Stuck with a strange core (C code) -- Please help.

SZ wrote:

Hi,

I've hit this core multiple times when running an application (coded
in C)
running on BSD OS. Using gdb getting to the core, it shows:

....
(gdb) bt
#0 0x8541fa3 in mTimerQUnlink (t=0xd7f5a51, head=0x8fec13c)
at ../../rsvp/eventwheel.c:16 0
#1 0x854288d in mTimerInsert (t=0xd7f5a51,
callback=0x873c e88 <retran_unacked >, param=0xd7f5a01 , time=50,
type=1)
at ../../rsvp/eventwheel.c:53 6
#2 0x873d266 in retran_unacked (unacked_cb=0xd 7f5a00)
at ../../rsvp/rrrmsgi3.c:1425
...
Notice that the address (0xd7f5a00) of "unacketd_c b" (pointer of a
struct)
at level 2 is passed to the function of mTimerInsert as "param". But
"param" becomes 0xd7f5a01 (which added a "1" at the end). All the
subsequent processing is based on this wrong address causing the core.
The application is compiled with gcc with "-O2" along with some other
options.

I know address here can not start with ood number. This is a weired
problem. The stack shown with bt command in gdb seems to be complete.

Anyone knows what direction should I go with for the trouble shooting?

Towards a system or application specific newsgroup or mailing list,
for example, if this is not your own code.
You did not provide us with C code, let alone a minimal example.
Is it something you cooked up yourself? What does the structure
look like? What the function call? ...

It may be an easy to spot error -- but not without source.
Quality crystal balls don't come cheap.
Cheers
Michael
--
E-Mail: Mine is an /at/ gmx /dot/ de address.

If I do:

void foo(struct foo *p)
{
char *a = (char *)p;
a++;
...
}

I increment by one the address.

Two problems spring into view:
1:
You are passing a wrong parameter or the routine is
expecting a char pointer that gets incremented in the
code of the routine
2:
There is a memory overwrite somewhere.

Procedure:

Follow the called routine (in assembler if you do
not have the source) and see where is being changed

jacob

Thanks, Jacob, for your response.

The address was not incremented in the C code purposely. It is
not char * either. Incrementing it would result in something much
larger since the structure has at least 40 bytes.

NOTE: the same routine is being run through multiple times and the problem
does not occur every time. I do have source code available. I've checked
the source code many times and did not found any where the address is purposely
changed before it gets passed to the next function.

So, I tend to believe this is memory violation of some sort. I once added
assert in the related routine to catch ood (bad) pointer, but it
then seem to core somewhere else.

I do not know if there is a good way to catch such memory violation. Would
appreciate it if anyone know a way to catch it.

Thanks again

-SZ
jacob navia <ja***@jacob.re mcomp.fr> wrote in message news:<41******* *************** @news.wanadoo.f r>...

If I do:

void foo(struct foo *p)
{
char *a = (char *)p;
a++;
...
}

I increment by one the address.

Two problems spring into view:
1:
You are passing a wrong parameter or the routine is
expecting a char pointer that gets incremented in the
code of the routine
2:
There is a memory overwrite somewhere.

Procedure:

Follow the called routine (in assembler if you do
not have the source) and see where is being changed

jacob

Thanks for your response, Michael.

Sorry, I did not make it clear. The function actually are run
through multiple times and not every time it will core. The code
never purposely increment the address. The source is just like the
following (the original source it too long to put here).
int retran_unacked (unacked_cb=0xd 7f5a00)
{
int sub = unacked_cb->sub; <---- value of sub is correct here.

other_func(unac ked_cb);

... <-- some local operations.

mTimerInsert (&unacked_cb->time, callback_func, unacked_cb, time, type);

...
}

The function itself is not so complicated and the function (other_func())
can not change "unacked_cb ". So, I have to assume there must be some
kind of memory violation. But I am not sure if there is a general good
way to track down such problem. I am not even sure the violation is somewhere
near or at totally irrelavent places.

I can mail you the source if needed.

Thanks again.

-SZ
Michael Mair <Mi**********@i nvalid.invalid> wrote in message news:<2v******* ******@uni-berlin.de>...

SZ wrote:
....


Towards a system or application specific newsgroup or mailing list,
for example, if this is not your own code.
You did not provide us with C code, let alone a minimal example.
Is it something you cooked up yourself? What does the structure
look like? What the function call? ...

