Subject: bug in amap_wiperange?
To: None <tech-kern@netbsd.org>
From: enami tsugutomo <enami@sm.sony.co.jp>
List: tech-kern
Date: 11/26/2001 09:34:24
While reading uvm_amap.c, I found two questionable pieces of code in
amap_wiperange() when byanon == FALSE.

(1) There is a check `curslot >= stop', where `stop' is an initial
    value of amap->am_nused.  Since it is number of slot used,
    comparing it against `curslot' doesn't make sense.  I guess it
    should be `slotoff + slots'.

(2) When we remove a slot, we shouldn't advance an index `lcv' since
    we'll copy the last entry in am_slots[].  I guess, we should stay
    there instead.

enami.
Index: uvm_amap.c
===================================================================
RCS file: /cvsroot/syssrc/sys/uvm/uvm_amap.c,v
retrieving revision 1.37
diff -c -r1.37 uvm_amap.c
*** uvm_amap.c	2001/11/10 07:36:59	1.37
--- uvm_amap.c	2001/11/26 00:32:30
***************
*** 990,996 ****
  	struct vm_amap *amap;
  	int slotoff, slots;
  {
! 	int byanon, lcv, stop, curslot, ptr;
  	struct vm_anon *anon;
  
  	/*
--- 1011,1017 ----
  	struct vm_amap *amap;
  	int slotoff, slots;
  {
! 	int byanon, lcv, stop, curslot, ptr, slotstop;
  	struct vm_anon *anon;
  
  	/*
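Review bot: `slotstop` is declared here without an initializer, and the only assignment visible in the second hunk (`slotstop = slotoff + slots;`) sits in the `byanon = FALSE` setup, so on the byanon path it appears never to be set. It is read only in the `!byanon` branch of the loop, so this looks harmless at run time, but compilers commonly flag it as possibly uninitialized; adding `slotstop = 0;` to the other setup branch (which lies outside the hunk) would keep the build clean. I would also add a comment such as `/* slotstop: exclusive end of the slot range, used only when !byanon */`, because after this change `stop` counts am_slots[] entries and shrinks via `stop--` while `slotstop` is the fixed range bound, and the two are easy to confuse. The function body starts before and continues after both hunks.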
***************
*** 1006,1024 ****
  		byanon = FALSE;
  		lcv = 0;
  		stop = amap->am_nused;
  	}
  
! 	for (; lcv < stop; lcv++) {
  		int refs;
  
  		if (byanon) {
! 			if (amap->am_anon[lcv] == NULL)
  				continue;
- 			curslot = lcv;
  		} else {
  			curslot = amap->am_slots[lcv];
! 			if (curslot < slotoff || curslot >= stop)
  				continue;
  		}
  		anon = amap->am_anon[curslot];
  
--- 1027,1049 ----
  		byanon = FALSE;
  		lcv = 0;
  		stop = amap->am_nused;
+ 		slotstop = slotoff + slots;
  	}
  
! 	for (; lcv < stop;) {
  		int refs;
  
  		if (byanon) {
! 			curslot = lcv++;
! 			if (amap->am_anon[curslot] == NULL)
  				continue;
  		} else {
  			curslot = amap->am_slots[lcv];
! 			if (curslot < slotoff || curslot >= slotstop) {
! 				lcv++;
  				continue;
+ 			}
+ 			stop--;
  		}
  		anon = amap->am_anon[curslot];