Very Computer

Hi.

I a have a problem with my process becoming defunct at exit.
Basically the process does the following:

Get the _physical_ memory address of a buffer
   (physically contigous memory from a dma device driver).
Open /dev/mem and map this address to my address space.
Write the data to _raw_ disk device. (/dev/rdsk/xxx, scsi disk)
Close all, and unmap.
Exit.

I do not start any processes/threads or async io from my program.
The process reaches the exit call, but the parent process does not
seem to get SIGCHLD, and my process becomes defunct.

The problem only happens with the setup above. If I change my program
to write to a normal file or non raw disk device (/dev/dsk/xxx),
or if I allocate some memory and copy the data from the mapped
area to this memory and write the _copy_ to any file/device,
the problem dissappears. I.e. the problem seems to only occur with
the combination mapped /dev/mem and /dev/rdsk/xxx.
(The /dev/mem mapping will not exists in the final program,
the device driver should be able to do this.)

Has anyone _any_ idea of what this could be?
I do not think I am overwriting any memory/stack (like the parent pid),
making the exit call fail, as my (test) program is quite simple.
Could this be a bug in the rdsk driver?

--
Staale L. Hansen              | Spacetec A.S, Prestvannv. 38,
Software Engineer             | N-9005 Tromsoe, Norway

WWW:   http://www.spacetec.no | Fax:   +47 77 65 58 59

Hi again.

I've done some further ivestigations, and the following
example code shows how to reproduce the problem with defunct
(zombie) processes:

/*
 * test_defunct.c
 *
 * Test program to show strange behaviour on Solaris:
 * Solaris x86 v2.4:   "panic: i86mmu_free: didn't free pptbl!" on exit,
 *                     and reboot.
 * Solaris x86 v2.5:   the process becomes defunct after exit.
 * Solaris SPARC v2.4: "panic: srmmu_free" on exit, and reboot.
 * Solaris SPARC v2.5: everything OK (?)
 *
 * All tests done as non-privileged user, with /dev/mem readable for all
 *
 * If output file is raw disk device (/dev/rdsk/xxx) and/or the program
 * is traced with truss, strange things may happen...
 *
 * cc -o test_defunct test_defunct.c
 * truss test_defunct
 *
 * Staale L. Hansen, Kongsberg Spacetec AS, 1. may 1996.
 */

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/mman.h>

#if 1
#define FILENAME "test_file"
#else
#define FILENAME "/dev/rdsk/c2t0d0s0"
#endif

#if 0
#define PHYS_ADDR 0x008BB000UL
#define BUF_SIZE  0x00200000UL       /* 2 MB */
#else
#define PHYS_ADDR 0x00800000UL
#define BUF_SIZE  0x00100000UL       /* 1 MB */
#endif

int
main (int argc, char* argv[])
{
    int fd_mem;
    int fd_raw;
    unsigned char* buf_addr;
    size_t w_size;

    fd_mem = open ("/dev/mem", O_RDONLY);
    if (fd_mem == -1)
    {
        printf ("Can't open /dev/mem.\n");
        exit (1);
    }
    fd_raw = open (FILENAME, O_WRONLY | O_CREAT, 0666);
    if (fd_raw == -1)
    {
        printf ("Can't open test_file.\n");
        exit (1);
    }

    buf_addr = mmap (0, BUF_SIZE, PROT_READ, MAP_SHARED|MAP_NORESERVE,
                     fd_mem, PHYS_ADDR);
    if (buf_addr == (unsigned char*)-1)
    {
        printf ("Can't map memory: %s (%d)\n",
                strerror (errno), errno);
        exit (1);
    }
    close (fd_mem);

    printf ("Memory mapped at: %08lX.\n", (unsigned long)buf_addr);

    w_size = write (fd_raw, buf_addr, 0x10000);

    close (fd_raw);

    return (0);

Quote:}