Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 10 Apr 1996 23:47:08 -0400
From:      "Chuck O'Donnell" <chuck@bus.net>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/1130: pty driver bug
Message-ID:  <199604110347.XAA05224@edna.bus.net>
Resent-Message-ID: <199604110350.UAA02879@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         1130
>Category:       kern
>Synopsis:       pty driver bug
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 10 20:50:01 PDT 1996
>Last-Modified:
>Originator:     Hugh Redelmeier, Chuck O'Donnell
>Organization:
Hugh Redelmeier: jove author
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

	OS: FreeBSD 2.1.0-RELEASE
	Computer: Intel pentium
	jove version: 4.16 (4.16beta is shipped with system and fails too)
	shell: bash (but fails with sh and csh too)

>Description:

	Running the jove port:  when running an interactive shell in a
	buffer, pressing the return key repeats the command on the prompt
        line anywhere from 50 to 500 times.

>How-To-Repeat:

	1) run jove:
		$ jove
	2) start up an interactive shell window within jove:
		ESC x shell RETURN [note: don't type the spaces]
	3) issue a simple echo command in the window
		$ echo hi
	4) observe the multiple outputs.

>Fix:

Don't know yet.  Here's what's been done so far:


Hypothesis:

	The pseudo tty driver is confused about the length of buffer
	contents.  In particular, a write call on the pty returns 0,
	indicating a successful write of no characters; subsequent reads
	from the pty yield more characters than were written.


Investigation and Analysis:

	We used ktrace to see what was going on.  Here is how we did it,
	using two virtual terminals:

		on first terminal: start jove
		on second terminal:
			find out process id of jove process (ps & grep)
			ktrace -i -p <jovepid> -t cis
                                        [my *guess* at best flags to use]
		on first terminal:
			issue jove "shell" command
			in shell window, issue minor command like "echo hi"
		on second terminal, turn off tracing: ktrace -C

	The result was a large ktrace.out. Here is a chunk from the middle,
	with commentary:

	The first run of lines seems to be a character-at-a-time loop,
	reading from the keyboard (standard in: 0) and echoing the
	characters to the screen (standard out: 1).  The select is just to
	determine that the next interesting event is a keystroke, or that
	the screen is ready.  Here is the trace of a single cycle of this
	loop.

	   212 jove     CALL  select(0x4,0xefbfdcec,0,0,0)
	   212 jove     RET   select 1

	   212 jove     CALL  read(0,0x38a48,0x14)
	   212 jove     GIO   fd 0 read 1 bytes
		   "h"
	   212 jove     RET   read 1

	   212 jove     CALL  select(0x1,0xefbfdcd0,0,0,0xefbfdcc8)
	   212 jove     RET   select 0

	   212 jove     CALL  write(0x1,0x3e800,0x1)
	   212 jove     GIO   fd 1 wrote 1 bytes
		   "h"
	   212 jove     RET   write 1

	When the \r is read, the fun begins:

	   212 jove     CALL  select(0x4,0xefbfdcec,0,0,0)
	   212 jove     RET   select 1
	   212 jove     CALL  read(0,0x38a48,0x14)
	   212 jove     GIO   fd 0 read 1 bytes
		   "\r"
	   212 jove     RET   read 1

	Here JOVE writes 8 bytes to the file descriptor 3, presumably
	the pty feeding bash.  But wait: the result is very peculiar.
	(It is important to note that this is the first write to the
	pty; it must be	empty before this.)

	   212 jove     CALL  write(0x3,0x3b316,0x8)
	   212 jove     GIO   fd 3 wrote 0 bytes
		   ""

	Why does it appear as if 0 bytes were written, even though
	jove tried to write 8???

	I look forward from here for the next line describing process 212
	jove.  It is very far forward, past all the I/O corresponding to the
	multiple echo commands that bash sees.  It reads
	[later]    212 jove     RET   write 0
	so jove is being told that the write was successful, but 0 bytes were
	written!  Jove only checks whether the write was successful, and doesn't
	pay attention to the length reported by write.  Jove will not retry
	this write, although that would be reasonable.

	   257 bash     GIO   fd 0 read 128 bytes
		   "echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		echo hi
		   "
	   257 bash     RET   read 128/0x80

	This is quite odd.  Bash is getting 128 characters, containing
	multiple copies of what jove was unable to write!!!  This read was
	issued by bash much earlier:

	[earlier]   257 bash     CALL  read(0,0x52058,0x8)   << 0x80, 128 bytes

	Notice that the amount returned by the read was the length
	requested by bash.  I think that a pty should return at most a
	line at a time, even if the read requested more.

	At this point, things are so very wrong we need not look farther in
	the trace.

	Is jove using the pty incorrectly?  In particular, does
	the pty somehow need to be set up in a way different from what jove
	has done.  Do streams modules need to be pushed?  We think jove works
	fine on other BSD systems.

	It sure looks like there is a FreeBSD bug, but it might only be in
	ktrace/kdump.  In particular, the pty write says that 0 bytes were
	written, but at least 128 bytes, some perhaps fictitious, are read.
	It is pretty clear that the 0 return is wrong, but depending on
	whether jove actually tried to repeat the write, the 128 bytes
	might be partially bogus too.


Another interesting but unanalyzed observation:

	I tried running two kdump processes instead of one: one for bash
	and one for jove.  The machine has crashed a twice while running
	i-shells, leading me to believe that maybe something is
	overloaded.  A simple "echo something" command will complete
	(albeit multiple times), but a "ls" will sometimes lockup or
	reboot the machine.
>Audit-Trail:
>Unformatted:




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199604110347.XAA05224>