[Simh] A few more possible bugs found

Michael Bloom mabloom at dslextreme.com
Tue Mar 20 21:02:49 EDT 2012 

1) In s100_ss1.c
Mode and Count are three element arrays,  ss1_tc itself isn't.
Shouldn't:
     { HRDATA (T0_MODE,    ss1_tc[0].mode,                     3), },
     { HRDATA (T0_COUNT,   ss1_tc[0].count,                    16), },
     { HRDATA (T1_MODE,    ss1_tc[1].mode,                     3), },
     { HRDATA (T1_COUNT,   ss1_tc[1].count,                    16), },
     { HRDATA (T2_MODE,    ss1_tc[2].mode,                     3), },
     { HRDATA (T2_COUNT,   ss1_tc[2].count,                    16), },

be:
    { HRDATA (T0_MODE,    ss1_tc[0].mode[0],                     3), },
     { HRDATA (T0_COUNT,   ss1_tc[0].count[0],                    16), },
     { HRDATA (T1_MODE,    ss1_tc[0].mode[1],                     3), },
     { HRDATA (T1_COUNT,   ss1_tc[0].count[1],                    16), },
     { HRDATA (T2_MODE,    ss1_tc[0].mode[2],                     3), },
     { HRDATA (T2_COUNT,   ss1_tc[0].count[2],                    16), },

2) In the Interdata routines pasi_svc(), paso_svc(), ttpi_svc(), and 
ttpo_svc(), there are conditionals having the form:
       if (TT_GET_MODE (X) == TT_MODE_8B)
and
       if (TT_GET_MODE (X) != TT_MODE_8B)

which are always false and true respectively.

This is because TT_GET_MODE(anything) evaluates to (anything & 0x3)
and TT_MODE_8B evaluates to 0x10000,
  so the tests become (X & 0x3 ) != 0x10000, or the inverse.

3) There appears to be a memory leak in xq_attach(): tcptr is malloced 
but not freed if the subsequent malloc(sizeof(ETH_DEV)) fails.  The same 
kind of leak also appears to be the present in xu_attach().

4) In  Ea_ch() in pdp1_cpu.c: For the test
     if (rm & !sbs_act & ((MB & 0607777) == 0607777))
Is it really intended to use a boolean value with a bitwise operator?
( should ~ have been used instead of !, or perhaps parenthesis added to 
make it clearer?)

5) In pif_io(), in HP2100/hp2100_pif.c
At the line
        setIRQ (select_code, !pif_control & pif_flag & pif_flagbuf);
Is it really intended to use a boolean value with a bitwise operator?
(should ~ have been used instead of !, or perhaps parenthesis added to 
make it clearer?)

6) In pdp1_stddev.c, in tto_svc (), stack variable 'c' can be tested 
without being initialized. There's only a 1 in 256 chance of it doing 
the wrong thing, but it should still be initialized.

7) In s3_cd.c,  cdr_svc(), testing s2sel seems meaningless.


8) The printf just before the end of load_cr_boot() in ibm1130_cr.c 
should probably either contain a %s, or not use a format at all.

9) At line 98 in I1401/i1401_iq.c, there is an awful lot of code that 
won't get executed in case BCD_R because it starts with a return that is 
unconditional because the previous line had been commented out.

More information about the Simh mailing list