Ticket UUID: 1981001
Title: oo-14.6 freed memory read (was: oo-10.2 panic)
Type: Bug | Version: None
Submitter: das | Created on: 2008-06-01 00:22:09
Subsystem: 35. TclOO Package | Assigned To: dkf
Priority: 8 | Severity:
Status: Closed | Last Modified: 2008-06-17 09:20:28
Resolution: Fixed | Closed By: sf-robot
Closed on: 2008-06-17 02:20:28
Description:
oo-10.2 panics, I think this is new with the latest leak changes

Tests running in interp: ./tcltest
Tests located in: tcl/tests
Tests running in: .
Temporary files stored in .
Test files sourced into current interpreter
Running tests that match: oo-10.2
Skipping test files that match: l.*.test
Only running test files that match: oo.test
Tests began at Sun Jun 01 02:15:58 CEST 2008
oo.test
---- oo-10.2 start
Running…
Pending breakpoint 7 - ""tclPanic.c:92" resolved
(gdb) bt
#0 Tcl_PanicVA (format=0x131444 "alloc: invalid block: %p: %x %x", argList=0xbfffc414 "\300\256C") at tcl/generic/tclPanic.c:83
#1 0x000c9c27 in Tcl_Panic (format=0x131444 "alloc: invalid block: %p: %x %x") at tcl/generic/tclPanic.c:131
#2 0x000f9209 in Ptr2Block (ptr=0x43aed0 "") at tcl/generic/tclThreadAlloc.c:735
#3 0x000f88cc in TclpFree (ptr=0x43aed0 "") at tcl/generic/tclThreadAlloc.c:376
#4 0x0001e5c3 in Tcl_Free (ptr=0x43aed0 "") at tcl/generic/tclCkalloc.c:1182
#5 0x000dc1de in Tcl_DiscardInterpState (state=0x43aed0) at tcl/generic/tclResult.c:192
#6 0x000dc122 in Tcl_RestoreInterpState (interp=0x1aac10, state=0x43aed0) at tcl/generic/tclResult.c:155
#7 0x00015607 in CallCommandTraces (iPtr=0x1aac10, cmdPtr=0x3be710, oldName=0x4361b0 "::O", newName=0x0, flags=16512) at tcl/generic/tclBasic.c:2928
#8 0x0001527e in Tcl_DeleteCommandFromToken (interp=0x1aac10, cmd=0x3be710) at tcl/generic/tclBasic.c:2742
#9 0x000bf406 in TclOO_Object_Destroy (clientData=0x0, interp=0x1aac10, context=0x1b2d60, objc=2, objv=0x1b2c40) at tcl/generic/tclOOBasic.c:233
#10 0x000c0c79 in TclOOInvokeContext (interp=0x1aac10, contextPtr=0x1b2d60, objc=2, objv=0x1b2c40) at tcl/generic/tclOOCall.c:287
#11 0x000bea4e in TclOOObjectCmdCore (oPtr=0x3be410, interp=0x1aac10, objc=2, objv=0x1b2c40, flags=1, startCls=0x0) at tcl/generic/tclOO.c:1912
#12 0x000be6b1 in PublicObjectCmd (clientData=0x3be410, interp=0x1aac10, objc=2, objv=0x1b2c40) at tcl/generic/tclOO.c:1778
#13 0x00016898 in TclEvalObjvInternal (interp=0x1aac10, objc=2, objv=0x1b2c40, command=0x42fd95 "O destroy\n", length=10, flags=0) at tcl/generic/tclBasic.c:3650
#14 0x000179c2 in TclEvalEx (interp=0x1aac10, script=0x42fd90 "\n O destroy\n", numBytes=15, flags=262144, line=2) at tcl/generic/tclBasic.c:4297
#15 0x00017117 in Tcl_EvalEx (interp=0x1aac10, script=0x42fd90 "\n O destroy\n", numBytes=15, flags=262144) at tcl/generic/tclBasic.c:4003
#16 0x00018104 in TclEvalObjEx (interp=0x1aac10, objPtr=0x4304b0, flags=262144, invoker=0x0, word=0) at tcl/generic/tclBasic.c:4675
#17 0x00017e07 in Tcl_EvalObjEx (interp=0x1aac10, objPtr=0x0, flags=262144) at tcl/generic/tclBasic.c:4556
#18 0x000d811c in Tcl_UplevelObjCmd (dummy=0x0, interp=0x1aac10, objc=1, objv=0x1b2a84) at tcl/generic/tclProc.c:911
#19 0x00016898 in TclEvalObjvInternal (interp=0x1aac10, objc=3, objv=0x1b2a7c, command=0xffffffff <Address 0xffffffff out of bounds>, length=-1, flags=0) at tcl/generic/tclBasic.c:3650
#20 0x00070915 in TclExecuteByteCode (interp=0x1aac10, codePtr=0x419010) at tcl/generic/tclExecute.c:2327
#21 0x000d9331 in TclObjInterpProcCore (interp=0x1aac10, procNameObj=0x430900, skip=1, errorProc=0xd99c9 <MakeProcError>) at tcl/generic/tclProc.c:1721
#22 0x000d8f2b in TclObjInterpProc (clientData=0x337750, interp=0x1aac10, objc=11, objv=0x1b2690) at tcl/generic/tclProc.c:1615
#23 0x000af2aa in InvokeImportedCmd (clientData=0x3356d0, interp=0x1aac10, objc=11, objv=0x1b2690) at tcl/generic/tclNamesp.c:1889
#24 0x00016898 in TclEvalObjvInternal (interp=0x1aac10, objc=11, objv=0x1b2690, command=0x41f877 "test oo-10.2 {OO: recursive invoke and modify} -setup {\n oo::object create O\n} -cleanup {\n O destroy\n} -body {\n oo::objdefine O method foo {} {\n\too::objdefine [self] method foo {} {\n\t erro"..., length=281, flags=0) at tcl/generic/tclBasic.c:3650
#25 0x000179c2 in TclEvalEx (interp=0x1aac10, script=0x41b010 "# This file contains a collection of tests for Tcl's built-in object system.\n# Sourcing this file into Tcl runs the tests and generates output for errors.\n# No output means no errors were found.\n#\n# C"..., numBytes=49556, flags=0, line=664) at tcl/generic/tclBasic.c:4297
#26 0x00017117 in Tcl_EvalEx (interp=0x1aac10, script=0x41b010 "# This file contains a collection of tests for Tcl's built-in object system.\n# Sourcing this file into Tcl runs the tests and generates output for errors.\n# No output means no errors were found.\n#\n# C"..., numBytes=49556, flags=0) at tcl/generic/tclBasic.c:4003
#27 0x000a3be7 in Tcl_FSEvalFileEx (interp=0x1aac10, pathPtr=0x3da6f8, encodingName=0x0) at tcl/generic/tclIOUtil.c:1776
#28 0x0002ebfd in Tcl_SourceObjCmd (dummy=0x0, interp=0x1aac10, objc=2, objv=0x3bcc60) at tcl/generic/tclCmdMZ.c:955
#29 0x00016898 in TclEvalObjvInternal (interp=0x1aac10, objc=2, objv=0x3bcc60, command=0x0, length=0, flags=262144) at tcl/generic/tclBasic.c:3650
#30 0x00016f4c in Tcl_EvalObjv (interp=0x1aac10, objc=2, objv=0x3bcc60, flags=262144) at tcl/generic/tclBasic.c:3845
#31 0x00018038 in TclEvalObjEx (interp=0x1aac10, objPtr=0x3da5f0, flags=262144, invoker=0x0, word=0) at tcl/generic/tclBasic.c:4644
#32 0x00017e07 in Tcl_EvalObjEx (interp=0x1aac10, objPtr=0x0, flags=262144) at tcl/generic/tclBasic.c:4556
#33 0x000d811c in Tcl_UplevelObjCmd (dummy=0x0, interp=0x1aac10, objc=1, objv=0x1b24a0) at tcl/generic/tclProc.c:911
#34 0x00016898 in TclEvalObjvInternal (interp=0x1aac10, objc=3, objv=0x1b2498, command=0xffffffff <Address 0xffffffff out of bounds>, length=-1, flags=0) at tcl/generic/tclBasic.c:3650
#35 0x00070915 in TclExecuteByteCode (interp=0x1aac10, codePtr=0x347010) at tcl/generic/tclExecute.c:2327
#36 0x000d9331 in TclObjInterpProcCore (interp=0x1aac10, procNameObj=0x30b2a0, skip=1, errorProc=0xd99c9 <MakeProcError>) at tcl/generic/tclProc.c:1721
#37 0x000d8f2b in TclObjInterpProc (clientData=0x313190, interp=0x1aac10, objc=1, objv=0x1b21e0) at tcl/generic/tclProc.c:1615
#38 0x000af2aa in InvokeImportedCmd (clientData=0x382fd0, interp=0x1aac10, objc=1, objv=0x1b21e0) at tcl/generic/tclNamesp.c:1889
#39 0x00016898 in TclEvalObjvInternal (interp=0x1aac10, objc=1, objv=0x1b21e0, command=0x1d3666 "runAllTests\n", length=12, flags=0) at tcl/generic/tclBasic.c:3650
#40 0x000179c2 in TclEvalEx (interp=0x1aac10, script=0x1d3410 "# all.tcl --\n#\n# This file contains a top-level script to run all of the Tcl\n# tests. Execute it by invoking \"source all.test\" when running tcltest\n# in this directory.\n#\n# Copyright (c) 1998-1999 by"..., numBytes=610, flags=0, line=19) at tcl/generic/tclBasic.c:4297
#41 0x00017117 in Tcl_EvalEx (interp=0x1aac10, script=0x1d3410 "# all.tcl --\n#\n# This file contains a top-level script to run all of the Tcl\n# tests. Execute it by invoking \"source all.test\" when running tcltest\n# in this directory.\n#\n# Copyright (c) 1998-1999 by"..., numBytes=610, flags=0) at tcl/generic/tclBasic.c:4003
#42 0x000a3be7 in Tcl_FSEvalFileEx (interp=0x1aac10, pathPtr=0x1af8b0, encodingName=0x0) at tcl/generic/tclIOUtil.c:1776
#43 0x000ac72c in Tcl_Main (argc=-1, argv=0xbffff438, appInitProc=0x116985 <Tcl_AppInit>) at tcl/generic/tclMain.c:443
#44 0x0011697a in main (argc=10, argv=0xbffff410) at tcl/unix/tclAppInit.c:87
(gdb) c
Continuing.
alloc: invalid block: 0x43aec0: c0 0
Program received signal: “SIGABRT”.
User Comments:
sf-robot added on 2008-06-17 09:20:28:
Logged In: YES user_id=1312539 Originator: NO
This Tracker item was closed automatically by the system. It was previously set to a Pending status, and the original submitter did not respond within 14 days (the time period specified by the administrator of this Tracker).

kennykb added on 2008-06-02 09:23:11:
Logged In: YES user_id=99768 Originator: NO
Got it! ReleaseClassContents has to protect the Object as well as the Class corresponding to derived classes. Otherwise, the Object can be freed before there's a chance to delete the class command, yielding a read of freed memory.

kennykb added on 2008-06-01 21:33:13:
Logged In: YES user_id=99768 Originator: NO
dkf's extension of the fix doesn't introduce any further problems, but the freed-memory read in ReleaseClassContents is still there. I'll investigate further if I can make the time.

dkf added on 2008-06-01 15:12:44:
Logged In: YES user_id=79902 Originator: NO
Extended kbk's fix logically.

kennykb added on 2008-06-01 12:16:14:
File Deleted - 279749:

kennykb added on 2008-06-01 12:16:13:
File Added - 279753: valgrind.out
Logged In: YES user_id=99768 Originator: NO
Committed a partial fix; the refcount of a method was incorrectly being reset to 1 if the method was redefined while a previous invocation was on the stack. That gets over the failure in oo-10.2 but appears to introduce a new one in oo-14.6. Valgrind output attached.
File Added: valgrind.out

kennykb added on 2008-06-01 09:34:51:
File Added - 279749: valgrind.out
Logged In: YES user_id=99768 Originator: NO
I *might* have time in the next few days to look into this, but it's a busy time for me too. If someone else gets to it first, the attached valgrind output might be informative.
File Added: valgrind.out

das added on 2008-06-01 08:01:19:
Logged In: YES user_id=90580 Originator: YES
;-) ok, no worries, will see if I can take a look during the week, busy as well though...

dkf added on 2008-06-01 07:49:32:
Logged In: YES user_id=79902 Originator: NO
Why don't *you* find the fix for the bug for a change? I have to focus on paywork for the next week or so now.

das added on 2008-06-01 07:24:22:
Logged In: YES user_id=90580 Originator: YES
panic only occurs in the threaded build...
Attachments:
- valgrind.out added by kennykb on 2008-06-01 12:16:12.
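
The refcount reset described in the 2008-06-01 12:16:13 comment, as a simplified C model added here; it is not Tcl's code. `Method`, `Result`, `method_release`, `method_redefine` and `run_scenario` are hypothetical names, in-place reuse of the method slot on redefinition is an assumption of the model, and a `freed` flag stands in for a real free so the model itself has no undefined behaviour.

```c
#include <stdio.h>

/* Toy model, not Tcl's structures: one refcounted method slot on an object. */
typedef struct {
    int refCount;  /* owners: the method table plus each active invocation */
    int body;      /* stands in for the method implementation */
    int freed;     /* set instead of calling free(), so the model stays inspectable */
} Method;

typedef struct {
    int freed_while_in_table;  /* slot released while the table still pointed at it */
    int use_after_free;        /* later access to the already-released slot */
} Result;

/* Drop one reference; returns 1 if the slot had already been released. */
static int method_release(Method *m) {
    if (m->freed) return 1;
    if (--m->refCount == 0) m->freed = 1;
    return 0;
}

/* Redefinition reuses the slot in place. reset_count != 0 models the bug:
 * the count goes back to 1 and the running invocation's reference is lost. */
static void method_redefine(Method *m, int new_body, int reset_count) {
    m->body = new_body;
    if (reset_count) m->refCount = 1;
}

/* Shape of test oo-10.2: a method redefines itself while it is running,
 * then the object is destroyed during cleanup. */
static Result run_scenario(int reset_count) {
    Method m = { 1, 0, 0 };                /* the table holds one reference */
    Result r = { 0, 0 };
    m.refCount++;                          /* the invocation pins the method */
    method_redefine(&m, 1, reset_count);   /* body redefines the method */
    method_release(&m);                    /* the invocation returns */
    r.freed_while_in_table = m.freed;
    r.use_after_free = method_release(&m); /* destroy: table drops its reference */
    return r;
}

int main(void) {
    Result bad = run_scenario(1), ok = run_scenario(0);
    printf("reset to 1: freed early=%d, access after free=%d\n", bad.freed_while_in_table, bad.use_after_free);
    printf("count kept: freed early=%d, access after free=%d\n", ok.freed_while_in_table, ok.use_after_free);
    return 0;
}
```

In a real allocator the second release is where a checking allocator or valgrind would report the invalid block or freed-memory access.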