From owner-freebsd-bugs  Thu Aug 22 13:00:10 1996
Return-Path: owner-bugs
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id NAA11826
          for bugs-outgoing; Thu, 22 Aug 1996 13:00:10 -0700 (PDT)
Received: (from gnats@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id NAA11802;
          Thu, 22 Aug 1996 13:00:05 -0700 (PDT)
Resent-Date: Thu, 22 Aug 1996 13:00:05 -0700 (PDT)
Resent-Message-Id: <199608222000.NAA11802@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, jgreco@ns.sol.net
Received: from anacreon.sol.net (anacreon.sol.net [206.55.64.116])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id MAA11689
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 22 Aug 1996 12:57:52 -0700 (PDT)
Received: (from root@localhost) by anacreon.sol.net (8.6.12/8.6.12) id OAA23038; Thu, 22 Aug 1996 14:57:39 -0500
Message-Id: <199608221957.OAA23038@anacreon.sol.net>
Date: Thu, 22 Aug 1996 14:57:39 -0500
From: jgreco@ns.sol.net
Reply-To: jgreco@ns.sol.net
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/1533: VM Crash with massive numbers of mmap's
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


>Number:         1533
>Category:       kern
>Synopsis:       Machine can be panicked by a userland program.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 22 13:00:02 PDT 1996
>Last-Modified:
>Originator:     Joe Greco
>Organization:
sol.net Network Services
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

	Pentium 133, ASUS Triton-II motherboard, 192MB RAM, 
	3 x NCR 810 SCSI controllers, 15 Hawk 1GB drives plus 2 Barra 4G's,
	SMC EtherPower 10/100

	Kernel configuration:

Local modifications:	DK_NDRIVE --> 32
			MSG_BSIZE --> (16384 - 3 * sizeof(unsigned int))

sysctl -w kern.update=300

/sys/i386/conf/NEWSREADER_DB:

#
# NEWSREADER_DB -- Generic machine with WD/AHx/NCR/BTx family disks
#
#	$Id: NEWSREADER_DB,v 1.46.2.18 1996/07/16 08:53:04 davidg Exp $
#

machine		"i386"
#cpu		"I386_CPU"
cpu		"I486_CPU"
cpu		"I586_CPU"
ident		"NEWSREADER_DB"
maxusers	256

options         "MAXMEM=262720"         #real memory  = 67698688 (16528 pages)
                                        #+192MB = 256MB

options		MATH_EMULATE		#Support for x87 emulation
options		INET			#InterNETworking
options		FFS			#Berkeley Fast Filesystem
options		NFS			#Network Filesystem
options		MSDOSFS			#MSDOS Filesystem
options		"CD9660"		#ISO 9660 Filesystem
options		PROCFS			#Process filesystem
options		"COMPAT_43"		#Compatible with BSD 4.3
options		"SCSI_DELAY=5"		#Be pessimistic about Joe SCSI device
options		BOUNCE_BUFFERS		#include support for DMA bounce buffers
options		UCONSOLE		#Allow users to grab the console

options               "CHILD_MAX=512"
options               "OPEN_MAX=256"
#options               "NMBCLUSTERS=512"

options		SYSVSHM
options		SYSVSEM
options		SYSVMSG

config		kernel	root on wd0 

controller	isa0
controller	eisa0
controller	pci0

controller	fdc0	at isa? port "IO_FD1" bio irq 6 drq 2 vector fdintr
disk		fd0	at fdc0 drive 0
#disk		fd1	at fdc0 drive 1
#tape		ft0	at fdc0 drive 2

#controller	wdc0	at isa? port "IO_WD1" bio irq 14 vector wdintr
#disk		wd0	at wdc0 drive 0
#disk		wd1	at wdc0 drive 1

#controller	wdc1	at isa? port "IO_WD2" bio irq 15 vector wdintr
#disk		wd2	at wdc1 drive 0
#disk		wd3	at wdc1 drive 1

