diff options
| author | dgp <dgp@noemail.net> | 2013-03-11 17:40:14 (GMT) |
|---|---|---|
| committer | dgp <dgp@noemail.net> | 2013-03-11 17:40:14 (GMT) |
| commit | eff2accc41dbf7e49b3f9560fd960449428d63e1 (patch) | |
| tree | 81bd58e44cfb63ff78e2908a44ab09e92ca2ff0a /generic/tclObj.c | |
| parent | 5f4b0ef843c83fa8695f06d3ec0a414444604db7 (diff) | |
| parent | 13c84f4f708d237fb3f9931a928ad10083c9010d (diff) | |
| download | tcl-eff2accc41dbf7e49b3f9560fd960449428d63e1.zip tcl-eff2accc41dbf7e49b3f9560fd960449428d63e1.tar.gz tcl-eff2accc41dbf7e49b3f9560fd960449428d63e1.tar.bz2 | |
Greater protection against double TclFreeObj() calls in TCL_MEM_DEBUG mode.
FossilOrigin-Name: 081509f92652bb4331d66e650540f6ae547c8da9
Diffstat (limited to 'generic/tclObj.c')
| -rw-r--r-- | generic/tclObj.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/generic/tclObj.c b/generic/tclObj.c index 54ec25a..1bed667 100644 --- a/generic/tclObj.c +++ b/generic/tclObj.c @@ -1333,9 +1333,21 @@ TclFreeObj( ObjInitDeletionContext(context); + /* + * Check for a double free of the same value. This is slightly tricky + * because it is customary to free a Tcl_Obj when its refcount falls + * either from 1 to 0, or from 0 to -1. Falling from -1 to -2, though, + * and so on, is always a sign of a botch in the caller. + */ if (objPtr->refCount < -1) { Tcl_Panic("Reference count for %p was negative", objPtr); } + /* + * Now, in case we just approved drop from 1 to 0 as acceptable, make + * sure we do not accept a second free when falling from 0 to -1. + * Skip that possibility so any double free will trigger the panic. + */ + objPtr->refCount = -1; /* * Invalidate the string rep first so we can use the bytes value for our |