how to debug RB_TREE for memory corruption?

Lev Serebryakov lev at FreeBSD.org
Thu Oct 6 16:51:15 UTC 2011


Hello, Hackers.

  I'm writing some code, which uses RB_TREE from <sys/tree.h>. At some
moment, it crashes within REMOVE method with "elm" 0xa5a5a5a5 (I have
malloc() debug options turned on).
  So, it seems, that free()ed element is present somewhere in the tree,
am I right?
  Ok, I add printing of whole tree BEFORE removal call with simple
recursive function. It doesn't crash and doesn't print any invalid pointers!

  How could it happen!? Tree is perfectly valid at line BEFORE
RB_DELETE() call and crashes with bad pointer in this method!

  I could (theoretically!) believe, that my code forgets to delete node
from tree in some situations. But in such case tree printing function
will crash (or print "0xa5a5a5a5" pointer) before RB_DELETE crash!

  Any hints how to debug such strange situation?

-- 
// Black Lion AKA Lev Serebryakov <lev at FreeBSD.org>
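
Added example, not part of the original post and not FreeBSD code: a recursive print follows only child links, while removal in <sys/tree.h> also follows each node's parent link and trusts that the element passed in is linked into the tree, so a child-only walk can pass on a tree that removal will crash on. `struct node`, `JUNK`, the function names and the sample tree are hypothetical, constructed stand-ins for an RB_ENTRY-based element.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical element: the three links RB_ENTRY() keeps (colour omitted). */
struct node { struct node *left, *right, *parent; int key; };

/* The malloc() debug fill value quoted in the post, viewed as a pointer. */
#define JUNK ((struct node *)(uintptr_t)0xa5a5a5a5u)

/* Child-only walk, like a recursive print: never reads ->parent. */
static int walk_children(const struct node *n)
{
    return n ? 1 + walk_children(n->left) + walk_children(n->right) : 0;
}

/* Counts bad links (junk child, or parent link that does not point back)
 * without ever dereferencing a junk pointer. */
static int check_links(const struct node *n, const struct node *parent)
{
    if (n == NULL) return 0;
    if (n == JUNK) return 1;
    return (n->parent != parent) + check_links(n->left, n) + check_links(n->right, n);
}

/* Is elm itself (not just a node with an equal key) reachable from root? */
static int in_tree(const struct node *root, const struct node *elm)
{
    while (root != NULL && root != elm)
        root = elm->key < root->key ? root->left : root->right;
    return root == elm;
}

/* Constructed sample: 10 <- 20 -> 30, plus a node that was never inserted. */
static struct node a = {NULL, NULL, NULL, 10}, c = {NULL, NULL, NULL, 30},
                   b = {&a, &c, NULL, 20}, stale = {NULL, NULL, NULL, 30};

static struct node *sample_tree(void)
{
    a.parent = &b;
    c.parent = JUNK;     /* parent link left at the fill pattern */
    stale.parent = JUNK; /* same key as c, but not linked into the tree */
    return &b;
}

int main(void)
{
    struct node *root = sample_tree();
    printf("child-only walk: %d nodes, no fault seen\n", walk_children(root));
    printf("bad links found: %d\n", check_links(root, NULL));
    printf("c in tree: %d, stale in tree: %d\n", in_tree(root, &c), in_tree(root, &stale));
    return 0;
}
```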



More information about the freebsd-hackers mailing list