#2327 segfault in [unset]

obsolete: 8.4.2
closed-fixed
miguel sofer
5
2004-05-22
2003-05-09
Don Porter
No

This script segfaults in Tcl 8.4.0 and later:

proc A { name } {
    upvar $name var
    set var [list $name]
}
proc foo {script} {
    uplevel 1 $script
}
namespace eval test {
    foo {A name}
    unset name
}

Looks like something wrong with the new
"varName" Tcl_ObjType.

Key elements: upvar through an uplevel
to a namespace eval context; potential
shimmering/sharing of the $name value.

Discussion

  • Don Porter
    2003-05-09

    Logged In: YES
    user_id=80530

    even simpler:

    proc A { name } {
        upvar $name var
        set var $name
    }
    proc foo {script} {
        uplevel 1 $script
    }
    namespace eval test {
        foo {A name}
        unset name
    }

     
  • miguel sofer
    2003-05-10

    Logged In: YES
    user_id=148712

    even simpler (look ma, no uplevel!):

    proc A { name } {
        upvar $name var
        set var $name
    }
    namespace eval test A x
    namespace eval test unset x

    Interestingly, no segfault if the last line is replaced with
    unset test::x

     
  • miguel sofer
    2003-05-12

    Logged In: YES
    user_id=148712

    Committed temporary fix by disabling usage of
    tclNsVarNameType, pending better understanding of the issue.

     
  • miguel sofer
    2003-05-12

    Logged In: YES
    user_id=148712

    This temp fix also fixed a previously undetected bug in 8.4:

    [mig@mini unix]$ tclsh
    % set x 1
    1
    % unset x
    % namespace eval test set x 0
    0
    % set x
    0

    After the temp fix, the result is as it should be:
    can't read "x": no such variable

     
  • miguel sofer
    2004-03-27

    Logged In: YES
    user_id=148712

    Mmhhh ... the bug does not appear in a --enable-symbols=all
    build :(

     
  • miguel sofer
    2004-03-27

    Logged In: YES
    user_id=148712

    It is TCL_MEM_DEBUG that shuts the bug off

     
  • miguel sofer
    2004-03-28

    Logged In: YES
    user_id=148712

    Some more puzzling data: I see no segfault now, but a panic:
    "malformed bucket chain in Tcl_DeleteHashEntry" - even under
    -DPURIFY.
    It may be some kind of double-free of the variable structure?

     
  • miguel sofer
    2004-05-22

    Logged In: YES
    user_id=148712

    Bug is now fixed. It was caused by insufficient protection
    during unset, in the case where the varName and varValue
    were the same Tcl_Obj of tclNsVarNameType.
    Resolution (simplified, see TclObjUnsetVar2 for the real
    thing):
    varPtr->refCount++; /* NEW */
    Tcl_DecrRefCount(varPtr->valuePtr);
    varPtr->refCount--; /* NEW */

     
  • miguel sofer
    2004-05-22

    • status: open --> closed-fixed
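
The protection described in the 2004-05-22 fix comment, as an added C model that is not Tcl's source and not code from this thread. The Var and Obj structs and the functions cleanup_var, obj_decr, unset_var and run_case are hypothetical simplifications; cleanups are counted instead of freed so the unguarded path stays well-defined.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model; these are not Tcl's real structures. */
typedef struct Var Var;
typedef struct Obj { int refCount; Var *cachedVar; } Obj;
struct Var { int refCount; int undefined; Obj *valuePtr; int cleanups; };

/* Stand-in for freeing the variable and deleting its hash entry.
 * Counting instead of calling free() keeps the unguarded path well-defined. */
static void cleanup_var(Var *v) {
    if (v->undefined && v->refCount == 0) v->cleanups++;
}

/* Dropping the last reference frees the object's internal rep, which
 * releases the cached variable reference and may clean the variable up. */
static void obj_decr(Obj *o) {
    if (--o->refCount > 0) return;
    if (o->cachedVar) { o->cachedVar->refCount--; cleanup_var(o->cachedVar); }
    free(o);
}

/* Returns how many times the variable was cleaned up; anything but 1 is a bug. */
static int unset_var(Var *v, int guard) {
    Obj *val = v->valuePtr;
    v->valuePtr = NULL;
    v->undefined = 1;
    if (guard) v->refCount++;   /* pin the variable across the release */
    obj_decr(val);              /* may re-enter cleanup_var(v) */
    if (guard) v->refCount--;
    cleanup_var(v);             /* unset's own final cleanup */
    return v->cleanups;
}

/* The case from the report: one object is both the name cache and the value. */
static int run_case(int guard) {
    Var v = {0, 0, NULL, 0};
    Obj *o = calloc(1, sizeof *o);
    if (!o) return -1;
    o->refCount = 1;            /* the variable's value holds the only reference */
    o->cachedVar = &v;          /* and the same object caches the variable lookup */
    v.refCount = 1;
    v.valuePtr = o;
    return unset_var(&v, guard);
}

int main(void) {
    printf("unguarded cleanups: %d\n", run_case(0));
    printf("guarded cleanups:   %d\n", run_case(1));
    return 0;
}
```

In the model, a second cleanup stands for the double release of the variable structure that the 2004-03-28 comment suspected.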