Itcl - the [incr Tcl] extension

Ticket Hash: 7e3db761c905f6b68d4a486aa1a4cfea7af89bc4
Title: double free/decrement in generic/itclObject.c
Status: Closed
Type: Code_Defect
Severity: Critical
Priority: Immediate
Subsystem:
Resolution: Fixed
Last Modified: 2015-12-01 19:03:35
Version Found In: Tcl 8.6.4 and trunk
User Comments:
rlehfeld added on 2015-10-19 14:00:27:
There is a double free/reference counter decrement of the methodNamePtr in procedure ItclObjectCmd in file itclObject.c. This leads to a crash.
The problem can be fixed by applying the patch below.

--- generic/itclObject.c.orig   2015-10-19 15:33:25.479247093 +0200
+++ generic/itclObject.c        2015-10-19 15:34:31.914399385 +0200
@@ -2943,12 +2943,12 @@
                Tcl_DecrRefCount(methodNamePtr);
            }
             methodNamePtr = objv[0];
-            Tcl_IncrRefCount(methodNamePtr);
         }
     }
     callbackPtr = Itcl_GetCurrentCallbackPtr(interp);
     newObjv = NULL;
     if (methodNamePtr != NULL) {
+       Tcl_IncrRefCount(methodNamePtr);
        if (iclsPtr->flags & (ITCL_TYPE|ITCL_WIDGETADAPTOR)) {
            char *myName;
            /* special handling for mytypemethod, mymethod, myproc */
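Review bot: the hunk does not show the Tcl_DecrRefCount(methodNamePtr) that the relocated Tcl_IncrRefCount is meant to balance (the discussion places it at line 3013, outside this context), so from the patch alone a reader cannot confirm that every path which leaves methodNamePtr non-NULL now gets exactly one increment before that single release; extending the context to include that later region, or adding a one-line comment at the new `Tcl_IncrRefCount(methodNamePtr);` saying which Tcl_DecrRefCount it pairs with, would make the invariant reviewable. Worth checking as well: the earlier `Tcl_DecrRefCount(methodNamePtr);` still visible at the top of the hunk shows that some paths reach this point with a reference already held, and any such path that kept its own increment would now be counted twice and leak rather than crash.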

dgp added on 2015-10-22 16:03:52:
Can I have a script which triggers the crash please?

rlehfeld added on 2015-11-02 12:26:30:
Hi,

The problem/crash is detected during execution of a complete in-house test suite/framework written in Tcl. With this framework I can reproduce this issue 100% and was able to track it back to this location. The internal free obj list in Tcl is getting corrupted, and I had to change the Tcl code itself to tell me the exact location where the corruption is happening. This is actually happening at line

3013:Tcl_DecrRefCount(methodNamePtr)

after executing line

3001:Tcl_NRAddCallback(interp, CallPublicObjectCmd, oPtr, clsPtr,
	        INT2PTR(objc+incr), newObjv)

in which the reference was already decremented. Once I created/applied the patch, all code, actually the whole test suite, is running fine. Unfortunately I did not manage to reproduce the issue independently of the test suite; even though the bug is logical, it is difficult to get the free list into the same state so that the script/Tcl will stumble across it :-(

Best Regards

René
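The two comments above describe a reference that is released once more than it was acquired, and a patch that moves the acquire so it covers every path on which the pointer is live. The following C model, added here as an example and not taken from Itcl or Tcl, reproduces that pattern with an invented `RcObj` type and invented `dispatch_unbalanced`/`dispatch_balanced` functions: instead of freeing memory, the release routine records that the object has been released and reports any later decrement that lands on it, so the fault shows up as a return value rather than as free-list corruption. The object layout, the "cached name" second path and the owners' final releases are constructed for the illustration, not facts about itclObject.c.

```c
#include <stdio.h>

/* Constructed stand-in for a reference-counted object such as a Tcl_Obj. */
typedef struct RcObj {
    int refCount;
    int released;   /* 1 once the count reached zero; models "put on the free list" */
} RcObj;

static void rc_incr(RcObj *o) {
    o->refCount++;
}

/* Drop one reference. Returns 1 when the decrement hits an object that was
 * already released, i.e. the double decrement the ticket describes; a real
 * allocator would instead corrupt its free list at this point. */
static int rc_decr(RcObj *o) {
    if (o->released) {
        return 1;
    }
    if (--o->refCount == 0) {
        o->released = 1;
    }
    return 0;
}

/* Result codes shared by both dispatch models:
 *   -1  a double decrement was detected
 *    0  no double decrement, but an object was never released (leak)
 *    1  every object released exactly once */
static int summarize(int fault, const RcObj *a, const RcObj *b) {
    if (fault) {
        return -1;
    }
    return (a->released && b->released) ? 1 : 0;
}

/* Pre-patch ordering (model): the increment sits on only one of the paths
 * that make methodNamePtr non-NULL, while the release at the end runs for
 * every non-NULL pointer. objv0 is the caller's argument and cached is a
 * name owned elsewhere; each owner holds one reference and drops it after
 * the call, which is where the imbalance surfaces. */
int dispatch_unbalanced(int viaObjv0) {
    RcObj objv0 = { 1, 0 };
    RcObj cached = { 1, 0 };
    RcObj *methodNamePtr = NULL;
    int fault = 0;

    if (viaObjv0) {
        methodNamePtr = &objv0;
        rc_incr(methodNamePtr);          /* only this path takes a reference */
    } else {
        methodNamePtr = &cached;         /* other path: pointer set, no reference taken */
    }

    if (methodNamePtr != NULL) {
        fault |= rc_decr(methodNamePtr); /* the function's single, unconditional release */
    }

    fault |= rc_decr(&objv0);            /* owners drop their references afterwards */
    fault |= rc_decr(&cached);
    return summarize(fault, &objv0, &cached);
}

/* Post-patch ordering (model of the accepted fix): the assignment paths no
 * longer take references; one increment happens wherever the pointer is
 * non-NULL, so the single release always has a matching acquire. */
int dispatch_balanced(int viaObjv0) {
    RcObj objv0 = { 1, 0 };
    RcObj cached = { 1, 0 };
    RcObj *methodNamePtr = NULL;
    int fault = 0;

    if (viaObjv0) {
        methodNamePtr = &objv0;          /* no increment here any more */
    } else {
        methodNamePtr = &cached;
    }

    if (methodNamePtr != NULL) {
        rc_incr(methodNamePtr);          /* one acquire for every live pointer */
        fault |= rc_decr(methodNamePtr);
    }

    fault |= rc_decr(&objv0);
    fault |= rc_decr(&cached);
    return summarize(fault, &objv0, &cached);
}

int main(void) {
    printf("unbalanced via objv[0]: %d\n", dispatch_unbalanced(1));
    printf("unbalanced via cached : %d\n", dispatch_unbalanced(0));
    printf("balanced   via objv[0]: %d\n", dispatch_balanced(1));
    printf("balanced   via cached : %d\n", dispatch_balanced(0));
    return 0;
}
```

Only the path that never took a reference misbehaves in the unbalanced version, which matches the reporter's experience: the crash depends on which branch set the pointer and on the allocator's state at the time, so a small script that always takes the incremented path will not show it. The `released` flag plus the return code is the kind of cheap instrumentation that makes such imbalances deterministic in a test build without patching the allocator.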

dgp added on 2015-12-01 19:03:35:
Slightly modified patch accepted. Now on trunk.

Thanks for the report and the fix.