From owner-freebsd-hackers  Mon May 21 11:20:32 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8D2D937B422; Mon, 21 May 2001 11:20:30 -0700 (PDT)
	(envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost)
	by earth.backplane.com (8.11.3/8.11.2) id f4LIKUs03769;
	Mon, 21 May 2001 11:20:30 -0700 (PDT)
	(envelope-from dillon)
Date: Mon, 21 May 2001 11:20:30 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
Message-Id: <200105211820.f4LIKUs03769@earth.backplane.com>
To: John Baldwin <jhb@FreeBSD.ORG>
Cc: "Brian F. Feldman" <green@FreeBSD.ORG>, hackers@FreeBSD.ORG
Subject: Re: RE: vmspace leak (+ tentative fix)
References:  <XFMail.010521105854.jhb@FreeBSD.org>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

:On 21-May-01 Brian F. Feldman wrote:
:> There's a certain issue that when several processes sharing a vmspace are 
:> exiting at the same time, there is a race condition such that the shared 
:> memory is going to be lost because the check for vm->vm_refcnt being the 
:> check for the last decrement happening before the last decrement is
:> actually performed, allowing for the possibility of Giant being dropped 
:> (duh, during flushing of dirty pages), and all the trouble that entails...
:
:Erm, all that is needed here is to hold the vm_mtx lock around the decrement.
:Due to the nature of reference counts, there is no race condition so long as
:everyone properly decrements the reference count by means of lock.  Alfred's VM
:patch already does this.  Also, Giant originally provided the lock around the
:decrement.
:
:-- 
:
:John Baldwin <jhb@FreeBSD.org> -- http://www.FreeBSD.org/~jhb/

   That isn't the problem.  The problem is that the process can block
   in between the 'if (vm->vm_refcnt == 1)' test in exit1(), and the
   actual vmspace_free() in cpu_exit() (which occurs after the process
   has been reaped).  

   It is possible for the vm_refcnt check in exit1() to *NEVER* be 1
   if all the processes sharing the address space exit simultaniously
   and block anywhere between that check and the vmspace_free().  The
   result: shmexit() is never called.

						-Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message