diff options
author | dgp <dgp@users.sourceforge.net> | 2013-03-11 17:40:14 (GMT) |
---|---|---|
committer | dgp <dgp@users.sourceforge.net> | 2013-03-11 17:40:14 (GMT) |
commit | 3ba3d692ad4a5f996f5383fe2223138851bcee3e (patch) | |
tree | 81bd58e44cfb63ff78e2908a44ab09e92ca2ff0a /generic | |
parent | df4d161b0f8447292465330d03550426006fd13c (diff) | |
parent | edadbbc515cfa8428b349a8ec75c37a386080d98 (diff) | |
download | tcl-3ba3d692ad4a5f996f5383fe2223138851bcee3e.zip tcl-3ba3d692ad4a5f996f5383fe2223138851bcee3e.tar.gz tcl-3ba3d692ad4a5f996f5383fe2223138851bcee3e.tar.bz2 |
Greater protection against double TclFreeObj() calls in TCL_MEM_DEBUG mode.
Diffstat (limited to 'generic')
-rw-r--r-- | generic/tclObj.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/generic/tclObj.c b/generic/tclObj.c index 54ec25a..1bed667 100644 --- a/generic/tclObj.c +++ b/generic/tclObj.c @@ -1333,9 +1333,21 @@ TclFreeObj( ObjInitDeletionContext(context); + /* + * Check for a double free of the same value. This is slightly tricky + * because it is customary to free a Tcl_Obj when its refcount falls + * either from 1 to 0, or from 0 to -1. Falling from -1 to -2, though, + * and so on, is always a sign of a botch in the caller. + */ if (objPtr->refCount < -1) { Tcl_Panic("Reference count for %p was negative", objPtr); } + /* + * Now, in case we just approved drop from 1 to 0 as acceptable, make + * sure we do not accept a second free when falling from 0 to -1. + * Skip that possibility so any double free will trigger the panic. + */ + objPtr->refCount = -1; /* * Invalidate the string rep first so we can use the bytes value for our |