Ticket UUID: 1153871
Title: Tcl_CreateObjTrace destroys user-supplied clientData
Type: Bug
Version: obsolete: 8.4.9
Submitter: yurivict
Created on: 2005-02-28 23:20:31
Subsystem: 46. Traces
Assigned To: dgp
Priority: 9 Immediate
Severity:
Status: Closed
Last Modified: 2005-03-11 05:10:49
Resolution: Fixed
Closed By: dgp
Closed on: 2005-03-10 22:10:49
Description:
Caller supplied clientData argument to Tcl_CreateObjTrace.
OBSERVED PROBLEM: coredump, analysis shows that clientData pointer supplied by user was typecasted to the pointer to the private structure TraceCommandInfo defined only in tclCmdMZ.c:

    tclCmdMZ.c:4318:
    tcmdPtr = (TraceCommandInfo*)tracePtr->clientData;
    tcmdPtr->curFlags = traceFlags;
    tcmdPtr->curCode = code;

and subsequent assignments to TraceCommandInfo destroy user-owned memory area.
Yuri
User Comments:

dgp added on 2005-03-11 05:10:49:
fixes committed for 8.4.10 and 8.5a3.

dgp added on 2005-03-09 06:46:51:
File Added - 124731: 1153871-8.5.patch
Here's the corresponding patch for Tcl 8.5a3 ...

dgp added on 2005-03-09 06:45:26:
File Added - 124730: 1153871.patch

dgp added on 2005-03-09 06:45:24:
please test whether this patch for Tcl 8.4.9 corrects the problem.

msofer added on 2005-03-02 04:14:17:
(1) Agreed about "unconditionally wrong", not denying the bug!
(2) Tcl_CreateObjTrace is documented to accept only TCL_ALLOW_INLINE_COMPILATION as flag value. It should probably throw an error (return NULL) if it receives any other value. Note that under these conditions, the clientData is not deref'ed or overwritten.
(3) Alternatively, we may find a way to enable Tcl_CreateObjTrace to process correctly other flag values. This implies some internal redesign. In the meantime - please use the function as documented.

yurivict added on 2005-03-02 04:00:21:
Actually it was called twice, for enter and leave.
for enter with flags TCL_ALLOW_INLINE_COMPILATION
for leave with flags TCL_TRACE_LEAVE_EXEC | TCL_ALLOW_INLINE_COMPILATION
----
seems to be unconditionally wrong for TCL to dereference user-supplied clientData, line:

    tcmdPtr = (TraceCommandInfo*)tracePtr->clientData;

Yuri

msofer added on 2005-03-02 02:10:31:
Looking at the code: Tcl_CreateObjTrace should only be passed flag values 0 or TCL_ALLOW_INLINE_COMPILATION. So we definitely have a bug in that we're not checking that value. What you are observing suggests that the flag somehow got a different value - or that that flag value itself was corrupted. Could you please confirm what flag value was passed to Tcl_CreateObjTrace?

yurivict added on 2005-03-01 08:34:52:
Tcl_CreateObjTrace was called before any TCLs, then memory corruption way down the road by subsequent TCL scripts. It's very obscure, I could only catch it by "gdb watch" command. Documentation should be fixed too since it says something about "arbitrary one-word value" which is not even the case.
Yuri

msofer added on 2005-03-01 08:01:20:
Core dump => setting to max priority
I assume that this was not triggered by a tcl script, right? In any case, we also seem to be lacking a test in the testsuite.
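As an added illustration (not Tcl's code and not the patches attached to this ticket): a small C model of the clientData type confusion the thread describes, with the flag check msofer proposed beside it. The flag bit values, the struct layouts and the function names are constructed placeholders, not Tcl's real definitions.

```c
#include <stdlib.h>
#include <string.h>
/* Placeholder flag values named in the ticket (not Tcl's real bit definitions). */
#define TCL_ALLOW_INLINE_COMPILATION 0x1000
#define TCL_TRACE_LEAVE_EXEC         0x2000

typedef void *ClientData;
/* Simplified models of the private TraceCommandInfo (tclCmdMZ.c) and of the
 * trace record that carries the caller's clientData. */
typedef struct TraceCommandInfo { int curFlags; int curCode; } TraceCommandInfo;
typedef struct Trace { int flags; ClientData clientData; } Trace;

/* Model of the faulty path (tclCmdMZ.c:4318): with TCL_TRACE_LEAVE_EXEC set the
 * core treats clientData as its own TraceCommandInfo and writes into it. */
static void traceLeaveExec(Trace *tracePtr, int traceFlags, int code)
{
    if (tracePtr->flags & TCL_TRACE_LEAVE_EXEC) {
        TraceCommandInfo *tcmdPtr = (TraceCommandInfo *) tracePtr->clientData;
        tcmdPtr->curFlags = traceFlags;  /* clobbers caller-owned memory */
        tcmdPtr->curCode = code;
    }
}

/* The guard proposed in the thread: any flag other than 0 or
 * TCL_ALLOW_INLINE_COMPILATION is rejected with NULL, so the caller's
 * clientData is never reinterpreted on the accepted path. */
Trace *createObjTraceChecked(int flags, ClientData clientData)
{
    if ((flags & ~TCL_ALLOW_INLINE_COMPILATION) != 0) {
        return NULL;
    }
    Trace *t = calloc(1, sizeof *t);
    if (t != NULL) {
        t->flags = flags;
        t->clientData = clientData;
    }
    return t;
}

/* Reproduces the report without the guard: returns 1 if the caller's two
 * words were overwritten by the leave-exec path, 0 if they are intact. */
int userDataClobberedWithoutCheck(void)
{
    int *userWords = malloc(2 * sizeof *userWords);  /* caller-owned data */
    Trace t = { TCL_TRACE_LEAVE_EXEC | TCL_ALLOW_INLINE_COMPILATION, userWords };
    int after[2];
    userWords[0] = 0x11111111; userWords[1] = 0x22222222;
    traceLeaveExec(&t, 7, 0);
    memcpy(after, userWords, sizeof after);
    free(userWords);
    return after[0] != 0x11111111 || after[1] != 0x22222222;
}
```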