#options         ATAPI   #Enable ATAPI support for IDE bus
#device          wcd0    #IDE CD-ROM

controller	ncr0
controller	ncr1
controller	ncr2
controller	ahc0
controller	ahc1

#controller	bt0	at isa? port "IO_BT0" bio irq ? vector bt_isa_intr
#controller	uha0	at isa? port "IO_UHA0" bio irq ? drq 5 vector uhaintr
#controller	aha0	at isa? port "IO_AHA0" bio irq ? drq 5 vector ahaintr
#controller	aic0    at isa? port 0x340 bio irq 11 vector aicintr
#controller	nca0	at isa? port 0x1f88 bio irq 10 vector ncaintr
#controller	nca1	at isa? port 0x350 bio irq 5 vector ncaintr
#controller	sea0	at isa? bio irq 5 iomem 0xc8000 iosiz 0x2000 vector seaintr

controller      scbus0  at ncr0

disk  sd0 at scbus0     target 0 unit 0
disk  sd1 at scbus0     target 1 unit 0
disk  sd2 at scbus0     target 2 unit 0
disk  sd3 at scbus0     target 3 unit 0
disk  sd4 at scbus0     target 4 unit 0
disk  sd5 at scbus0     target 5 unit 0
disk  sd6 at scbus0     target 6 unit 0

controller      scbus1  at ncr1

disk sd10 at scbus1     target 0 unit 0
disk sd11 at scbus1     target 1 unit 0
disk sd12 at scbus1     target 2 unit 0
disk sd13 at scbus1     target 3 unit 0
disk sd14 at scbus1     target 4 unit 0
disk sd15 at scbus1     target 5 unit 0
disk sd16 at scbus1     target 6 unit 0

controller      scbus2  at ncr2

disk sd20 at scbus2     target 0 unit 0
disk sd21 at scbus2     target 1 unit 0
disk sd22 at scbus2     target 2 unit 0
disk sd23 at scbus2     target 3 unit 0
disk sd24 at scbus2     target 4 unit 0
disk sd25 at scbus2     target 5 unit 0
disk sd26 at scbus2     target 6 unit 0

#device		sd0

device		st0

#device		cd0	#Only need one of these, the code dynamically grows

#device		wt0	at isa? port 0x300 bio irq 5 drq 1 vector wtintr
#device		mcd0	at isa? port 0x300 bio irq 10 vector mcdintr

#controller	matcd0	at isa? port 0x230 bio

#device		scd0	at isa? port 0x230 bio

# syscons is the default console driver, resembling an SCO console
device		sc0	at isa? port "IO_KBD" tty irq 1 vector scintr
# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device		vt0	at isa? port "IO_KBD" tty irq 1 vector pcrint
#options		"PCVT_FREEBSD=210"	# pcvt running on FreeBSD 2.1
#options		XSERVER			# include code for XFree86
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options		PCVT_SCANSET=2		# IBM keyboards are non-std

# Mandatory, don't remove
device		npx0	at isa? port "IO_NPX" irq 13 vector npxintr

#
# Laptop support (see LINT for more options)
#
#device		apm0    at isa?		# Advanced Power Management
#options		APM_BROKEN_STATCLOCK	# Workaround some buggy APM BIOS

device		sio0	at isa? port "IO_COM1" tty irq 4 vector siointr
device		sio1	at isa? port "IO_COM2" tty irq 3 vector siointr
device		sio2	at isa? port "IO_COM3" tty irq 5 vector siointr
device		sio3	at isa? port "IO_COM4" tty irq 9 vector siointr

device		lpt0	at isa? port? tty irq 7 vector lptintr
device		lpt1	at isa? port? tty
#device		mse0	at isa? port 0x23c tty irq 5 vector mseintr
device		psm0	at isa? disable port "IO_KBD" conflicts tty irq 12 vector psmintr

# Order is important here due to intrusive probes, do *not* alphabetize
# this list of network interfaces until the probes have been fixed.
# Right now it appears that the ie0 must be probed before ep0. See
# revision 1.20 of this file.
device de0
#device fxp0
#device vx0
device ed0 at isa? port 0x280 net irq  5 iomem 0xd8000 vector edintr
device ed1 at isa? port 0x300 net irq  5 iomem 0xd8000 vector edintr
#device ie0 at isa? port 0x360 net irq  7 iomem 0xd0000 vector ieintr
#device ep0 at isa? port 0x300 net irq 10 vector epintr
#device ix0 at isa? port 0x300 net irq 10 iomem 0xd0000 iosiz 32768 vector ixintr
#device le0 at isa? port 0x300 net irq 5 iomem 0xd0000 vector le_intr
#device lnc0 at isa? port 0x280 net irq 10 drq 0 vector lncintr
#device ze0 at isa? port 0x300 net irq 5 iomem 0xd8000 vector zeintr
#device zp0 at isa? port 0x300 net irq 10 iomem 0xd8000 vector zpintr

pseudo-device	ccd	12	#Concatenated disk driver

pseudo-device	loop
pseudo-device	ether
pseudo-device	log
pseudo-device	sl	1
# ijppp uses tun instead of ppp device
pseudo-device	ppp	1
pseudo-device	tun	1
pseudo-device	pty	16
pseudo-device	gzip		# Exec gzipped a.out's
pseudo-device	vn		#Vnode driver (turns a file into a device)
pseudo-device	bpfilter	8	#Berkeley packet filter

>Description:

	Attempting to mmap() thousands of files caused the system to
	reboot or panic (can't tell which, the system is many miles away,
	but dmesg shows no saved data).  It freaked both times I tried it.

