Subject: Re: kern/13261: "Data modified on freelist"
To: Jun-ichiro itojun Hagino <itojun@iijlab.net>
From: Chuck Silvers <chuq@chuq.com>
List: tech-kern
Date: 08/17/2001 06:36:21
hi,

yes, please make the dump available.

-Chuck


On Fri, Aug 17, 2001 at 05:10:42PM +0900, Jun-ichiro itojun Hagino wrote:
> >Okay...
> >
> >What you should do is build your kernel with the new MALLOC_DEBUG
> >option, and set the `debug_malloc_type' variable to M_UVMAMAP, if
> >you're having lossage with that type, etc.  Then you should get a
> >fault when something touches it after it's freed.
> 
> 	I'm using MALLOC_DEBUG right now.  I experienced a crash while I'm
> 	in X, so I could not see the dying message.  here's the backtrace.
> 	(if you want the core as well as netbsd.gdb, i can put them somewhere)
> 
> itojun
> 
> 
> Script started on Fri Aug 17 17:06:18 2001
> # gdb netbsd.gdb
> GNU gdb 4.17
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386--netbsd"...
> (gdb) target kcore /usr/crash/netbsd.0.core
> panic: free: unaligned addr %p, size %ld, type %s, mask %ld
> 
> #0  0xc04723e0 in addrmask ()
> (gdb) bt
> #0  0xc04723e0 in addrmask ()
> #1  0x58fa000 in ?? ()
> #2  0xc032a12f in cpu_reboot (howto=256, bootstr=0x0)
>     at ../../../../arch/i386/i386/machdep.c:1846
> #3  0xc01d117e in panic () at ../../../../kern/subr_prf.c:250
> #4  0xc01c3628 in _free (addr=0xc10779ff, type=82, 
>     file=0xc049e826 "../../../../uvm/uvm_amap.c", line=432)
>     at ../../../../kern/kern_malloc.c:477
> #5  0xc0315dd5 in amap_extend (entry=0xdcb79b40, addsize=16384)
>     at ../../../../uvm/uvm_amap.c:432
> #6  0xc031c1e8 in uvm_map (map=0xdca2e528, startp=0xdcb5ff54, size=16384, 
>     uobj=0x0, uoffset=0, align=0, flags=1771287)
>     at ../../../../uvm/uvm_map.c:642
> #7  0xc03254b0 in sys_obreak (p=0xdcb1aac8, v=0xdcb5ff80, retval=0xdcb5ff78)
>     at ../../../../uvm/uvm_unix.c:95
> #8  0xc0332414 in syscall_plain (frame={tf_gs = 31, tf_fs = 134742047, 
>       tf_es = 31, tf_ds = -1078001633, tf_edi = 16384, tf_esi = 4, 
>       tf_ebp = -1077946892, tf_ebx = 1210358536, tf_edx = 1210358532, 
>       tf_ecx = 134967296, tf_eax = 17, tf_trapno = 3, tf_err = 2, 
>       tf_eip = 1210311603, tf_cs = 23, tf_eflags = 518, tf_esp = -1077946916, 
>       tf_ss = 31, tf_vm86_es = 0, tf_vm86_ds = 0, tf_vm86_fs = 0, 
>       tf_vm86_gs = 0}) at ../../../../arch/i386/i386/syscall.c:137
> #9  0xc0100f06 in syscall1 ()
> can not access 0xbfbfd5f4, invalid translation (invalid PDE)
> can not access 0xbfbfd5f4, invalid translation (invalid PDE)
> ---Type <return> to continue, or q <return> to quit---
> Cannot access memory at address 0xbfbfd5f4.
> (gdb) frame 4
> #4  0xc01c3628 in _free (addr=0xc10779ff, type=82, 
>     file=0xc049e826 "../../../../uvm/uvm_amap.c", line=432)
>     at ../../../../kern/kern_malloc.c:477
> 477                     panic("free: unaligned addr %p, size %ld, type %s, mask %ld\n",
> (gdb) list
> 472             if (size > PAGE_SIZE)
> 473                     alloc = addrmask[BUCKETINDX(PAGE_SIZE)];
> 474             else
> 475                     alloc = addrmask[kup->ku_indx];
> 476             if (((u_long)addr & alloc) != 0)
> 477                     panic("free: unaligned addr %p, size %ld, type %s, mask %ld\n",
> 478                             addr, size, memname[type], alloc);
> 479     #endif /* DIAGNOSTIC */
> 480             if (size > MAXALLOCSAVE) {
> 481                     uvm_km_free(kmem_map, (vaddr_t)addr, ctob(kup->ku_pagecnt));
> (gdb) print addr
> $1 = (void *) 0xc10779ff
> (gdb) print size
> $2 = 512
> (gdb) print u(gdb)        (gdb) frame 5
> #5  0xc0315dd5 in amap_extend (entry=0xdcb79b40, addsize=16384)
>     at ../../../../uvm/uvm_amap.c:432
> 432             free(oldover, M_UVMAMAP);
> (gdb) print oldover
> $3 = (struct vm_anon **) 0xc10779ff
> (gdb) list
> 427             amap_unlock(amap);
> 428     
> 429             /* and free */
> 430             free(oldsl, M_UVMAMAP);
> 431             free(oldbck, M_UVMAMAP);
> 432             free(oldover, M_UVMAMAP);
> 433     #ifdef UVM_AMAP_PPREF
> 434             if (oldppref && oldppref != PPREF_NONE)
> 435                     free(oldppref, M_UVMAMAP);
> 436     #endif
> (gdb) print oldsl
> $4 = (u_int *) 0xc1073400
> (gdb) print oldbck
> $5 = (u_int *) 0xc0fea400
> (gdb) 
> Script done on Fri Aug 17 17:07:25 2001
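
The DIAGNOSTIC alignment test that fired in frame 4, applied to the three pointers printed in the session, as an added example (not part of either message and not the kern_malloc.c source). It assumes power-of-two buckets, so the mask is the bucket size minus one; the helper names and the 16-byte minimum bucket are hypothetical, and size 512 is known from the session only for `oldover`.

```c
#include <stdint.h>
#include <stdio.h>

#define MIN_BUCKET 16u      /* assumed smallest bucket size */
#define PAGE_SIZE_I386 4096u

/* Alignment mask for a request, mirroring the check listed at lines 472-476:
 * anything larger than a page is only required to be page aligned. */
static uint32_t align_mask(uint32_t size)
{
    uint32_t bucket = MIN_BUCKET;

    if (size > PAGE_SIZE_I386)
        return PAGE_SIZE_I386 - 1;
    while (bucket < size)       /* round up to the power-of-two bucket */
        bucket <<= 1;
    return bucket - 1;
}

/* Offset of addr inside its chunk; non-zero is the "unaligned addr" case. */
static uint32_t misalignment(uint32_t addr, uint32_t size)
{
    return addr & align_mask(size);
}

int main(void)
{
    /* Pointer values copied from the gdb session above. Applying size 512
     * to oldsl and oldbck is an assumption made for illustration. */
    static const struct { const char *name; uint32_t addr; } ptrs[] = {
        { "oldsl",   0xc1073400u },
        { "oldbck",  0xc0fea400u },
        { "oldover", 0xc10779ffu },
    };
    const uint32_t size = 512;

    for (size_t i = 0; i < sizeof(ptrs) / sizeof(ptrs[0]); i++) {
        uint32_t off = misalignment(ptrs[i].addr, size);
        printf("%-8s 0x%08x mask 0x%x -> %s (chunk base 0x%08x, offset 0x%x)\n",
               ptrs[i].name, (unsigned)ptrs[i].addr,
               (unsigned)align_mask(size),
               off ? "unaligned, would panic" : "aligned",
               (unsigned)(ptrs[i].addr - off), (unsigned)off);
    }
    return 0;
}
```

Only `oldover` fails the test: it sits 0x1ff bytes into the 512-byte chunk at 0xc1077800, while the other two values are chunk-aligned.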