It may be an easy to spot error -- but not without source.
Quality crystal balls don't come cheap.
Cheers
Michael

SZ wrote:

int retran_unacked (unacked_cb=0xd 7f5a00)
Since you said you were using some flavor of BSD, that address seems to
refer to some stack... so my guess is that the unacked_cb was declared
as an automatic variable, and in this case...
{
int sub = unacked_cb->sub; <---- value of sub is correct here.

other_func(unac ked_cb);

... <-- some local operations.

mTimerInsert (&unacked_cb->time, callback_func, unacked_cb, time, type);
.... this line is wrong. You are passing a pointer a field of an
automatic variable (&unacked_cb->time) to a function that probably
remembers it and will they to modify the pointed integer at some other
point in time when the automatic object is no longer live.
manuel,

...
}

The function itself is not so complicated and the function (other_func())
can not change "unacked_cb ". So, I have to assume there must be some
kind of memory violation. But I am not sure if there is a general good
way to track down such problem. I am not even sure the violation is somewhere
near or at totally irrelavent places.

I can mail you the source if needed.

Thanks again.

-SZ
Michael Mair <Mi**********@i nvalid.invalid> wrote in message news:<2v******* ******@uni-berlin.de>...

SZ wrote:

...

Towards a system or application specific newsgroup or mailing list,
for example, if this is not your own code.
You did not provide us with C code, let alone a minimal example.
Is it something you cooked up yourself? What does the structure
look like? What the function call? ...

It may be an easy to spot error -- but not without source.
Quality crystal balls don't come cheap.
Cheers
Michael

Hello SZ,
one thing first: Please do not top-post.

Sorry, I did not make it clear. The function actually are run
through multiple times and not every time it will core. The code
never purposely increment the address.
Okay, so this really speaks of stack corruption or some other
flavour of pointer trouble.

The source is just like the
following (the original source it too long to put here).
Note: Many people who post code look-alikes leave out the critical
parts so the original code is really necessary if you cannot
break it down to a minimal example.
int retran_unacked (unacked_cb=0xd 7f5a00)
{
int sub = unacked_cb->sub; <---- value of sub is correct here.

other_func(unac ked_cb);

... <-- some local operations.

mTimerInsert (&unacked_cb->time, callback_func, unacked_cb, time, type);

...
}

The function itself is not so complicated and the function (other_func())
can not change "unacked_cb ".
Is the place in the parameter lists where you pass unacked_cb
or the address of unacked_cb->time const qualified? Otherwise
I would say try it. Your compiler may tell you interesting
things about it.

So, I have to assume there must be some
kind of memory violation. But I am not sure if there is a general good
way to track down such problem. I am not even sure the violation is somewhere
near or at totally irrelavent places.
Okay, this is somewhat offtopic:
<OT>
You claim to have tried finding the error with about any other means,
so I have only one suggestion now:
Find out the addresses where things are stored and watch the contents
with hardware watchpoints. Example:
--------------
$ print &object
0xdeadbeef
$ watch *((struct objtype *)0xdeadbeef)
--------------
Important is to use the actual "address", otherwise the watchpoint
will cease existance after leaving the function where it was defined.
You have to delete the hardware watchpoints before a new run.
</OT>

I can mail you the source if needed.

Don't. If you have some webspace, put it up and post the URL.
There are many people here who know more than I or have at least
sooner time to have a peek at it than I do.
Cheers
Michael
--
E-Mail: Mine is an /at/ gmx /dot/ de address.

Thanks, Michael, please the see the following:

Michael Mair <Mi**********@i nvalid.invalid> wrote in message news:<2v******* ******@uni-berlin.de>...

....

Note: Many people who post code look-alikes leave out the critical
parts so the original code is really necessary if you cannot
break it down to a minimal example.
Ok, I've put the source of the problematic function at the end.


Is the place in the parameter lists where you pass unacked_cb
or the address of unacked_cb->time const qualified? Otherwise
I would say try it. Your compiler may tell you interesting
things about it.
I did not put const qualifier. But I just did and compiled without
any warning or error. NOTE: it is not the contents of "unacked_cb "
gets changed, but the pointer itself gets incremented unexpected.
I tried: retran_unacked( RRR_SENT_UNACKE D_CB * const unacked_cb CCXT_T CXT)
without any warning with compiler.
Okay, this is somewhat offtopic:
<OT>
You claim to have tried finding the error with about any other means,
so I have only one suggestion now:
Find out the addresses where things are stored and watch the contents
with hardware watchpoints. Example:
--------------
$ print &object
0xdeadbeef
$ watch *((struct objtype *)0xdeadbeef)
--------------
Important is to use the actual "address", otherwise the watchpoint
will cease existance after leaving the function where it was defined.
You have to delete the hardware watchpoints before a new run.
</OT>

The problem here is that unacked_cb is a pointer pointing to a dynamically
allocated memory and there many such pointers. Before the problem occurs,
I don't know which one will have the problem. Therefore, it is not possible
to type the debug command beforehand. I hope the "watch" function can be
coded into the c code to ensure every such pointer will not get changed
during its life cycle.

