Tk Toolkit / Read-Only Bugs / #2736 Wish crash when destroying . with reflected channel

#2736 Wish crash when destroying . with reflected channel

Milestone: obsolete: 8.6b1.1

Status: open-fixed

Owner: Don Porter

Labels: 75. wish (49)

Priority: 5

Updated: 2010-03-16

Created: 2009-12-20

Creator: Schelte Bron

Private: No

When destroying ".", wish crashes with the following message (followed by lots of debug info):
*** glibc detected *** /home/sbron/usr/bin/wish8.6: free(): invalid pointer: 0x00000000006297e0 ***

This doesn't happen when just exiting the application. The script to reproduce this situation involves a reflected channel, so it may just as easily be a refchan problem. But since the issue only occurs in combination with wish, I opened the bug in the Tk tracker.

Discussion

Schelte Bron - 2009-12-20

Full output of the crash

tkcrash.txt

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Schelte Bron - 2009-12-20

Script to reproduce the issue

rctest2.tcl

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Schelte Bron - 2009-12-20

Problem found on OpenSuSE 11.2 x86_64

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Donal K. Fellows - 2009-12-20

I don't suppose you could use a tool like efence to narrow down whether it is Tcl or Tk doing the FMR on exit? Right now, we've no idea where to begin looking (TclFreeObj is a rather commonly called utility function that's been extensively tested; if it's wrong, it's because something else working with Tcl_Objs has gone wrong...)

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Alexandre Ferrieux - 2009-12-21

Half-reproduced on mingw: doesn't crash but hangs somewhere in Tk_MainEx, probably in the interp tear-down:

Tk_MainLoop();
Tcl_DeleteInterp(interp);
Tcl_Release(interp);
Tcl_SetStartupScript(NULL, NULL);
Tcl_Exit(0);

This, by the way, shows that Tk_MainEx applies a method halfway between the old full-finalization and the newer quick-exit. My immediate reaction would be that this is fundamentally wrong, and that following the 2001201 fix (Tcl, not Tk), the three lines between Tk_MainLoop and Tcl_Exit should be removed.

The attached patch, doing exactly this, passes the test suite, fixes the above bug (at least the hang in my case), and is the natural projection of the Exit/Finalize reform on Tk.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Alexandre Ferrieux - 2009-12-21

Skip questionable interp deletion before exit.

main.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Alexandre Ferrieux - 2009-12-21

status: open --> open-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Schelte Bron - 2009-12-21

Reproduced the problem on OpenSuSE 11.2 i686 (I have no access to the x86_64 machine at the moment), applied the patch and confirmed that the crash no longer happens.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Don Porter - 2010-03-16

assigned_to: hobbs --> dgp
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Don Porter - 2010-03-16

Sometime I'm going to have to find the time
to really grok this exit reform stuff, cause
it totally gives me the willies.

Since I worked diligently to put that
balanced cleanup stuff in place in the
T*_Main* routines way back when
(for 8.4.0?), I need to understand better
why they are being removed.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: