From: SourceForge.net <no...@so...> - 2010-10-06 21:05:01
Bugs item #3081065, was opened at 2010-10-04 20:25
Message generated for change (Settings changed) made by nijtmans
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110894&aid=3081065&group_id=10894

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: 47. Bytecode Compiler
Group: development: 8.6b1.1
>Status: Open
Resolution: Fixed
Priority: 9
Private: No
Submitted By: Don Porter (dgp)
Assigned to: Don Porter (dgp)
Summary: post-free writes to Tcl_Obj fields

Initial Comment:
Tcl HEAD:

$ make test TESTFLAGS='-singleproc 1 -file "http.test httpold.test"'
...
http.test
Running httpd in thread 1080544144
httpold.test
Running http 1.0 tests in slave interp
httpold.test: Total 31 Passed 31 Skipped 0 Failed 0
make: *** [test-tcl] Segmentation fault

segfault after [tcltest::cleanupTests] returns.

----------------------------------------------------------------------

>Comment By: Jan Nijtmans (nijtmans)
Date: 2010-10-06 23:05

Message:
Two minor observations:
- If this can happen in FreeSubstCodeInternalRep, then it can happen in FreeByteCodeInternalRep as well.
- After modifying FreeByteCodeInternalRep, its implementation is equal to FreeSubstCodeInternalRep, so one of them could be eliminated.

I don't know if a test case can be found for this, but better safe than sorry. Here is a patch. The FreeByteCodeInternalRep change should be backported to 8.5 and 8.4 as well IMHO.

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2010-10-06 20:39

Message:
Committed.

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2010-10-06 20:24

Message:
Attached is a fix with test.
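An added illustration of the ordering hazard this thread is about, written for this page as a simplified model and not taken from Tcl's sources (the type and function names below are assumptions): a freeIntRepProc that writes to the object's fields after a cleanup call which can drop the object's last reference, next to the ordering that detaches the internal rep first and never touches the object afterwards.

```c
#include <stddef.h>

/* Simplified model, not Tcl's own code: an object whose internal rep is a
 * compiled code block, while that code block holds a reference back to the
 * object (e.g. as one of its literals). "Freeing" sets a flag instead of
 * calling free(), so a post-free write is detected instead of corrupting memory. */
typedef struct Obj Obj;
typedef struct Code { int refCount; Obj *literal; } Code;
struct Obj { int refCount; Code *intRep; const char *typePtr; int freed; };

static void decrRefCount(Obj *objPtr) {
    if (--objPtr->refCount <= 0) objPtr->freed = 1;   /* stands in for TclFreeObj */
}

/* Stands in for TclCleanupByteCode: releasing the code drops the references it
 * holds, which may be the last reference to the very object being cleaned up. */
static void cleanupCode(Code *codePtr) { decrRefCount(codePtr->literal); }

/* Buggy ordering: objPtr fields are written after the cleanup that may have
 * freed objPtr. Returns 1 if such a post-free write happened. */
static int freeIntRepBuggy(Obj *objPtr) {
    Code *codePtr = objPtr->intRep;
    int postFreeWrite;
    if (--codePtr->refCount <= 0) cleanupCode(codePtr);
    postFreeWrite = objPtr->freed;   /* objPtr may already be gone at this point */
    objPtr->typePtr = NULL;
    objPtr->intRep = NULL;
    return postFreeWrite;
}

/* Fixed ordering: detach the internal rep from objPtr first, then run the
 * cleanup, and never dereference objPtr afterwards. */
static int freeIntRepFixed(Obj *objPtr) {
    Code *codePtr = objPtr->intRep;
    objPtr->typePtr = NULL;
    objPtr->intRep = NULL;
    if (--codePtr->refCount <= 0) cleanupCode(codePtr);
    return 0;
}

/* Constructed scenario: the code block is the only holder of a reference to the object. */
static void makeScenario(Obj *objPtr, Code *codePtr) {
    codePtr->refCount = 1; codePtr->literal = objPtr;
    objPtr->refCount = 1; objPtr->intRep = codePtr;
    objPtr->typePtr = "bytecode"; objPtr->freed = 0;
}
/* Run each variant on a fresh scenario; 1 means a write to a freed object occurred. */
int runBuggy(void) { Obj o; Code c; makeScenario(&o, &c); return freeIntRepBuggy(&o); }
int runFixed(void) { Obj o; Code c; makeScenario(&o, &c); return freeIntRepFixed(&o); }
```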
----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2010-10-05 18:30

Message:
When calling TclCleanupByteCode() to free the internal rep of a Tcl_Obj, it is possible to reduce the refcount on that same Tcl_Obj to zero, causing it to be freed. This means a freeIntRepProc ought not be writing to the objPtr->fields after TCBC returns.

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2010-10-05 15:19

Message:
Attached is a demo script. The crash is in MoveObjs in the thread-enabled allocator. The chain of Tcl_Objs is corrupted with a NULL value where a link in the chain ought to be. Suspect the real cause must be something continuing to write NULLs to an intrep after the Tcl_Obj has been freed. The <substcode> Tcl_ObjType is a likely suspect, but not yet confirmed.

----------------------------------------------------------------------

Comment By: Kevin B KENNY (kennykb)
Date: 2010-10-04 22:41

Message:
Stack trace:

==24462== Invalid read of size 4
==24462==    at 0x4137C32: MoveObjs (tclThreadAlloc.c:719)
==24462==    by 0x413794F: TclThreadFreeObj (tclThreadAlloc.c:630)
==24462==    by 0x4115C3E: TclFreeObj (tclObj.c:1447)
==24462==    by 0x414AA06: DeleteArray (tclVar.c:5430)
==24462==    by 0x414649E: UnsetVarStruct (tclVar.c:2532)
==24462==    by 0x414A69F: TclDeleteNamespaceVars (tclVar.c:5253)
==24462==    by 0x410F89E: TclTeardownNamespace (tclNamesp.c:1053)
==24462==    by 0x4052B0B: DeleteInterpProc (tclBasic.c:1419)
==24462==    by 0x4125AF8: Tcl_EventuallyFree (tclPreserve.c:299)
==24462==    by 0x4052944: Tcl_DeleteInterp (tclBasic.c:1308)
==24462==    by 0x40E8DEE: SlaveObjCmdDeleteProc (tclInterp.c:2587)
==24462==    by 0x4054A41: Tcl_DeleteCommandFromToken (tclBasic.c:3021)
==24462==  Address 0x10 is not stack'd, malloc'd or (recently) free'd

----------------------------------------------------------------------

Comment By: miguel sofer (msofer)
Date: 2010-10-04 21:35

Message:
No repro here, and valgrind looks happy enough

----------------------------------------------------------------------

Comment By: Don Porter (dgp)
Date: 2010-10-04 20:33

Message:
Narrowing it down, same segfault from:

make test TESTFLAGS='-singleproc 1 -file "http.test httpold.test" -match httpold-5.1'

so only one test is run.

----------------------------------------------------------------------