From: <no...@so...> - 2000-11-08 11:03:42
Bug #119216, was updated on 2000-Oct-25 22:03
Here is a current snapshot of the bug.

Project: Tcl
Category: Commands
Status: Open
Resolution: None
Bug Group: 8.2.2
Priority: 8
Summary: Namespace double delete - causes core dump

Details: OriginalBugID: 3875 Bug
Version: 8.2.2
SubmitDate: '1999-12-14'
LastModified: '2000-04-03'
Severity: CRIT
Status: Assigned
Submitter: techsupp
ChangedBy: hobbs
OS: Solaris
OSVersion: all unix and NT
Machine: Sun, IRIX
FixedDate: '2000-10-25'
ClosedDate: '2000-10-25'

Name:
scott waldon

CVS:
n/a

Extensions:
Itcl 3.1a

CustomShell:
Dash patch and print statements to find this

Comments:
This error exists on SGI, HP, Sun, and NT - Berry Kercheval from Scriptics worked with us on site last week and narrowed it down to some code that does something like this. I boiled it down to this 20 line script. This particular script bombs on Tcl 7.6 as well as 8.2. Our production code doesn't seem to exhibit this behavior on 7.6.

ReproducibleScript:
It is possible that this is an itcl error - however since it appears to be in the namespace code which is part of the tcl core I filed it here.

    package require Itcl

    puts "\n\n\nDefine Class ABC"
    itcl::class ABC {
        public method SomeMethod {} {
            puts "In SomeMethod"
            #
            # The renaming or redefinition of command from a command
            # of type itcl::class to a tcl::proc causes a nasty
            # core dump. This causes a double delete on the namespace
            uplevel #0 [list proc ABC { args } {}]
        }
    }

    puts "Create Class instance <foo>"
    ABC foo
    foo SomeMethod

ObservedBehavior:
the interpreter core dumps - here are the print statements put in by Berry Kercheval from Scriptics that helped us track down the problem. Notice the double delete.

    CreateNS: init NS cnt to 0
    CreateNS: init NS cnt to 0
    deleting namespace
    NamespaceFree: freeing
    CreateNS: init auto_mkindex_parser NS cnt to 0
    CreateNS: init Labeledwidget NS cnt to 0
    Tcl8Port-Script: 1
    CreateNS: init itcl NS cnt to 0
    CreateNS: init import NS cnt to 0
    CreateNS: init parser NS cnt to 0
    CreateNS: init builtin NS cnt to 0
    CreateNS: init old-parser NS cnt to 0
    CreateNS: init old-builtin NS cnt to 0
    SetNSFA: incr itcl NS cnt to 1
    FNSNIP: decr itcl NS cnt to 0
    Define Class ABC
    CreateNS: init ABC NS cnt to 0
    Create Class instance <foo>
    Load Pkg - Create Tcl Command with same name
    In SomeMethod
    namespace ABC is dying
    deleting namespace ABC
    deleting namespace ABC
    NamespaceFree: freeing ABC
    Itcl_ReleaseData can't find reference for 0x9bd48
    Abort (core dumped)

purify output below - this purify output is different from the original that caused us to research this problem - in that the original problem died due to FMR/FMW and had no SBR's - but both are probably caused by the same thing.

    **** FMR: Free memory read:
      * This is occurring while in:
            ItclDestroyClassNamesp [itcl_class.c]
            TclTeardownNamespace [tclNamesp.c:828]
            Tcl_DeleteNamespace [tclNamesp.c:641]
            Tcl_PopCallFrame [tclNamesp.c:398]
            Itcl_PopContext [tclStubLib.c]
            Itcl_HandleInstance [tclStubLib.c]
            EvalObjv [tclParse.c:932]
            Tcl_EvalEx [tclParse.c:1393]
            Tcl_EvalFile [tclIOUtil.c:323]
            Tk_MainEx [tkMain.c:227]
            UnixCreateMain [isight_pkg.c:183]
            IsightCreateMainInterp [isight_pkg.c:719]
      * Reading 4 bytes from 0x2870a0 in the heap.
      * Address 0x2870a0 is 32 bytes into a freed block at 0x287080 of 332 bytes.
      * This block was allocated from:
            malloc [rtlib.o]
            TclpAlloc [tclAlloc.c:666]
            Tcl_Alloc [tclCkalloc.c:810]
            Itcl_CreateClass [tclStubLib.c]
            Itcl_ClassCmd [tclStubLib.c]
            EvalObjv [tclParse.c:932]
            Tcl_EvalEx [tclParse.c:1393]
            Tcl_EvalFile [tclIOUtil.c:323]
            Tk_MainEx [tkMain.c:227]
            UnixCreateMain [isight_pkg.c:183]
            IsightCreateMainInterp [isight_pkg.c:719]
            IsightCreateMainInterp [isight_stub.c:174]
      * There have been 6 frees since this block was freed from:
            free [rtlib.o]
            TclpFree [tclAlloc.c:689]
            Tcl_Free [tclCkalloc.c:903]
            ItclFreeClass [itcl_class.c]
            Itcl_ReleaseData [tclStubLib.c]
            ItclFreeObject [itcl_objects.c]
            Itcl_ReleaseData [tclStubLib.c]
            Tcl_DeleteCommandFromToken [tclBasic.c:2318]
            ItclDestroyClassNamesp [itcl_class.c]
            TclTeardownNamespace [tclNamesp.c:828]
            Tcl_DeleteNamespace [tclNamesp.c:641]
            Tcl_PopCallFrame [tclNamesp.c:398]

    **** Purify instrumented /vob/prod/runtime/bin/SunOS_5.6/is_wish_pure.exe (pid 22235) ****
    FMR: Free memory read:
      * This is occurring while in:
            ItclDestroyClassNamesp [itcl_class.c]
            TclTeardownNamespace [tclNamesp.c:828]
            Tcl_DeleteNamespace [tclNamesp.c:641]
            Tcl_PopCallFrame [tclNamesp.c:398]
            Itcl_PopContext [tclStubLib.c]
            Itcl_HandleInstance [tclStubLib.c]
            EvalObjv [tclParse.c:932]
            Tcl_EvalEx [tclParse.c:1393]
            Tcl_EvalFile [tclIOUtil.c:323]
            Tk_MainEx [tkMain.c:227]
            UnixCreateMain [isight_pkg.c:183]
            IsightCreateMainInterp [isight_pkg.c:719]
      * Reading 4 bytes from 0x287090 in the heap.
      * Address 0x287090 is 16 bytes into a freed block at 0x287080 of 332 bytes.
      * This block was allocated from:
            malloc [rtlib.o]
            TclpAlloc [tclAlloc.c:666]
            Tcl_Alloc [tclCkalloc.c:810]
            Itcl_CreateClass [tclStubLib.c]
            Itcl_ClassCmd [tclStubLib.c]
            EvalObjv [tclParse.c:932]
            Tcl_EvalEx [tclParse.c:1393]
            Tcl_EvalFile [tclIOUtil.c:323]
            Tk_MainEx [tkMain.c:227]
            UnixCreateMain [isight_pkg.c:183]
            IsightCreateMainInterp [isight_pkg.c:719]
            IsightCreateMainInterp [isight_stub.c:174]
      * There have been 6 frees since this block was freed from:
            free [rtlib.o]
            TclpFree [tclAlloc.c:689]
            Tcl_Free [tclCkalloc.c:903]
            ItclFreeClass [itcl_class.c]
            Itcl_ReleaseData [tclStubLib.c]
            ItclFreeObject [itcl_objects.c]
            Itcl_ReleaseData [tclStubLib.c]
            Tcl_DeleteCommandFromToken [tclBasic.c:2318]
            ItclDestroyClassNamesp [itcl_class.c]
            TclTeardownNamespace [tclNamesp.c:828]
            Tcl_DeleteNamespace [tclNamesp.c:641]
            Tcl_PopCallFrame [tclNamesp.c:398]

    **** Purify instrumented /vob/prod/runtime/bin/SunOS_5.6/is_wish_pure.exe (pid 22235) ****
    SBR: Stack array bounds read:
      * This is occurring while in:
            Tcl_PanicVA [tclPanic.c:82]
            Tcl_Panic [tclPanic.c:121]
            Itcl_ReleaseData [tclStubLib.c]
            ItclDestroyClassNamesp [itcl_class.c]
            TclTeardownNamespace [tclNamesp.c:828]
            Tcl_DeleteNamespace [tclNamesp.c:641]
            Tcl_PopCallFrame [tclNamesp.c:398]
            Itcl_PopContext [tclStubLib.c]
            Itcl_HandleInstance [tclStubLib.c]
            EvalObjv [tclParse.c:932]
            Tcl_EvalEx [tclParse.c:1393]
            Tcl_EvalFile [tclIOUtil.c:323]
      * Reading 4 bytes from 0xefffe538.
      * Frame pointer 0xefffe538
      * Address 0xefffe538 is 0 bytes above stack pointer in function ItclDestroyClassNamesp.

    **** Purify instrumented /vob/prod/runtime/bin/SunOS_5.6/is_wish_pure.exe (pid 22235) ****
    SBR: Stack array bounds read:
      * This is occurring while in:
            Tcl_PanicVA [tclPanic.c:83]
            Tcl_Panic [tclPanic.c:121]
            Itcl_ReleaseData [tclStubLib.c]
            ItclDestroyClassNamesp [itcl_class.c]
            TclTeardownNamespace [tclNamesp.c:828]
            Tcl_DeleteNamespace [tclNamesp.c:641]
            Tcl_PopCallFrame [tclNamesp.c:398]
            Itcl_PopContext [tclStubLib.c]
            Itcl_HandleInstance [tclStubLib.c]
            EvalObjv [tclParse.c:932]
            Tcl_EvalEx [tclParse.c:1393]
            Tcl_EvalFile [tclIOUtil.c:323]
      * Reading 4 bytes from 0xefffe53c.
      * Frame pointer 0xefffe538
      * Address 0xefffe53c is 4 bytes above stack pointer in function ItclDestroyClassNamesp.

    **** Purify instrumented /vob/prod/runtime/bin/SunOS_5.6/is_wish_pure.exe (pid 22235) ****
    COR: Fatal core dump:
      * This is occurring while in:
            _p921static [crtn.o]
            abort [libc.so.1]
            Tcl_PanicVA [tclPanic.c:93]
            Tcl_Panic [tclPanic.c:121]
            Itcl_ReleaseData [tclStubLib.c]
            ItclDestroyClassNamesp [itcl_class.c]
            TclTeardownNamespace [tclNamesp.c:828]
            Tcl_DeleteNamespace [tclNamesp.c:641]
            Tcl_PopCallFrame [tclNamesp.c:398]
            Itcl_PopContext [tclStubLib.c]
            Itcl_HandleInstance [tclStubLib.c]
            EvalObjv [tclParse.c:932]
      * Received signal 6 (SIGABRT - Abort)
      * Signal mask:
      * Pending signals:
    [waldon@eng007 (waldon-t82) 28]>

DesiredBehavior:
If you evaluate the proc ABC prior to the method call - i.e. outside the class - it simply deletes the class namespace and all its associated objects and replaces it with a proc and does not core dump - it does this with no warning message, which I find a little disturbing.

This may be an Itcl problem, verified with Itcl3.1/Tcl8.3.0
-- 04/03/2000 hobbs

For detailed info, follow this link:
http://sourceforge.net/bugs/?func=detailbug&bug_id=119216&group_id=10894
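
Added example, not part of the original report and not Tcl or [incr Tcl] source: a simplified C model of the sequence in the log above, where a delete requested while a method is still running inside the namespace is deferred until the call frame pops, and the teardown hook then asks for the delete a second time. The struct, flag and function names are all hypothetical; the `guarded` switch shows how a teardown-in-progress flag turns the second request into a no-op.

```c
#include <stdio.h>
/* Simplified model, constructed for illustration; not Tcl or [incr Tcl] source. */
enum { NS_DYING = 1, NS_TEARDOWN = 2 };

typedef struct Ns {
    int flags;
    int active;    /* call frames currently executing inside the namespace */
    int has_cmd;   /* class access command still registered */
    int releases;  /* times the storage was released; must end at exactly 1 */
} Ns;

static void ns_delete(Ns *ns, int guarded);
/* Teardown hook: removing the class command re-requests namespace deletion. */
static void class_cleanup(Ns *ns, int guarded) {
    if (ns->has_cmd) {
        ns->has_cmd = 0;
        ns_delete(ns, guarded);
    }
}

static void ns_delete(Ns *ns, int guarded) {
    if (ns->active > 0) {           /* code is running inside: defer */
        ns->flags |= NS_DYING;
        return;
    }
    if (guarded && (ns->flags & NS_TEARDOWN))
        return;                     /* teardown already in progress */
    ns->flags |= NS_DYING | NS_TEARDOWN;
    class_cleanup(ns, guarded);
    ns->releases++;                 /* stands in for free(ns) */
}

static void ns_pop_frame(Ns *ns, int guarded) {
    if (--ns->active == 0 && (ns->flags & NS_DYING))
        ns_delete(ns, guarded);     /* the deferred delete runs here */
}

/* A method running inside the namespace causes its deletion, then returns. */
static int run_scenario(int guarded) {
    Ns ns = { 0, 1, 1, 0 };         /* one active frame, command present */
    ns_delete(&ns, guarded);        /* requested mid-method: deferred */
    ns_pop_frame(&ns, guarded);     /* method returns */
    return ns.releases;
}

int main(void) {
    printf("releases: unguarded=%d guarded=%d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

The model counts releases instead of calling free() twice, so the unguarded path can be observed without corrupting the heap.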