#3869 Crash under SetChannelFromAny

obsolete: 8.5b3
closed-fixed
Jeffrey Hobbs
9
2007-12-09
2007-12-08
Pat Thoyts
No

The Tk test suite is crashing today in send.test. Built with msvc6 on Windows XP. A debugger shows this is coming from the bg::cleanup command and in C it flows from Tcl_Close to SetChannelFromAny. In this we try to make the input objPtr into a channel ptr and call

    if (objPtr->typePtr != NULL) {
        if (objPtr->bytes == NULL) {
            objPtr->typePtr->updateStringProc(objPtr);
        }
        TclFreeIntRep(objPtr);
    }

At this point typePtr says we have a list object. This string rep is tclEmptyStringRep (and not null) and the internal rep is NULL. AFAICT this shouldn't happen. If we call Tcl_NewListObj(0, NULL); we get an object without the typePtr being set to list (i.e. a string object). So we appear to have lost the internal rep somewhere.
When we call TclFreeIntRep it accesses the internal rep, tries to read the count member and segfaults dereferencing NULL.

I don't really know where the fault lies. But as it's been triggered by the new channel object - Jeff can have it :)

Discussion

  • Jeffrey Hobbs
    2007-12-09

    Logged In: YES
    user_id=72656
    Originator: NO

    OK, this can be reduced to this simpler case:

    catch {chan close [lreplace [list a] 0 end]}

    and I've committed the patch to fix it. What was happening is that I would update the string and free the internal rep *before* I'd validated the channel was valid. Thus you could get tclListObj without any internal rep. The free step has to occur after we've validated the channel (could also set the typePtr to NULL, but then we'd lose the other rep needlessly in some cases).

    Committed with tests.

     
  • Jeffrey Hobbs
    2007-12-09

    • status: open --> closed-fixed
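
The ordering problem discussed in this ticket, as an added example that is not Tcl's source or the committed patch: a simplified model in which a failed channel conversion either leaves a list-typed object with no internal rep (free before validate) or leaves it untouched (validate before free). The Obj/ObjType structs, lookup_channel and the other names are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for Tcl_Obj / Tcl_ObjType; all names are hypothetical. */
typedef struct Obj Obj;
typedef struct ObjType { void (*freeIntRep)(Obj *); } ObjType;
struct Obj { const char *bytes; const ObjType *typePtr; void *intRep; };

static void list_free(Obj *o) { free(o->intRep); o->intRep = NULL; }
static const ObjType listType = { list_free };
static const ObjType chanType = { NULL };

/* Constructed channel table: only "stdout" is a valid channel name. */
static void *lookup_channel(const char *name) {
    static int stdout_chan;
    return strcmp(name, "stdout") == 0 ? &stdout_chan : NULL;
}

/* Ordering described in the report: old rep freed before validation. */
static int set_channel_buggy(Obj *o) {
    if (o->typePtr && o->typePtr->freeIntRep) o->typePtr->freeIntRep(o);
    void *chan = lookup_channel(o->bytes);
    if (chan == NULL) return -1;          /* typePtr still says "list" */
    o->typePtr = &chanType; o->intRep = chan;
    return 0;
}

/* Ordering described in the fix: validate first, free only on success. */
static int set_channel_fixed(Obj *o) {
    void *chan = lookup_channel(o->bytes);
    if (chan == NULL) return -1;          /* object left untouched */
    if (o->typePtr && o->typePtr->freeIntRep) o->typePtr->freeIntRep(o);
    o->typePtr = &chanType; o->intRep = chan;
    return 0;
}

/* Invariant the crash violated: a list-typed object must have an internal rep. */
static int is_consistent(const Obj *o) {
    return o->typePtr != &listType || o->intRep != NULL;
}
static Obj make_empty_list(void) {        /* empty string rep, as in the reduced case */
    return (Obj){ "", &listType, calloc(1, sizeof(int)) };
}

int main(void) {
    Obj a = make_empty_list(), b = make_empty_list();
    set_channel_buggy(&a); set_channel_fixed(&b);
    return (!is_consistent(&a) && is_consistent(&b)) ? 0 : 1;
}
```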