On 12.04.2016 14:14, Robert Swindells wrote:
> Patrick Welche wrote:
>> With an amd64 kernel built from Mar 28 16:05 GMT source, I just saw:
> [snip]

I just reproduced it.

>> (gdb) frame 5
>> #5  0xffffffff8054547a in filt_sordetach (kn=0xfffffe804e698780)
>>     at ../../../../kern/uipc_socket.c:2250
>> 2250            SLIST_REMOVE(&so->so_rcv.sb_sel.sel_klist, kn, knote, kn_selnext);
>> (gdb) list
>> 2245    {
>> 2246            struct socket   *so;
>> 2247
>> 2248            so = ((file_t *)kn->kn_obj)->f_socket;
>> 2249            solock(so);
>> 2250            SLIST_REMOVE(&so->so_rcv.sb_sel.sel_klist, kn, knote, kn_selnext);
>> 2251            if (SLIST_EMPTY(&so->so_rcv.sb_sel.sel_klist))
>> 2252                    so->so_rcv.sb_flags &= ~SB_KNOTE;
>> 2253            sounlock(so);
>> 2254    }
>
> I have seen the same crash twice with sources from Apr 11, I have
> crash dumps but the kernel wasn't a debug build.
>
> Looking at the firefox sources the call to kevent(2) is presumably from:
>
> ipc/chromium/src/third_party/libevent/kqueue.c
>
> I guess it could be interesting to look at the fields of the socket
> struct.
>
> Robert Swindells

NetBSD rugged 7.99.28 NetBSD 7.99.28 (GENERIC) #0: Wed Apr 27 05:36:02 CEST 2016  root@chieftec:/tmp/netbsd-tmp/sys/arch/amd64/compile/GENERIC amd64

May 11 22:44:19 rugged /netbsd: uvm_fault(0xfffffe8411c06e80, 0x0, 1) -> e
May 11 22:44:19 rugged /netbsd: fatal page fault in supervisor mode
May 11 22:44:19 rugged /netbsd: trap type 6 code 0 rip ffffffff80882a8e cs 8 rflags 10282 cr2 8 ilevel 0 rsp fffffe811edc3b80
May 11 22:44:19 rugged /netbsd: curlwp 0xfffffe83ff81c0c0 pid 2100.16 lowest kstack 0xfffffe811edc02c0
May 11 22:44:19 rugged /netbsd: panic: trap
May 11 22:44:19 rugged /netbsd: cpu1: Begin traceback...
May 11 22:44:19 rugged /netbsd: vpanic() at netbsd:vpanic+0x140
May 11 22:44:19 rugged /netbsd: snprintf() at netbsd:snprintf
May 11 22:44:19 rugged /netbsd: trap() at netbsd:trap+0xc4b
May 11 22:44:19 rugged /netbsd: --- trap (number 6) ---
May 11 22:44:19 rugged /netbsd: filt_sordetach() at netbsd:filt_sordetach+0x3f
May 11 22:44:19 rugged /netbsd: knote_detach() at netbsd:knote_detach+0x70
May 11 22:44:19 rugged /netbsd: kevent1() at netbsd:kevent1+0x686
May 11 22:44:19 rugged /netbsd: sys___kevent50() at netbsd:sys___kevent50+0x33
May 11 22:44:19 rugged /netbsd: syscall() at netbsd:syscall+0x15b
May 11 22:44:19 rugged /netbsd: --- syscall (number 435) ---
May 11 22:44:19 rugged /netbsd: 77c66f63ac1a:
May 11 22:44:19 rugged /netbsd: cpu1: End traceback...
May 11 22:44:19 rugged /netbsd:
May 11 22:44:19 rugged /netbsd: dumping to dev 20,0 (offset=193655, size=4170097):
May 11 22:44:19 rugged /netbsd: dump device bad
May 11 22:44:19 rugged /netbsd:

pkgsrc: firefox-46.0nb2

netbsd:filt_sordetach+0x3f points to 0xffffffff80882a8e

$ addr2line -e /netbsd.gdb 0xffffffff80882a8e
/usr/src/sys/kern/uipc_socket.c:2225 (discriminator 3)

It panics in this line:

SLIST_REMOVE(&so->so_rcv.sb_sel.sel_klist, kn, knote, kn_selnext);

(gdb) disas filt_sordetach
Dump of assembler code for function filt_sordetach:
   0xffffffff80882a4f <+0>:     push   %rbp
   0xffffffff80882a50 <+1>:     mov    %rsp,%rbp
   0xffffffff80882a53 <+4>:     push   %r13
   0xffffffff80882a55 <+6>:     push   %r12
   0xffffffff80882a57 <+8>:     push   %rbx
   0xffffffff80882a58 <+9>:     sub    $0x8,%rsp
   0xffffffff80882a5c <+13>:    mov    %rdi,%rbx
   0xffffffff80882a5f <+16>:    mov    0x60(%rdi),%rax
   0xffffffff80882a63 <+20>:    mov    0x18(%rax),%r12
   0xffffffff80882a67 <+24>:    mov    (%r12),%r13
   0xffffffff80882a6b <+28>:    mov    %r13,%rdi
   0xffffffff80882a6e <+31>:    callq  0xffffffff8011bf80 <mutex_enter>
   0xffffffff80882a73 <+36>:    mov    (%r12),%rax
   0xffffffff80882a77 <+40>:    cmp    %rax,%r13
   0xffffffff80882a7a <+43>:    jne    0xffffffff80882adb <filt_sordetach+140>
   0xffffffff80882a7c <+45>:    mov    0x148(%r12),%rdx
   0xffffffff80882a84 <+53>:    cmp    %rdx,%rbx
   0xffffffff80882a87 <+56>:    jne    0xffffffff80882a8e <filt_sordetach+63>
   0xffffffff80882a89 <+58>:    jmp    0xffffffff80882acd <filt_sordetach+126>
   0xffffffff80882a8b <+60>:    mov    %rax,%rdx
   0xffffffff80882a8e <+63>:    mov    0x8(%rdx),%rax   <================== here
   0xffffffff80882a92 <+67>:    cmp    %rax,%rbx
   0xffffffff80882a95 <+70>:    jne    0xffffffff80882a8b <filt_sordetach+60>
   0xffffffff80882a97 <+72>:    mov    0x8(%rbx),%rax
   0xffffffff80882a9b <+76>:    mov    %rax,0x8(%rdx)
   0xffffffff80882a9f <+80>:    mov    0x148(%r12),%rax
   0xffffffff80882aa7 <+88>:    test   %rax,%rax
   0xffffffff80882aaa <+91>:    je     0xffffffff80882abf <filt_sordetach+112>
   0xffffffff80882aac <+93>:    mov    (%r12),%rdi
   0xffffffff80882ab0 <+97>:    add    $0x8,%rsp
   0xffffffff80882ab4 <+101>:   pop    %rbx
   0xffffffff80882ab5 <+102>:   pop    %r12
   0xffffffff80882ab7 <+104>:   pop    %r13
   0xffffffff80882ab9 <+106>:   pop    %rbp
   0xffffffff80882aba <+107>:   jmpq   0xffffffff8011bfa0 <mutex_exit>
   0xffffffff80882abf <+112>:   andl   $0xfffffeff,0x1e8(%r12)
   0xffffffff80882acb <+124>:   jmp    0xffffffff80882aac <filt_sordetach+93>
   0xffffffff80882acd <+126>:   mov    0x8(%rbx),%rax
   0xffffffff80882ad1 <+130>:   mov    %rax,0x148(%r12)
   0xffffffff80882ad9 <+138>:   jmp    0xffffffff80882aa7 <filt_sordetach+88>
   0xffffffff80882adb <+140>:   mov    %r13,%rsi
   0xffffffff80882ade <+143>:   mov    %r12,%rdi
   0xffffffff80882ae1 <+146>:   callq  0xffffffff8088a0f2 <solockretry>
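Added example, not code from this thread or from the NetBSD sources: a user-space model of the list walk that SLIST_REMOVE() expands to in filt_sordetach(), written to show why the trap above reports cr2 8. In the disassembly, %r12 is the socket, 0x148(%r12) is sel_klist.slh_first and %rbx is kn; the loop at <+60>/<+63> loads each element's kn_selnext (offset 8) until it finds kn. If kn is not reachable from the list head, %rdx becomes NULL at the end of the list and the next load reads address 0 + 8, which is exactly the faulting address in the log. The struct layout below is a simplified stand-in (one pointer-sized field before kn_selnext, so it lands at offset 8 on a 64-bit build); field names follow <sys/queue.h> but the macros are expanded by hand so the loads are visible. The example does not say how the knote came to be missing from the list in the reported crash; it only shows what the fault address implies, and contrasts the unchecked walk with a variant that refuses to run off the end.

```c
/*
 * Added example (not from the thread or the NetBSD kernel): replay the
 * SLIST_REMOVE() walk from filt_sordetach() in user space.
 *
 * Assumption: struct knote is modelled with one pointer-sized field ahead
 * of kn_selnext, so offsetof(struct knote, kn_selnext) is 8 on amd64,
 * matching "mov 0x8(%rdx),%rax" in the disassembly.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct knote {
    void *kn_link_placeholder;                      /* offset 0: stands in for fields before kn_selnext */
    struct { struct knote *sle_next; } kn_selnext;  /* offset 8: the pointer the walk loads */
    int kn_id;                                      /* only for printing */
};

struct klist {
    struct knote *slh_first;                        /* plays the role of so_rcv.sb_sel.sel_klist */
};

/* SLIST_INSERT_HEAD(), expanded by hand. */
static void klist_insert_head(struct klist *head, struct knote *kn)
{
    kn->kn_selnext.sle_next = head->slh_first;
    head->slh_first = kn;
}

/* Build a list of n knotes from a caller-supplied array (constructed sample input). */
void klist_build(struct klist *head, struct knote *nodes, int n)
{
    head->slh_first = NULL;
    for (int i = 0; i < n; i++) {
        nodes[i].kn_link_placeholder = NULL;
        nodes[i].kn_id = i;
        klist_insert_head(head, &nodes[i]);
    }
}

int klist_length(const struct klist *head)
{
    int n = 0;
    for (const struct knote *kn = head->slh_first; kn != NULL; kn = kn->kn_selnext.sle_next)
        n++;
    return n;
}

/*
 * Replay the non-head branch of SLIST_REMOVE() the way the compiled loop
 * runs it: rdx = slh_first; loop { rax = rdx->sle_next; if (rax == kn) break;
 * rdx = rax; }.  When kn is not on the list, rdx becomes NULL and the next
 * load reads NULL + offsetof(kn_selnext), the value the CPU reports in cr2.
 * Returns 0 when the unlink would complete, else the address that would fault.
 */
uintptr_t walk_fault_address(const struct klist *head, const struct knote *kn)
{
    const struct knote *curelm = head->slh_first;

    if (curelm == kn)
        return 0;                               /* SLIST_REMOVE_HEAD path, no walk at all */
    while (curelm != NULL) {
        if (curelm->kn_selnext.sle_next == kn)
            return 0;                           /* predecessor found, unlink succeeds */
        curelm = curelm->kn_selnext.sle_next;
    }
    /* Kernel would now execute mov 0x8(%rdx),%rax with %rdx == 0. */
    return (uintptr_t)offsetof(struct knote, kn_selnext);
}

/*
 * Defensive variant: same unlink, but it stops at the end of the list
 * instead of dereferencing NULL.  Returns 1 if kn was unlinked, 0 if kn was
 * not on the list (for instance a second detach of the same knote).
 */
int klist_remove_checked(struct klist *head, struct knote *kn)
{
    struct knote *curelm = head->slh_first;

    if (curelm == kn) {
        head->slh_first = kn->kn_selnext.sle_next;
        return 1;
    }
    while (curelm != NULL && curelm->kn_selnext.sle_next != kn)
        curelm = curelm->kn_selnext.sle_next;
    if (curelm == NULL)
        return 0;
    curelm->kn_selnext.sle_next = kn->kn_selnext.sle_next;
    return 1;
}

int main(void)
{
    struct klist head;
    struct knote nodes[3];

    klist_build(&head, nodes, 3);
    printf("offsetof(kn_selnext) = %zu\n", offsetof(struct knote, kn_selnext));
    printf("first detach of nodes[1]: %d, length now %d\n",
           klist_remove_checked(&head, &nodes[1]), klist_length(&head));
    printf("unchecked walk for nodes[1] again would fault at %#lx\n",
           (unsigned long)walk_fault_address(&head, &nodes[1]));
    return 0;
}
```

Reading the real dump the same way: with %rdx == 0 at <+63>, the knote passed to knote_detach() was not on so_rcv's sel_klist when filt_sordetach() ran, so the fields worth inspecting in the crash dump are kn->kn_selnext, sel_klist.slh_first and sb_flags & SB_KNOTE on the socket at %r12.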