Firstly, thanks for the report.
And thanks for spending the time to look into it.
Can you tell me wheher this is a very new -current, or an earlier one..
(i.e. did I f*ck up in my latest changes, or might I already have fixed this :-)
what version number of ng_base.c is this? (I just recently made some
changes to the reference counting.)
Harti Brandt wrote:
>
> Hello,
>
> it seems like there is a problem with node reference counts. I have a
> test program, that instantiates a chain of nodes like this:
>
> ng_atm -----------> ng_sscop --------------> ng_sscf ---------> ng_socket
> | ^
> +--------------------------------------+
cool :-)
>
> the ng_sscf and ng_sscop node's disconnect procedures call
> ng_rmnode_self() in the case that the hook count drops to zero and the
> node is still valid. The shutdown methods free private memory and call
> NG_NODE_UNREF.
good, that is standard procedure, and I assume you got that from
one of the other nodes :-)
>
> When destroying the above graph I first send a shutdown to the ng_sscf
> node and then to the ng_sscop node. The sscf node disappears as expected
> leaving the sscop node with two hooks. The shutdown of that node first
> disconnects those two hooks and then calls the shutdown method of
> ng_sscop. Everything is fine, except that I find the following lines in
> /var/log/messages:
>
> Jan 29 17:26:21 beagle /boot/kernel/kernel: disconnect 0xc2c54980 from 0xc2c94d00
>(invalid) refs=3 flags=9
> Jan 29 17:26:21 beagle /boot/kernel/kernel: ng_sscop_shutdown: 0xc2c94d00 refs=2
>flags=9
> Jan 29 17:26:21 beagle /boot/kernel/kernel: Accessing freed node node: ID [7]: type
>'sscop', 0 hooks, flags 0x9, 0 refs, :
> Jan 29 17:26:21 beagle /boot/kernel/kernel: Last active @
>/usr/src/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c, line 735
> Jan 29 17:26:21 beagle /boot/kernel/kernel: problem discovered at file
>/usr/src/sys/modules/netgraph/netgraph/../../../netgraph/ng_base.c, line 2436
>
> The first two lines come from the sscop node, the other from ng_base.
> I have put a couple of printf()s into ng_base to understand what happens but
> could not find the problem. I have the feeling, that the reference count
> when entering ng_sscop_shutdown should be rather 3 than 2: one held by the
> item from which the shutdown is executed and which is UNREFed in line 2436.
> One extra reference from the ng_rmnode function and the reference, that
> is UNREFed in the ng_sscop_shutdown method. But I may be wrong.
>
> So what is the problem?
well, it looks to me like the removal of the last hook runs ng_rmnode_self(),
though this shouldn't happen because the INVALID flag should have been set
before
the hooks are removed.
There is an impbalance in the references as you noticed..
ng_apply_item holds a reference on the node to which is is applying a message
item
for the period that the node is being called. When this message is a 'shutdown'
message, ng_rmnode() also holds a reference on the node (it gets called from
other
places too) for it's duration of operation. Theoretically, ng_rmnode should
release
it's reference but the node should still exist because ng_apply_item() is still
referencing it. This is not happenning so either we never applied a reference
somewhere
where we should have, or we are dereferencing it somewhere twice.
can you send me a copy of your ng_sccop node so I can try simulate this?
in the meanwhile I'll try using the 'hole' node to simulate it.
>
> harti
> --
> harti brandt,
> http://www.fokus.gmd.de/research/cc/cats/employees/hartmut.brandt/private
> [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
--
__--_|\ Julian Elischer
/ \ [EMAIL PROTECTED]
( OZ ) World tour 2000-2001
---> X_.---._/
v
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