Notice the remarks I put behand "<--------" signs. The struct of
RRR_SENT_UNACKE D_CB really has nothing specially. It has some pointers and
ints defined inside. But in this case, I guess it is irrelavent since we are talking
pointer itself's change, not its content's change.

Thanks lot.

-SZ
Here is the source code:

void
retran_unacked( RRR_SENT_UNACKE D_CB *unacked_cb CCXT_T CXT)
{
RRR_NEXT_HOP_CB *next_hop = unacked_cb->next_hop_cb;
int frr_rc;
PSB *psbp;

next_hop->nh_event_usage _count++; <---- next_hop is correct,
so unacked_cb is ok here.
if (RPL_RL && (unacked_cb->sa_resend_atte mpts >= RPL_RL))
{
if ((unacked_cb->sa_pkt_msg_typ e == PATH) ||
(unacked_cb->sa_pkt_msg_typ e == RESV))
{
frr_rc = RRR_FRR_CONTINU E;
if (RRR_EX_FAST_RE ROUTE())
{
frr_rc = rrr_frr_proc_se nt_unacked_msg(
unacked_cb->sa_pkt_msg_typ e,
unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent CCXT);
}

if (frr_rc == RRR_FRR_CONTINU E)
{
rrr_maybe_send_ error_packet(un acked_cb->sa_pkt_msg_typ e,
unacked_cb->sa_state_handl e,
unacked_cb->sa_upstrm_lih_ set,
unacked_cb->sa_upstrm_li h
CCXT);
}
}

rrr_delete_sent _unacked_cb(una cked_cb, next_hop CCXT);
}
else
{
rrr_resend_pack et(unacked_cb, next_hop CCXT);

if (next_hop->nh_use_msg_i ds == ATG_NO)
{
rrr_delete_sent _unacked_cb(una cked_cb, next_hop CCXT);
}
else
{
unacked_cb->sa_resend_atte mpts++;
if (next_hop->nh_rr_decay != 100) {
unacked_cb->sa_retrans_int erval *=
(100 + next_hop->nh_rr_decay) ;
unacked_cb->sa_retrans_int erval /= 100;
} else {
unacked_cb->sa_retrans_int erval =
unacked_cb->sa_retrans_int erval << 1;
}
if (unacked_cb->sa_pkt_msg_typ e == PATH_TEAR) {
if (!unacked_cb->spi_msg_id_inf o) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
psbp = sent_unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent;
if (!psbp) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
if (psbp->rapid_retran & RPL_PATH_TEAR) {
psbp->rapid_retran &= ~(RPL_PATH_TEAR |RPL_PATH_ERROR );
rrr_delete_retr ies_for_psb(psb p,
RRR_KILL_RETRY_ FOR_ALL_MSGS CCXT);
deferred_kill_P SB(psbp CCXT);
}
goto EXIT_LABEL;
}
if (unacked_cb->sa_retrans_int erval >= RPL_RM) {
if (unacked_cb->sa_pkt_msg_typ e == PATH_TEAR) {
if (!unacked_cb->spi_msg_id_inf o) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
psbp = sent_unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent;
if (!psbp) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
if (psbp->rapid_retran & RPL_PATH_TEAR) {
psbp->rapid_retran &=
~(RPL_PATH_TEAR |RPL_PATH_ERROR );
rrr_delete_retr ies_for_psb(psb p,
RRR_KILL_RETRY_ FOR_ALL_MSGS CCXT);
deferred_kill_P SB(psbp CCXT);
}
goto EXIT_LABEL;
} else if (unacked_cb->sa_pkt_msg_typ e == PATH_ERR){
if (!unacked_cb->spi_msg_id_inf o) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
psbp = sent_unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent;
if (!psbp) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
if (psbp->rapid_retran & RPL_PATH_ERROR) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
psbp->rapid_retran &= ~RPL_PATH_ERROR ;
frr_rc = rrr_frr_proc_pa th_tear(psbp,
ATG_MPLS_XC_REL _REAS_IF_DOWN,
TRUE
CCXT);
if (frr_rc == RRR_FRR_CONTINU E) {
psbp->ps_rel_reaso n = ATG_MPLS_XC_REL _REAS_IF_DOWN;
tear_or_kill_PS B(psbp CCXT);
}
}
goto EXIT_LABEL;
} else if (unacked_cb->sa_pkt_msg_typ e == RESV_TEAR){
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
} else if (unacked_cb->sa_pkt_msg_typ e == RESV_ERR) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
unacked_cb->sa_retrans_int erval = RPL_RF;
}
unacked_cb->sa_resend_ti me =
unacked_cb->sa_retrans_int erval;

