Tcl Source Code

Ticket UUID: 5ee01098824881b5500e4692bcfa74eb853bc795
Title: lseq list conversion results in attempt to access freed memory
Type: Bug
Version:
Submitter: pooryorick
Created on: 2023-05-17 11:50:56
Subsystem: - New Builtin Commands
Assigned To: pooryorick
Priority: 5 Medium
Severity: Important
Status: Closed
Last Modified: 2023-05-23 15:49:53
Resolution: Fixed
Closed By: pooryorick
Closed on: 2023-05-23 15:49:53
Description: (text/x-fossil-wiki)
In a build of trunk with --enable-symbols and CFLAGS="-DPURIFY", the following script

<blockquote><code><verbatim>
trace add variable one write [list ::apply [list args {
	error {this error}
} [namespace current]]]
set one [lindex [lreplace [lseq 1 2] 1 1 hello] 0]
</verbatim></code></blockquote>

results in the following error:

<blockquote><code><verbatim>
malloc(): unaligned fastbin chunk detected 3
</verbatim></code></blockquote>

The reason is that <code>lreplace</code> converts the internal representation
from <code>tclArithSeriesType</code> to <code>tclListType</code>, and
<code>SetListFromAny()</code> handles the arithmetic series specially,
forgetting to increment the reference count when each <code>Tcl_Obj</code> is
added to the list.  See
[https://core.tcl-lang.org/tcl/file?udc=1&ln=3323&ci=57e46213e1e5414a&name=generic%2FtclListObj.c|this
loop].
User Comments: pooryorick added on 2023-05-17 12:12:43: (text/x-fossil-wiki)
Fixed in [e45cee0c53].
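
The reference-counting rule behind this ticket, as an added toy model in C; it is not Tcl's source and not part of the ticket. The types <code>Obj</code> and <code>List</code>, every function name, and the borrow-then-release pattern are assumptions made for illustration, and a <code>freed</code> flag stands in for the real <code>free()</code> so the early release can be observed safely.

```c
#include <stdio.h>

/* Toy stand-in for a refcounted value (hypothetical, not Tcl_Obj itself).
 * "freed" records the release instead of calling free(), so the premature
 * release can be observed without touching freed memory. */
typedef struct { int refCount; int freed; int value; } Obj;

static void obj_incr(Obj *o) { o->refCount++; }
static void obj_decr(Obj *o) { if (--o->refCount <= 0) o->freed = 1; }

typedef struct { Obj *elems[2]; } List;

/* Build a two-element list from a series 1..2. Each element starts with
 * refCount 0, as a freshly created Tcl value does. take_ref == 0 models
 * the bug (pointer stored, count untouched); take_ref == 1 models the fix. */
static void list_from_series(List *l, Obj pool[2], int take_ref) {
    for (int i = 0; i < 2; i++) {
        pool[i].refCount = 0;
        pool[i].freed = 0;
        pool[i].value = i + 1;
        l->elems[i] = &pool[i];
        if (take_ref) obj_incr(l->elems[i]);  /* the list's own reference */
    }
}

/* Assumed usage pattern: some holder takes a reference to element 0 and
 * later drops it. Returns 1 if the list is left pointing at an object
 * that has been released, 0 if the element is still alive. */
static int list_dangles_after_borrow(int take_ref) {
    Obj pool[2];
    List l;
    list_from_series(&l, pool, take_ref);
    Obj *e = l.elems[0];
    obj_incr(e);  /* holder acquires */
    obj_decr(e);  /* holder releases */
    return l.elems[0]->freed;
}

int main(void) {
    printf("without incr: dangling=%d\n", list_dangles_after_borrow(0));
    printf("with incr:    dangling=%d\n", list_dangles_after_borrow(1));
    return 0;
}
```

In a real build the release is an actual <code>free()</code>, so the list's stale pointer is only noticed later by the allocator or by a memory checker, which is why the ticket reproduces the problem with <code>-DPURIFY</code>.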