From jgarman@Glue.umd.edu  Fri Dec 25 21:22:18 1998
Received: from po2.glue.umd.edu (po2.glue.umd.edu [129.2.128.45])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA03116
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 25 Dec 1998 21:22:18 -0800 (PST)
          (envelope-from jgarman@Glue.umd.edu)
Received: from y.glue.umd.edu ((IDENT root)@y.glue.umd.edu [128.8.10.68])
	by po2.glue.umd.edu (8.9.0.Beta6/8.9.0.Beta6) with ESMTP id AAA25023
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 26 Dec 1998 00:22:00 -0500 (EST)
Received: from y.glue.umd.edu ((IDENT sendmail)@localhost [127.0.0.1])
	by y.glue.umd.edu (8.9.0.Beta6/8.9.0.Beta6) with SMTP id AAA28354
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 26 Dec 1998 00:22:01 -0500 (EST)
Received: from localhost by y.glue.umd.edu (8.9.0.Beta6/8.9.0.Beta6) with SMTP id AAA28336
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 26 Dec 1998 00:22:00 -0500 (EST)
Message-Id: <Pine.GSO.3.95q.981226002120.28317A-100000@y.glue.umd.edu>
Date: Sat, 26 Dec 1998 00:22:00 -0500 (EST)
From: Jason Garman <jgarman@Glue.umd.edu>
To: FreeBSD-gnats-submit@freebsd.org
Subject: daemons die with sig11 due to VM problems

>Number:         9195
>Category:       kern
>Synopsis:       daemons die with sig11 due to VM problems
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 25 21:30:01 PST 1998
>Closed-Date:    Sat Feb 13 02:32:41 PST 1999
>Last-Modified:  Sat Feb 13 02:34:19 PST 1999
>Originator:     Jason Garman
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
individual
>Environment:

FreeBSD jason.garman.net 3.0-CURRENT FreeBSD 3.0-CURRENT #5: Wed Dec 23 22:01:40 EST 1998     root@jason.garman.net:/usr/src/sys/compile/JASON i386

on a PII/300 with 96MB of real memory, 150MB of swap

>Description:

When a "significant" amount of swap is used on this system ("significant"
can be any number from 50% on up) then daemons that fork die with
SIGSEGVs due to null pointer accesses, i.e. it seems that particular
portions of the child processes' memory have been cleared.

>How-To-Repeat:

Make the machine swap.  Try and get the daemon you want to segfault to
swap out of memory... then make it fork a few times.  It'll start
segfaulting.  It seems to correlate with the following message in syslog: 

swap_pager: suggest more swap space: 189 MB

yet my swap usage is only half.  Daemons which exhibit this behavior
include the Internet junkbuster (since it forks on every http connection),
samba, and secure shell.

A sample traceback from internet junkbuster follows:

bash$ gdb junkbuster junkbuster.core
....
Core was generated by `junkbuster'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/libexec/ld.so...done.
Reading symbols from /usr/lib/aout/libc.so.3.1...done.
#0  0x40e1 in block_url (http=0x26620, csp=0x26600) at filters.c:84
84                              if((b->url->domain[0] == '\0') || (domaincmp(b->url, url) == 0)) {
(gdb) x b->url
0x23cc0 <end+65108>:    0x00000000
(gdb) <enter> (several times... until...)
0x23cfc <end+65168>:    0x00000000
(gdb) 
0x23d00 <end+65172>:    0x4e524157

>Fix:
        
The inetd "fix" simply appears to keep critical parts of inetd in memory
at all times.  This seems to prevent this problem from manifesting itself
in inetd but still affects any other daemon which forks.

So no fix is known for this problem.


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dillon 
State-Changed-When: Sat Feb 13 02:32:41 PST 1999 
State-Changed-Why:  
This bug is believed to be fixed in -stable (and thus in the upcoming
3.1 release), and also fixed in -current.  It turned out that an
optimization in the old swapper was causing dirty pages to be 'lost'
and resulting in stale pages being reloaded from swap.  The optimization
was removed.
>Unformatted:
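
An added example, not part of the original problem report and not FreeBSD code: a small C check for the symptom reported above, where a forked child sees zeroed or stale pages. It rewrites a buffer with a fresh pattern each round, forks, and has each child verify its inherited copy; the function names, the pattern, the 64 MB default and the round count are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Position- and generation-dependent word, never zero, so both a zeroed
 * page and a stale page from an earlier round are detectable. */
static uint32_t pattern(size_t i, uint32_t gen) {
    return (((uint32_t)i * 2654435761u) ^ (gen << 8)) | 1u;
}

/* Count words in buf that do not carry the pattern for generation gen. */
static size_t count_bad(const uint32_t *buf, size_t words, uint32_t gen) {
    size_t bad = 0;
    for (size_t i = 0; i < words; i++)
        if (buf[i] != pattern(i, gen)) bad++;
    return bad;
}

/* Dirty `bytes` of heap in the parent, then fork once per round; each child
 * verifies the copy it inherited. Returns the number of children that saw
 * bad data or died on a signal, or -1 on a setup failure. */
int fork_integrity_check(size_t bytes, int rounds) {
    size_t words = bytes / sizeof(uint32_t);
    uint32_t *buf = malloc(words * sizeof(uint32_t));
    int failures = 0;
    if (buf == NULL || words == 0) { free(buf); return -1; }
    for (int r = 0; r < rounds; r++) {
        /* Rewrite every word so each page is dirty with new contents. */
        for (size_t i = 0; i < words; i++) buf[i] = pattern(i, (uint32_t)r);
        pid_t pid = fork();
        if (pid < 0) { failures = -1; break; }
        if (pid == 0) _exit(count_bad(buf, words, (uint32_t)r) ? 1 : 0);
        int status;
        if (waitpid(pid, &status, 0) < 0) { failures = -1; break; }
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) failures++;
    }
    free(buf);
    return failures;
}

int main(int argc, char **argv) {
    /* Constructed default; to involve the swapper the size must exceed free RAM. */
    size_t mb = argc > 1 ? strtoul(argv[1], NULL, 10) : 64;
    int bad = fork_integrity_check(mb << 20, 8);
    printf("%d of 8 children saw corrupted or missing data\n", bad);
    return bad != 0;
}
```

On a kernel without the defect the check returns 0 at any size; a nonzero count only means something when the buffer was actually paged out between the write and the fork.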
