Bug #13203
dlstat show-phys -r fails with a SIGSEGV
% Done: 0%
Difficulty: Medium
Description
If you run dlstat show-phys -r with or without the optional final argument it generates a core dump.
Stack trace is:
    > $C
    08040ab8 libdladm.so.1`dladm_dld_kcp+0x13(0)
    08040b28 libdladm.so.1`i_dlstat_query_stats+0x1f(0, 8040b58, feddcccf, 8040ba0, a0, fedd3271)
    08040db8 libdladm.so.1`dlstat_rx_ring_stats+0xa3(0, 0)

This appears to be short and missing the caller of dlstat_rx_ring_stats, which is suspicious.
Using an interactive debugger I was able to determine it was processing "aggr0" in my case.
The function in error is:
    void *
    dlstat_rx_ring_stats(dladm_handle_t dh, datalink_id_t linkid)
    {
        uint_t rx_ring_idlist[MAX_RINGS_PER_GROUP];
        uint_t rx_ring_idlist_size;
        . . .
        i_dlstat_get_idlist(dh, modname, DLSTAT_RX_RING_IDLIST,
            rx_ring_idlist, &rx_ring_idlist_size);

        return (i_dlstat_query_stats(dh, modname, DLSTAT_MAC_RX_RING,
            rx_ring_idlist, rx_ring_idlist_size,
            i_dlstat_rx_ring_retrieve_stat));
    }

MAX_RINGS_PER_GROUP is 128. The value in rx_ring_idlist_size returned by the call to i_dlstat_get_idlist was 160. That will overflow the rx_ring_idlist[] array and corrupt the stack.

The library searches kstats for its data, and for Rx, in this specific case it is searching for a kstat for aggr0, instance 0, and with a name "mac_rx_ring". The identifier "mac_rx_ring" has the format "mac_rx_ring_%d_%d". The first decimal is the group number, and the second the ring within the group. So, the assumption in the function that this will only return MAX_RINGS_PER_GROUP entries is inherently incorrect, as we have multiple groups.
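
An added illustration of the overflow described above (not libdladm code and not the project's fix): a collector that parses "mac_rx_ring_%d_%d" names, never stores more than the caller's capacity, and returns the total number matched so the caller can detect truncation. The names collect_rx_ring_ids and run_sample, and the 5 x 32 group/ring layout, are assumptions constructed to reproduce the count of 160 from the report.

```c
#include <stdio.h>

#define MAX_RINGS_PER_GROUP 128  /* value stated in the report */
#define SAMPLE_GROUPS 5          /* constructed: 5 groups x 32 rings = 160 */
#define SAMPLE_RINGS 32
#define SAMPLE_NAMES (SAMPLE_GROUPS * SAMPLE_RINGS + 1)

/*
 * Hypothetical helper: collect ring ids from kstat names of the form
 * "mac_rx_ring_<group>_<ring>". At most `cap` ids are written to idlist;
 * the return value is the number of matching names, which may exceed cap.
 */
size_t collect_rx_ring_ids(const char *const *names, size_t nnames,
                           unsigned *idlist, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < nnames; i++) {
        unsigned group, ring;
        char tail;
        /* Exactly two conversions: both numbers present, nothing trailing. */
        if (sscanf(names[i], "mac_rx_ring_%u_%u%c", &group, &ring, &tail) != 2)
            continue;
        if (found < cap)          /* the bound the original caller lacked */
            idlist[found] = ring;
        found++;
    }
    return found;
}

/* Build the constructed name list (several groups on one link) and collect. */
size_t run_sample(unsigned *idlist, size_t cap)
{
    static char buf[SAMPLE_NAMES][32];
    const char *names[SAMPLE_NAMES];
    size_t n = 0;
    for (unsigned g = 0; g < SAMPLE_GROUPS; g++)
        for (unsigned r = 0; r < SAMPLE_RINGS; r++, n++) {
            snprintf(buf[n], sizeof(buf[n]), "mac_rx_ring_%u_%u", g, r);
            names[n] = buf[n];
        }
    names[n++] = "unrelated_stat";  /* constructed non-ring name, ignored */
    return collect_rx_ring_ids(names, n, idlist, cap);
}

int main(void)
{
    unsigned idlist[MAX_RINGS_PER_GROUP];
    size_t found = run_sample(idlist, MAX_RINGS_PER_GROUP);
    if (found > MAX_RINGS_PER_GROUP)
        printf("truncated: %zu rings found, %d stored\n", found, MAX_RINGS_PER_GROUP);
    return 0;
}
```

A caller that sees a return value larger than its capacity can either report the truncation or retry with a buffer sized from that count.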