GENERIC 6.0-BETA1 from Jul 23 06:49 UTC, vmcore.431
pty leak investigation.
This is a stress test of openpty(), inspired by kern/83375.
The test appears to leak ptys. The following is a trace of opening
one of the leaked ptys.
GDB: no debug ports present
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 6.0-BETA1 #2: Sat Jul 23 09:00:42 CEST 2005
pho@current.osted.lan:/usr/src/sys/i386/compile/PHO
WARNING: WITNESS option enabled, expect reduced performance.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(R) CPU 1.80GHz (1799.14-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0xf13 Stepping = 3
Features=0x3febfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM>
real memory = 267583488 (255 MB)
avail memory = 252293120 (240 MB)
:
Trying to mount root from ufs:/dev/ad0s1a
rl0: link state changed to DOWN
sigreturn: eflags = 0x0
sigreturn: eflags = 0x0
sigreturn: eflags = 0x0
freebsd4_sigreturn: eflags = 0x0
sigreturn: eflags = 0x0
freebsd4_sigreturn: eflags = 0x0
freebsd4_sigreturn: eflags = 0x0
freebsd4_sigreturn: eflags = 0x0
freebsd4_sigreturn: eflags = 0x0
freebsd4_sigreturn: eflags = 0x0
freebsd4_sigreturn: eflags = 0x0
sigreturn: eflags = 0x0
sigreturn: eflags = 0x0
sigreturn: eflags = 0x0
sigreturn: eflags = 0x0
Out of ktrace request objects.
KDB: enter: Break sequence on console
[thread pid 11 tid 100005 ]
Stopped at kdb_enter+0x2b: nop
db> b ptcopen
db> c
~^B[thread pid 86920 tid 100117 ]
Breakpoint at ptcopen: pushl %ebp
db> s
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x1: movl %esp,%ebp
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x3: pushl %esi
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x4: pushl %ebx
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x5: movl 0x8(%ebp),%esi
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x8: cmpl $0,0x5c(%esi)
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0xc: jnz ptcopen+0x24
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x24: movl 0x74(%esi),%ebx
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x27: movl $0x5,%eax
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x2c: cmpl $0,0x22c(%ebx)
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x33: jnz ptcopen+0x92
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x92: leal -0x8(%ebp),%esp
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x95: popl %ebx
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x96: popl %esi
db>
[thread pid 86920 tid 100117 ]
Stopped at ptcopen+0x97: leave
db> call doadump
Dumping 254 MB (2 chunks)
chunk 0: 1MB (159 pages) ... ok
chunk 1: 255MB (65072 pages) 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15 ... ok
Dump complete
= 0xf
db> show pcpu
cpuid = 0
curthread = 0xc184d300: pid 86920 "bash"
curpcb = 0xcf392d90
fpcurthread = none
idlethread = 0xc1540780: pid 11 "idle: cpu0"
APIC ID = 0
currentldt = 0x50
spin locks held:
db> where
Tracing pid 86920 tid 100117 td 0xc184d300
ptcopen(c1d63900,1,2000,c184d300,c1d63900) at ptcopen+0x97
devfs_open(cf392a64) at devfs_open+0x23f
VOP_OPEN_APV(c08b1cc0,cf392a64) at VOP_OPEN_APV+0x7e
vn_open_cred(cf392bcc,cf392ccc,1a4,c1a89c80,3) at vn_open_cred+0x3fe
vn_open(cf392bcc,cf392ccc,1a4,3,c085627a) at vn_open+0x1e
kern_open(c184d300,80b6c10,0,1,1b6) at kern_open+0xb6
open(c184d300,cf392d04,3,0,296) at open+0x1a
syscall(3b,bfbf003b,bfbf003b,1b6,80b6c10) at syscall+0x22f
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (5, FreeBSD ELF32, open), eip = 0x2819759b, esp = 0xbfbfeafc, ebp = 0xbfbfeb28 ---
db> reset
(kgdb) f 21
#21 0xc06656a7 in ptcopen (dev=0xc08bf160, flag=0x1, devtype=0x2000, td=0x0) at ../../../kern/tty_pty.c:292
292 }
(kgdb) info loc
tp = (struct tty *) 0xcf392a64
pt = (struct ptsc *) 0x0
(kgdb) p *dev
$5 = {si_flags = 0x17032005, si_atime = {tv_sec = 0x80400004, tv_nsec = 0xc085ac18}, si_ctime = {tv_sec = 0xc0665610, tv_nsec = 0x0},
si_mtime = {tv_sec = 0xc06656ac, tv_nsec = 0xc06656fc}, si_uid = 0xc066598c, si_gid = 0xc0665ad4, si_mode = 0x58b8,
si_drv0 = 0xc060e490, si_refcount = 0xc060e4b0, si_list = {le_next = 0xc060e490, le_prev = 0xc0660d68}, si_clone = {le_next = 0x0,
le_prev = 0x0}, si_alist = {lh_first = 0x0}, si_children = {lh_first = 0x0}, si_siblings = {le_next = 0x0, le_prev = 0x0},
si_parent = 0x0, si_inode = 0x0, si_name = 0xc1de7000 "\004", si_drv1 = 0x0, si_drv2 = 0xc085ac1c, si_devsw = 0x1,
si_iosize_max = 0x1000000, si_usecount = 0xc0665f3c, si_threadcount = 0x0, __si_u = {__sit_tty = 0x1, __sid_snapdata = 0x1},
__si_namebuf = "\000\000\000\000\214_fÀ", '\0' <repeats 32 times>, "\005 \003\027\004\000@\200\næ\204À¸ifÀ\000\000\000\000lä`À"}
(kgdb) p *tp
$6 = {t_rawq = {c_cc = 0xc0900e60, c_cbcount = 0xc2057dd0, c_cbmax = 0x1, c_cbreserved = 0xc1a89c80, c_cf = 0xc184d300 "$vÅÁ@x\204Á",
c_cl = 0x3---Can't read userspace from dump, or kernel process---
(kgdb) l *ptcopen+0x33
0xc0665643 is in ptcopen (../../../kern/tty_pty.c:279).
274 if (!dev->si_drv1)
275 ptyinit(dev);
276 if (!dev->si_drv1)
277 return(ENXIO);
278 tp = dev->si_tty;
279 if (tp->t_oproc)
280 return (EIO);
281 tp->t_timeout = -1;
282 tp->t_oproc = ptsstart;
283 tp->t_stop = ptsstop;