mTimerInsert(&u nacked_cb->m_timer, (vfcnptr_2)retr an_unacked,
unacked_cb,unac ked_cb->sa_resend_time , TTYPE_ONESHOT); <------
The stack shows that
both &unacked_cb->m_timer
and unacked_cb are added by 1.
}
}
EXIT_LABEL:
next_hop->nh_event_usage _count--;
rrr_maybe_free_ next_hop(next_h op CCXT);

return;

} /* retran_unacked */

Thanks, Michael, please the see the following:

Michael Mair <Mi**********@i nvalid.invalid> wrote in message news:<2v******* ******@uni-berlin.de>...

....

Note: Many people who post code look-alikes leave out the critical
parts so the original code is really necessary if you cannot
break it down to a minimal example.
Ok, I've put the source of the problematic function at the end.


Is the place in the parameter lists where you pass unacked_cb
or the address of unacked_cb->time const qualified? Otherwise
I would say try it. Your compiler may tell you interesting
things about it.
I did not put const qualifier. But I just did and compiled without
any warning or error. NOTE: it is not the contents of "unacked_cb "
gets changed, but the pointer itself gets incremented unexpected.
I tried: retran_unacked( RRR_SENT_UNACKE D_CB * const unacked_cb CCXT_T CXT)
without any warning with compiler.
Okay, this is somewhat offtopic:
<OT>
You claim to have tried finding the error with about any other means,
so I have only one suggestion now:
Find out the addresses where things are stored and watch the contents
with hardware watchpoints. Example:
--------------
$ print &object
0xdeadbeef
$ watch *((struct objtype *)0xdeadbeef)
--------------
Important is to use the actual "address", otherwise the watchpoint
will cease existance after leaving the function where it was defined.
You have to delete the hardware watchpoints before a new run.
</OT>

The problem here is that unacked_cb is a pointer pointing to a dynamically
allocated memory and there many such pointers. Before the problem occurs,
I don't know which one will have the problem. Therefore, it is not possible
to type the debug command beforehand. I hope the "watch" function can be
coded into the c code to ensure every such pointer will not get changed
during its life cycle.

Notice the remarks I put behand "<--------" signs. The struct of
RRR_SENT_UNACKE D_CB really has nothing specially. It has some pointers and
ints defined inside. But in this case, I guess it is irrelavent since we are talking
pointer itself's change, not its content's change.

Thanks lot.

-SZ
Here is the source code:

void
retran_unacked( RRR_SENT_UNACKE D_CB *unacked_cb CCXT_T CXT)
{
RRR_NEXT_HOP_CB *next_hop = unacked_cb->next_hop_cb;
int frr_rc;
PSB *psbp;

next_hop->nh_event_usage _count++; <---- next_hop is correct,
so unacked_cb is ok here.
if (RPL_RL && (unacked_cb->sa_resend_atte mpts >= RPL_RL))
{
if ((unacked_cb->sa_pkt_msg_typ e == PATH) ||
(unacked_cb->sa_pkt_msg_typ e == RESV))
{
frr_rc = RRR_FRR_CONTINU E;
if (RRR_EX_FAST_RE ROUTE())
{
frr_rc = rrr_frr_proc_se nt_unacked_msg(
unacked_cb->sa_pkt_msg_typ e,
unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent CCXT);
}

if (frr_rc == RRR_FRR_CONTINU E)
{
rrr_maybe_send_ error_packet(un acked_cb->sa_pkt_msg_typ e,
unacked_cb->sa_state_handl e,
unacked_cb->sa_upstrm_lih_ set,
unacked_cb->sa_upstrm_li h
CCXT);
}
}

rrr_delete_sent _unacked_cb(una cked_cb, next_hop CCXT);
}
else
{
rrr_resend_pack et(unacked_cb, next_hop CCXT);

