The line is

    ns_rwlock destroy rid0x83daf50

provided that rid0x83daf50 does *not* point to a valid rwlock, or a second example using three lines:

    set lock [ns_rwlock create]
    ns_rwlock destroy $lock
    ns_rwlock destroy $lock

Attempting to destroy the lock (intentionally or otherwise) twice will crash the server. This happens because...

There are two functions in nsd/tclthread.c to manage rwlocks, mutexes etc.: GetObj() and SetObj(). The first three bytes of the name of a rwlock/mutex/semaphore/condvar etc. are interpreted as the type identifier, and the rest of the rid0x83daf50 string above is assumed to be the actual address of the thing! No further checking is performed by GetObj() to ensure that the provided address is actually correct, so you can make up any address you like and pass it to ns_rwlock or ns_mutex or whatever with the destroy sub-command and have the memory so pointed to over-written!

I looked at the 4.0 beta code, this hasn't changed. I'm going to fix it for my sites - haven't decided how yet - I'll be quite happy to pass on the code to someone for review and possible inclusion in the code base.

-- 
Harry Moreau
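One way to close the hole described above, as an added example that is not AOLserver's nsd/tclthread.c code: instead of decoding the caller's string into a raw address, keep a registry of handles the server itself issued and reject destroy requests for anything not currently in it. The functions rw_create(), rw_lookup() and rw_destroy() and the fixed-size registry are assumptions made for this example; only the "rid" prefix comes from the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical handle registry (example code, not AOLserver's own): a "rid..."
 * string is accepted only if rw_create() handed it out and it has not been
 * destroyed since, so the address inside it is never trusted or dereferenced. */
#define MAX_LOCKS 64

typedef struct { int placeholder; } RwLock;   /* stands in for the real rwlock */

static RwLock *live[MAX_LOCKS];               /* live locks; NULL marks a free slot */

/* Create a lock and return its handle string ("rid" + address). Caller frees it. */
char *rw_create(void)
{
    for (int i = 0; i < MAX_LOCKS; i++) {
        if (live[i] == NULL) {
            live[i] = calloc(1, sizeof(RwLock));
            char *id = malloc(32);
            snprintf(id, 32, "rid%p", (void *)live[i]);
            return id;
        }
    }
    return NULL;                              /* registry full */
}

/* Return the registry slot for a handle, or -1 if it is not a live lock.
 * The handle is compared against registry entries, never parsed into a pointer. */
static int rw_lookup(const char *id)
{
    if (id == NULL || strncmp(id, "rid", 3) != 0) return -1;
    for (int i = 0; i < MAX_LOCKS; i++) {
        char buf[32];
        if (live[i] == NULL) continue;
        snprintf(buf, sizeof buf, "rid%p", (void *)live[i]);
        if (strcmp(buf, id) == 0) return i;
    }
    return -1;
}

/* Destroy a lock. Returns 0 on success, -1 for unknown or already-destroyed handles. */
int rw_destroy(const char *id)
{
    int i = rw_lookup(id);
    if (i < 0) return -1;         /* made-up or stale handle: refuse instead of freeing */
    free(live[i]);
    live[i] = NULL;               /* a second destroy of the same handle now fails cleanly */
    return 0;
}
```

With this check in place, both of the post's examples (a fabricated rid and a double destroy) produce an error return that the Tcl layer can report, rather than a crash.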