	The same program, run under Solaris, eventually quit with an
	ENOMEM error.

>How-To-Repeat:

Program:

#include        <stdio.h>
#include        <sys/types.h>
#include        <sys/stat.h>
#include        <sys/mman.h>
#include        <fcntl.h>

#define         MAX             1048576

caddr_t array[MAX];

int main()
{
        int i = 0;
        int fd;
        char filename[2048];
        struct stat s;
        caddr_t this;

        while (i < MAX) {
                gets(filename);
                if ((fd = open(filename, O_RDONLY, 0)) < 0) {
                        perror(filename);
                        sleep(1);
                } else {
                        if (fstat(fd, &s) < 0) {
                                perror("fstat");
                                sleep(1);
                        } else {
                                this = mmap((caddr_t) 0, s.st_size, PROT_READ,
                                        MAP_PRIVATE, fd, (off_t) 0);
                                if ((int) this == -1) {
                                        perror("mmap");
                                        sleep(1);
                                } else {
                                        array[i++] = this;
                                }
                        }
                        close(fd);
                }
                if (! (i % 512)) {
                        fprintf(stderr, "[%d] .. ", i);
                }
        }
}

I ran this on a news spool, as follows:

daily-bugle% find /news -type f -print | /tmp/a.out
{output output...} [34816] .. [35328] .. [35840] .. [36352] .. [36864] .. [37376] .. [37888] .. [38400] .. [38912] .. [39424] .. [39936] .. [40448] .. [40960] .. [41472] .. [41984] .. [42496] .. {hang}

In another window I was running "vmstat 1 |grep vnodes|grep K" once a second:

       vnodes 16009  2000K   2017K 19661K    17174    0     0  16,128,256
       vnodes 16009  2000K   2017K 19661K    17174    0     0  16,128,256
       vnodes 16009  2000K   2017K 19661K    17174    0     0  16,128,256
       vnodes 16009  2000K   2017K 19661K    17174    0     0  16,128,256
       vnodes 16009  2000K   2017K 19661K    17174    0     0  16,128,256
       vnodes 16009  2000K   2017K 19661K    17174    0     0  16,128,256
       vnodes 16009  2000K   2017K 19661K    17174    0     0  16,128,256
       vnodes 16009  2000K   2017K 19661K    17174    0     0  16,128,256
       vnodes 16009  2000K   2017K 19661K    17174    0     0  16,128,256
       vnodes 16037  2003K   2017K 19661K    17202    0     0  16,128,256
       vnodes 16203  2024K   2024K 19661K    17368    0     0  16,128,256
       vnodes 16347  2042K   2042K 19661K    17512    0     0  16,128,256
       vnodes 16354  2043K   2043K 19661K    17519    0     0  16,128,256
{etc etc}
       vnodes 42315  5288K   5288K 19661K    43480    0     0  16,128,256
       vnodes 42315  5288K   5288K 19661K    43480    0     0  16,128,256
       vnodes 42319  5288K   5288K 19661K    43484    0     0  16,128,256
       vnodes 42320  5288K   5288K 19661K    43485    0     0  16,128,256
       vnodes 42320  5288K   5288K 19661K    43485    0     0  16,128,256
       vnodes 42322  5288K   5288K 19661K    43487    0     0  16,128,256
       vnodes 42324  5289K   5289K 19661K    43489    0     0  16,128,256
       vnodes 42324  5289K   5289K 19661K    43489    0     0  16,128,256
       vnodes 42324  5289K   5289K 19661K    43489    0     0  16,128,256
       vnodes 42324  5289K   5289K 19661K    43489    0     0  16,128,256
       vnodes 42324  5289K   5289K 19661K    43489    0     0  16,128,256
       vnodes 42324  5289K   5289K 19661K    43489    0     0  16,128,256
       vnodes 42447  5304K   5304K 19661K    43612    0     0  16,128,256
       vnodes 42504  5311K   5311K 19661K    43669    0     0  16,128,256
       vnodes 42504  5311K   5311K 19661K    43669    0     0  16,128,256
       vnodes 42900  5361K   5361K 19661K    44065    0     0  16,128,256
{hang}

>Fix:
	
	Don't mmap trillions of files.  :-)  Probably not a good sol'n.

>Audit-Trail:
>Unformatted: