From: J Wunsch
Message-Id: <199608101905.VAA02585@uriah.heep.sax.de>
Subject: Re: Crash in rtrequest()
To: freebsd-current@FreeBSD.org (FreeBSD-current users)
Date: Sat, 10 Aug 1996 21:05:21 +0200 (MET DST)
Cc: fenner@parc.xerox.com (Bill Fenner)
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: <96Aug10.114311pdt.177517@crevenia.parc.xerox.com> from Bill Fenner at "Aug 10, 96 11:43:08 am"

As Bill Fenner wrote:

> Do you think I could have access to this core dump?  I'd like to see exactly
> what rt0 looks like, and who actually called rt_setgate.  Your fix only hides
> the problem, and this is code that I wrote in route.c, so I'd like to get to
> the bottom of it.

D*mn, I've already removed the coredump. :-(

Anyway, the stacktrace I've been quoting was fairly complete:

(kgdb) backtrace
[...]
#10 0xf01bab61 in calltrap ()
#11 0xf0143967 in rt_setgate (rt0=0xf0f39800, dst=0xf0f3a730, gate=0xf0e17450)
    at ../../net/route.c:682
#12 0xf01435be in rtrequest (req=11, dst=0xf0f3a730, gateway=0x0, netmask=0x0,
    flags=0, ret_nrt=0xefbffe68) at ../../net/route.c:468
#13 0xf0142f21 in rtalloc1 (dst=0xf0f3a730, report=1, ignflags=0)
    at ../../net/route.c:130
#14 0xf0142e6b in rtalloc (ro=0xf0f3a72c) at ../../net/route.c:98
#15 0xf01490fd in in_pcbladdr ()
#16 0xf015197e in tcp_connect ()
#17 0xf0151363 in tcp_usr_connect ()
#18 0xf012458f in soconnect ()
#19 0xf01270ef in connect ()
[...]

The ``calltrap'' is actually the crashing instance of rtrequest(), but
rt_setgate() has been called by another instance of rtrequest:

        makeroute:
                R_Malloc(rt, struct rtentry *, sizeof(*rt));
                if (rt == 0)
                        senderr(ENOBUFS);
                Bzero(rt, sizeof(*rt));
                rt->rt_flags = RTF_UP | flags;
                if (rt_setgate(rt, dst, gateway)) {    <<=== here
                        Free(rt);
                        senderr(ENOBUFS);
                }

I've been analyzing rt0 (but forgot to quote _this_), it was almost
entirely zero except for the rt_flags field 131079 = RTF_WASCLONED |
RTF_UP | RTF_GATEWAY | RTF_HOST.  Maybe one of the pointers also was
nonempty, I eventually forgot this detail.

rtrequest (req=11, dst=0xf0f3a730, gateway=0x0, netmask=0x0, flags=0, ...)
           RTM_RESOLVE?            ^^^^^^^
           This looks suspicious since there's RTF_GATEWAY set?!

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
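
Added example, not part of the original message and not FreeBSD code: a small user-space C helper for the triage step described above, decoding a decimal rt_flags value read out of kgdb and testing for the RTM_RESOLVE / null gateway / RTF_GATEWAY combination the message questions. The function names are hypothetical, and the flag and request values are written from memory of BSD <net/route.h>, so they are an assumption to check against the source tree being debugged.

```c
#include <stdio.h>
#include <string.h>

/* Values as in BSD <net/route.h>; written from memory of that header, not
 * quoted in the message, so check them against the tree being debugged. */
#define RTM_RESOLVE 0xb
#define RTF_GATEWAY 0x2UL
static const struct { unsigned long bit; const char *name; } rtf_names[] = {
    {0x1, "RTF_UP"}, {RTF_GATEWAY, "RTF_GATEWAY"}, {0x4, "RTF_HOST"},
    {0x8, "RTF_REJECT"}, {0x10, "RTF_DYNAMIC"}, {0x20, "RTF_MODIFIED"},
    {0x40, "RTF_DONE"}, {0x100, "RTF_CLONING"}, {0x200, "RTF_XRESOLVE"},
    {0x400, "RTF_LLINFO"}, {0x800, "RTF_STATIC"}, {0x1000, "RTF_BLACKHOLE"},
    {0x10000, "RTF_PRCLONING"}, {0x20000, "RTF_WASCLONED"},
};

/* Write "A | B" for the named bits into buf and return the bits that have no
 * name, so a corrupted rt_flags word shows up instead of being ignored. */
unsigned long rtf_decode(unsigned long flags, char *buf, size_t len)
{
    size_t i, used = 0;
    if (len == 0) return flags;
    buf[0] = '\0';
    for (i = 0; i < sizeof(rtf_names) / sizeof(rtf_names[0]); i++) {
        if (!(flags & rtf_names[i].bit))
            continue;
        int n = snprintf(buf + used, len - used, "%s%s",
                         used ? " | " : "", rtf_names[i].name);
        if (n < 0 || (size_t)n >= len - used)
            break;                      /* buffer full: stop, text is truncated */
        used += (size_t)n;
        flags &= ~rtf_names[i].bit;
    }
    return flags;
}

/* The combination the message questions: RTM_RESOLVE called with a null
 * gateway argument while the entry's flags include RTF_GATEWAY. */
int resolve_gateway_mismatch(int req, const void *gateway, unsigned long rt_flags)
{
    return req == RTM_RESOLVE && gateway == NULL && (rt_flags & RTF_GATEWAY) != 0;
}

int main(void)
{
    char buf[256];
    unsigned long rest = rtf_decode(131079UL, buf, sizeof buf); /* rt0->rt_flags */
    printf("131079 = %s (unnamed bits 0x%lx)\n", buf, rest);
    printf("frame #12 mismatch: %d\n", resolve_gateway_mismatch(11, NULL, 131079UL));
    return 0;
}
```

A nonzero return from rtf_decode means the word contains bits outside the table, which on a mostly zeroed rtentry points to garbage data, not a real flag set.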