From owner-freebsd-bugs  Fri May 12 09:34:13 1995
Return-Path: bugs-owner
Received: (from majordom@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id JAA11551
          for bugs-outgoing; Fri, 12 May 1995 09:34:13 -0700
Received: from hutcs.cs.hut.fi (root@hutcs.cs.hut.fi [130.233.192.2])
          by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id JAA11543
          for <freebsd-bugs@freefall.cdrom.com>; Fri, 12 May 1995 09:34:10 -0700
Received: from shadows.cs.hut.fi by hutcs.cs.hut.fi with SMTP id AA23364
  (5.65c8/HUTCS-S 1.4 for <freebsd-bugs@freefall.cdrom.com>); Fri, 12 May 1995 19:21:12 +0300
From: Heikki Suonsivu <hsu@cs.hut.fi>
Received: (hsu@localhost) by shadows.cs.hut.fi (8.6.10/8.6.10) id TAA03878; Fri, 12 May 1995 19:21:12 +0300
Date: Fri, 12 May 1995 19:21:12 +0300
Message-Id: <199505121621.TAA03878@shadows.cs.hut.fi>
To: freebsd-bugs@freefall.cdrom.com
In-Reply-To: Tatu Ylonen's message of 12 May 1995 02:52:01 +0300
Subject: i386/395: CRITICAL PROBLEM: spl functions implemented incorrectly
Organization: Helsinki University of Technology, Otaniemi, Finland
Sender: bugs-owner@FreeBSD.org
Precedence: bulk


   >Description:
	   Spl functions (splbio, splclock, splhigh, splimp, splnet,
	   splsoftclock, splsofttty, splstatclock, spltty, spl0, splx)
	   are defined in /usr/src/sys/i386/include/spl.h as inline
	   functions that modify the ordinary variable cpl (extern
	   unsigned cpl in the same header).
...
   >How-To-Repeat:
	   The real effects of this problem are not predictable or
	   deterministic.  They may depend on compiler version or
	   optimization levels.  General unreliability, mysterious
	   problems, and random panics are all likely.  I started to

At least two of bugs reported by me were just like this

s = splsomething();
if (foo) {
	... something, which does verifyably not modify foo ...
	if (foo->bar) /* foo is NULL or garbage here, generating kernel
 			 page fault. */
}
splx(s);

ie. variable getting modified while it is assumed to keep its value.  I
think one of these reports was the FreeBSD 1.1.5.1 "print nfs server foo is
alive again through NULL pointer", other was something under 2.*-current,
can't remember which one (there are probably several open ones for me in
GNATS, with stack traces and later ones with some kgdb wanderarounds).

-- 
Heikki Suonsivu, T{ysikuu 10 C 83/02210 Espoo/FINLAND,
hsu@cs.hut.fi  home +358-0-8031121 work -4513377 fax -4555276  riippu SN