serenity: Reproducible profiler crash with `BUG! Unexpected NP fault at V0x01b7cdd8`
Repro:
- Open http://45.33.8.238/linux/ in browser
- Open Profiler, double-click Browser process to start profiling
- Hit “Reload” in browser, wait a second or so
- In Profiler, hit Stop
- Select the part of the profile where stuff happens (during the reload) in the strip at the top of the profiler
- In the tree view at the bottom, keep hitting arrow-right/arrow-down to drill many stack frames into the profile – basically try to get to the frame where most work is happening (~700 / 1100 samples in my case)
Actual: Crashed 3/3 times. Stack:
[Profiler(33:33)]: BUG! Unexpected NP fault at V0x01b7cdd8
[Profiler(33:33)]: Unrecoverable page fault, read from address V0x01b7cdd8
[Profiler(33:33)]: CRASH: CPU #0 Page Fault. Ring 3.
[Profiler(33:33)]: exception code: 0004 (isr: 0000
[Profiler(33:33)]: pc=001b:080c8a39 flags=0202
[Profiler(33:33)]: stk=0023:015024e0
[Profiler(33:33)]: ds=0023 es=0023 fs=0023 gs=002b
[Profiler(33:33)]: eax=00000bcb ebx=01b70000 ecx=01502650 edx=01b7cdd8
[Profiler(33:33)]: ebp=01502558 esp=c588ffe8 esi=0811ba0c edi=01502690
[Profiler(33:33)]: cr0=80010013 cr2=01b7cdd8 cr3=03685000 cr4=00100ee4
[Profiler(33:33)]: code: 8b 0a 48 66 89 43 14 89
[Profiler(33:33)]: 0x080c8a39 malloc +491
[Profiler(33:33)]: Process regions:
[Profiler(33:33)]: BEGIN END SIZE ACCESS NAME
[Profiler(33:33)]: 08048000 -- 0810cfff 000c5000 R XS elf-map-rx
[Profiler(33:33)]: 0810d000 -- 0811cfff 00010000 RW elf-alloc-rw
[Profiler(33:33)]: 01101000 -- 01101fff 00001000 RW (null)
[Profiler(33:33)]: 01103000 -- 01502fff 00400000 RW T Stack (Main thread)
[Profiler(33:33)]: 01504000 -- 01504fff 00001000 RW Thread-specific
[Profiler(33:33)]: 01510000 -- 0151ffff 00010000 RW P malloc: ChunkedBlock(8)
[Profiler(33:33)]: 01530000 -- 0153ffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 01550000 -- 0155ffff 00010000 RW P malloc: ChunkedBlock(16)
[Profiler(33:33)]: 01570000 -- 0157ffff 00010000 RW P malloc: ChunkedBlock(64)
[Profiler(33:33)]: 01590000 -- 0159ffff 00010000 RW P malloc: ChunkedBlock(128)
[Profiler(33:33)]: 015b0000 -- 015bffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 015d0000 -- 015dffff 00010000 RW P malloc: ChunkedBlock(4090)
[Profiler(33:33)]: 015f0000 -- 015fffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 01610000 -- 0161ffff 00010000 RW P malloc: ChunkedBlock(252)
[Profiler(33:33)]: 01506000 -- 01506fff 00001000 R S P SharedBuffer
[Profiler(33:33)]: 01521000 -- 01521fff 00001000 RW P Gfx::Bitmap [16x16] - Decoded PNG: /res/icons/16x16/app-profiler.png
[Profiler(33:33)]: 01526000 -- 01526fff 00001000 RW P Gfx::Bitmap [32x32] - Decoded PNG: /res/icons/32x32/app-profiler.png
[Profiler(33:33)]: 016d0000 -- 016dffff 00010000 RW P malloc: ChunkedBlock(2036)
[Profiler(33:33)]: 015a3000 -- 015a3fff 00001000 RW P Gfx::Bitmap [7x10] - Decoded PNG: /res/emoji/U+2B07.png
[Profiler(33:33)]: 01546000 -- 01549fff 00004000 R S /res/fonts/Katica10.font
[Profiler(33:33)]: 01566000 -- 01569fff 00004000 R S /res/fonts/KaticaBold10.font
[Profiler(33:33)]: 01586000 -- 01589fff 00004000 R S /res/fonts/KaticaBold10.font
[Profiler(33:33)]: 0156b000 -- 0156bfff 00001000 RW P Gfx::Bitmap [7x10] - Decoded PNG: /res/emoji/U+2B06.png
[Profiler(33:33)]: 01630000 -- 0163ffff 00010000 P malloc: ChunkedBlock(8188)
[Profiler(33:33)]: 01650000 -- 0165ffff 00010000 RW P malloc: ChunkedBlock(16376)
[Profiler(33:33)]: 01670000 -- 0167ffff 00010000 P malloc: ChunkedBlock(32756)
[Profiler(33:33)]: 039d0000 -- 039dffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 016b0000 -- 016bffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 016f0000 -- 016fffff 00010000 P malloc: BigAllocationBlock
[Profiler(33:33)]: 01710000 -- 0171ffff 00010000 P malloc: BigAllocationBlock
[Profiler(33:33)]: 03970000 -- 0397ffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 01cd0000 -- 01cdffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 01810000 -- 0181ffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 01dd0000 -- 01ddffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 03890000 -- 0389ffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 03990000 -- 0399ffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 01890000 -- 0189ffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 03a10000 -- 03a2ffff 00020000 RW P malloc: BigAllocationBlock
[Profiler(33:33)]: 018d0000 -- 018dffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 01c30000 -- 01c3ffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 01cf0000 -- 01cfffff 00010000 RW P malloc: ChunkedBlock(128)
[Profiler(33:33)]: 01d90000 -- 01d9ffff 00010000 RW P malloc: ChunkedBlock(252)
[Profiler(33:33)]: 03930000 -- 0393ffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 01970000 -- 0197ffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 01d50000 -- 01d5ffff 00010000 P malloc: ChunkedBlock(32756)
[Profiler(33:33)]: 01d30000 -- 01d3ffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 019d0000 -- 019dffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 01db0000 -- 01dbffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 01d10000 -- 01d1ffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 01a30000 -- 01a3ffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 03870000 -- 0387ffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 01cb0000 -- 01cbffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 038b0000 -- 038bffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 038d0000 -- 038dffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 01ad0000 -- 01adffff 00010000 RW P malloc: ChunkedBlock(32)
[Profiler(33:33)]: 038f0000 -- 038fffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 01a70000 -- 01a7ffff 00010000 P malloc: ChunkedBlock(128)
[Profiler(33:33)]: 03950000 -- 0395ffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 039b0000 -- 039bffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 01b70000 -- 01b7ffff 00010000 RW P malloc: ChunkedBlock(16)
[Profiler(33:33)]: 01b90000 -- 01b9ffff 00010000 RW P malloc: ChunkedBlock(252)
[Profiler(33:33)]: 03910000 -- 0391ffff 00010000 RW P malloc: ChunkedBlock(1016)
[Profiler(33:33)]: 03b00000 -- 03b0ffff 00010000 P malloc: ChunkedBlock(16)
[Profiler(33:33)]: 03a80000 -- 03a8ffff 00010000 RW P malloc: ChunkedBlock(64)
[Profiler(33:33)]: 03ae0000 -- 03aeffff 00010000 RW P malloc: ChunkedBlock(64)
[Profiler(33:33)]: 015c3000 -- 015c3fff 00001000 RW P Gfx::Bitmap [9x9] - Decoded PNG: /res/icons/treeview-collapse.png
[Profiler(33:33)]: 0156d000 -- 0156dfff 00001000 RW P Gfx::Bitmap [16x16] - Decoded PNG: /res/icons/16x16/inspector-object.png
[Profiler(33:33)]: 015ad000 -- 015adfff 00001000 RW GraphicsBitmap [100x1]
[Profiler(33:33)]: 015ab000 -- 015abfff 00001000 RW P Gfx::Bitmap [9x9] - Decoded PNG: /res/icons/treeview-expand.png
[Profiler(33:33)]: 03177000 -- 03432fff 002bc000 RW S P SharedBuffer
[Profiler(33:33)]: 039f0000 -- 039fffff 00010000 RW P malloc: ChunkedBlock(508)
[Profiler(33:33)]: 015a5000 -- 015a5fff 00001000 RW P Gfx::Bitmap [16x16] - Decoded PNG: /res/icons/16x16/inspector-object-red.png
[Profiler(33:33)]: 0154d000 -- 0154dfff 00001000 R S P SharedBuffer
[Profiler(33:33)]: 01690000 -- 0169ffff 00010000 RW P malloc: ChunkedBlock(64)
[Profiler(33:33)]: 01730000 -- 0173ffff 00010000 RW P malloc: ChunkedBlock(64)
[Profiler(33:33)]: 01750000 -- 0175ffff 00010000 RW P malloc: ChunkedBlock(64)
[Profiler(33:33)]: 01770000 -- 0177ffff 00010000 RW P malloc: ChunkedBlock(64)
[Profiler(33:33)]: 01790000 -- 0179ffff 00010000 RW P malloc: ChunkedBlock(64)
[Profiler(33:33)]: 017b0000 -- 017bffff 00010000 RW P malloc: ChunkedBlock(64)
[Profiler(33:33)]: 017d0000 -- 017dffff 00010000 P malloc: BigAllocationBlock
[Profiler(33:33)]: 4012c000 -- 40df7fff 00ccc000 R S /bin/Browser
[Profiler(33:33)]: 02eba000 -- 03175fff 002bc000 RW S P SharedBuffer
[Profiler(33:33)]: 41ac6000 -- 42791fff 00ccc000 R S /bin/Browser
[Profiler(33:33)]: 02b10000 -- 02b8ffff 00080000 RW P malloc: BigAllocationBlock
[Profiler(33:33)]: Kernel regions:
About this issue
- State: closed
- Created 4 years ago
- Comments: 15 (6 by maintainers)
Commits related to this issue
- Kernel: Fix losing PTEs We can't use a HashMap with a small key that doesn't guarantee collisions. Change it to a HashTable instead. Fixes #3254 — committed to tomuta/serenity by tomuta 4 years ago
- Kernel: Fix losing PTEs We can't use a HashMap with a small key that doesn't guarantee collisions. Change it to a HashTable instead. Fixes #3254 — committed to SerenityOS/serenity by tomuta 4 years ago
- Kernel: Release page tables when no longer needed When unmapping regions, check if page tables can be freed. This is a follow-up change for #3254. — committed to tomuta/serenity by tomuta 4 years ago
- Kernel: Release page tables when no longer needed When unmapping regions, check if page tables can be freed. This is a follow-up change for #3254. — committed to SerenityOS/serenity by tomuta 4 years ago
Excellent job tracking this down @tomuta
This bug is caused by this line: https://github.com/SerenityOS/serenity/blob/777b298880bbcac15213616adf0edf2e14255791/Kernel/VM/MemoryManager.cpp#L230 which basically “loses” PTEs if the `page_directory_index` happens to be the same (it returns `AK::HashSetResult::InsertedNewEntry` in that case). This really should not be a `HashMap` but something like a `std::set` (not sure if AK has an equivalent).
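The key collision described in this comment, as an added example constructed for this write-up (it is not SerenityOS kernel code and does not reproduce the linked line). It assumes an x86 PAE-style address split, which the page does not state: the top-level index is bits 31..30 and the page-directory index is bits 29..21. `std::map` and `std::set` stand in for `AK::HashMap` and `AK::HashTable`, the faulting address from the dump is reused as the low address, and the high address is a constructed value 1 GiB above it, chosen so both share a directory index the way a heap region and the `/bin/Browser` mappings above 1 GiB in the region list would.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <set>

// Constructed model of the page-table bookkeeping discussed in the comment above;
// not SerenityOS code. A PageTable stands in for the physical page holding the
// PTEs; what matters is who keeps it alive.
struct PageTable {
    uint32_t directory_index;
};

// Assumed PAE-style split: 2-bit top-level index (bits 31..30) and 9-bit
// page-directory index (bits 29..21). Keying only on the directory index
// ignores the top-level index, so two addresses 1 GiB apart produce the same
// key even though they need different page tables.
static uint32_t top_level_index(uint32_t vaddr) { return (vaddr >> 30) & 0x3; }
static uint32_t page_directory_index(uint32_t vaddr) { return (vaddr >> 21) & 0x1ff; }

// Buggy bookkeeping: a map keyed on the small index. Setting a key that is
// already present overwrites the old value, dropping the only reference to the
// previous page table. set() returns true when that happened.
struct IndexKeyedTables {
    std::map<uint32_t, std::shared_ptr<PageTable>> tables;
    bool set(uint32_t vaddr, std::shared_ptr<PageTable> table) {
        uint32_t key = page_directory_index(vaddr);
        bool replaced = tables.count(key) != 0;
        tables[key] = std::move(table);
        return replaced;
    }
};

// Bookkeeping in the spirit of the fix commit: a set of the owning references
// themselves, so each distinct page table is its own key and nothing collides.
struct IdentityTables {
    std::set<std::shared_ptr<PageTable>> tables;
    void set(std::shared_ptr<PageTable> table) { tables.insert(std::move(table)); }
};

// Constructed addresses: the faulting address from the dump, and the same
// offset 1 GiB higher (same bits 29..21, different top-level entry).
constexpr uint32_t kLowVaddr  = 0x01b7cdd8;
constexpr uint32_t kHighVaddr = 0x41b7cdd8;

// True when the two addresses need different page tables but map to one key.
bool keys_collide() {
    return top_level_index(kLowVaddr) != top_level_index(kHighVaddr)
        && page_directory_index(kLowVaddr) == page_directory_index(kHighVaddr);
}

// Number of page tables still alive after registering both through the buggy map.
size_t alive_with_index_key() {
    IndexKeyedTables reg;
    auto low  = std::make_shared<PageTable>(PageTable{page_directory_index(kLowVaddr)});
    auto high = std::make_shared<PageTable>(PageTable{page_directory_index(kHighVaddr)});
    std::weak_ptr<PageTable> low_w = low, high_w = high;
    reg.set(kLowVaddr, std::move(low));
    reg.set(kHighVaddr, std::move(high)); // silently evicts the low table: its PTEs are "lost"
    return (low_w.expired() ? 0 : 1) + (high_w.expired() ? 0 : 1);
}

// Same registration through the identity-keyed set: both tables survive.
size_t alive_with_identity_key() {
    IdentityTables reg;
    auto low  = std::make_shared<PageTable>(PageTable{page_directory_index(kLowVaddr)});
    auto high = std::make_shared<PageTable>(PageTable{page_directory_index(kHighVaddr)});
    std::weak_ptr<PageTable> low_w = low, high_w = high;
    reg.set(std::move(low));
    reg.set(std::move(high));
    return (low_w.expired() ? 0 : 1) + (high_w.expired() ? 0 : 1);
}
```

The `weak_ptr` observers are the check a reviewer would want: with the index-keyed map the first table's refcount drops to zero the moment the colliding key is set, which is exactly the silent loss of a page table (and a later fault in whatever still referenced it) that the crash above shows, while the identity-keyed set keeps both.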