From e59a5820dfdb6c77acd3497b07b8236b51bd04d8 Mon Sep 17 00:00:00 2001
From: "jan.nijtmans" <nijtmans@users.sourceforge.net>
Date: Thu, 3 Jan 2013 09:22:04 +0000
Subject: test case for bug-3598580: Tcl_ListObjReplace may release deleted
 elements too early

---
 generic/tclTestObj.c | 11 +++++++++++
 tests/listObj.test   |  4 ++++
 2 files changed, 15 insertions(+)

diff --git a/generic/tclTestObj.c b/generic/tclTestObj.c
index a55704a..8e9dc93 100644
--- a/generic/tclTestObj.c
+++ b/generic/tclTestObj.c
@@ -736,6 +736,17 @@ TestobjCmd(clientData, interp, objc, objv)
         }
         SetVarToObj(destIndex, varPtr[varIndex]);
 	Tcl_SetObjResult(interp, varPtr[destIndex]);
+    } else if (strcmp(subCmd, "bug3598580") == 0) {
+	Tcl_Obj *listObjPtr, *elemObjPtr;
+	if (objc != 2) {
+	    goto wrongNumArgs;
+	}
+	elemObjPtr = Tcl_NewIntObj(123);
+	listObjPtr = Tcl_NewListObj(1, &elemObjPtr);
+	/* Replace the single list element through itself, nonsense but legal. */
+	Tcl_ListObjReplace(interp, listObjPtr, 0, 1, 1, &elemObjPtr);
+	Tcl_SetObjResult(interp, listObjPtr);
+	return TCL_OK;
      } else if (strcmp(subCmd, "convert") == 0) {
         char *typeName;
         if (objc != 4) {
diff --git a/tests/listObj.test b/tests/listObj.test
index aa319bb..390ee64 100644
--- a/tests/listObj.test
+++ b/tests/listObj.test
@@ -181,6 +181,10 @@ test listobj-9.1 {UpdateStringOfList} {
     string length [list foo\x00help]
 } 8
 
+test listobj-11.1 {bug 3598580} {
+    testobj bug3598580
+} 123
+
 # cleanup
 ::tcltest::cleanupTests
 return
-- 
cgit v0.12