[pups] Issues of AUUGN

Johnny Billquist bqt at softjar.se
Wed Oct 4 18:22:03 AEST 2006 

Dave Horsfall wrote:
> [ Meant to go to list, but sent to DMR only by mistake. ]
> 
> On Wed, 4 Oct 2006 dmr at plan9.bell-labs.com wrote:
> 
>>>It contains the famous Thrust Meter, a few papers by Yours Truly, and 
>>>I think it has the short assembly program that would bring a PDP-11/70 
>>>to its knees (the infamous "SPL" firmware bug).
>>
>>Was this the feature (not really a bug; it's in the manual) that SPL 
>>suppressed interrupts for one instruction after the SPL?  I suppose it 
>>was indeed a bug that this happened even in user mode where SPL was 
>>intended to be a no-op.
> 
> Yep, that's the one.  I regard it as a bug because it indeed happened in 
> user mode...
> 
>>I remember trying this.  It depends on completely filling memory with 
>>SPLs, which I could not figure out how to do using an instruction 
>>sequence.  However, putting a bunch of SPLs into a file and reading it 
>>in over the program did the job.
> 
> There was a clever assembly program that did it; it relied upon the 
> instruction counter wrapping around (I can't remember in which direction, 
> or whether it first relocated itself).  Anyone, it managed to fill memory 
> with SPLs, so the next instruction after overwriting its last instruction 
> was SPL, and for the foreseeable future after that...

It would have to wrap forwards. Basically, if you just have a

	MOV	(PC)+,(R0)+
	SPL	#7

and make sure that the rest of the memory don't do anything overly 
foolish, and make sure that R0 starts pointing after this piece, it will 
eventually fill the whole memory. The final step will be the MOV which 
overwrites itself with an SPL, and then we're done.

However, another way of achieving this, if you have some kind of control 
of the MMU is to just fill one page with SPLs, and then remap all of 
your memory to be that page. The last page you remap is just the page 
that holds all the code doing the setup.

I'm not sure you can control that under Unix well enough, but in RSX 
this wouldn't be impossible, I think.

> If I find the article I'll post it here; I don't think there are too many 
> 11/70s still in public operation.

Well, ours is occasionally. It's off at the moment, since we're not 
allowed to consume that much money anymore, but Magica.Update.UU.SE is 
just a key turn away from being online.

>>It was a bit hard to break out of--the halt switch didn't work. At first 
>>I thought that power-off was the only solution, but it turned out that 
>>holding down both reset and halt simultaneously did the job.
> 
> I'll remember that, should I ever see an emulator :-)  I still remember 
> Ian Johnstone cursing me...

:-)

Oh, that would be having the HALT switch down and pressing the START 
switch, by the way. That combination will trigger a Unibus reset, and 
will bring the CPU out of almost all catatonic states that I've seen, 
including serious bus problems.

	Johnny

More information about the TUHS mailing list