Subject: lib/34602: Bug in malloc implementation contains dead code in free_pages()
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <sushant.iet@gmail.com>
List: netbsd-bugs
Date: 09/25/2006 04:35:00
>Number:         34602
>Category:       lib
>Synopsis:       Bug in malloc implementation contains dead code in free_pages()
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 25 04:35:00 +0000 2006
>Originator:     sushant
>Release:        netbsd-3.0
>Organization:
>Environment:
armv5tejl
>Description:
I came across one malloc() bug in netbsd-3.0 ... as in a user program, if
we do a free(), it goes to free_pages() and tries to move pointers
in the free list.

But in free_pages() there is some dead code that will never get executed.

from the code segment in free_pages():
==============
free_pages() {
.....
......
   /* Return something to OS ? */
   if (!pf->next &&                            /* If we're the last one, */
     pf->size > malloc_cache &&                /* ..and the cache is full, */
     pf->end == malloc_brk &&                  /* ..and none behind us, */
     malloc_brk == sbrk((intptr_t)0)) {        /* ..and it's OK to do... */

       /*
        * Keep the cache intact.  Notice that the '>' above guarantees that
        * the pf will always have at least one page afterwards.
        */
       pf->end = (char *)pf->page + malloc_cache;
       pf->size = malloc_cache;

       brk(pf->end);
       malloc_brk = pf->end;

       idx = ptr2idx(pf->end);
       last_idx = idx - 1;

       for(i=idx;i <= last_idx;)
                 page_dir[i++] = MALLOC_NOT_MINE;

       /* XXX: We could realloc/shrink the pagedir here I guess. */
   }
=============
In this code it is recalculating the idx from the increased break limit
and setting last_idx = idx - 1;
But in the for loop it is doing for(i=idx;i<=last_idx;), which cannot be possible,
so this loop will never get executed.
So I want to confirm whether it is a bug in netbsd-3.0 or whether it has
intentionally been put here... Because it is as good as putting that for loop in
#if 0 / #endif.

Waiting for a quick response...
Please CC me when replying, as I am not a member of the
mailing list... as I am a newbie...

>How-To-Repeat:

>Fix:
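Added illustration (editor's example; not code from the NetBSD tree, from phkmalloc, or from the reporter): a small C model of the page directory that runs the loop exactly as quoted in the report, so the zero iteration count can be observed, and beside it a hypothetical loop that marks the pages between the old break and the new one, computed before the shrink. The page-directory layout, the ptr2idx() model, the base address, the page size and the MALLOC_* values are constructed assumptions, and the second loop is the editor's guess at what a non-dead range loop would look like, not the NetBSD fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a phkmalloc-style page directory: one byte per page.
 * Values and sizes are assumptions for this example, not NetBSD's. */
#define PAGE_SHIFT       12
#define PAGE_SIZE        (1UL << PAGE_SHIFT)
#define NPAGES           64
#define MALLOC_NOT_MINE  0
#define MALLOC_FREE      1

/* Assumed base of the modelled heap; ptr2idx() is relative to it, so
 * every address in the model yields idx >= 1 (the real ptr2idx() is
 * relative to the first heap page, which is what makes idx - 1 safe). */
static const uintptr_t base = 0x10000000UL;

static size_t ptr2idx(uintptr_t p)
{
    return (size_t)((p - base) >> PAGE_SHIFT);
}

/* The loop as it appears in the report. Returns how many entries it wrote.
 * With last_idx = idx - 1 the condition idx <= last_idx is false on the
 * first test, so the body never runs and page_dir is left untouched. */
size_t mark_as_reported(unsigned char *page_dir, uintptr_t new_end)
{
    size_t idx = ptr2idx(new_end);
    size_t last_idx = idx - 1;
    size_t n = 0;
    size_t i;

    for (i = idx; i <= last_idx; ) {
        page_dir[i++] = MALLOC_NOT_MINE;
        n++;
    }
    return n;
}

/* Hypothetical alternative (editor's assumption, not the NetBSD fix): the
 * pages handed back to the OS are those from the new break up to the old
 * one, so the old end must be captured before pf->end is rewritten and the
 * loop must cover [ptr2idx(new_end), ptr2idx(old_end)). */
size_t mark_released_range(unsigned char *page_dir, uintptr_t new_end,
                           uintptr_t old_end)
{
    size_t first = ptr2idx(new_end);
    size_t last = ptr2idx(old_end);
    size_t n = 0;
    size_t i;

    if (last > NPAGES)            /* stay inside the constructed directory */
        last = NPAGES;
    for (i = first; i < last; i++) {
        page_dir[i] = MALLOC_NOT_MINE;
        n++;
    }
    return n;
}

int main(void)
{
    unsigned char page_dir[NPAGES];
    /* Constructed scenario: the tail chunk spans pages 8..11 and the cache
     * keeps pages up to (but not including) page 8 after the shrink. */
    uintptr_t new_end = base + 8 * PAGE_SIZE;
    uintptr_t old_end = base + 12 * PAGE_SIZE;

    memset(page_dir, MALLOC_FREE, sizeof page_dir);
    printf("loop as reported wrote %zu entries\n",
           mark_as_reported(page_dir, new_end));
    printf("range loop wrote %zu entries\n",
           mark_released_range(page_dir, new_end, old_end));
    return 0;
}
```

Run stand-alone, the first count is 0 and the second is 4 for the constructed scenario; the point is only that the quoted loop has an empty iteration space, so whatever marking was intended never happens, while a loop bounded by the old break does iterate over the released pages.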