On Tue, 2 Aug 2005, Erich Titl wrote:
> Paul
> I looked at the assertion error, it appears to be triggered by a call to
> multi_del_iroutes and hence mroute_helper_del_iroute. Just before the
> assertion net_len_refcount is decremented and thus may become negative.
> I believe the following code is not entirely correct and does not
> regenerate the refcount if it becomes zero.
> mroute.c:
>     if (!mh->net_len_refcount[ir->netbits])
>         mroute_helper_regenerate (mh);
> IMHO should read
>     if (mh->net_len_refcount[ir->netbits] < 1)
>         mroute_helper_regenerate (mh);
> because this regeneration takes place when the first iroute gets added
> too. It may be possible that the regeneration code is not executed in a
> previous call to mroute_helper_del_iroute and thus the refcount
> gets decremented below zero in a subsequent call.
> James, would you mind commenting on this?

No, that's not the problem.
The code in mroute_helper_{add,del}_iroute is correct.
The assertion is being thrown by design because mroute_helper_del_iroute
is being called for a given netbits value, without a corresponding earlier
call to mroute_helper_add_iroute for that same netbits value.
Think of it as a test to prevent a double free. Your patch above would
allow the double free, and therefore mask the underlying problem which is
occurring in the code which calls mroute_helper_{add,del}_iroute.
I've figured out a recipe to reproduce this, and I should have a fix
shortly.
James
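
An added example, not part of the original message and not OpenVPN's code: a simplified model of a per-prefix-length reference count, showing why a delete that tolerates a count below zero hides an unbalanced add/del pair instead of exposing it. The struct, the function names and the call sequence are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define NET_LEN 33  /* prefix lengths 0..32; size is an assumption */

/* Hypothetical stand-in for the helper's per-prefix-length bookkeeping. */
struct helper { int refcount[NET_LEN]; };
struct outcome { int rejected; int count_after_dels; int count_after_readd; };

static void helper_add(struct helper *h, int netbits) { ++h->refcount[netbits]; }

/* Strict delete: an unmatched delete is reported to the caller
 * (the code discussed in the thread asserts at this point). */
static int helper_del_strict(struct helper *h, int netbits)
{
    if (h->refcount[netbits] < 1)
        return -1;              /* caller bug: del without a prior add */
    --h->refcount[netbits];
    return 0;
}

/* Lenient delete: models a check that accepts a count below zero. */
static int helper_del_lenient(struct helper *h, int netbits)
{
    --h->refcount[netbits];     /* may go negative, nothing complains */
    return 0;
}

/* Constructed call sequence: add, del, del (unmatched), then add again. */
struct outcome replay(int lenient)
{
    int (*del)(struct helper *, int) =
        lenient ? helper_del_lenient : helper_del_strict;
    struct helper h;
    struct outcome o = {0, 0, 0};
    memset(&h, 0, sizeof h);
    helper_add(&h, 24);
    if (del(&h, 24) != 0) o.rejected++;
    if (del(&h, 24) != 0) o.rejected++;    /* the unmatched delete */
    o.count_after_dels = h.refcount[24];
    helper_add(&h, 24);                    /* one live route again */
    o.count_after_readd = h.refcount[24];  /* lenient: 0 despite a live route */
    return o;
}

int main(void)
{
    struct outcome s = replay(0), l = replay(1);
    printf("strict:  rejected=%d count=%d readd=%d\n", s.rejected, s.count_after_dels, s.count_after_readd);
    printf("lenient: rejected=%d count=%d readd=%d\n", l.rejected, l.count_after_dels, l.count_after_readd);
    return 0;
}
```

In the lenient run the count reads 0 while a route is live, so the bookkeeping is already wrong and the caller that issued the unmatched delete is never identified.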