[Bug 3398794]: Use Tcl errors in scripts, not panics.

3 files changed, 84 insertions, 46 deletions

diff --git a/ChangeLog b/ChangeLog
index 05f864a..746955a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,15 @@
+2011-08-30  Donal K. Fellows  <dkf@users.sf.net>
+
+	* generic/tclInterp.c (SlaveCommandLimitCmd, SlaveTimeLimitCmd):
+	[Bug 3398794]: Ensure that low-level conditions in the limit API are
+	enforced at the script level through errors, not a Tcl_Panic. This
+	means that interpreters cannot read their own limits (writing already
+	did not work).
+
 2011-08-30  Reinhard Max  <max@suse.de>
 
-	* unix/tclUnixSock.c (TcpWatchProc): Put back the check for server
-	sockets (bug #3394732).
+	* unix/tclUnixSock.c (TcpWatchProc): [Bug 3394732]: Put back the check
+	for server sockets.
 
 2011-08-29  Don Porter  <dgp@users.sourceforge.net>
 
@@ -9,20 +17,20 @@
 
 2011-08-27  Don Porter  <dgp@users.sourceforge.net>
 
-	* generic/tclStringObj.c:  [RFE 3396731] Revise the [string reverse]
+	* generic/tclStringObj.c:  [RFE 3396731]: Revise the [string reverse]
 	* tests/string.test:	implementation to operate on the representation
 	that comes in, avoid conversion to other reps.
 
 2011-08-23  Don Porter  <dgp@users.sourceforge.net>
 
-	* generic/tclIORChan.c:	[Bug 3396948] Leak of ReflectedChannelMap.
+	* generic/tclIORChan.c:	[Bug 3396948]: Leak of ReflectedChannelMap.
 
 2011-08-19  Don Porter  <dgp@users.sourceforge.net>
 
-	* generic/tclIORTrans.c: [Bugs 3393279, 3393280] ReflectClose(.) is
+	* generic/tclIORTrans.c: [Bugs 3393279, 3393280]: ReflectClose(.) is
 	missing Tcl_EventuallyFree() calls at some of its exits.
 
-	* generic/tclIO.c: [Bugs 3394654, 3393276] Revise FlushChannel() to
+	* generic/tclIO.c: [Bugs 3394654, 3393276]: Revise FlushChannel() to
 	account for the possibility that the ChanWrite() call might recycle
 	the buffer out from under us.
 
@@ -31,22 +39,22 @@
 
 2011-08-19  Alexandre Ferrieux  <ferrieux@users.sourceforge.net>
 
-	* generic/tclTest.c: [Bug 2981154] async-4.3 segfault.
-	* tests/async.test:  [Bug 1774689] async-4.3 sometimes fails.
+	* generic/tclTest.c: [Bug 2981154]: async-4.3 segfault.
+	* tests/async.test:  [Bug 1774689]: async-4.3 sometimes fails.
 
 2011-08-18  Alexandre Ferrieux  <ferrieux@users.sourceforge.net>
 
-	* generic/tclIO.c: [Bug 3096275] Sync fcopy buffers input.
+	* generic/tclIO.c: [Bug 3096275]: Sync fcopy buffers input.
 
 2011-08-18  Jan Nijtmans  <nijtmans@users.sf.net>
 
-	* generic/tclUniData.c: [Bug 3393714] overflow in toupper delta
+	* generic/tclUniData.c: [Bug 3393714]: Overflow in toupper delta
 	* tools/uniParse.tcl
 	* tests/utf.test
 
 2011-08-17  Alexandre Ferrieux  <ferrieux@users.sourceforge.net>
 
-	* generic/tclIO.c:  [Bug 2946474] Consistently resume backgrounded
+	* generic/tclIO.c:  [Bug 2946474]: Consistently resume backgrounded
 	* tests/ioCmd.test: flushes+closes when exiting.
 
 2011-08-17  Alexandre Ferrieux  <ferrieux@users.sourceforge.net>
@@ -55,12 +63,12 @@
 
 2011-08-17  Don Porter  <dgp@users.sourceforge.net>
 
-	* generic/tclGet.c: [Bug 3393150] Overlooked free of intreps.
+	* generic/tclGet.c: [Bug 3393150]: Overlooked free of intreps.
 	(It matters for bignums!)
 
 2011-08-16  Don Porter  <dgp@users.sourceforge.net>
 
-	* generic/tclCompile.c: [Bug 3392070] More complete prevention of
+	* generic/tclCompile.c: [Bug 3392070]: More complete prevention of
 	Tcl_Obj reference cycles when producing an intrep of ByteCode.
 
