From edadbbc515cfa8428b349a8ec75c37a386080d98 Mon Sep 17 00:00:00 2001
From: dgp
Date: Mon, 11 Mar 2013 17:37:15 +0000
Subject: Greater protection against double TclFreeObj() calls in TCL_MEM_DEBUG mode.
---
 generic/tclObj.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/generic/tclObj.c b/generic/tclObj.c
index 24b818b..96a4082 100644
--- a/generic/tclObj.c
+++ b/generic/tclObj.c
@@ -1322,9 +1322,21 @@ TclFreeObj(
 ObjInitDeletionContext(context);
+ /*
+ * Check for a double free of the same value. This is slightly tricky
+ * because it is customary to free a Tcl_Obj when its refcount falls
+ * either from 1 to 0, or from 0 to -1. Falling from -1 to -2, though,
+ * and so on, is always a sign of a botch in the caller.
+ */
 if (objPtr->refCount < -1) {
 Tcl_Panic("Reference count for %lx was negative", objPtr);
 }
+ /*
+ * Now, in case we just approved drop from 1 to 0 as acceptable, make
+ * sure we do not accept a second free when falling from 0 to -1.
+ * Skip that possibility so any double free will trigger the panic.
+ */
+ objPtr->refCount = -1;
 /* Invalidate the string rep first so we can use the bytes value
 * for our pointer chain, and signal an obj deletion (as opposed
-- cgit v0.12
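Review bot: The sentinel written on the last added line, `objPtr->refCount = -1;`, only catches a double free that passes through a decrement first: a second direct TclFreeObj() call on the same object finds refCount == -1, the guard `if (objPtr->refCount < -1)` does not fire because -1 is exactly the value the guard still accepts, and the sentinel is silently rewritten. A value below the accepted entry range, e.g. `objPtr->refCount = -2;` with the "0 to -1" wording in the new comment adjusted to match, would trip the panic on both the Tcl_DecrRefCount path (-2 becomes -3) and the direct-call path, provided nothing later in TclFreeObj relies on the field holding -1. The rest of the function, and the TCL_MEM_DEBUG conditional the subject line implies this sits under, lie outside this hunk, so that dependency cannot be checked here. Either way the detection presumably only works while the debug allocator leaves the freed object's refCount field intact after release; a comment stating that assumption next to the sentinel would help the next maintainer.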