#3121 Tcl_LinkVar memory corruption causing crashes

obsolete: 8.4.9
closed-duplicate
miguel sofer
9
2005-10-22
2005-04-27
Anonymous
No

Copied email exchanges with Jeff.

Hi Eric,

Yes, I was able to repro it with a mem_debug build. I
also found that it is related to TCL_LINK_READ_ONLY -
if you remove that, the error does not occur. You should
file this at http://tcl.sourceforge.net/ where it can be
tracked through to fix.

Regards,
Jeff Hobbs, The Tcl Guy
http://www.ActiveState.com/, a division of Sophos

-----Original Message-----
From: Tse, Eric [mailto:eric.tse@intel.com]
Sent: April 26, 2005 3:23 PM
To: jeffh@activestate.com
Subject: RE: Tcl_LinkVar reproduced

Hi Jeff,

Can you reproduce it? Thanks,

Eric

--------------------------------------------------------------------------------

From: Tse, Eric
Sent: Tuesday, April 26, 2005 11:31 AM
To: 'jeffh@activestate.com'
Subject: Tcl_LinkVar reproduced

Hi Jeff,

Here is the diff from 8.4.9:

*** tclTest.c Tue Apr 26 11:11:02 2005

--- tclTest.c~ Mon Aug 30 12:58:48 2004

***************

*** 2482,2490 ****

*----------------------------------------------------------------------

*/

- static int eric1 = 0;

- static int eric2 = 0;

-

/* ARGSUSED */

static int

TestlinkCmd(dummy, interp, argc, argv)

--- 2482,2487 ----
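
Review bot: the file order in the header is reversed. The edited tclTest.c (Apr 26 2005) is listed as the old file and the backup tclTest.c~ (Aug 30 2004) as the new one, so the eric1 and eric2 declarations at 2482-2484 appear as '-' removals although they are the lines being added on top of 8.4.9. Regenerate the diff with the backup as the first file, or state that it has to be applied in reverse (patch -R).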

***************

*** 2502,2510 ****

char buffer[2*TCL_DOUBLE_SPACE];

int writable, flag;

Tcl_Obj *tmp;

-

- Tcl_LinkVar(interp, "eric_var", (char *) &eric1,
TCL_LINK_INT | TCL_LINK_READ_ONLY);

- Tcl_LinkVar(interp, "eric_var", (char *) &eric2,
TCL_LINK_INT | TCL_LINK_READ_ONLY);

if (argc < 2) {

Tcl_AppendResult(interp, "wrong # args: should be
\"", argv[0],

--- 2499,2504 ----
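
Review bot: both Tcl_LinkVar calls added at the top of TestlinkCmd discard their return value, so the reproduction gives no indication of which call fails. Compare each result against TCL_OK and report it. A short comment should also say that linking the same name "eric_var" twice, first to &eric1 and then to &eric2, with TCL_LINK_READ_ONLY is deliberate, since the calls sit ahead of the argc check and run on every testlink invocation.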

Steps to reproduce:

- gmake tcltest

- tcltest

- type “testlink” on the prompt

etse.cad889 [~/tmp/tcl8.4.9/unix]% tcltest

% testlink

file = ../generic/tclLink.c, line = 119

Trying to decrement refCount of previously disposed
object.

Abort

Thanks,

Eric

Discussion

  • miguel sofer
    2005-10-22

    • priority: 5 --> 9
     
  • miguel sofer
    2005-10-22

    Logged In: YES
    user_id=148712

    This flew under my radar - upping prio to check for presence
    in 8.4 and HEAD.

     
  • miguel sofer
    2005-10-22

    Logged In: YES
    user_id=148712

    The problem is that Tcl_LinkVar tries to set the variable to
    an obj with refCount 0. If that fails due to a trace (in the
    example, because the variable was read only), the obj's
    refcount is decremented by the SetVar code before returning,
    and the obj is freed. Therefore, the code in Tcl_LinkVar
    should not decrRefCount again.

    This is a special case of [Bug 1334947], which supersedes it.

     
  • miguel sofer
    2005-10-22

    • status: open --> closed-duplicate
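
The ownership problem explained in the discussion above, as an added toy model in C. It is not Tcl source code and not part of the original report; Obj, Var, set_var and link_var are hypothetical stand-ins for the object, the variable, the SetVar code and Tcl_LinkVar, and disposal is recorded in a flag instead of freeing memory so the stale decrement can be counted safely.

```c
/* Toy model of the ownership bug described above; not Tcl source code. */
#include <stdio.h>

typedef struct { int refCount; int disposed; } Obj;
typedef struct { Obj *value; int readOnly; } Var;

static int stale_decrements; /* decrements seen on an already disposed object */

static void decr_ref(Obj *o) {
    if (o->disposed) { stale_decrements++; return; } /* a mem_debug build aborts here */
    if (--o->refCount <= 0) o->disposed = 1;          /* stands in for freeing */
}

/* Models the setter: on a rejected write it disposes of a zero-ref value. */
static int set_var(Var *v, Obj *o) {
    if (v->readOnly) {
        if (o->refCount == 0) decr_ref(o);
        return -1;
    }
    if (v->value) decr_ref(v->value);
    o->refCount++;
    v->value = o;
    return 0;
}

/* Models linking: store a fresh zero-ref value, then mark the variable read-only. */
static int link_var(Var *v, Obj *fresh, int readOnly, int buggy) {
    fresh->refCount = 0; fresh->disposed = 0;
    if (set_var(v, fresh) != 0) {
        if (buggy) decr_ref(fresh); /* second release: the setter already disposed it */
        return -1;
    }
    v->readOnly = readOnly;
    return 0;
}

/* Link the same variable twice as read-only, as the reproduction does. */
static int stale_decrements_after_relink(int buggy) {
    Var var = {0, 0};
    Obj first, second;
    stale_decrements = 0;
    link_var(&var, &first, 1, buggy);
    link_var(&var, &second, 1, buggy);
    return stale_decrements;
}

int main(void) {
    printf("buggy: %d stale decrement(s)\n", stale_decrements_after_relink(1));
    printf("fixed: %d stale decrement(s)\n", stale_decrements_after_relink(0));
    return 0;
}
```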