Ticket Hash: 7e3db761c905f6b68d4a486aa1a4cfea7af89bc4
Title: double free/decrement in generic/itclObject.c
Status: Closed
Type: Code_Defect
Severity: Critical
Priority: Immediate
Subsystem:
Resolution: Fixed
Last Modified: 2015-12-01 19:03:35
Version Found In: Tcl 8.6.4 and trunk

User Comments:
rlehfeld added on 2015-10-19 14:00:27:
There is a double free/reference counter decrement of the methodNamePtr in procedure ItclObjectCmd in file itclObject.c. This leads to a crash. The problem can be fixed by applying the patch below.

--- generic/itclObject.c.orig 2015-10-19 15:33:25.479247093 +0200 +++ generic/itclObject.c 2015-10-19 15:34:31.914399385 +0200 @@ -2943,12 +2943,12 @@ Tcl_DecrRefCount(methodNamePtr); } methodNamePtr = objv[0]; - Tcl_IncrRefCount(methodNamePtr); } } callbackPtr = Itcl_GetCurrentCallbackPtr(interp); newObjv = NULL; if (methodNamePtr != NULL) { + Tcl_IncrRefCount(methodNamePtr); if (iclsPtr->flags & (ITCL_TYPE|ITCL_WIDGETADAPTOR)) { char *myName; /* special handling for mytypemethod, mymethod, myproc */

dgp added on 2015-10-22 16:03:52:
Can I have a script which triggers the crash please?

rlehfeld added on 2015-11-02 12:26:30:
Hi, the problem/crash is detected during execution of a complete in-house written test suite/framework written in Tcl. With this framework I can 100% reproduce this issue and was able to track it back to this location. The internal free obj list in Tcl is getting corrupted, and I had to change the Tcl code itself to tell me the exact location where the corruption is happening. This is happening actually at line 3013: Tcl_DecrRefCount(methodNamePtr), after executing line 3001: Tcl_NRAddCallback(interp, CallPublicObjectCmd, oPtr, clsPtr, INT2PTR(objc+incr), newObjv), in which the reference was already decremented. Once I created/applied the patch, all code, actually the whole test suite, is running fine. Unfortunately I did not manage to reproduce the issue independently of the test suite; even though the bug is logical, it is difficult to trigger the free list to reach the same state so that the script/Tcl will stumble across it :-(
Best Regards
René

dgp added on 2015-12-01 19:03:35:
Slightly modified patch accepted. Now on trunk. Thanks for the report and the fix.
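Review bot: moving Tcl_IncrRefCount(methodNamePtr) into the `if (methodNamePtr != NULL)` branch makes the increment apply to every non-NULL methodNamePtr that reaches that point, not only to the `methodNamePtr = objv[0]` path it was removed from, so the other assignments to methodNamePtr outside this hunk need checking: any path that still takes its own reference will now be incremented twice against the Tcl_DecrRefCount that follows (the one at line 3013 per the report) and leak the object. The preceding context `Tcl_DecrRefCount(methodNamePtr); } methodNamePtr = objv[0];` shows the prior reference being released before reassignment, so that path is consistent with the change. A one-line comment at the new increment naming the decrement it pairs with would make the ownership explicit for the next reader.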
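The defect class in this ticket, a reference released once by the callback that consumes the argument vector and a second time by the caller, is hard to observe because Tcl_Obj's free list only misbehaves when it happens to reach a particular state, as the reporter notes. The following is an added example, not code from the ticket, Itcl or Tcl: a toy reference-counted object modelled on the Tcl_IncrRefCount/Tcl_DecrRefCount discipline, with a guard in the decrement that records a release of an object whose count is already zero instead of silently corrupting a free list. The names (Obj, ConsumeArgv, RunDoubleDecrement, RunBalanced) and the sequence of operations are assumptions made for illustration and stand in for the CallPublicObjectCmd callback and its caller rather than reproducing the Itcl code.

```c
/* Added example, not Itcl/Tcl code. A toy refcounted object mirroring the
 * Tcl_Obj ownership rule: every Tcl_IncrRefCount must be matched by exactly
 * one Tcl_DecrRefCount, and the object is returned to the allocator when the
 * count reaches zero. The guard in DecrRefCount detects a second release. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Obj {
    int refCount;
    int freed;          /* set when the object went back to the "free list" */
    char name[32];
} Obj;

static int guardErrors = 0;  /* number of releases on an already-dead object */

static Obj *NewObj(const char *name) {
    Obj *o = calloc(1, sizeof *o);   /* refCount 0, as Tcl_NewObj() returns */
    if (o == NULL) { perror("calloc"); exit(1); }
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

static void IncrRefCount(Obj *o) { o->refCount++; }

static void DecrRefCount(Obj *o) {
    if (o->freed || o->refCount <= 0) {
        /* In Tcl this is where a dead Tcl_Obj would be pushed onto the
         * free list twice; here we count the misuse instead of crashing. */
        guardErrors++;
        return;
    }
    if (--o->refCount == 0) {
        o->freed = 1;   /* stand-in for returning the object to the free list */
    }
}

/* Stand-in for the callback that receives newObjv: it uses the vector and
 * releases the one reference per element that the vector owns. */
static void ConsumeArgv(Obj **argv, int argc) {
    for (int i = 0; i < argc; i++) DecrRefCount(argv[i]);
}

/* The defective sequence in toy form: the method name carries a single
 * reference, the callback releases it, then the caller releases it again.
 * Returns the number of guard hits (1 expected). */
static int RunDoubleDecrement(void) {
    guardErrors = 0;
    Obj *methodName = NewObj("info");
    IncrRefCount(methodName);            /* the only increment */
    Obj *newObjv[1] = { methodName };
    ConsumeArgv(newObjv, 1);             /* callback release: 1 -> 0, freed */
    DecrRefCount(methodName);            /* caller release: second decrement */
    int hits = guardErrors;
    free(methodName);
    return hits;
}

/* Balanced sequence: one reference for the vector and one for the caller,
 * so both releases are legitimate and the object dies on the last one.
 * Returns 0 on success; bit 1 = guard fired, bit 2 = freed before the last
 * release, bit 4 = never freed (leak). */
static int RunBalanced(void) {
    guardErrors = 0;
    Obj *methodName = NewObj("info");
    IncrRefCount(methodName);            /* caller's own reference */
    Obj *newObjv[1] = { methodName };
    IncrRefCount(methodName);            /* reference owned by the vector */
    ConsumeArgv(newObjv, 1);             /* 2 -> 1, object still alive */
    int freedEarly = methodName->freed;
    DecrRefCount(methodName);            /* 1 -> 0, freed exactly here */
    int status = (guardErrors ? 1 : 0) | (freedEarly ? 2 : 0)
               | (methodName->freed ? 0 : 4);
    free(methodName);
    return status;
}

int main(void) {
    printf("double decrement: %d guard hit(s)\n", RunDoubleDecrement());
    printf("balanced: status %d (0 = correct)\n", RunBalanced());
    return 0;
}
```

The guard is the part worth carrying into real debugging: a check of this shape at the decrement site reports the offending location immediately, which is what the reporter had to add to Tcl by hand to find line 3013.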