DeviceFS Bugs

In DeviceFS.s in ‘Deregister’, the parent record (pr) is being used after the pr block of memory has been freed. The block of memory is freed in the Unlink macro (macros.s).

                    859:                 Unlink  ParentsAt, parent, pr, r3, r4
                    859:                 BVS     %10                                     ; return any errors
                    860: 
                    861:                 MOV     r0, #0
                    862:                 LDR     r1, =Service_DeviceDead
                    863:                 MOV     r2, pr
                    864:                 MOV     r3, #0                                  ; parent device dying (not a sub-device)
                    865:                 SWI     XOS_ServiceCall
                    866: 
                    867:                 LDR     r3, =&DEADDEAD
                    868:                 STR     r3, [pr, #parent_ValidationWord]        ; zap validation word
                    869:                 MOV     pr, r3

and similarly in ‘deregisterdev’ the device record (dr) is being used after the dr block of memory has been freed.

                   1361:                 Unlink  DevicesAt, device, dr, r3, r4
                   1362:                 BVS     %20                                     ; and then remove the block
                   1363: 
                   1364:                 LDR     r0, [pr, #parent_ChildCount]
                   1365:                 SUB     r0, r0, #1
                   1366:                 STR     r0, [pr, #parent_ChildCount]            ; decrease the child count
                   1367: 
                   1368:                 Debug   deregister, "updated child count", r0
                   1369: 
                   1370:                 MOV     r0, #0
                   1371:                 MOV     r1, #Service_DeviceDead
                   1372:                 LDR     r2, [dr, #device_Parent]
                   1373:                 LDR     r3, [dr, #device_DeviceName]
                   1374:                 SWI     XOS_ServiceCall                         ; issue service to tell world that device dead
                   1375: 
                   1376:                 Debug   deregister, "service call issued"
                   1377: 
                   1378:                 LDR     r3, =&DEADDEAD
                   1379:                 STR     r3, [dr, #device_ValidationWord]        ; zap the validation word associated with file

The unlink macro is only used in one other place, in fsystem.s, so it may be easier to stop unlink freeing memory and free memory explicitly.

There’s even bigger problems with other parts of DeviceFS accessing freed parent and device records when a device has been deregistered. I’ll send in a fix for the whole thing.