#3727 Memory corruption in Tcl_UpdateLinkedVar

Milestone: obsolete: 8.4.15
Status: closed-fixed
Priority: 9
Updated: 2007-09-10
Created: 2007-06-20
Creator: Anonymous
Private: No

Solaris 10 on sparc

Calling Tcl_UnlinkVar in a callback that is invoked by Tcl_UpdateLinkedVar causes memory corruption because linkPtr is used after it has been freed.

Here is a patch to fix the problem by making a second call to Tcl_VarTraceInfo.

--- tcl8.4.15/generic/tclLink.c 2007-05-10 11:23:58.000000000 -0700
+++ tcl8.4.15-new/generic/tclLink.c 2007-06-20 14:19:24.792783000 -0700
@@ -206,6 +206,12 @@
Tcl_IncrRefCount(objPtr);
Tcl_ObjSetVar2(interp, linkPtr->varName, NULL, objPtr, TCL_GLOBAL_ONLY);
Tcl_DecrRefCount(objPtr);
+ /* Callback may have unlinked the variable */
+ linkPtr = (Link *) Tcl_VarTraceInfo(interp, varName, TCL_GLOBAL_ONLY,
+ LinkTraceProc, (ClientData) NULL);
+ if (linkPtr == NULL) {
+ return;
+ }
linkPtr->flags = (linkPtr->flags & ~LINK_BEING_UPDATED) | savedFlag;
}
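Review bot: the re-lookup after Tcl_DecrRefCount closes the use-after-free on linkPtr, but it does not distinguish "callback unlinked the variable" from "callback unlinked and re-linked the same name": in the second case Tcl_VarTraceInfo returns the freshly created Link and the final line then applies savedFlag, taken from the freed Link, to it. The effect is benign today (it only clears LINK_BEING_UPDATED, which a new Link would not have set), but the comment `/* Callback may have unlinked the variable */` should say that the flags write intentionally targets whatever Link is current after the callback, so a later change to the flag semantics does not silently inherit stale state. The lookup flags (TCL_GLOBAL_ONLY, LinkTraceProc, NULL prevClientData) match the Tcl_ObjSetVar2 call above it, which is what makes the re-lookup find the same trace.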

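The failure mode and the fix, as an added illustration that is not Tcl's code: a hypothetical, simplified model of the link table in which the write callback can free the very Link the updater is holding, and an updater that re-looks-up the Link by name after the callback instead of reusing the stale pointer (the names linkVar, findLink, unlinkVar and updateLinkedVar are stand-ins for Tcl_LinkVar, Tcl_VarTraceInfo, Tcl_UnlinkVar and Tcl_UpdateLinkedVar).

```c
#include <stdlib.h>
#include <string.h>

#define LINK_BEING_UPDATED 1

/* Hypothetical model of a Tcl Link: name, flags and the trace callback
 * that fires when the variable is written (the role of LinkTraceProc). */
typedef struct Link {
    char name[32];
    int flags;
    void (*onWrite)(const char *name);
    struct Link *next;
} Link;

static Link *links;   /* registry standing in for the interpreter's trace list */
int writes;           /* how many times a callback ran (for the checks below) */

void linkVar(const char *name, void (*onWrite)(const char *)) {
    Link *l = calloc(1, sizeof *l);
    strncpy(l->name, name, sizeof l->name - 1);
    l->onWrite = onWrite;
    l->next = links;
    links = l;
}

/* Stand-in for Tcl_VarTraceInfo: the live Link for name, or NULL. */
Link *findLink(const char *name) {
    for (Link *l = links; l; l = l->next)
        if (strcmp(l->name, name) == 0) return l;
    return NULL;
}

/* Stand-in for Tcl_UnlinkVar: unhook and free the Link. */
void unlinkVar(const char *name) {
    for (Link **pp = &links; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->name, name) == 0) { Link *d = *pp; *pp = d->next; free(d); return; }
}

void countingCallback(const char *name)  { (void)name; writes++; }
void unlinkingCallback(const char *name) { writes++; unlinkVar(name); }  /* frees the caller's Link */

/* Patched updater: returns 1 if the Link survived the callback, 0 if it was unlinked. */
int updateLinkedVar(const char *name) {
    Link *linkPtr = findLink(name);
    if (!linkPtr) return 0;
    int savedFlag = linkPtr->flags & LINK_BEING_UPDATED;
    linkPtr->flags |= LINK_BEING_UPDATED;
    linkPtr->onWrite(name);        /* may free linkPtr: the unpatched code dereferenced it here */
    linkPtr = findLink(name);      /* the fix: re-lookup rather than reuse the possibly freed pointer */
    if (!linkPtr) return 0;
    linkPtr->flags = (linkPtr->flags & ~LINK_BEING_UPDATED) | savedFlag;
    return 1;
}
```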
Discussion

  • Donal K. Fellows

    • priority: 5 --> 9
     
  • Edward Maros

    Edward Maros - 2007-07-16

    This patch has allowed our application to run continuously for several weeks where before we would have aborts once a day.

     
  • Jeffrey Hobbs

    Jeffrey Hobbs - 2007-09-10

    In 8.4.16 and 8.5b1.

     
  • Jeffrey Hobbs

    Jeffrey Hobbs - 2007-09-10
    • status: open --> closed-fixed
     