Tcl Source Code

% file mkdir ./~goo
% close [open ./~goo/test w]
% glob [file join * test]
make: *** [shell] Segmentation fault

subsequent commits corrected a regression.

allow_comments - 1


Patch committed for 8.5.8 and 8.6b2.

Attached patch for 8.5

File Added - 339991: 2837800.patch

handling the NULL return solves the
crash, leaving only the bug.  Will
commit if/when SF CVS returns.

sorry, that's the PATH_FLAGS != 0 representation.

When the user "goo" does not exist, then
the value "~goo" cannot be converted to
the "path" Tcl_ObjType.

The PATH_FLAGS == 0 representation
for a "path" value holds two parts of the
path.  In the crashing case, the head
part of the path is "~goo" and the tail
part is "test".  It is assumed deep in the
code that the head part of the path can
always be converted to the "path"
Tcl_ObjType.  There is no check for
the NULL result when that is not true,
and that leads to the crash.

In 8.5+, I observe that the header comments
of TclNewFSPathObj() claim that the dirPtr
argument must be an absolute path, but
when DoGlob() calls this routine, it makes
no effort to check that constraint is met.

It's not clear whether the header comment
claim is true, or where it gets relied on, if
anywhere.

fix with tests committed for 8.4.20.

Attached patch fixes things in 8.4.

File Added - 339245: 2837800-84.patch

A different variation of the same bug
in Tcl 8.4:

% file mkdir ./~dgp ;# empty directory
% glob */.mozilla
~dgp/.mozilla

The search in subdirectories of
the current directory is actually
finding something way over 
in my home directory instead.

The actual releases of Tcl 8.4, up through
8.4.19 are slightly better:

% glob */test
no files matched glob pattern "*/test"

It's a wrong result, but at least without
the empty error message demonstrated
in the tip of the core-8-4-branch.

8.3.5 works fine.

In Tcl 8.4, there is no crash, but
the incorrect result is not much better:

% glob [file join * test]

%

Stack trace from debug build of the
tip of the core-8-5-branch:

Program received signal SIGSEGV, Segmentation fault.
0x0807bf8a in Tcl_DbDecrRefCount (objPtr=0x0,
    file=0x8160368 "/home/dgp/cvs/tcl8.5/unix/../generic/tclPathObj.c",
    line=1690) at /home/dgp/cvs/tcl8.5/unix/../generic/tclObj.c:3153
3153        if (objPtr->refCount == 0x61616161) {
(gdb) bt
#0  0x0807bf8a in Tcl_DbDecrRefCount (objPtr=0x0,
    file=0x8160368 "/home/dgp/cvs/tcl8.5/unix/../generic/tclPathObj.c",
    line=1690) at /home/dgp/cvs/tcl8.5/unix/../generic/tclObj.c:3153
#1  0x080820c9 in Tcl_FSGetTranslatedPath (interp=0x89098d0, pathPtr=0x89752d8)
    at /home/dgp/cvs/tcl8.5/unix/../generic/tclPathObj.c:1690
#2  0x080ad652 in TclpMatchInDirectory (interp=0x89098d0, resultPtr=0x8974d10,
    pathPtr=0x89752d8, pattern=0x0, types=0x0)
    at /home/dgp/cvs/tcl8.5/unix/../unix/tclUnixFile.c:222
#3  0x080682ba in Tcl_FSMatchInDirectory (interp=0x89098d0,
    resultPtr=0x8974d10, pathPtr=0x89752d8, pattern=0x0, types=0x0)
    at /home/dgp/cvs/tcl8.5/unix/../generic/tclIOUtil.c:1102
#4  0x08145dc6 in DoGlob (interp=0x89098d0, matchesObj=0x8974d10,
    separators=0x816f602 "/", pathPtr=0x8975010, flags=1,
    pattern=0x897454a "test", types=0x0)
    at /home/dgp/cvs/tcl8.5/unix/../generic/tclFileName.c:2478
#5  0x08145941 in DoGlob (interp=0x89098d0, matchesObj=0x8974d10,
    separators=0x816f602 "/", pathPtr=0x0, flags=0,
    pattern=0x8974548 "*/test", types=0x0)
    at /home/dgp/cvs/tcl8.5/unix/../generic/tclFileName.c:2364
#6  0x08145010 in TclGlob (interp=0x89098d0, pattern=0x8974548 "*/test",
    pathPrefix=0x0, globFlags=0, types=0x0)
    at /home/dgp/cvs/tcl8.5/unix/../generic/tclFileName.c:1914
#7  0x0814471e in Tcl_GlobObjCmd (dummy=0x0, interp=0x89098d0, objc=1,
    objv=0x890ac6c) at /home/dgp/cvs/tcl8.5/unix/../generic/tclFileName.c:1584
...