tih, I have seen the same problem several times.  My take on the problem
is that something is causing a spurious interrupt, and comstart() is trying
to write an empty buffer to the FIFO.

here is the c code:
        tp->t_state |= TS_BUSY;
        if (sc->sc_hwflags & COM_HW_FIFO) {
                u_char buffer[16], *cp = buffer;
                int n = q_to_b(&tp->t_outq, cp, sizeof buffer);
                do {
                        outb(iobase + com_data, *cp++);
                } while (--n);
        } else
                outb(iobase + com_data, getc(&tp->t_outq));


here is the asm output:
        orb $4,104(%esi)
        /* if (sc->sc_hwflags & COM_HW_FIFO) { */
        testb $2,60(%ebx)
        je L400
        /* u_char buffer[16], *cp = buffer; */
        leal -16(%ebp),%ebx
        pushl $16
        pushl %ebx
        leal 64(%esi),%eax
        /* int n = q_to_b(&tp->t_outq, cp, sizeof buffer); */
        pushl %eax
        call _q_to_b
        movl %eax,%ecx
        addl $12,%esp
        .align 2,0x90
L392:
        /* do {
         *         outb(iobase + com_data, *cp++);
         * } while (--n);
         */
        /* *cp -> al */
        movb (%ebx),%al
        /* cp++ */
        incl %ebx
        /* iobase + com_data ? */
        movl %edi,%edx
#APP
        /* outb(dx, *cp) */
        outb %al,%dx
#NO_APP
        /* --n */
        decl %ecx
        jne L392
        jmp L386
        .align 2,0x90


Note that the line ddb claims comstart() dies on is "movb 0(%ebx),%al"
Is "f7fec000" a valid address?  What causes a page fault?  When this
fault occurs, what is the value in %ecx?  Did q_to_b return something
incorrect?

-john