Re: port-i386/40143 (Viewing an mpeg transport stream with mplayer causes crash)

[Andrew Doran <ad%NetBSD.org@localhost>]

The following reply was made to PR port-i386/40143; it has been noted by GNATS.

From: Andrew Doran <ad%NetBSD.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: port-i386/40143 (Viewing an mpeg transport stream with mplayer 
causes crash)
Date: Fri, 20 Mar 2009 19:43:01 +0000

 1. A trap or syscall occurs. Entry is through a call gate or trap gate:
    PSL_I is set.
 
 2. An interrupt occurs before the trap/syscall frame is constructed on the
    stack. Interrupt is handled as in ring0, but saves ring3 descriptors in
    its frame.
 
 3. The interrupt is handled successfully. During this time the running user
    thread's selectors become invalid.
 
 4. On return from the interrupt (back to ring0) we restore invalid ring3
    descriptors.
 
 5. Segment fault code cannot determine if this is user state causing the
    trap, because the outer user frame is only partially constructed.
 
 6. we_re_toast
 
 trap type 4 code 94 eip c0100ea9 cs 8 eflags 10046 cr2 bbaee000 ilevel 0
 kernel: supervisor trap protection fault, code=0
 Stopped in pid 410.1 (test_ldt) at      netbsd:Xdoreti+0x89:    mov     
0x4(%esp),%fs
 db{0}> bt
 Xdoreti() at netbsd:Xdoreti+0x89
 --- interrupt ---
 0:
 db{0}> info reg
 ...
 esp         0xcf9fed38
 ...
 db{0}> x/Lx 0xcf9fed38,40
 0xcf9fed38:     cfa700b3    bfbf0097    c010001f    cf9f001f    0           12
 0xcf9fed50:     bfbfeca8    bbaee000    97          1000        97          3 
 0xcf9fed68:     0           c010c9a0    8           246 
 
                ^ frame from kernel mode interrupt (ring0->ring0)
                                                                6           
8048877
                 17          10246       bfbfec7c    1f
 
                ^ partially constructed frame from ring3->ring0 transition