https://bugs.documentfoundation.org/show_bug.cgi?id=104517
Bug ID: 104517
Summary: WeakReference ScHeaderFooterTextData::xContentObj can
die too early in JunitTest_sc_unoapi_4
Product: LibreOffice
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: Calc
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Since
<https://cgit.freedesktop.org/libreoffice/core/commit/?id=fc29ace3438eea09afe3ddbb5118458cbb531b06>
"better fix for memory leak around calc header-footer UNO objects":
* ScHeaderFooterTextData::xContentObj has been changed to a WeakReference
* ScHeaderFooterTextObj::getString is checking that xContentObj is still alive:
> uno::Reference<css::sheet::XHeaderFooterContent> xContentObj =
> aTextData.GetContentObj();
> if (!xContentObj.is())
> throw css::uno::RuntimeException("");
I assume that throw is meant to be of the "this cannot happen" kind (like an
assert)---as otherwise that commit would apparently not be a sound change.
However, at least JunitTest_sc_unoapi_4 sporadically triggers that throw (see
e.g.,
<https://cgit.freedesktop.org/libreoffice/core/commit/?id=8bd3d06d974fbd301665630e3c5396db9c9e30d9>
"Throw RuntimeException with message"). I've found that running that test with
env var SAL_LOG=+WARN+INFO (which changes timing by producing lots of info log
output) makes the failure more likely.
When locally changing ScHeaderFooterTextData::xContentObj to be a raw pointer
(so that dead deref in ScHeaderFooterTextObj::getString can be observed with
memory checkers) and running the test with ASan, I get:
> ==9225==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x60800077cb48 at pc 0x7f523b2aca49 bp 0x7f52497e09f0 sp 0x7f52497e09e8
> READ of size 8 at 0x60800077cb48 thread T116 (cppu_threadpool)
> info:sal.file:9225:90:sal/osl/unx/file.cxx:1032:
> osl_openFile(/home/sbergman/lo-clang/core/workdir/JunitTest/sc_unoapi_4/user/user/CqlwmE,
> writeable) => 68
> info:sal.file:9225:90:sal/osl/unx/file.cxx:1074:
> osl_closeFile(/home/sbergman/lo-clang/core/workdir/JunitTest/sc_unoapi_4/user/user/CqlwmE:68)
> info:sal.osl.condition:9225:90:sal/osl/unx/conditn.cxx:85:
> osl_destroyCondition(0x6080002c7e20)
> #0 0x7f523b2aca48 in
> com::sun::star::uno::Reference<com::sun::star::sheet::XHeaderFooterContent>::Reference(com::sun::star::sheet::XHeaderFooterContent*)
> include/com/sun/star/uno/Reference.hxx:152:22
> #1 0x7f523e013502 in ScHeaderFooterTextData::GetContentObj() const
> sc/inc/textuno.hxx:133:96
> #2 0x7f523e108370 in ScHeaderFooterTextObj::getString()
> sc/source/ui/unoobj/textuno.cxx:333:78
> #3 0x7f523e108a9c in non-virtual thunk to
> ScHeaderFooterTextObj::getString() sc/source/ui/unoobj/textuno.cxx
> #4 0x7f525ff6371a in gcc3::callVirtualMethod(void*, unsigned int, void*,
> _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int,
> unsigned long*, double*)
> bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:77:5
> #5 0x7f525ff6019f in
> cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*,
> bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*,
> int, _typelib_MethodParameter*, void*, void**, _uno_Any**)
> bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:233:13
> #6 0x7f525ff5ea48 in
> bridges::cpp_uno::shared::unoInterfaceProxyDispatch(_uno_Interface*,
> _typelib_TypeDescription const*, void*, void**, _uno_Any**)
> bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:420:13
> #7 0x7f525ae5a865 in
> binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*,
> std::__debug::vector<binaryurp::BinaryAny,
> std::allocator<binaryurp::BinaryAny> >*) const
> binaryurp/source/incomingrequest.cxx:239:13
> #8 0x7f525ae5888c in binaryurp::IncomingRequest::execute() const
> binaryurp/source/incomingrequest.cxx:78:26
> #9 0x7f525aebc79b in request binaryurp/source/reader.cxx:85:9
> #10 0x7f52c6ca3303 in cppu_threadpool::JobQueue::enter(long, bool)
> cppu/source/threadpool/jobqueue.cxx:107:17
> #11 0x7f52c6ccd4a9 in cppu_threadpool::ORequestThread::run()
> cppu/source/threadpool/thread.cxx:165:31
> #12 0x7f52c6cd9742 in threadFunc include/osl/thread.hxx:185:15
> #13 0x7f52cfcf537f in osl_thread_start_Impl(void*)
> sal/osl/unx/thread.cxx:240:9
> #14 0x7f52ce2915c9 in start_thread (/lib64/libpthread.so.0+0x75c9)
> #15 0x7f52cd9a80ec in __clone (/lib64/libc.so.6+0x1030ec)
>
> 0x60800077cb48 is located 40 bytes inside of 88-byte region
> [0x60800077cb20,0x60800077cb78)
> freed by thread T118 (cppu_threadpool) here:
> #0 0x4cf730 in __interceptor_cfree.localalias.1
