Subject: Re: kern/13261: "Data modified on freelist"
To: None <thorpej@wasabisystems.com>
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
List: tech-kern
Date: 08/17/2001 17:10:42

>Okay...
>
>What you should do is build your kernel with the new MALLOC_DEBUG
>option, and set the `debug_malloc_type' variable to M_UVMAMAP, if
>you're having lossage with that type, etc. Then you should get a
>fault when something touches it after it's freed.

I'm using MALLOC_DEBUG right now. I experienced a crash while I was
in X, so I could not see the dying message. Here's the backtrace.
(If you want the core as well as netbsd.gdb, I can put them somewhere.)

itojun

Script started on Fri Aug 17 17:06:18 2001
# gdb netbsd.gdb
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386--netbsd"...
(gdb) target kcore /usr/crash/netbsd.0.core
panic: free: unaligned addr %p, size %ld, type %s, mask %ld
#0 0xc04723e0 in addrmask ()
(gdb) bt
#0 0xc04723e0 in addrmask ()
#1 0x58fa000 in ?? ()
#2 0xc032a12f in cpu_reboot (howto=256, bootstr=0x0)
at ../../../../arch/i386/i386/machdep.c:1846
#3 0xc01d117e in panic () at ../../../../kern/subr_prf.c:250
#4 0xc01c3628 in _free (addr=0xc10779ff, type=82,
file=0xc049e826 "../../../../uvm/uvm_amap.c", line=432)
at ../../../../kern/kern_malloc.c:477
#5 0xc0315dd5 in amap_extend (entry=0xdcb79b40, addsize=16384)
at ../../../../uvm/uvm_amap.c:432
#6 0xc031c1e8 in uvm_map (map=0xdca2e528, startp=0xdcb5ff54, size=16384,
uobj=0x0, uoffset=0, align=0, flags=1771287)
at ../../../../uvm/uvm_map.c:642
#7 0xc03254b0 in sys_obreak (p=0xdcb1aac8, v=0xdcb5ff80, retval=0xdcb5ff78)
at ../../../../uvm/uvm_unix.c:95
#8 0xc0332414 in syscall_plain (frame={tf_gs = 31, tf_fs = 134742047,
tf_es = 31, tf_ds = -1078001633, tf_edi = 16384, tf_esi = 4,
tf_ebp = -1077946892, tf_ebx = 1210358536, tf_edx = 1210358532,
tf_ecx = 134967296, tf_eax = 17, tf_trapno = 3, tf_err = 2,
tf_eip = 1210311603, tf_cs = 23, tf_eflags = 518, tf_esp = -1077946916,
tf_ss = 31, tf_vm86_es = 0, tf_vm86_ds = 0, tf_vm86_fs = 0,
tf_vm86_gs = 0}) at ../../../../arch/i386/i386/syscall.c:137
#9 0xc0100f06 in syscall1 ()
can not access 0xbfbfd5f4, invalid translation (invalid PDE)
can not access 0xbfbfd5f4, invalid translation (invalid PDE)
---Type <return> to continue, or q <return> to quit---
Cannot access memory at address 0xbfbfd5f4.
(gdb) frame 4
#4 0xc01c3628 in _free (addr=0xc10779ff, type=82,
file=0xc049e826 "../../../../uvm/uvm_amap.c", line=432)
at ../../../../kern/kern_malloc.c:477
477 panic("free: unaligned addr %p, size %ld, type %s, mask %ld\n",
(gdb) list
472 if (size > PAGE_SIZE)
473 alloc = addrmask[BUCKETINDX(PAGE_SIZE)];
474 else
475 alloc = addrmask[kup->ku_indx];
476 if (((u_long)addr & alloc) != 0)
477 panic("free: unaligned addr %p, size %ld, type %s, mask %ld\n",
478 addr, size, memname[type], alloc);
479 #endif /* DIAGNOSTIC */
480 if (size > MAXALLOCSAVE) {
481 uvm_km_free(kmem_map, (vaddr_t)addr, ctob(kup->ku_pagecnt));
(gdb) print addr
$1 = (void *) 0xc10779ff
(gdb) print size
$2 = 512
(gdb) print u(gdb) (gdb) frame 5
#5 0xc0315dd5 in amap_extend (entry=0xdcb79b40, addsize=16384)
at ../../../../uvm/uvm_amap.c:432
432 free(oldover, M_UVMAMAP);
(gdb) print oldover
$3 = (struct vm_anon **) 0xc10779ff
(gdb) list
427 amap_unlock(amap);
428
429 /* and free */
430 free(oldsl, M_UVMAMAP);
431 free(oldbck, M_UVMAMAP);
432 free(oldover, M_UVMAMAP);
433 #ifdef UVM_AMAP_PPREF
434 if (oldppref && oldppref != PPREF_NONE)
435 free(oldppref, M_UVMAMAP);
436 #endif
(gdb) print oldsl
$4 = (u_int *) 0xc1073400
(gdb) print oldbck
$5 = (u_int *) 0xc0fea400
(gdb)
Script done on Fri Aug 17 17:07:25 2001