From: SourceForge.net <no...@so...> - 2003-01-20 18:10:12

Bugs item #635200, was opened at 2002-11-07 13:51
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=635200&group_id=10894

Category: 42. UTF-8 Strings
Group: 8.4.1
Status: Open
Resolution: Fixed
Priority: 9
Submitted By: Vince Darley (vincentdarley)
Assigned to: Andreas Kupries (andreas_kupries)
Summary: crash in string object manipulation

Initial Comment:
The following code:

    #include <tcl.h>

    int main(void)
    {
        int len;
        Tcl_Obj *objPtr;

        objPtr = Tcl_NewObj();
        Tcl_AppendToObj(objPtr, "foobar\n", 7);
        Tcl_GetUnicodeFromObj(objPtr, &len);    /* object now carries a Unicode rep */
        Tcl_AppendToObj(objPtr, "foobar\n", 7); /* append goes to the Unicode rep; string rep invalidated */
        Tcl_GetUnicodeFromObj(objPtr, &len);
        Tcl_SetObjLength(objPtr, 0);            /* discards the Unicode rep while objPtr->bytes == NULL */
        Tcl_AppendToObj(objPtr, "foobar\n", 7); /* crash: copies into objPtr->bytes == NULL */
        return 0;
    }

results in a crash because objPtr->bytes == NULL and Tcl_AppendToObj tries to copy into it. The crash occurs in AppendUtfToUtfRep here:

    memcpy((VOID *) (objPtr->bytes + oldLength), (VOID *) bytes, (size_t) numBytes);

I don't know enough to be able to attempt to reproduce this in pure Tcl, but my implementation of tip113 ran into this problem...

----------------------------------------------------------------------

>Comment By: Andreas Kupries (andreas_kupries)
Date: 2003-01-20 10:13

Message:
Logged In: YES
user_id=75003

See also Tcl Bug 671138.

----------------------------------------------------------------------

Comment By: Jeffrey Hobbs (hobbs)
Date: 2003-01-20 10:10

Message:
Logged In: YES
user_id=72656

Fix invalid. Still needs analysis.

----------------------------------------------------------------------

Comment By: Vince Darley (vincentdarley)
Date: 2003-01-17 03:29

Message:
Logged In: YES
user_id=32170

Studied the code a bit more closely, and the fix is actually quite simple. Tcl_SetObjLength is completely unaware of the fact that a Unicode StringObj may not have a valid objPtr->bytes, so by zeroing out the Unicode rep, that function has destroyed all available information about the object! Will commit a fix asap.

----------------------------------------------------------------------

Comment By: Vince Darley (vincentdarley)
Date: 2003-01-14 10:58

Message:
Logged In: YES
user_id=32170

Upping priority to suggest this crash should be fixed for 8.4.2. Here is a sample script:

    teststringobj set 1 foo
    teststringobj getunicode 1
    teststringobj append 1 bar -1
    teststringobj getunicode 1
    teststringobj append 1 bar -1
    teststringobj setlength 1 0
    teststringobj append 1 bar -1
    teststringobj get 1

*crash*

----------------------------------------------------------------------

Comment By: Vince Darley (vincentdarley)
Date: 2002-11-13 14:12

Message:
Logged In: YES
user_id=32170

See stringObj.test test number 14.1 for how to reproduce this using the tcl test suite. The test is currently marked as knownBug.

----------------------------------------------------------------------

Comment By: Vince Darley (vincentdarley)
Date: 2002-11-11 14:10

Message:
Logged In: YES
user_id=32170

Had a closer look at the code. The basic problem is this: Objects with a Unicode internal representation can have their string representation invalidated (as when more Unicode bytes are appended to the object), so that 'objPtr->bytes == NULL'. If, at that point, either Tcl_SetObjLength or Tcl_AttemptSetObjLength is called, the object is in a bad state. Neither of those functions knows what it is doing in that case (in fact, the first thing they do is invalidate the Unicode representation, which is terribly wasteful!), and they end up placing the object in a state from which it cannot recover (both internal and string rep are gone). I don't have enough expertise in this area to go much further, so I'd appreciate any help.

----------------------------------------------------------------------

Comment By: Vince Darley (vincentdarley)
Date: 2002-11-11 05:04

Message:
Logged In: YES
user_id=32170

Also, if one replaces the last two calls with:

    Tcl_SetObjLength(objPtr, 0);
    Tcl_GetStringFromObj(objPtr, NULL);
    Tcl_AppendToObj(objPtr, "foobar\n", 7);
    Tcl_AppendToObj(objPtr, "foobar\n", 7);
    Tcl_AppendToObj(objPtr, "foobar\n", 7);
    Tcl_AppendToObj(objPtr, "foobar\n", 7);
    Tcl_AppendToObj(objPtr, "foobar\n", 7);

then Tcl tramples all over memory.

----------------------------------------------------------------------
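The state problem discussed in this thread, modelled in a small standalone C program added here as an illustration; it is not Tcl's code. StrObj and the strobj_* functions are hypothetical names, characters are assumed ASCII so one byte maps to one Unicode unit, and strobj_set_length shows the missing step: regenerate the string rep before discarding the Unicode rep, so the object never ends up with both representations gone.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical Tcl_Obj-like string object (not Tcl's code): bytes or uni may be NULL, never both. */
typedef struct {
    char *bytes;          /* string rep, NULL once invalidated */
    unsigned short *uni;  /* Unicode rep, NULL until generated */
    int len;              /* characters; ASCII assumed, so bytes == chars */
} StrObj;
StrObj *strobj_new(void) {                 /* starts with an empty string rep */
    StrObj *o = calloc(1, sizeof *o); o->bytes = calloc(1, 1); return o;
}
const char *strobj_get_string(StrObj *o) { /* regenerate bytes from uni if needed */
    if (o->bytes == NULL) {
        o->bytes = malloc(o->len + 1);
        for (int i = 0; i < o->len; i++) o->bytes[i] = (char)o->uni[i];
        o->bytes[o->len] = '\0';
    }
    return o->bytes;
}
const unsigned short *strobj_get_unicode(StrObj *o) { /* regenerate uni from bytes */
    if (o->uni == NULL) {
        o->uni = malloc((o->len + 1) * sizeof *o->uni);
        for (int i = 0; i <= o->len; i++) o->uni[i] = (unsigned char)o->bytes[i];
    }
    return o->uni;
}
/* Appending to a Unicode-backed object invalidates the string rep (bytes becomes NULL). */
void strobj_append(StrObj *o, const char *s, int n) {
    if (o->uni != NULL) {
        o->uni = realloc(o->uni, (o->len + n + 1) * sizeof *o->uni);
        for (int i = 0; i < n; i++) o->uni[o->len + i] = (unsigned char)s[i];
        o->uni[o->len + n] = 0;
        free(o->bytes); o->bytes = NULL;
    } else {
        o->bytes = realloc(o->bytes, o->len + n + 1);
        memcpy(o->bytes + o->len, s, n);
        o->bytes[o->len + n] = '\0';
    }
    o->len += n;
}
/* Hardened SetObjLength: regenerate the string rep before dropping the Unicode rep. */
void strobj_set_length(StrObj *o, int n) {
    strobj_get_string(o);                  /* the step the reported code lacked */
    free(o->uni); o->uni = NULL;
    o->bytes = realloc(o->bytes, n + 1);
    if (n > o->len) memset(o->bytes + o->len, 0, n - o->len);
    o->bytes[n] = '\0';
    o->len = n;
}
```

Running the report's exact call sequence against this model leaves bytes NULL after the second append, and the set-length step then rebuilds it instead of crashing.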