Subject: malloc() bug in netbsd 3.0: malloc.c has dead code in free_pages()
To: None <netbsd-users@netbsd.org, netbsd-help@netbsd.org,>
From: sushant mathur <sushant.iet@gmail.com>
List: netbsd-bugs
Date: 09/07/2006 12:47:37
Hi

I came across a malloc() bug in netbsd-3.0: when a user program does a
free(), the call goes to free_pages(), which tries to move pointers in
the free list.

But in free_pages() there is some dead code that never gets executed.

from the code segment in free_pages():
==============
free_pages() {
.....
......
    /* Return something to OS ? */
    if (!pf->next &&                            /* If we're the last one, */
      pf->size > malloc_cache &&                /* ..and the cache is full, */
      pf->end == malloc_brk &&                  /* ..and none behind us, */
      malloc_brk == sbrk((intptr_t)0)) {        /* ..and it's OK to do... */

        /*
         * Keep the cache intact.  Notice that the '>' above guarantees that
         * the pf will always have at least one page afterwards.
         */
        pf->end = (char *)pf->page + malloc_cache;
        pf->size = malloc_cache;

        brk(pf->end);
        malloc_brk = pf->end;

        idx = ptr2idx(pf->end);
        last_idx = idx - 1;

        for(i=idx;i <= last_idx;)
                  page_dir[i++] = MALLOC_NOT_MINE;

        /* XXX: We could realloc/shrink the pagedir here I guess. */
    }
=============
In this code it is recalculating idx from the increased break limit
and setting last_idx = idx - 1.
But the for loop then does for(i=idx;i<=last_idx;), which can never be true,
so this loop will never get executed.
So I want to confirm whether it is a bug in netbsd-3.0 or whether it was
put here intentionally, because it is as good as putting that for loop in
#if 0 / #endif.

Waiting for a quick response...
Please CC me when replying, as I am not a member of the
mailing list... I am a newbie...

Regards
Sushant
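Added illustration, not code from this post or from NetBSD's malloc.c: a constructed model of the page_dir bookkeeping around the quoted loop. It keeps the names from the post (page_dir, last_idx, ptr2idx, MALLOC_NOT_MINE) but the page size, directory size, heap origin and the MALLOC_FREE marker are assumptions made for the example. It runs the loop exactly as quoted, where last_idx is shrunk before the loop, and for comparison an alternative ordering (an assumption for this example, not claimed to be any project's fix) that marks the pages between the new break and the old last_idx before shrinking it. The difference shows up as page_dir entries above the new break that are still marked free although the pages have been returned to the OS.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy page directory: one byte per page, as in the post's
 * page_dir. Sizes and marker values are assumptions for this model. */
#define PAGE_SHIFT      12
#define MALLOC_NOT_MINE 0   /* page is not owned by malloc */
#define MALLOC_FREE     1   /* page owned by malloc and on the free list */
#define NPAGES          64

static unsigned char page_dir[NPAGES];
static size_t last_idx;                               /* last page we own */
static const uintptr_t malloc_origin = 0x10000000u;   /* assumed heap base */

/* Page index of an address inside the modelled heap. */
static size_t ptr2idx(uintptr_t p) {
    return (size_t)((p - malloc_origin) >> PAGE_SHIFT);
}

/* Reset the model: pages [0, npages) owned and free, break right after them. */
static void setup(size_t npages) {
    assert(npages >= 1 && npages <= NPAGES);
    memset(page_dir, MALLOC_NOT_MINE, sizeof page_dir);
    for (size_t i = 0; i < npages; i++)
        page_dir[i] = MALLOC_FREE;
    last_idx = npages - 1;
}

/* The loop exactly as quoted in the post: last_idx is reduced first, so the
 * range [idx, last_idx] is empty and no entry is written.
 * Returns the number of page_dir entries written (always 0 here). */
static size_t release_as_quoted(uintptr_t new_end) {
    size_t idx = ptr2idx(new_end);
    size_t i, written = 0;
    assert(idx >= 1);            /* model guard: keeps idx - 1 from wrapping */
    last_idx = idx - 1;
    for (i = idx; i <= last_idx;) {
        page_dir[i++] = MALLOC_NOT_MINE;
        written++;
    }
    return written;
}

/* Assumed alternative ordering for comparison only: mark the pages from the
 * new break up to the old last_idx, then shrink last_idx. */
static size_t release_mark_then_shrink(uintptr_t new_end) {
    size_t idx = ptr2idx(new_end);
    size_t i, written = 0;
    assert(idx >= 1);
    for (i = idx; i <= last_idx;) {
        page_dir[i++] = MALLOC_NOT_MINE;
        written++;
    }
    last_idx = idx - 1;
    return written;
}

/* Entries above the current last_idx still marked FREE: pages the directory
 * claims we own although the break has been moved below them. */
static size_t stale_free_pages(void) {
    size_t n = 0;
    for (size_t i = last_idx + 1; i < NPAGES; i++)
        if (page_dir[i] == MALLOC_FREE)
            n++;
    return n;
}

/* One scenario: a heap of `npages` owned pages whose break is lowered to
 * page `new_idx`. out[0] = entries written, out[1] = stale FREE entries. */
static void scenario(int as_quoted, size_t npages, size_t new_idx, size_t out[2]) {
    uintptr_t new_end = malloc_origin + ((uintptr_t)new_idx << PAGE_SHIFT);
    setup(npages);
    out[0] = as_quoted ? release_as_quoted(new_end)
                       : release_mark_then_shrink(new_end);
    out[1] = stale_free_pages();
}

int main(void) {
    size_t r[2];
    scenario(1, 16, 12, r);
    printf("as quoted:          wrote %zu entries, %zu stale FREE pages left\n", r[0], r[1]);
    scenario(0, 16, 12, r);
    printf("mark, then shrink:  wrote %zu entries, %zu stale FREE pages left\n", r[0], r[1]);
    return 0;
}
```

With 16 owned pages and the break lowered to page 12, the loop as quoted writes nothing and leaves pages 12 to 15 marked MALLOC_FREE above the new last_idx; the alternative ordering writes those four entries and leaves none stale.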