--- Comment #10 from gronke <[hidden email]> ---
I used a similar script to reproduce the bug and noticed it only occurs when
the host's epair nic went up before destroying the jail.

This snippet manually attaches the nic to the jail after it was started and
takes "yes" as first argument to change the host's nic state.

$ ./crash-demo.sh no
> done
$ ./crash-demo.sh yes
> crash




ifconfig $BRIDGE_IF create
set -x

for i in $(seq 0 200); do

  #jail -c vnet persist path=$RELEASE_FOLDER name=jail-vnet
  jail -c vnet persist name=jail-vnet

  epair_a="$(ifconfig epair create)"
  epair_b="$(echo $epair_a | rev | cut -c2- | rev)b"

  mac_a=$(openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//')

  ifconfig $epair_a name a-$i
  ifconfig a-$i ether "$mac_a"

  if [ "$UPDOWNIF" == "yes" ]; then
    ifconfig a-$i up

  ifconfig $BRIDGE_IF addm a-$i
  ifconfig $epair_b vnet jail-vnet

  jexec jail-vnet /sbin/ifconfig $epair_b name vnet0
  jexec jail-vnet /sbin/ifconfig vnet0 up
  jexec jail-vnet /sbin/ifconfig

  jail -r jail-vnet

  if [ "$UPDOWNIF" == "yes" ]; then
    ifconfig a-$i down
  ifconfig $BRIDGE_IF deletem a-$i
  ifconfig a-$i destroy


echo "done"

