From mboxrd@z Thu Jan 1 00:00:00 1970 From: konrad wilk Subject: Re: Xen 4.3 + tmem = Xen BUG at domain_page.c:143 Date: Tue, 11 Jun 2013 14:52:59 -0400 Message-ID: <51B7720B.10607@oracle.com> References: <51B72A09.8080709@oracle.com> <51B7547702000078000DD225@nat28.tlf.novell.com> <51B742B0.3070500@oracle.com> <51B76EA602000078000DD36D@nat28.tlf.novell.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------070203030806090805010102" Return-path: In-Reply-To: <51B76EA602000078000DD36D@nat28.tlf.novell.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Jan Beulich Cc: "xen-devel@lists.xen.org" List-Id: xen-devel@lists.xenproject.org This is a multi-part message in MIME format. --------------070203030806090805010102 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit > The BUG_ON() here is definitely valid - a few lines down, after the > enclosing if(), we use it in ways that requires this to not have > triggered. It basically tells you whether an in range idx was found, > which apparently isn't the case here. > > As I think George already pointed out - printing accum here would > be quite useful: It should have at least one of the low 32 bits set, > given that dcache->entries must be at most 32 according to the > data you already got logged. With extra debugging (see attached patch) (XEN) domain_page.c:125:d1 mfn: 1eb483, [0]: bffff1ff, ~ffffffff40000e00, idx: 9 garbage: 40000e00, inuse: ffffffff (XEN) domain_page.c:125:d1 mfn: 1eb480, [0]: fdbfffff, ~ffffffff02400000, idx: 22 garbage: 2400000, inuse: ffffffff (XEN) domain_page.c:125:d1 mfn: 2067ca, [0]: fffff7ff, ~ffffffff00000800, idx: 11 garbage: 800, inuse: ffffffff (XEN) domain_page.c:125:d1 mfn: 183642, [0]: ffffffff, ~ffffffff00000000, idx: 32 garbage: 0, inuse: ffffffff (XEN) domain_page.c:170:d1 mfn (183642) -> 2 idx: 32(i:1,j:0), branch:9 0xffffffff00000000 (XEN) domain_page.c:176:d1 [0] idx=13, mfn=0x203b00, refcnt: 0 (XEN) domain_page.c:176:d1 [1] idx=25, mfn=0x1839e1, refcnt: 0 (XEN) domain_page.c:176:d1 [2] idx=3, mfn=0x1824d2, refcnt: 0 (XEN) domain_page.c:176:d1 [3] idx=5, mfn=0x1eb48b, refcnt: 0 (XEN) domain_page.c:176:d1 [4] idx=28, mfn=0x203b04, refcnt: 0 (XEN) domain_page.c:176:d1 [5] idx=0, mfn=0x1eb485, refcnt: 0 (XEN) domain_page.c:176:d1 [6] idx=30, mfn=0x203afe, refcnt: 0 (XEN) domain_page.c:176:d1 [7] idx=20, mfn=0x203aff, refcnt: 0 And that does point the picture that we have exhausted the full 32 entries of mapcache. Now off to find out who is holding them and why. Aren't these operations (map/unmap domain_page) suppose to be shortlived? > Jan --------------070203030806090805010102 Content-Type: text/x-patch; name="xen-domain_page-v3.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="xen-domain_page-v3.patch" diff --git a/xen/Rules.mk b/xen/Rules.mk index 3f0b262..bc6b437 100644 --- a/xen/Rules.mk +++ b/xen/Rules.mk @@ -3,6 +3,7 @@ # If you change any of these configuration options then you must # 'make clean' before rebuilding. # +debug := y verbose ?= n perfc ?= n perfc_arrays ?