From 1fbfeae31be33fc423d361863f7cdbf1035167fe Mon Sep 17 00:00:00 2001 From: vasiljevic Date: Sun, 27 Apr 2008 08:05:36 +0000 Subject: generic/tclAsync.c: Tcl_AsyncDelete(): panic if attempt to locate handler token fails. Happens when some other thread attempts to delete somebody else's token. --- ChangeLog | 6 ++++++ generic/tclAsync.c | 43 +++++++++++++++++++++++++++++-------------- 2 files changed, 35 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 618f606..7f14005 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2008-04-26 Zoran Vasiljevic + + * generic/tclAsync.c: Tcl_AsyncDelete(): panic if attempt + to locate handler token fails. Happens when some other + thread attempts to delete somebody else's token. + 2008-04-24 Andreas Kupries * tests/ioCmd.test: Extended testsuite for reflected channel diff --git a/generic/tclAsync.c b/generic/tclAsync.c index c088ce5..dcde29e 100644 --- a/generic/tclAsync.c +++ b/generic/tclAsync.c @@ -11,7 +11,7 @@ * See the file "license.terms" for information on usage and redistribution of * this file, and for a DISCLAIMER OF ALL WARRANTIES. * - * RCS: @(#) $Id: tclAsync.c,v 1.13 2007/12/13 15:23:14 dgp Exp $ + * RCS: @(#) $Id: tclAsync.c,v 1.13.2.1 2008/04/27 08:05:39 vasiljevic Exp $ */ #include "tclInt.h" @@ -259,6 +259,13 @@ Tcl_AsyncInvoke( * Side effects: * The state associated with the handler is deleted. * + * Failure to locate the handler in current thread private list + * of async handlers will result in panic; exception: the list + * is already empty (potential trouble?). + * Consequently, threads should create and delete handlers + * themselves. I.e. a handler created by one should not be + * deleted by some other thread. + * *---------------------------------------------------------------------- */ @@ -268,7 +275,14 @@ Tcl_AsyncDelete( { ThreadSpecificData *tsdPtr = TCL_TSD_INIT(&dataKey); AsyncHandler *asyncPtr = (AsyncHandler *) async; - AsyncHandler *prevPtr; + AsyncHandler *prevPtr, *thisPtr; + + /* + * If we come to this point when TSD's for the current + * thread have already been garbage-collected, we are + * in the _serious_ trouble. OTOH, we tolerate calling + * with already cleaned-up handler list (should we?). + */ /* * Conservatively check the existence of the linked list of @@ -278,21 +292,22 @@ Tcl_AsyncDelete( */ Tcl_MutexLock(&tsdPtr->asyncMutex); - if (tsdPtr->firstHandler != NULL ) { - if (tsdPtr->firstHandler == asyncPtr) { + if (tsdPtr->firstHandler != NULL) { + prevPtr = thisPtr = tsdPtr->firstHandler; + while (thisPtr != NULL && thisPtr != asyncPtr) { + prevPtr = thisPtr; + thisPtr = thisPtr->nextPtr; + } + if (thisPtr == NULL) { + panic("Tcl_AsyncDelete: cannot find async handler"); + } + if (asyncPtr == tsdPtr->firstHandler) { tsdPtr->firstHandler = asyncPtr->nextPtr; - if (tsdPtr->firstHandler == NULL) { - tsdPtr->lastHandler = NULL; - } } else { - prevPtr = tsdPtr->firstHandler; - while (prevPtr->nextPtr != asyncPtr) { - prevPtr = prevPtr->nextPtr; - } prevPtr->nextPtr = asyncPtr->nextPtr; - if (tsdPtr->lastHandler == asyncPtr) { - tsdPtr->lastHandler = prevPtr; - } + } + if (asyncPtr == tsdPtr->lastHandler) { + tsdPtr->lastHandler = prevPtr; } } Tcl_MutexUnlock(&tsdPtr->asyncMutex); -- cgit v0.12