A prototype for PSU/fan diagnosis caused fmd to dump core at:
> ::umem_status
Status: ready and active
Concurrency: 8
Logs: content=128k fail=128k (inactive)
Message buffer:
umem allocator: buffer modified after being freed
modification occurred at offset 0x18 (0xdeadbeefdeadbeef replaced by 0xdeadbed9deadbeef)
buffer=9cf7d30 bufctl=9cfaea0 cache: umem_alloc_32
previous transaction on buffer 9cf7d30:
thread=11 time=T-60.004609723 slab=9c3c798 cache: umem_alloc_32
libumem.so.1'umem_cache_free_debug+0x135
libumem.so.1'umem_cache_free+0x42
libumem.so.1'umem_free+0xd8
libtopo.so.1'topo_free+0x1e
libtopo.so.1'topo_hdl_free+0x17
libtopo.so.1'topo_mod_free+0x24
ses.so'ses_target_free+0x54
ses.so'ses_release+0x2b
libtopo.so.1'topo_node_destroy+0x122
libtopo.so.1'topo_node_rele+0x3f
libtopo.so.1'topo_walk_bottomup+0x127
libtopo.so.1'step_sibling+0x75
libtopo.so.1'topo_walk_bottomup+0x11b
libtopo.so.1'step_sibling+0x75
libtopo.so.1'topo_walk_bottomup+0x11b
umem: heap corruption detected
stack trace:
libumem.so.1'umem_err_recoverable+0x39
libumem.so.1'umem_error+0x47f
libumem.so.1'umem_magazine_destroy+0x12a
libumem.so.1'umem_depot_ws_reap+0x88
libumem.so.1'umem_cache_reap+0x31
libumem.so.1'umem_process_updates+0x10c
libumem.so.1'umem_update_thread+0x50
libc.so.1'_thr_setup+0x70
libc.so.1'_lwp_start+0x0
The problem comes from the fact that ses_add_fac_common()
does a topo_node_setspecific() without incrementing the
refcount of the ses_enum_target_t, so we end up calling
ses_release() more times than the refcount indicates.
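
The imbalance described above, modeled as a small C program (an added illustration, not the ses.so source). `target_t`, `node_t`, `node_setspecific()` and the `hold` flag are hypothetical stand-ins, the free is simulated by writing umem's 0xdeadbeef fill pattern, and the count of 22 facility nodes is a constructed value chosen so the poisoned word ends at 0xdeadbed9 as in the report, assuming the modified word is the refcount.

```c
#include <stdio.h>
#define FREE_PATTERN 0xdeadbeefu /* umem fills freed buffers with this */

/* Hypothetical stand-ins for ses_enum_target_t and a topo node. */
typedef struct { unsigned int refcount; int freed; } target_t;
typedef struct { target_t *specific; } node_t;

/* Drop a reference; at zero, simulate the free by poisoning the word. */
static void target_release(target_t *tp)
{
    if (--tp->refcount == 0 && !tp->freed) {
        tp->freed = 1;
        tp->refcount = FREE_PATTERN;
    }
}

/* Store the target as node-specific data; hold=0 is the reported bug. */
static void node_setspecific(node_t *np, target_t *tp, int hold)
{
    if (hold)
        tp->refcount++;
    np->specific = tp;
}

/* Refcount word after all nodes are destroyed (nfac capped at MAXFAC). */
static unsigned int final_word(unsigned int nfac, int hold)
{
    enum { MAXFAC = 64 };
    target_t t = { 1, 0 };  /* one reference, taken for the parent node */
    node_t parent = { &t }, fac[MAXFAC];
    if (nfac > MAXFAC) nfac = MAXFAC;
    for (unsigned int i = 0; i < nfac; i++)
        node_setspecific(&fac[i], &t, hold);
    for (unsigned int i = 0; i < nfac; i++)  /* children are released first */
        target_release(fac[i].specific);
    target_release(parent.specific);
    return t.refcount;
}

/* Number of releases that hit the buffer after it was freed. */
static unsigned int extra_releases(unsigned int nfac, int hold)
{
    return FREE_PATTERN - final_word(nfac, hold);
}

int main(void)
{
    printf("bug: %u extra, fix: %u extra\n", extra_releases(22, 0), extra_releases(22, 1));
    return 0;
}
```

Without the hold, every release after the first lands on the already-freed buffer and decrements the fill pattern; with the hold, the last release is the one that frees it.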