I believe that f_count can be legitimately very large, e.g. malicious code can dup same fd up to the per-process filedescriptors limit, and then fork as much as it can. On some machine, I see
which already overflows u_int. More, the malicious code can create transient references by sending fds over unix sockets.
I realized that this check is missed after reading https://secfault-security.com/blog/FreeBSD-SA-1902.fd.html