if (next_hop->nh_use_msg_i ds == ATG_NO)
{
rrr_delete_sent _unacked_cb(una cked_cb, next_hop CCXT);
}
else
{
unacked_cb->sa_resend_atte mpts++;
if (next_hop->nh_rr_decay != 100) {
unacked_cb->sa_retrans_int erval *=
(100 + next_hop->nh_rr_decay) ;
unacked_cb->sa_retrans_int erval /= 100;
} else {
unacked_cb->sa_retrans_int erval =
unacked_cb->sa_retrans_int erval << 1;
}
if (unacked_cb->sa_pkt_msg_typ e == PATH_TEAR) {
if (!unacked_cb->spi_msg_id_inf o) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
psbp = sent_unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent;
if (!psbp) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
if (psbp->rapid_retran & RPL_PATH_TEAR) {
psbp->rapid_retran &= ~(RPL_PATH_TEAR |RPL_PATH_ERROR );
rrr_delete_retr ies_for_psb(psb p,
RRR_KILL_RETRY_ FOR_ALL_MSGS CCXT);
deferred_kill_P SB(psbp CCXT);
}
goto EXIT_LABEL;
}
if (unacked_cb->sa_retrans_int erval >= RPL_RM) {
if (unacked_cb->sa_pkt_msg_typ e == PATH_TEAR) {
if (!unacked_cb->spi_msg_id_inf o) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
psbp = sent_unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent;
if (!psbp) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
if (psbp->rapid_retran & RPL_PATH_TEAR) {
psbp->rapid_retran &=
~(RPL_PATH_TEAR |RPL_PATH_ERROR );
rrr_delete_retr ies_for_psb(psb p,
RRR_KILL_RETRY_ FOR_ALL_MSGS CCXT);
deferred_kill_P SB(psbp CCXT);
}
goto EXIT_LABEL;
} else if (unacked_cb->sa_pkt_msg_typ e == PATH_ERR){
if (!unacked_cb->spi_msg_id_inf o) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
psbp = sent_unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent;
if (!psbp) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
if (psbp->rapid_retran & RPL_PATH_ERROR) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
psbp->rapid_retran &= ~RPL_PATH_ERROR ;
frr_rc = rrr_frr_proc_pa th_tear(psbp,
ATG_MPLS_XC_REL _REAS_IF_DOWN,
TRUE
CCXT);
if (frr_rc == RRR_FRR_CONTINU E) {
psbp->ps_rel_reaso n = ATG_MPLS_XC_REL _REAS_IF_DOWN;
tear_or_kill_PS B(psbp CCXT);
}
}
goto EXIT_LABEL;
} else if (unacked_cb->sa_pkt_msg_typ e == RESV_TEAR){
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
} else if (unacked_cb->sa_pkt_msg_typ e == RESV_ERR) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
unacked_cb->sa_retrans_int erval = RPL_RF;
}
unacked_cb->sa_resend_ti me =
unacked_cb->sa_retrans_int erval;

mTimerInsert(&u nacked_cb->m_timer, (vfcnptr_2)retr an_unacked,
unacked_cb,unac ked_cb->sa_resend_time , TTYPE_ONESHOT); <------
The stack shows that
both &unacked_cb->m_timer
and unacked_cb are added by 1.
}
}
EXIT_LABEL:
next_hop->nh_event_usage _count--;
rrr_maybe_free_ next_hop(next_h op CCXT);

return;

} /* retran_unacked */

see inline
[snip]

/* NOTE: both pointer parameters are void * because one of them may not
point to a valid object - i.e. off by one byte*/
void CheckPointers(c onst void *p1,const void *p2, const char * context)
{
if (p1!=p2)
{
fprintf(stderr, "%s %p!=%p\n",conte xt,p1,p2); /* set a break point here
*/
}
}

void
retran_unacked( RRR_SENT_UNACKE D_CB *unacked_cb CCXT_T CXT)
{
RRR_NEXT_HOP_CB *next_hop = unacked_cb->next_hop_cb;
int frr_rc;
PSB *psbp; RRR_SENT_UNACKE D_CB *unacked_cb_bac k=unacked_cb;
next_hop->nh_event_usage _count++; <---- next_hop is correct,
so unacked_cb is ok here.
if (RPL_RL && (unacked_cb->sa_resend_atte mpts >= RPL_RL))
{
if ((unacked_cb->sa_pkt_msg_typ e == PATH) ||
(unacked_cb->sa_pkt_msg_typ e == RESV))
{
frr_rc = RRR_FRR_CONTINU E;
if (RRR_EX_FAST_RE ROUTE())
{
frr_rc = rrr_frr_proc_se nt_unacked_msg(
unacked_cb->sa_pkt_msg_typ e,
unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent CCXT);
}

