From: Christian Ludwig <cludwig@genua.de>
Subject: Improve assertion in refcnt_take()
To: <tech@openbsd.org>
Date: Mon, 24 Feb 2025 23:12:54 +0100

Hi,

refcnt objects are always initialized to 1. When the counter drops to 0
the referenced object can be destroyed at any time. In refcnt_take()
atomic_inc_int_nv() returns the incremented counter. That means if
refs == 1, it has been 0 before. That would be a bug that should be
cought.


 - Christian

---
 sys/kern/kern_synch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_synch.c b/sys/kern/kern_synch.c
index 8548aea1c87b..75f7615fdf6a 100644
--- a/sys/kern/kern_synch.c
+++ b/sys/kern/kern_synch.c
@@ -906,7 +906,7 @@ refcnt_take(struct refcnt *r)
 	u_int refs;
 
 	refs = atomic_inc_int_nv(&r->r_refs);
-	KASSERT(refs != 0);
+	KASSERT(refs > 1);
 	TRACEINDEX(refcnt, r->r_traceidx, r, refs - 1, +1);
 	(void)refs;
 }
-- 
2.34.1