From owner-freebsd-current Tue Jan 21 11:23:14 1997
Return-Path:
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.4/8.8.4) id LAA07035
          for current-outgoing; Tue, 21 Jan 1997 11:23:14 -0800 (PST)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id LAA07026
          for ; Tue, 21 Jan 1997 11:23:11 -0800 (PST)
Received: (from bde@localhost)
          by godzilla.zeta.org.au (8.8.3/8.6.9) id GAA15684;
          Wed, 22 Jan 1997 06:18:31 +1100
Date: Wed, 22 Jan 1997 06:18:31 +1100
From: Bruce Evans
Message-Id: <199701211918.GAA15684@godzilla.zeta.org.au>
To: mark@grondar.za, syssgm@devetir.qld.gov.au
Subject: Re: VM bogon? Was: Re: NIS breakage
Cc: freebsd-current@freebsd.org
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Stephen McKay wrote:
>> In fact, I'm now so keen on my hypothesis that I've written some code.
>> Unfortunately, I have no -current box to test it on. Thus, if Mr Murry
>> wishes to risk all, the following patch may help.
>>
>> ** WARNING ** I have done no testing at all on this patch. ** WARNING **
>>
>>
>> --- support.s Tue Jan 21 11:48:00 1997
>> +++ support.s.new Tue Jan 21 19:43:35 1997
>
>It works! You are brilliant, sir!
>
>I have no more portmap bombing out, and ypbind is no longer giving these
>bogus "bad address" turds.

I duplicated the problem on a 486 configured as a 386. I used the enclosed
program to force other processes out to swap (run /usr/bin/vi, then memhog,
then check that vi has an RSS of 0, then hit a key in vi. vi always gets
EFAULT for reading a 255-byte buffer).

The bug probably also occurs in suword(), susword() and subyte(). susword()
and susword() are also buggy on 386's if the [s]word crosses a page boundary.

Bruce

/* memhog.c */
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>

#include <err.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * XXX this doesn't work to override /etc/malloc.conf, but since I have
 * < DFL_DSIZE of swap, the swap pager will kill the process before
 * malloc() fails.
 */
char *malloc_options = "";

int
main(void)
{
	int i;
	struct rlimit rl;
	char *p;

	/* Lift the data-size and RSS limits so nothing stops the hog early. */
	rl.rlim_cur = RLIM_INFINITY;
	rl.rlim_max = RLIM_INFINITY;
	if (setrlimit(RLIMIT_DATA, &rl) != 0)
		err(1, "setrlimit(RLIMIT_DATA)");
	if (setrlimit(RLIMIT_RSS, &rl) != 0)
		err(1, "setrlimit(RLIMIT_RSS)");

	/*
	 * Allocate a page-sized (0x1000) chunk per iteration, forever, and
	 * never free it.  The loop is ended from outside (see XXX above).
	 */
	for (i = 0; ; ++i) {
		p = malloc(0x1000);
		/* Consume real memory. */
		if (p != NULL) {
			fprintf(stderr, "%d ", i);
			*p = 1;		/* touch it so it is really backed */
		}
	}
}