double connection_free() in dns_resolve()
If dns_resolve()'s call to dns_resolve_impl() returns -1, it ends up running

```
    dns_cancel_pending_resolve(exitconn->_base.address);
    if (!exitconn->_base.marked_for_close) {
      connection_free(TO_CONN(exitconn));
```

But dns_cancel_pending_resolve() runs

```
  while (resolve->pending_connections) {
    ...
    if (!pendconn->_base.marked_for_close)
      connection_free(TO_CONN(pendconn));
```

So we would end up calling connection_free() on it twice.

But we don't in practice, since the first connection_free() scribbles 0xCC on it, which sets marked_for_close to true, so we don't free it the second time!

Cue Nick's circus music.

Our friendly irc person says "fix not so easy btw, connection_free() still need to call if no it was attached to pending resolve list."
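The error path described above, modeled as an added example (not Tor source). `conn_t`, `slot`, the `_sim` functions and the `fill` parameter are assumptions made for the demo. It shows that the second free is skipped only because the freed bytes read as nonzero, and sketches one way to let the callee report ownership instead.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a Tor connection. The slot lives in static storage,
 * so inspecting a "freed" slot here is well-defined, unlike real freed memory. */
typedef struct { uint16_t marked_for_close; int pending; } conn_t;

static conn_t slot;
static int free_calls;               /* number of releases of the single slot */

/* Simulated connection_free(): overwrite the object with `fill`, count it. */
static void conn_free_sim(conn_t *c, int fill) {
    memset(c, fill, sizeof *c);
    free_calls++;
}

/* Simulated dns_cancel_pending_resolve(): frees the conn if it is on the
 * pending list and not marked. Returns 1 if it freed the conn, else 0. */
static int cancel_pending_sim(conn_t *c, int fill) {
    if (c->pending && !c->marked_for_close) {
        conn_free_sim(c, fill);
        return 1;
    }
    return 0;
}

/* Pattern from the ticket: the caller re-checks a field of a conn that the
 * callee may already have freed. */
int buggy_error_path(int pending, int fill) {
    slot = (conn_t){ .marked_for_close = 0, .pending = pending };
    free_calls = 0;
    cancel_pending_sim(&slot, fill);
    if (!slot.marked_for_close)      /* reads the object after the free */
        conn_free_sim(&slot, fill);
    return free_calls;
}

/* Hardened sketch: the callee's return value decides ownership; the caller
 * only reads the object when it is still alive. */
int fixed_error_path(int pending, int fill) {
    slot = (conn_t){ .marked_for_close = 0, .pending = pending };
    free_calls = 0;
    if (!cancel_pending_sim(&slot, fill) && !slot.marked_for_close)
        conn_free_sim(&slot, fill);
    return free_calls;
}
```

With `fill` set to 0xCC the buggy path frees once; with a fill of 0 the same code frees twice, while the hardened path frees exactly once in both cases and still frees a connection that was never on the pending list.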