Tk Source Code

Ticket Change Details
Overview

Artifact ID: cc5ceef6064ac3d56e694cecf2d221ad5935afa2ef898054bc26c2729b6dd12f
Ticket: 40e4bf61988580b8ffaecd1d57a7087ba76b54d4
Entry: double free when textvariable set in validatecommand script
User & Date: chrstphrchvz 2020-05-22 12:12:47
Changes

  1. assignee changed to: "nobody"
  2. closer changed to: "nobody"
  3. cmimetype changed to: "text/x-fossil-wiki"
  4. comment changed to:
    Here is a double free bug that someone originally reported for Perl/Tk ([https://rt.cpan.org/Public/Bug/Display.html?id=102648]), but which I replicated in Tcl/Tk using both the original Perl/Tk example through Tcl::pTk and a nearly equivalent Tcl syntax example:
    
    <pre>
    package require Tk
    
    set en_text {Type 'A' here}
    pack [entry .e \
        -textvariable en_text \
        -validate key \
        -validatecommand {
            if {"%S" eq {A}} {
                set en_text %P
                .e configure -validate key
            }
            return 1
        }
    ]
    </pre>
    
    Pressing 'A' causes the double free in this example. When the key is pressed, <code>InsertChars()</code> stores the existing <code>entryPtr->string</code> in the variable <code>string</code>. It then does the <code>EntryValidate()</code> → <code>EntryValidateChange()</code> to evaluate the validatecommand script. When the textvariable is set in the script, this invokes <code>EntryTextVarProc()</code> → <code>EntrySetValue()</code> which frees the existing <code>entryPtr->string</code>. After validation finishes, <code>EntrySet()</code> then tries to free the already-freed address in <code>string</code>.
    
    It's not obvious to me what should be done about this issue. Should this at least not lead to a crash/corruption, or is it believed that the documentation already firmly warned against mixing <code>-textvariable</code> and <code>-validatecommand</code> such that this issue is expected behavior? At a minimum, it preferably crashes rather than silently corrupts, i.e. panic if <code>string != entryPtr->string</code> just before <code>ckfree((char *)string)</code>.
    
    I am not aware of this issue affecting Ttk entry widgets.
    
  5. foundin changed to: "8.6.10"
  6. is_private changed to: "0"
  7. login: "chrstphrchvz"
  8. priority changed to: "5 Medium"
  9. resolution changed to: "None"
  10. severity changed to: "Important"
  11. status changed to: "Open"
  12. submitter changed to: "chrstphrchvz"
  13. subsystem changed to: "07. [entry]"
  14. title changed to:
    Entry: double free when textvariable set in validatecommand script
    
  15. type changed to: "Bug"
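The ownership sequence the report describes (cache entryPtr->string, run the validatecommand script, free the cached pointer) modelled in C as an added example. This is not Tk's code: ck_strdup/ck_free are a stand-in for ckalloc/ckfree that count a double free instead of aborting, entry_set_value/textvar_write/script mirror the EntrySetValue → textvariable trace → Tcl script chain of the ticket, and insert_chars_guarded shows one defensive policy (re-check ownership after the script and keep the script's value) that is an assumption for illustration, not Tk's actual fix. The modelled rule that writing the textvariable from the script turns validation off follows Tk's documented behaviour; everything else here is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allocator shim (not Tk's ckalloc/ckfree): every block stays in a
 * table until ck_reset(), so addresses are never reused and a second free of
 * the same pointer is counted in double_frees rather than corrupting the heap. */
#define MAX_BLOCKS 64
static struct { char *p; int freed; } blocks[MAX_BLOCKS];
static int double_frees;

static char *ck_strdup(const char *s) {
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (blocks[i].p != NULL) continue;
        blocks[i].p = malloc(strlen(s) + 1);
        if (blocks[i].p == NULL) abort();
        strcpy(blocks[i].p, s);
        return blocks[i].p;
    }
    abort();                                     /* table full */
}

static void ck_free(char *p) {
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (blocks[i].p != p) continue;
        if (blocks[i].freed) double_frees++;     /* the bug, recorded not fatal */
        blocks[i].freed = 1;
        return;
    }
    abort();                                     /* pointer never allocated here */
}

static void ck_reset(void) {
    for (int i = 0; i < MAX_BLOCKS; i++) { free(blocks[i].p); blocks[i].p = NULL; blocks[i].freed = 0; }
    double_frees = 0;
}

/* Model of the widget record: entryPtr->string, -validate, -validatecommand. */
typedef struct Entry Entry;
struct Entry {
    char *string;
    int validate;                                /* 1 = -validate key, 0 = none */
    int (*validateCmd)(Entry *, const char *S, const char *P);
};

/* EntrySetValue(): frees the old entryPtr->string and installs a copy of value. */
static void entry_set_value(Entry *e, const char *value) {
    char *old = e->string;
    e->string = ck_strdup(value);
    ck_free(old);
}

/* EntryTextVarProc(): write trace on -textvariable. Writing the textvariable
 * from inside the validatecommand also switches validation off (modelled). */
static void textvar_write(Entry *e, const char *value) {
    entry_set_value(e, value);
    e->validate = 0;
}

/* Stand-in for the ticket's script:
 * if {"%S" eq {A}} {set en_text %P; .e configure -validate key}; return 1 */
static int script(Entry *e, const char *S, const char *P) {
    if (strcmp(S, "A") == 0) { textvar_write(e, P); e->validate = 1; }
    return 1;
}

/* Build %P: value inserted into string at byte index. */
static char *build_new(const char *string, size_t index, const char *value) {
    char buf[256];
    size_t len = strlen(string);
    if (index > len) index = len;
    if (len + strlen(value) >= sizeof buf) abort();
    memcpy(buf, string, index);
    strcpy(buf + index, value);
    strcat(buf, string + index);
    return ck_strdup(buf);
}

/* InsertChars() as the report describes it: `string` is cached before the
 * script runs and freed afterwards, even if the script already replaced it. */
static int insert_chars_buggy(Entry *e, size_t index, const char *value) {
    char *string = e->string;
    char *newStr = build_new(string, index, value);
    if (e->validate && e->validateCmd && !e->validateCmd(e, value, newStr)) { ck_free(newStr); return 0; }
    ck_free(string);                             /* double free if e->string changed */
    e->string = newStr;
    return 1;
}

/* Defensive variant (assumption, not Tk's fix): if entryPtr->string changed
 * under us, the cached pointer is dangling; keep the script's value, drop ours. */
static int insert_chars_guarded(Entry *e, size_t index, const char *value) {
    char *string = e->string;
    char *newStr = build_new(string, index, value);
    if (e->validate && e->validateCmd && !e->validateCmd(e, value, newStr)) { ck_free(newStr); return 0; }
    if (e->string != string) { ck_free(newStr); return 2; }   /* reentrant change detected */
    ck_free(string);
    e->string = newStr;
    return 1;
}

/* Press 'A' at the end of the ticket's initial text; returns the double-free count. */
static int press_A(int (*insert)(Entry *, size_t, const char *), char out[256]) {
    ck_reset();
    Entry e = { ck_strdup("Type 'A' here"), 1, script };
    insert(&e, strlen(e.string), "A");
    strncpy(out, e.string, 255); out[255] = '\0';
    return double_frees;
}

int main(void) {
    char s[256];
    printf("buggy:   double frees=%d string=\"%s\"\n", press_A(insert_chars_buggy, s), s);
    printf("guarded: double frees=%d string=\"%s\"\n", press_A(insert_chars_guarded, s), s);
    ck_reset();
    return 0;
}
```

With a real ckfree the buggy path would hand the same address to the allocator twice; here the shim only counts it, so the two variants can be compared on the same input. The guard returns a distinct code rather than panicking, which is the other option the report raises; either way the point is that the cached pointer must not be trusted once an arbitrary script has run.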