Fix for uncaching bug reported by Herman ten Brugge.

2005-06-15  Frank Ch. Eigler  <fche@redhat.com>

	Fix for uncaching bug reported by Herman ten Brugge.
	* mf-runtime.c (__mf_uncache_object): Search whole cache.
	* testsuite/libmudflap.c/fail40-frag.c: New test.

From-SVN: r100985

libmudflap/ChangeLog

@@ -1,3 +1,9 @@
+2005-06-15  Frank Ch. Eigler  <fche@redhat.com>
+
+	Fix for uncaching bug reported by Herman ten Brugge.
+	* mf-runtime.c (__mf_uncache_object): Search whole cache.
+	* testsuite/libmudflap.c/fail40-frag.c: New test.
+
 2005-05-23  Alfred M. Szmidt  <ams@gnu.org>
 
 	PR libmudflap/21724

libmudflap/mf-runtime.c

@@ -919,7 +919,7 @@ void __mfu_check (void *ptr, size_t sz, int type, const char *location)
                   judgement = -1;
               }
 
-            /* We now know that the access spans one or more only valid objects.  */
+            /* We now know that the access spans no invalid objects.  */
             if (LIKELY (judgement >= 0))
               for (i = 0; i < obj_count; i++)
                 {
@@ -1064,14 +1064,14 @@ __mf_uncache_object (__mf_object_t *old_obj)
   /* Can it possibly exist in the cache?  */
   if (LIKELY (old_obj->read_count + old_obj->write_count))
     {
+      /* As reported by Herman ten Brugge, we need to scan the entire
+         cache for entries that may hit this object. */
       uintptr_t low = old_obj->low;
       uintptr_t high = old_obj->high;
-      unsigned idx_low = __MF_CACHE_INDEX (low);
-      unsigned idx_high = __MF_CACHE_INDEX (high);
+      struct __mf_cache *entry = & __mf_lookup_cache [0];
       unsigned i;
-      for (i = idx_low; i <= idx_high; i++)
+      for (i = 0; i <= __mf_lc_mask; i++, entry++)
         {
-          struct __mf_cache *entry = & __mf_lookup_cache [i];
           /* NB: the "||" in the following test permits this code to
              tolerate the situation introduced by __mf_check over
              contiguous objects, where a cache entry spans several

libmudflap/testsuite/libmudflap.c/fail40-frag.c

@@ -0,0 +1,56 @@
+/* Test proper lookup-uncaching of large objects */
+#include "../config.h"
+
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+int main ()
+{
+#ifndef MAP_ANONYMOUS
+#define MAP_ANONYMOUS MAP_ANON
+#endif
+#ifdef HAVE_MMAP
+  volatile unsigned char *p;
+  unsigned num = getpagesize ();
+  unsigned i;
+  int rc;
+
+  /* Get a bit of usable address space.  We really want an 2**N+1-sized object,
+     so the low/high addresses wrap when hashed into the lookup cache.  So we
+     will manually unregister the entire mmap, then re-register a slice.  */
+  p = mmap (NULL, num, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
+  if (p == NULL)
+    return 1;
+  /* Now unregister it, as if munmap was called.  But don't actually munmap, so
+     we can write into the memory.  */
+  __mf_unregister ((void *) p, num, __MF_TYPE_HEAP_I);
+
+  /* Now register it under a slightly inflated, 2**N+1 size.  */
+  __mf_register ((void *) p, num+1, __MF_TYPE_HEAP_I, "fake mmap registration");
+
+  /* Traverse array to ensure that entire lookup cache is made to point at it.  */
+  for (i=0; i<num; i++)
+    p[i] = 0;
+
+  /* Unregister it.  This should clear the entire lookup cache, even though
+     hash(low) == hash (high)  (and probably == 0) */
+  __mf_unregister ((void *) p, num+1, __MF_TYPE_HEAP_I);
+
+  /* Now touch the middle portion of the ex-array.  If the lookup cache was
+     well and truly cleaned, then this access should trap.  */
+  p[num/2] = 1;
+
+  return 0;
+#else
+  return 1;
+#endif
+}
+/* { dg-output "mudflap violation 1.*check/write.*" } */
+/* { dg-output "Nearby object 1.*" } */
+/* { dg-output "mudflap dead object.*fake mmap registration.*" } */
+/* { dg-do run { xfail *-*-* } } */