 2011-08-16  Donal K. Fellows  <dkf@users.sf.net>
@@ -181,7 +189,7 @@
 	* generic/tclIOSock.c (TclCreateSocketAddress): Don't bother using
 	AI_ADDRCONFIG for now, as it was causing problems in various
 	situations.
-	
+
 2011-08-04  Donal K. Fellows  <dkf@users.sf.net>
 
 	* generic/tclAssembly.c (AssembleOneLine, GetBooleanOperand)
@@ -348,16 +356,16 @@
 	* unix/Makefile.in:
 	* win/Makefile.in:
 	* win/Makefile.vc:
-	Fix a bug where bignum->double conversion is "round up" and
-	not "round to nearest" (causing expr double(1[string repeat 0 23])
-	not to be 1e+23). [Bug 3349507]
+	[Bug 3349507]: Fix a bug where bignum->double conversion is "round up"
+	and not "round to nearest" (causing expr double(1[string repeat 0 23])
+	not to be 1e+23).
 
 2011-06-28  Reinhard Max  <max@suse.de>
 
-	* unix/tclUnixSock.c (CreateClientSocket): Fix and simplify
-	posting of the writable fileevent at the end of an asynchronous
-	connection attempt. Improve comments for some of the trickery
-	around [socket -async]. [Bug 3325339]
+	* unix/tclUnixSock.c (CreateClientSocket): [Bug 3325339]: Fix and
+	simplify posting of the writable fileevent at the end of an
+	asynchronous connection attempt. Improve comments for some of the
+	trickery around [socket -async].
 
 	* tests/socket.test: Adjust tests to the async code changes. Add
 	more tests for corner cases of async sockets.
@@ -385,12 +393,12 @@
 
 2011-06-21  Don Porter  <dgp@users.sourceforge.net>
 
-	* generic/tclLink.c:	Prevent multiple links to a single Tcl
-	variable when calling Tcl_LinkVar(). [Bug 3317466]
+	* generic/tclLink.c:	[Bug 3317466]: Prevent multiple links to a
+	single Tcl variable when calling Tcl_LinkVar().
 
 2011-06-13  Don Porter  <dgp@users.sourceforge.net>
 
-	* generic/tclStrToD.c:  [Bug 3315098] Mem leak fix from Gustaf Neumann.
+	* generic/tclStrToD.c:  [Bug 3315098]: Mem leak fix from Gustaf Neumann.
 
 2011-06-08  Andreas Kupries  <andreask@activestate.com>
 
@@ -746,10 +754,10 @@
 
 2011-04-04  Don Porter  <dgp@users.sourceforge.net>
 
-	* README:	Updated README files, repairing broken URLs and
-	* macosx/README:	removing other bits that were clearly wrong.
+	* README:	[Bug 3202030]: Updated README files, repairing broken
+	* macosx/README:URLs and removing other bits that were clearly wrong.
 	* unix/README:	Still could use more eyeballs on the detailed build
-	* win/README:	advice on various plaforms. [Bug 3202030]
+	* win/README:	advice on various plaforms.
 
 2011-04-04  Donal K. Fellows  <dkf@users.sf.net>
 
@@ -973,10 +981,10 @@
 
 2011-03-09  Don Porter  <dgp@users.sourceforge.net>
 
-	* generic/tclNamesp.c:	Tighten the detector of nested [namespace code]
-	* tests/namespace.test:	quoting that the quoted scripts function
-	properly even in a namespace that contains a custom "namespace"
-	command.  [Bug 3202171]
+	* generic/tclNamesp.c:	[Bug 3202171]: Tighten the detector of nested
+	* tests/namespace.test:	[namespace code] quoting that the quoted
+	scripts function properly even in a namespace that contains a custom
+	"namespace" command.
 
 	* doc/tclvars.n:	Formatting fix.  Thanks to Pat Thotys.
 
@@ -999,8 +1007,8 @@
 	* generic/tclInt.h:	Remove TclMarkList() routine, an experimental
 	* generic/tclUtil.c:	dead-end from the 8.5 alpha days.
 
-	* generic/tclResult.c (ResetObjResult):	Correct failure to clear
-	invalid intrep.  Thanks to Colin McDonald. [Bug 3202905]
+	* generic/tclResult.c (ResetObjResult): [Bug 3202905]: Correct failure
+	to clear invalid intrep.  Thanks to Colin McDonald.
 
 2011-03-08  Donal K. Fellows  <dkf@users.sf.net>
 
@@ -1015,13 +1023,13 @@
 	* generic/tclParse.c:
 	* generic/tclUtil.c:
 
-	* generic/tclUtil.c (TclFindElement):	Guard escape sequence scans
-	to not overrun the string end.  [Bug 3192636]
+	* generic/tclUtil.c (TclFindElement):	[Bug 3192636]: Guard escape
+	sequence scans to not overrun the string end.
 