> /home/sbergman/clang/git/src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:54
> #1 0x7f52cfafc2e0 in rtl_freeMemory_SYSTEM(void*)
> sal/rtl/alloc_global.cxx:279:5
> #2 0x7f52cfafcf50 in rtl_freeMemory sal/rtl/alloc_global.cxx:355:5
> #3 0x7f525ff6aa68 in
> bridges::cpp_uno::shared::freeUnoInterfaceProxy(_uno_ExtEnvironment*, void*)
> bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:42:19
> #4 0x7f52c6ee2976 in (anonymous
> namespace)::s_stub_defenv_revokeInterface(__va_list_tag (*) [1])
> cppu/source/uno/lbenv.cxx:372:17
> #5 0x7f52c6e9dbc7 in s_environment_invoke_v(_uno_Environment*,
> _uno_Environment*, void (*)(__va_list_tag (*) [1]), __va_list_tag (*) [1])
> cppu/source/uno/EnvStack.cxx:293:9
> #6 0x7f52c6e9d8f2 in uno_Environment_invoke_v
> cppu/source/uno/EnvStack.cxx:312:5
> #7 0x7f52c6e9e0a2 in uno_Environment_invoke
> cppu/source/uno/EnvStack.cxx:321:5
> #8 0x7f525ae09d59 in
> com::sun::star::uno::UnoInterfaceReference::~UnoInterfaceReference()
> include/uno/dispatcher.hxx:103:9
> #9 0x7f525ae59dae in
> binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*,
> std::__debug::vector<binaryurp::BinaryAny,
> std::allocator<binaryurp::BinaryAny> >*) const
> binaryurp/source/incomingrequest.cxx:137:18
> #10 0x7f525ae5888c in binaryurp::IncomingRequest::execute() const
> binaryurp/source/incomingrequest.cxx:78:26
> #11 0x7f525aebc79b in request binaryurp/source/reader.cxx:85:9
> #12 0x7f52c6ca3303 in cppu_threadpool::JobQueue::enter(long, bool)
> cppu/source/threadpool/jobqueue.cxx:107:17
> #13 0x7f52c6ccd4a9 in cppu_threadpool::ORequestThread::run()
> cppu/source/threadpool/thread.cxx:165:31
> #14 0x7f52c6cd9742 in threadFunc include/osl/thread.hxx:185:15
> #15 0x7f52cfcf537f in osl_thread_start_Impl(void*)
> sal/osl/unx/thread.cxx:240:9
> #16 0x7f52ce2915c9 in start_thread (/lib64/libpthread.so.0+0x75c9)
>
> previously allocated by thread T116 (cppu_threadpool) here:
> #0 0x4cf8e8 in malloc
> /home/sbergman/clang/git/src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
> #1 0x7f52cfafc2b0 in rtl_allocateMemory_SYSTEM(unsigned long)
> sal/rtl/alloc_global.cxx:272:12
> #2 0x7f52cfafc88a in rtl_allocateMemory sal/rtl/alloc_global.cxx:310:12
> #3 0x7f523b2a009f in ScPageHFItem::QueryValue(com::sun::star::uno::Any&,
> unsigned char) const sc/source/core/data/attrib.cxx:575:9
> #4 0x7f52bb04b9c2 in
> SfxItemPropertySet::getPropertyValue(SfxItemPropertySimpleEntry const&,
> SfxItemSet const&, com::sun::star::uno::Any&) const
> svl/source/items/itemprop.cxx:188:16
> #5 0x7f523e0f56c0 in ScStyleObj::getPropertyValue_Impl(rtl::OUString
> const&) sc/source/ui/unoobj/styleuno.cxx:1948:39
> #6 0x7f523e0f81dd in ScStyleObj::getPropertyValue(rtl::OUString const&)
> sc/source/ui/unoobj/styleuno.cxx:1984:12
> #7 0x7f523e0f832c in non-virtual thunk to
> ScStyleObj::getPropertyValue(rtl::OUString const&)
> sc/source/ui/unoobj/styleuno.cxx
> #8 0x7f525ff6019f in
> cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*,
> bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*,
> int, _typelib_MethodParameter*, void*, void**, _uno_Any**)
> bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:233:13
> #9 0x7f525ff5ea48 in
> bridges::cpp_uno::shared::unoInterfaceProxyDispatch(_uno_Interface*,
> _typelib_TypeDescription const*, void*, void**, _uno_Any**)
> bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:420:13
> #10 0x7f525ae5a865 in
> binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*,
> std::__debug::vector<binaryurp::BinaryAny,
> std::allocator<binaryurp::BinaryAny> >*) const
> binaryurp/source/incomingrequest.cxx:239:13
> #11 0x7f525ae5888c in binaryurp::IncomingRequest::execute() const
> binaryurp/source/incomingrequest.cxx:78:26
> #12 0x7f525aebc79b in request binaryurp/source/reader.cxx:85:9
> #13 0x7f52c6ca3303 in cppu_threadpool::JobQueue::enter(long, bool)
> cppu/source/threadpool/jobqueue.cxx:107:17
> #14 0x7f52c6ccd4a9 in cppu_threadpool::ORequestThread::run()
> cppu/source/threadpool/thread.cxx:165:31
> #15 0x7f52c6cd9742 in threadFunc include/osl/thread.hxx:185:15
> #16 0x7f52cfcf537f in osl_thread_start_Impl(void*)
> sal/osl/unx/thread.cxx:240:9
> #17 0x7f52ce2915c9 in start_thread (/lib64/libpthread.so.0+0x75c9)
(with a Clang trunk -Og build that likely inlines some calls, so their frames
would be missing).
--
You are receiving this mail because:
You are the assignee for the bug._______________________________________________
Libreoffice-bugs mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/libreoffice-bugs
