Subject: kern/12257: nullfs oddity
To: None <>
From: None <>
List: netbsd-bugs
Date: 02/20/2001 21:57:41
>Number:         12257
>Category:       kern
>Synopsis:       mmap(2)? problem over nullfs
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 20 18:58:00 PST 2001
>Originator:     Christophe Kalt
>Release:        1.5, with 1.5.1_ALPHA kernel
System: NetBSD 1.5.1_ALPHA NetBSD 1.5.1_ALPHA (bzz) #0: Sun Feb 4 18:13:44 EST 2001 sparc

Noticed when I found tail(1) crashing when run on a file as seen through
the nullfs layer.  Turns out, cmp(1) also seems to have a problem;
both use mmap(2).

$ mount | grep home
/usr/home on /home type null (local)
$ ls -li /home/kalt/Mail/procmail/olog /usr/home/kalt/Mail/procmail/olog
85099 -rw-------  1 kalt  staff  643641 Feb 20 21:06 /home/kalt/Mail/procmail/olog
85099 -rw-------  1 kalt  staff  643641 Feb 20 21:06 /usr/home/kalt/Mail/procmail/olog
$ tail -1 /home/kalt/Mail/procmail/olog
Segmentation fault - core dumped
$ tail -1 /usr/home/kalt/Mail/procmail/olog
  Folder: /var/mail/kalt                                                   4562
$ cmp /home/kalt/Mail/procmail/olog /usr/home/kalt/Mail/procmail/olog
/home/kalt/Mail/procmail/olog /usr/home/kalt/Mail/procmail/olog differ: char 108285, line 1970
$ diff /home/kalt/Mail/procmail/olog /usr/home/kalt/Mail/procmail/olog

Having made a copy of "olog", things work fine, so it seems to be something
_specific_ to that particular olog file.

Looking at the core, the problem (for tail) is in rlines() (forward.c file),
after the mmap:

(gdb) set args /home/kalt/Mail/procmail/olog
(gdb) b rlines
Breakpoint 1 at 0x11804: file forward.c, line 256.
(gdb) r
Starting program: /home/kalt/NetBSD/src-1.5/usr.bin/tail/./tail /home/kalt/Mail/procmail/log

Breakpoint 1, rlines (fp=0x1012d9e8, off=10, sbp=0xeffff4a8) at forward.c:256
256             if (!(size = sbp->st_size))
(gdb) n
259             if (size > SIZE_T_MAX) {
(gdb) n
264             if ((start = mmap(NULL, (size_t)size, PROT_READ,
(gdb) n
271             for (p = start + size - 1; --size;)
(gdb) p start
$1 = 0x10140000 "From ......
(gdb) p size
$2 = 643493
(gdb) p start + size - 1
$3 = 0x101dd1a4 <Error reading address 0x101dd1a5: Bad address>

not a clue :-)

I'm keeping the file around if anyone's interested in looking at this,
but no idea whether this will persist after a reboot.
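As an added diagnostic (not part of the PR and not NetBSD's tail or cmp source), the check below mmaps a file read-only, reads the same file with read(2), and walks the two views backwards from the last byte the way rlines() does, reporting the first offset at which they disagree. The sample file it builds under /tmp is constructed here (mail-log-like lines, longer than a page and not page-aligned, so the last byte sits mid-page as with the olog file above); the path template and the helper names are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Compare the mmap(2) view of `path` with its read(2) view, scanning from the
 * last byte backwards (the access pattern tail's rlines() uses).
 * Returns 0 if both views agree, 1 on a mismatch (*first_diff = offset of the
 * highest differing byte, if first_diff is non-NULL), -1 on a system error. */
int mmap_matches_read(const char *path, off_t *first_diff)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat sb;
    if (fstat(fd, &sb) < 0) { close(fd); return -1; }
    off_t size = sb.st_size;
    if (size == 0) { close(fd); return 0; }          /* nothing to map or compare */

    char *map = mmap(NULL, (size_t)size, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }

    char *buf = malloc((size_t)size);
    if (buf == NULL) { munmap(map, (size_t)size); close(fd); return -1; }

    /* read(2) in a loop: a short read is not an error, EOF or failure is */
    size_t got = 0;
    while (got < (size_t)size) {
        ssize_t n = read(fd, buf + got, (size_t)size - got);
        if (n <= 0) break;
        got += (size_t)n;
    }

    int rc = 0;
    if (got != (size_t)size) {
        rc = -1;
    } else {
        /* walk backwards from start + size - 1, as rlines() does; if the mapping
         * is broken as described in the PR, this loop faults at the bad page */
        for (off_t i = size - 1; i >= 0; i--) {
            if (map[i] != buf[i]) {
                if (first_diff) *first_diff = i;
                rc = 1;
                break;
            }
        }
    }
    free(buf);
    munmap(map, (size_t)size);
    close(fd);
    return rc;
}

/* Constructed sample input: 170 lines of 53 bytes = 9010 bytes, i.e. more than
 * two pages and not a page multiple. Writes the path into `path`; returns 0 on success. */
int make_sample_file(char *path, size_t pathlen)
{
    const char *tmpl = "/tmp/nullfs-check-XXXXXX";      /* assumed location */
    const char *line = "From sender@example.invalid Tue Feb 20 21:06:00 2001\n";
    if (pathlen <= strlen(tmpl)) return -1;
    strcpy(path, tmpl);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    for (int i = 0; i < 170; i++) {
        if (write(fd, line, strlen(line)) != (ssize_t)strlen(line)) {
            close(fd); unlink(path); return -1;
        }
    }
    close(fd);
    return 0;
}

/* Build the sample file, run the comparison on it and clean up. */
int check_sample(void)
{
    char path[64];
    if (make_sample_file(path, sizeof path) != 0) return -1;
    off_t off = -1;
    int rc = mmap_matches_read(path, &off);
    unlink(path);
    return rc;
}

int main(int argc, char **argv)
{
    off_t off = -1;
    /* with no argument, check the constructed sample; otherwise check argv[1]
     * (e.g. the same file through the nullfs mount and through the underlying fs) */
    int rc = argc > 1 ? mmap_matches_read(argv[1], &off) : check_sample();
    if (rc == 1) printf("mmap and read views differ at byte %lld\n", (long long)off);
    else if (rc == 0) printf("mmap and read views agree\n");
    else perror("check failed");
    return rc == 0 ? 0 : 1;
}
```

Run it once against the path under the nullfs mount and once against the underlying path: a run that completes with "agree" on both means the mapping is sound for that file, a reported offset matches what cmp(1) prints, and a segmentation fault inside the backward walk is the same symptom tail(1) shows above.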