if (frr_rc == RRR_FRR_CONTINU E)
{
rrr_maybe_send_ error_packet(un acked_cb->sa_pkt_msg_typ e,
unacked_cb->sa_state_handl e,
unacked_cb->sa_upstrm_lih_ set,
unacked_cb->sa_upstrm_li h
CCXT);
}
}

rrr_delete_sent _unacked_cb(una cked_cb, next_hop CCXT);
}
else
{
rrr_resend_pack et(unacked_cb, next_hop CCXT);

if (next_hop->nh_use_msg_i ds == ATG_NO)
{
rrr_delete_sent _unacked_cb(una cked_cb, next_hop CCXT);
}
else
{
unacked_cb->sa_resend_atte mpts++;
if (next_hop->nh_rr_decay != 100) {
unacked_cb->sa_retrans_int erval *=
(100 + next_hop->nh_rr_decay) ; unacked_cb->sa_retrans_int erval /= 100;
} else {
unacked_cb->sa_retrans_int erval =
unacked_cb->sa_retrans_int erval << 1;
}
if (unacked_cb->sa_pkt_msg_typ e == PATH_TEAR) {
if (!unacked_cb->spi_msg_id_inf o) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
psbp = sent_unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent;
if (!psbp) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
if (psbp->rapid_retran & RPL_PATH_TEAR) {
psbp->rapid_retran &= ~(RPL_PATH_TEAR |RPL_PATH_ERROR );
rrr_delete_retr ies_for_psb(psb p,
RRR_KILL_RETRY_ FOR_ALL_MSGS CCXT);
deferred_kill_P SB(psbp CCXT);
}
goto EXIT_LABEL;
}
if (unacked_cb->sa_retrans_int erval >= RPL_RM) {
if (unacked_cb->sa_pkt_msg_typ e == PATH_TEAR) {
if (!unacked_cb->spi_msg_id_inf o) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
psbp = sent_unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent; if (!psbp) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
if (psbp->rapid_retran & RPL_PATH_TEAR) {
psbp->rapid_retran &=
~(RPL_PATH_TEAR |RPL_PATH_ERROR );
rrr_delete_retr ies_for_psb(psb p,
RRR_KILL_RETRY_ FOR_ALL_MSGS CCXT);
deferred_kill_P SB(psbp CCXT);
}
goto EXIT_LABEL;
} else if (unacked_cb->sa_pkt_msg_typ e == PATH_ERR){
if (!unacked_cb->spi_msg_id_inf o) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
psbp = sent_unacked_cb->spi_msg_id_inf o->msg_id_psb_par ent; if (!psbp) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
if (psbp->rapid_retran & RPL_PATH_ERROR) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
psbp->rapid_retran &= ~RPL_PATH_ERROR ;
frr_rc = rrr_frr_proc_pa th_tear(psbp,
ATG_MPLS_XC_REL _REAS_IF_DOWN,
TRUE
CCXT);
if (frr_rc == RRR_FRR_CONTINU E) {
psbp->ps_rel_reaso n = ATG_MPLS_XC_REL _REAS_IF_DOWN; tear_or_kill_PS B(psbp CCXT);
}
}
goto EXIT_LABEL;
} else if (unacked_cb->sa_pkt_msg_typ e == RESV_TEAR){
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
} else if (unacked_cb->sa_pkt_msg_typ e == RESV_ERR) {
rrr_delete_sent _unacked_cb(una cked_cb,
next_hop CCXT);
goto EXIT_LABEL;
}
unacked_cb->sa_retrans_int erval = RPL_RF;
}
unacked_cb->sa_resend_ti me =
unacked_cb->sa_retrans_int erval;
if unacked_cb is bad below then it should be bad above - work back from here
adding calls to CheckPointers. mTimerInsert(&u nacked_cb->m_timer, (vfcnptr_2)retr an_unacked,
unacked_cb,unac ked_cb->sa_resend_time , TTYPE_ONESHOT); <------ The stack shows that
both &unacked_cb->m_timer and unacked_cb are added by 1.

}
}
EXIT_LABEL:
next_hop->nh_event_usage _count--;
rrr_maybe_free_ next_hop(next_h op CCXT);

return;

} /* retran_unacked */

see top and inline
Add copius calls to CheckPointers(u nacked_cb,unack ed_cb_back,"Con text
String"); throughout retran_unacked to figure out where unacked_cb is being
corrupted.