I started to look at ref counting to convince myself that the db_bu field in a cached dmu_impl_t object is guaranteed to point at a valid arc_buf_t.
I have seen a "deadbeef" crash on a busy system when zfs_write() is pre-pagefaulting in the file's pages. The page fault handler eventually winds its way to dbuf_hold_impl, which manages to find a cached dmu_impl_t record. This record, however, points to a freed arc_buf_t via its b_data field. The field is not null, but it points to a freed object, hence the crash upon trying to lock the rwlock of the alleged arc_buf. Ref counting should prevent something like this, correct? -- This message posted from opensolaris.org
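The failure mode described in the post (a cached record whose buffer pointer outlives the buffer it names) is exactly what a reference-count hold is meant to rule out. The following is an added illustration, not code from the post or from ZFS: it models the invariant with a hypothetical refcounted `buf_t`, a `cache_entry_t` whose `buf` pointer plays the role of the cached record's buffer pointer, and a debug-style poison value written when the count drops to zero. The magic and poison constants, and all type and function names, are assumptions chosen for the example. The two scenarios show that a cache which takes its own hold keeps the buffer live after the original owner releases it, while a cache that merely copies the pointer is left pointing at poisoned memory.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_MAGIC  0xA5C0FFEEu  /* constructed marker for a live buffer */
#define BUF_POISON 0xDEADBEEFu  /* constructed marker written on last release */

/* Hypothetical refcounted buffer standing in for an arc_buf-like object. */
typedef struct buf {
    uint32_t magic;   /* BUF_MAGIC while live, BUF_POISON once released */
    int      refcnt;  /* number of outstanding holds */
    char    *data;    /* payload, freed when refcnt reaches zero */
} buf_t;

/* Hypothetical cache record; only its buffer pointer matters here. */
typedef struct cache_entry {
    buf_t *buf;
} cache_entry_t;

/* Allocate a buffer with one hold owned by the caller. */
buf_t *buf_alloc(size_t len) {
    buf_t *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->data = calloc(1, len);
    if (!b->data) { free(b); return NULL; }
    b->magic = BUF_MAGIC;
    b->refcnt = 1;
    return b;
}

/* Take an additional hold; only legal on a live buffer. */
void buf_hold(buf_t *b) {
    assert(b->magic == BUF_MAGIC);
    b->refcnt++;
}

/* Drop a hold. On the last release the payload is freed and the header
 * is poisoned rather than freed, so a stale pointer can still be inspected
 * safely in this demonstration. Returns 1 if this was the last hold. */
int buf_release(buf_t *b) {
    assert(b->magic == BUF_MAGIC);
    if (--b->refcnt > 0) return 0;
    free(b->data);
    b->data = NULL;
    b->magic = BUF_POISON;
    return 1;
}

/* True only if the pointer still names a live buffer. */
int buf_is_live(const buf_t *b) {
    return b != NULL && b->magic == BUF_MAGIC;
}

/* Release the poisoned header once no caller can still reference it. */
void buf_destroy(buf_t *b) {
    assert(b->magic == BUF_POISON);
    free(b);
}

/* Scenario 1: the cache takes its own hold. After the original owner
 * releases, the cached pointer is still live. Returns buf_is_live() of
 * the cached pointer at that moment (expected 1). */
int scenario_with_hold(void) {
    buf_t *b = buf_alloc(64);
    cache_entry_t e = { .buf = b };
    buf_hold(e.buf);          /* cache's own hold: refcnt 2 */
    buf_release(b);           /* owner drops its hold: refcnt 1 */
    int live = buf_is_live(e.buf);
    if (buf_release(e.buf))   /* cache evicts: refcnt 0, poisoned */
        buf_destroy(e.buf);
    return live;
}

/* Scenario 2: the cache only copies the pointer. The owner's release is
 * the last hold, so the cached pointer now names poisoned memory.
 * Returns buf_is_live() of the cached pointer (expected 0). */
int scenario_without_hold(void) {
    buf_t *b = buf_alloc(64);
    cache_entry_t e = { .buf = b };   /* no buf_hold(): the defect */
    buf_release(b);                   /* refcnt 0: payload freed, header poisoned */
    int live = buf_is_live(e.buf);
    buf_destroy(b);
    return live;
}

int main(void) {
    printf("cache holds a reference : cached buffer live = %d\n", scenario_with_hold());
    printf("cache copies the pointer: cached buffer live = %d\n", scenario_without_hold());
    return 0;
}
```

A real allocator would hand the header back to the heap on the last release, which is why the crash in the post surfaces as a fault on the rwlock rather than a clean poison check; the poisoned-header variant here exists only so the stale pointer can be examined without undefined behaviour.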