From owner-freebsd-current Sat Aug 10 13:27:02 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA18386 for current-outgoing; Sat, 10 Aug 1996 13:27:02 -0700 (PDT)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA18381 for ; Sat, 10 Aug 1996 13:26:56 -0700 (PDT)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.12/8.6.9) id GAA07492; Sun, 11 Aug 1996 06:22:30 +1000
Date: Sun, 11 Aug 1996 06:22:30 +1000
From: Bruce Evans
Message-Id: <199608102022.GAA07492@godzilla.zeta.org.au>
To: freebsd-current@FreeBSD.org, j@uriah.heep.sax.de
Subject: Re: Crash in rtrequest()
Cc: fenner@parc.xerox.com
Sender: owner-current@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

>Anyway, the stacktrace i've been quoting was fairly complete:

>(kgdb) backtrace
>[...]
>#10 0xf01bab61 in calltrap ()
>#11 0xf0143967 in rt_setgate (rt0=0xf0f39800, dst=0xf0f3a730, gate=0xf0e17450)
>    at ../../net/route.c:682
>#12 0xf01435be in rtrequest (req=11, dst=0xf0f3a730, gateway=0x0, netmask=0x0,
>    flags=0, ret_nrt=0xefbffe68) at ../../net/route.c:468
>#13 0xf0142f21 in rtalloc1 (dst=0xf0f3a730, report=1, ignflags=0)
>    at ../../net/route.c:130
>#14 0xf0142e6b in rtalloc (ro=0xf0f3a72c) at ../../net/route.c:98
>#15 0xf01490fd in in_pcbladdr ()
>#16 0xf015197e in tcp_connect ()
>#17 0xf0151363 in tcp_usr_connect ()
>#18 0xf012458f in soconnect ()
>#19 0xf01270ef in connect ()
>[...]

>The ``calltrap'' is actually the crashing instance of rtrequest(), but

The bogus backtrace was supposed to be fixed in rev.1.10 of
i386/exception.s, but the fix got deleted in rev.1.14. Backtraces for
NULL pointers and the like will always show `calltrap' instead of the
routine where the fault occurred until this is fixed.

>rt_setgate() has been called by another instance of rtrequest:

>  makeroute:
>          R_Malloc(rt, struct rtentry *, sizeof(*rt));
>          if (rt == 0)
>                  senderr(ENOBUFS);
>          Bzero(rt, sizeof(*rt));
>          rt->rt_flags = RTF_UP | flags;
>          if (rt_setgate(rt, dst, gateway)) {   <<=== here
>                  Free(rt);
>                  senderr(ENOBUFS);
>          }

Apparently rt_key(rt0) is NULL in rt_setgate().

Bruce