panic.c revision 281888b30170d9201cff6510aa98cb0a7151b09e
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
* When the operating system detects that it is in an invalid state, a panic
* is initiated in order to minimize potential damage to user data and to
* facilitate debugging. There are three major tasks to be performed in
* a system panic: recording information about the panic in memory (and thus
* making it part of the crash dump), synchronizing the file systems to
* preserve user file data, and generating the crash dump. We define the
* system to be in one of four states with respect to the panic code:
*
* CALM - the state of the system prior to any thread initiating a panic
*
* QUIESCE - the state of the system when the first thread to initiate
* a system panic records information about the cause of the panic
* and renders the system quiescent by stopping other processors
*
* SYNC - the state of the system when we synchronize the file systems
* DUMP - the state when we generate the crash dump.
*
* The transitions between these states are irreversible: once we begin
* panicking, we only make one attempt to perform the actions associated with
* each state.
*
* The panic code itself must be re-entrant because actions taken during any
* state may lead to another system panic. Additionally, any Solaris
* thread may initiate a panic at any time, and so we must have synchronization
* between threads which attempt to initiate a state transition simultaneously.
* The panic code makes use of a special locking primitive, a trigger, to
* perform this synchronization. A trigger is simply a word which is set
* atomically and can only be set once. We declare three triggers, one for
* each transition between the four states. When a thread enters the panic
* code it attempts to set each trigger; if it fails it moves on to the
* next trigger. A special case is the first trigger: if two threads race
* to perform the transition to QUIESCE, the losing thread may execute before
* the winner has a chance to stop its CPU. To solve this problem, we have
* the loser look ahead to see if any other triggers are set; if not, it
* presumes a panic is underway and simply spins. Unfortunately, since we
* are panicking, it is not possible to know this with absolute certainty.
*
* There are two common reasons for re-entering the panic code once a panic
* has been initiated: (1) after we debug_enter() at the end of QUIESCE,
* the operator may type "sync" instead of "go", and the PROM's sync callback
* routine will invoke panic(); (2) if the clock routine decides that sync
* or dump is not making progress, it will invoke panic() to force a timeout.
* The design assumes that a third possibility, another thread causing an
* unrelated panic while sync or dump is still underway, is extremely unlikely.
* If this situation occurs, we may end up triggering dump while sync is
* still in progress. This third case is considered extremely unlikely because
* all other CPUs are stopped and low-level interrupts have been blocked.
*
* The panic code is entered via a call directly to the vpanic() function,
* or its varargs wrappers panic() and cmn_err(9F). The vpanic routine
* is implemented in assembly language to record the current machine
* registers, attempt to set the trigger for the QUIESCE state, and
* if successful, switch stacks on to the panic_stack before calling into
* the common panicsys() routine. The first thread to initiate a panic
* is allowed to make use of the reserved panic_stack so that executing
* the panic code itself does not overwrite valuable data on that thread's
* stack *ahead* of the current stack pointer. This data will be preserved
* in the crash dump and may prove invaluable in determining what this
* thread has previously been doing. The first thread, saved in panic_thread,
* is also responsible for stopping the other CPUs as quickly as possible,
* and then setting the various panic_* variables. Most important among
* these is panicstr, which allows threads to subsequently bypass held
* locks so that we can proceed without ever blocking. We must stop the
* other CPUs *prior* to setting panicstr in case threads running there are
* currently spinning to acquire a lock; we want that state to be preserved.
* Every thread which initiates a panic has its T_PANIC flag set so we can
* identify all such threads in the crash dump.
*
* The panic_thread is also allowed to make use of the special memory buffer
* panicbuf, which on machines with appropriate hardware is preserved across
* reboots. We allow the panic_thread to store its register set and panic
* message in this buffer, so even if we fail to obtain a crash dump we will
* be able to examine the machine after reboot and determine some of the
* state at the time of the panic. If we do get a dump, the panic buffer
* data is structured so that a debugger can easily consume the information
*
* Each platform or architecture is required to implement the functions
* panic_savetrap() to record trap-specific information to panicbuf,
* panic_saveregs() to record a register set to panicbuf, panic_stopcpus()
* to halt all CPUs but the panicking CPU, panic_quiesce_hw() to perform
* miscellaneous platform-specific tasks *after* panicstr is set,
* panic_showtrap() to print trap-specific information to the console,
* and panic_dump_hw() to perform platform tasks prior to calling dumpsys().
*
* A Note on Word Formation, courtesy of the Oxford Guide to English Usage:
*
* Words ending in -c interpose k before suffixes which otherwise would
* indicate a soft c, and thus the verb and adjective forms of 'panic' are
* spelled "panicked", "panicking", and "panicky" respectively. Use of
* the ill-conceived "panicing" and "panic'd" is discouraged.
