58317 – RHL9: trivial script causes expect to coredump

Bug 58317 - RHL9: trivial script causes expect to coredump

Summary: RHL9: trivial script causes expect to coredump

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	tcltk
Sub Component:
Version:	9
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jens Petersen
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	105038 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2002-01-14 06:05 UTC by Jonathan Kamens
Modified:	2007-04-18 16:39 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2004-05-18 12:26:21 UTC
Embargoed:

Attachments	(Terms of Use)
A patch which should fix the problem (593 bytes, patch) 2003-10-14 16:28 UTC, Bernd Schmidt	no flags	Details \| Diff
View All

Description Jonathan Kamens 2002-01-14 06:05:13 UTC

This script causes expect to coredump:

#!/usr/bin/expect -f
spawn false
wait -i $spawn_id

This comment in exp_close in exp_command.c gives a hint about what's going
wrong:

	    /* at this point esPtr may have been freed so don't touch it
               any longer */

Unfortunately, the esPtr which this comment says shouldn't be touched anymore is
in fact touched in the for loop in exp_close_all in exp_chan.c  This is as far
as I got at debugging this problem before running into the extent of my expect
knowledge.

Note that this simple modification to the script makes the coredump go away,
presumably by causing the channel to be removed from the list checked by
exp_close_all before the script exits:

#!/usr/bin/expect -f
spawn false
set timeout -1
expect eof
wait -i $spawn_id

Comment 1 Derek Tattersall 2002-04-13 00:34:36 UTC

This script causes expect to coredump in skipjack beta4 as well.

Comment 2 Derek Tattersall 2002-07-09 00:26:44 UTC

The script causes a core dump in Limbo re-0701.  However, ActiveTcl 8.4.0.1-beta2 
appears to have solved this problem.

Comment 3 Jens Petersen 2002-08-14 10:44:58 UTC

Thanks.  The problem is still present in expect-5.38.0 too.

Comment 4 Jens Petersen 2003-09-25 08:11:43 UTC

*** Bug 105038 has been marked as a duplicate of this bug. ***

Comment 5 Bernd Schmidt 2003-10-14 16:28:27 UTC

Created attachment 95168 [details]
A patch which should fix the problem

Comment 6 Bernd Schmidt 2003-10-14 16:30:20 UTC

This is a simple use-after-free problem which can be fixed by rewriting the loop
in exp_close_all.

Comment 8 Jens Petersen 2003-10-15 11:47:30 UTC

Thanks for the patch.  Who should I attribute it to btw?

Comment 9 Jens Petersen 2003-10-15 12:26:09 UTC

Actually it looks like this is already fixed in expect-5.39.0 afaict
from looking at the code.

Comment 10 Jens Petersen 2003-10-15 12:48:54 UTC

Should be fixed finally in tcltk-8.3.5-91 (ie expect-5.39.0-91).

Comment 11 Jens Petersen 2003-10-15 13:38:21 UTC

Actual fixed release number is -93.

Comment 14 Jens Petersen 2003-12-11 05:44:09 UTC

Re-opening until package for RHL 9 available.

Note You need to log in before you can comment on or make changes to this bug.