= n diff --git a/xen/arch/x86/domain_page.c b/xen/arch/x86/domain_page.c index efda6af..af63d76 100644 --- a/xen/arch/x86/domain_page.c +++ b/xen/arch/x86/domain_page.c @@ -59,12 +59,12 @@ void __init mapcache_override_current(struct vcpu *v) void *map_domain_page(unsigned long mfn) { unsigned long flags; - unsigned int idx, i; + unsigned int idx, i, j = 0; struct vcpu *v; struct mapcache_domain *dcache; struct mapcache_vcpu *vcache; struct vcpu_maphash_entry *hashent; - + int branch = 0; #ifdef NDEBUG if ( mfn <= PFN_DOWN(__pa(HYPERVISOR_VIRT_END - 1)) ) return mfn_to_virt(mfn); @@ -115,31 +115,67 @@ void *map_domain_page(unsigned long mfn) /* /First/, clean the garbage map and update the inuse list. */ for ( i = 0; i < BITS_TO_LONGS(dcache->entries); i++ ) { + unsigned long garbage = dcache->garbage[i]; + unsigned long _inuse = dcache->inuse[i]; + barrier(); dcache->inuse[i] &= ~xchg(&dcache->garbage[i], 0); + if (v->domain->domain_id) { + if (~dcache->inuse[i]) { + gdprintk(XENLOG_INFO, "mfn: %lx, [%d]: %lx, ~%lx, idx: %d garbage: %lx, inuse: %lx\n", mfn, i, dcache->inuse[i], ~dcache->inuse[i], + find_first_zero_bit(dcache->inuse, dcache->entries), garbage, _inuse); + branch |= 8; + } + } accum |= ~dcache->inuse[i]; } - if ( accum ) + if ( accum ) { idx = find_first_zero_bit(dcache->inuse, dcache->entries); + branch |= 1; + } else { + branch |= 2; /* Replace a hash entry instead. */ i = MAPHASH_HASHFN(mfn); do { hashent = &vcache->hash[i]; if ( hashent->idx != MAPHASHENT_NOTINUSE && !hashent->refcnt ) { + branch |= 4; idx = hashent->idx; ASSERT(l1e_get_pfn(MAPCACHE_L1ENT(idx)) == hashent->mfn); l1e_write(&MAPCACHE_L1ENT(idx), l1e_empty()); hashent->idx = MAPHASHENT_NOTINUSE; hashent->mfn = ~0UL; + if (idx >= dcache->entries) { + branch |= 8; + gdprintk(XENLOG_INFO, "mfn (%lx) -> %ld idx (iter:%d)\n", mfn, MAPHASH_HASHFN(mfn), j); + + for (i = 0; i < MAPHASH_ENTRIES;i++) { + hashent = &vcache->hash[i]; + + gdprintk(XENLOG_INFO, "[%d] idx=%d, mfn=0x%lx, refcnt: %d\n", + i, hashent->idx, hashent->mfn, hashent->refcnt); + } + } break; } if ( ++i == MAPHASH_ENTRIES ) i = 0; + j++; } while ( i != MAPHASH_HASHFN(mfn) ); } + if (idx >= dcache->entries) { + gdprintk(XENLOG_INFO, "mfn (%lx) -> %ld idx: %d(i:%d,j:%d), branch:%x 0x%lx\n", mfn, MAPHASH_HASHFN(mfn), idx, i, j, branch, accum); + + for (i = 0; i < MAPHASH_ENTRIES;i++) { + hashent = &vcache->hash[i]; + + gdprintk(XENLOG_INFO, "[%d] idx=%d, mfn=0x%lx, refcnt: %d\n", + i, hashent->idx, hashent->mfn, hashent->refcnt); + } + } BUG_ON(idx >= dcache->entries); /* /Second/, flush TLBs. */ @@ -254,6 +290,7 @@ int mapcache_domain_init(struct domain *d) 2 * PFN_UP(BITS_TO_LONGS(MAPCACHE_ENTRIES) * sizeof(long))) > MAPCACHE_VIRT_START + (PERDOMAIN_SLOT_MBYTES << 20)); bitmap_pages = PFN_UP(BITS_TO_LONGS(MAPCACHE_ENTRIES) * sizeof(long)); + gdprintk(XENLOG_INFO, "domain bitmap pages: %d\n", bitmap_pages); dcache->inuse = (void *)MAPCACHE_VIRT_END + PAGE_SIZE; dcache->garbage = dcache->inuse + (bitmap_pages + 1) * PAGE_SIZE / sizeof(long); @@ -276,6 +313,7 @@ int mapcache_vcpu_init(struct vcpu *v) if ( is_hvm_vcpu(v) || !dcache->inuse ) return 0; + gdprintk(XENLOG_INFO, "ents: %d, entries: %d\n", ents, dcache->entries); if ( ents > dcache->entries ) { /* Populate page tables. */ --------------070203030806090805010102 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --------------070203030806090805010102--