",
 it would seem that "i3" contains 0 (zero).
 
 -- 
 |/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
 |\ / jdbaker[snail]mylinuxisp[flyspeck]com    OpenBSD            FreeBSD
 | X  No HTML/proprietary data in email.   BSD just sits there and works!
 |/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645