On 22.11.2025 16:40, Konstantin Belousov wrote:
On Sat, Nov 22, 2025 at 03:31:24PM +0100, Michal Meloun wrote:
This patch KASSERTs almost immediately when the system enters multi-user
mode while processing mmap() syscall:

panic: vm_object_coalesce: obj 0xc73ddb28 next_pindex 0x13 next_size 0x5
obj_size 0x176

Yes, the assert was mis-placed.  Please try this variant.

commit 2b1a1bcd2926bd89b8422c665b0aa411e29c883b
Author: Konstantin Belousov <[email protected]>
Date:   Sat Nov 22 16:02:50 2025 +0200

     vm_object_coalesce(): fix logic to detect coalesce possibility, simplify

diff --git a/sys/vm/vm_object.c b/sys/vm/vm_object.c
index 5b4517d2bf0c..9bb4e54edd96 100644
--- a/sys/vm/vm_object.c
+++ b/sys/vm/vm_object.c
@@ -2189,13 +2189,19 @@ vm_object_coalesce(vm_object_t prev_object, 
vm_ooffset_t prev_offset,
        next_size >>= PAGE_SHIFT;
        next_pindex = OFF_TO_IDX(prev_offset) + prev_size;
- if (prev_object->ref_count > 1 &&
-           prev_object->size != next_pindex &&
+       if (prev_object->ref_count > 1 ||
+           prev_object->size != next_pindex ||
            (prev_object->flags & OBJ_ONEMAPPING) == 0) {
                VM_OBJECT_WUNLOCK(prev_object);
                return (FALSE);
        }
+ KASSERT(next_pindex + next_size > prev_object->size,
+           ("vm_object_coalesce: "
+           "obj %p next_pindex %#jx next_size %#jx obj_size %#jx",
+           prev_object, (uintmax_t)next_pindex, (uintmax_t)next_size,
+           (uintmax_t)prev_object->size));
+
        /*
         * Account for the charge.
         */
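
Review bot: The KASSERT placed after the early return checks less than its message suggests. Once the new `prev_object->size != next_pindex ||` term has forced a return, `prev_object->size == next_pindex` holds, so `next_pindex + next_size > prev_object->size` reduces to `next_size > 0`. If the intent is to catch a request that becomes zero pages after `next_size >>= PAGE_SHIFT`, asserting `next_size > 0` directly would state that and give a clearer panic string. Separately, switching `&&` to `||` means an object with a ref_count of 1 whose size differs from next_pindex is now rejected where the old condition let it through; the one-line commit message should describe that behaviour change.
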
@@ -2222,26 +2228,13 @@ vm_object_coalesce(vm_object_t prev_object, 
vm_ooffset_t prev_offset,
         * Remove any pages that may still be in the object from a previous
         * deallocation.
         */
-       if (next_pindex < prev_object->size) {
-               vm_object_page_remove(prev_object, next_pindex, next_pindex +
-                   next_size, 0);
-#if 0
-               if (prev_object->cred != NULL) {
-                       KASSERT(prev_object->charge >=
-                           ptoa(prev_object->size - next_pindex),
-                           ("object %p overcharged 1 %jx %jx", prev_object,
-                               (uintmax_t)next_pindex, (uintmax_t)next_size));
-                       prev_object->charge -= ptoa(prev_object->size -
-                           next_pindex);
-               }
-#endif
-       }
+       vm_object_page_remove(prev_object, next_pindex, next_pindex +
+           next_size, 0);
/*
         * Extend the object if necessary.
         */
-       if (next_pindex + next_size > prev_object->size)
-               prev_object->size = next_pindex + next_size;
+       prev_object->size = next_pindex + next_size;
VM_OBJECT_WUNLOCK(prev_object);
        return (TRUE);
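
Review bot: The two comments kept above the now-unconditional statements no longer match the code. With the earlier check returning FALSE unless `prev_object->size == next_pindex`, the range passed to `vm_object_page_remove()` starts exactly at the current object size, and the removed guard `next_pindex < prev_object->size` could never be true under that precondition. Either explain in the comment how pages "from a previous deallocation" can exist at or beyond `prev_object->size`, or drop the call. Likewise "Extend the object if necessary" should be reworded, since `prev_object->size = next_pindex + next_size;` now always runs.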

Unfortunately, that didn't help. I will try the vm_map.c patch again for confirmation.