*/
#include <sys/sysmacros.h>
#include <sys/archsystm.h>
/*
* Panic variables which are set once during the QUIESCE state by the
* first thread to initiate a panic. These are examined by post-mortem
* debugging tools; the inconsistent use of 'panic' versus 'panic_' in
* the variable naming is historical and allows legacy tools to work.
*/
char *volatile panicstr; /* format string to first panicsys() */
int panic_ipl; /* ipl on panic_cpu at time of panic */
char panic_preempt; /* t_preempt for panic_thread */
/*
* the system is in operation. Again, the stupid names are historic.
*/
int halt_on_panic = 0; /* halt after dump instead of reboot? */
int nopanicdebug = 0; /* reboot instead of call debugger? */
int in_sync = 0; /* skip vfs_syncall() and just dump? */
/*
* The do_polled_io flag is set by the panic code to inform the SCSI subsystem
* to use polled mode instead of interrupt-driven i/o.
*/
int do_polled_io = 0;
/*
* The panic_forced flag is set by the uadmin A_DUMP code to inform the
* panic subsystem that it should not attempt an initial debug_enter.
*/
int panic_forced = 0;
/*
* Triggers for panic state transitions:
*/
int panic_quiesce; /* trigger for CALM -> QUIESCE */
int panic_sync; /* trigger for QUIESCE -> SYNC */
int panic_dump; /* trigger for SYNC -> DUMP */
void
{
int s = spl8();
t->t_schedflag |= TS_DONT_SWAP;
t->t_bound_cpu = cp;
t->t_preempt++;
panic_enter_hw(s);
/*
* If we're on the interrupt stack and an interrupt thread is available
* in this CPU's pool, preserve the interrupt stack by detaching an
* interrupt thread and making its stack the intr_stack.
*/
/*
* Clear only the high level bits of cpu_intr_actv.
* We want to indicate that high-level interrupts are
* not active without destroying the low-level interrupt
* information stored there.
*/
}
/*
* Record one-time panic information and quiesce the other CPUs.
* Then print out the panic message and stack trace.
*/
if (on_panic_stack) {
if (t->t_panic_trap != NULL)
else
/*
* Call into the platform code to stop the other CPUs.
* We currently have all interrupts blocked, and expect that
* the platform code will lower ipl only as far as needed to
* perform cross-calls, and will acquire as *few* locks as is
* possible -- panicstr is not set so we can still deadlock.
*/
panic_stopcpus(cp, t, s);
panic_lbolt = lbolt;
panic_thread = t;
panic_regs = t->t_pcb;
if (intr_stack != NULL) {
}
/*
* Lower ipl to 10 to keep clock() from running, but allow
* keyboard interrupts to enter the debugger. These callbacks
* are executed with panicstr set so they can bypass locks.
*/
(void) FTRACE_STOP();
/*
* If log_consq has been initialized and syslogd has started,
* print any messages in log_consq that haven't been consumed.
*/
fm_banner();
#if defined(__x86)
/*
* A hypervisor panic originates outside of Solaris, so we
* don't want to prepend the panic message with misleading
* pointers from within Solaris.
*/
if (!IN_XPV_PANIC())
#endif
(void *)t);
printf("\n\n");
if (t->t_panic_trap != NULL) {
printf("\n");
}
printf("\n");
!nopanicdebug && !panic_forced) {
debug_enter("panic: entering debugger "
"(continue to save dump)");
} else {
debug_enter("panic: entering debugger "
"(no dump device, continue to reboot)");
}
}
printf("\n");
} else
goto spin;
/*
* Prior to performing sync or dump, we make sure that do_polled_io is
* set, but we'll leave ipl at 10; deadman(), a CY_HIGH_LEVEL cyclic,
* will re-enter panic if we are not making progress with sync or dump.
*/
/*
* Sync the filesystems. Reset t_cred if not set because much of
* the filesystem code depends on CRED() being valid.
*/
do_polled_io = 1;
vfs_syncall();
}
/*
* Take the crash dump. If the dump trigger is already set, try to
* enter the debugger again before rebooting the system.
*/
if (panic_trigger(&panic_dump)) {
panic_dump_hw(s);
errorq_panic();
do_polled_io = 1;
dumpsys();
debug_enter("panic: entering debugger (continue to reboot)");
} else
printf("dump aborted: please record the above information!\n");
if (halt_on_panic)
else
spin:
/*
* Restore ipl to at most CLOCK_LEVEL so we don't end up spinning
* and unable to jump into the debugger.
*/
for (;;)
;
}
void
{
}