 2011-03-05  Don Porter  <dgp@users.sourceforge.net>
 
-	* generic/tclParse.c (TclParseBackslash): Correct trunction checks in
-	* tests/parse.test:	\x and \u substitutions.  [Bug 3200987]
+	* generic/tclParse.c (TclParseBackslash): [Bug 3200987]: Correct
+	* tests/parse.test:	trunction checks in \x and \u substitutions.
 
 2011-03-05  Miguel Sofer  <msofer@users.sf.net>
 
@@ -1094,17 +1102,17 @@
 	* generic/tclStubInit.c:
 	* win/makefile.vc:
 
-	* generic/tclExecute.c (ExprObjCallback): fix object leak
+	* generic/tclExecute.c (ExprObjCallback): Fix object leak
 
-	* generic/tclExecute.c (TEBCresume): store local var array and
+	* generic/tclExecute.c (TEBCresume): Store local var array and
 	constants in automatic vars to reduce indirection, slight perf
 	increase
 
-	* generic/tclOOCall.c (TclOODeleteContext): added missing '*' so
+	* generic/tclOOCall.c (TclOODeleteContext): Added missing '*' so
 	that trunk compiles.
 
-	* generic/tclBasic.c (TclNRRunCallbacks): don't do the trampoline
-	dance for commands that do not have an nreProc, [Patch 3168229]
+	* generic/tclBasic.c (TclNRRunCallbacks): [Patch 3168229]: Don't do
+	the trampoline dance for commands that do not have an nreProc.
 
 2011-03-01  Donal K. Fellows  <dkf@users.sf.net>
 
diff --git a/generic/tclInterp.c b/generic/tclInterp.c
index a156a57..5b6d14f 100644
--- a/generic/tclInterp.c
+++ b/generic/tclInterp.c
@@ -4345,6 +4345,19 @@ SlaveCommandLimitCmd(
     ScriptLimitCallback *limitCBPtr;
     Tcl_HashEntry *hPtr;
 
+    /*
+     * First, ensure that we are not reading or writing the calling
+     * interpreter's limits; it may only manipulate its children. Note that
+     * the low level API enforces this with Tcl_Panic, which we want to
+     * avoid. [Bug 3398794]
+     */
+
+    if (interp == slaveInterp) {
+	Tcl_AppendResult(interp,
+		"limits on current interpreter inaccessible", NULL);
+	return TCL_ERROR;
+    }
+
     if (objc == consumedObjc) {
 	Tcl_Obj *dictPtr;
 
@@ -4519,6 +4532,19 @@ SlaveTimeLimitCmd(
     ScriptLimitCallback *limitCBPtr;
     Tcl_HashEntry *hPtr;
 
+    /*
+     * First, ensure that we are not reading or writing the calling
+     * interpreter's limits; it may only manipulate its children. Note that
+     * the low level API enforces this with Tcl_Panic, which we want to
+     * avoid. [Bug 3398794]
+     */
+
+    if (interp == slaveInterp) {
+	Tcl_AppendResult(interp,
+		"limits on current interpreter inaccessible", NULL);
+	return TCL_ERROR;
+    }
+
     if (objc == consumedObjc) {
 	Tcl_Obj *dictPtr;
 
diff --git a/tests/interp.test b/tests/interp.test
index 35f6824..c146355 100644
--- a/tests/interp.test
+++ b/tests/interp.test
@@ -584,7 +584,6 @@ test interp-14.10 {testing interp-alias: error messages} -setup {
     invoked from within
 "a 1"}
 
-
 # part 15: testing file sharing
 test interp-15.1 {testing file sharing} {
     catch {interp delete z}
@@ -665,8 +664,7 @@ test interp-15.8 {testing file transferring} -body {
 # Torture tests for interpreter deletion order
 #
 proc kill {} {interp delete xxx}
-
-test interp-15.9 {testing deletion order} {
+test interp-16.0 {testing deletion order} {
     catch {interp delete xxx}
     interp create xxx
     xxx alias kill kill
@@ -3497,6 +3495,13 @@ test interp-35.22 {interp time limits normalize milliseconds} -body {
 } -cleanup {
     interp delete $i
 } -result {2 500}
+# Bug 3398794
+test interp-35.23 {interp command limits can't touch current interp} -body {
+    interp limit {} commands -value 10
+} -returnCodes error -result {limits on current interpreter inaccessible}
+test interp-35.24 {interp time limits can't touch current interp} -body {
+    interp limit {} time -seconds 2
+} -returnCodes error -result {limits on current interpreter inaccessible}
 
 test interp-36.1 {interp bgerror syntax} -body {
     interp bgerror
@@ -3610,7 +3615,6 @@ test interp-38.8 {interp debug basic setup} -body {
 } -returnCodes {
     error
 } -result {wrong # args: should be "interp debug path ?-frame ?bool??"}
-
 
 # cleanup
 unset -nocomplain hidden_cmds