https://bugs.documentfoundation.org/show_bug.cgi?id=147668
--- Comment #14 from Stephan Bergmann <[email protected]> ---

Indeed I can reproduce with LanguageTool 5.6 (see comment 2) and the instructions from comment 9: Run `soffice --writer`, then after some wait open attachment 178557, the Writer window will end up showing two menu bars, then crash at

> ==2802389==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x614000228ed8 at pc 0x7f01fe373efe bp 0x7ffe3b9ff250 sp 0x7ffe3b9ff248
> READ of size 8 at 0x614000228ed8 thread T0
> #0 in rtl::Reference<Menu>::get() const at include/rtl/ref.hxx:208:16
> (instdir/program/libfwklo.so +0x2d1defd)
> #1 in VclPtr<Menu>::get() const at include/vcl/vclptr.hxx:146:28
> (instdir/program/libfwklo.so +0x3413ed8)
> #2 in bool operator==<Menu>(Menu*, VclPtr<Menu> const&) at
> include/vcl/vclptr.hxx:239:21 (instdir/program/libfwklo.so +0x3402e1e)
> #3 in bool operator!=<Menu>(Menu*, VclPtr<Menu> const&) at
> include/vcl/vclptr.hxx:262:17 (instdir/program/libfwklo.so +0x3400ae0)
> #4 in framework::MenuBarManager::Activate(Menu*) at
> framework/source/uielement/menubarmanager.cxx:563:16
> (instdir/program/libfwklo.so +0x33dfba5)
> #5 in framework::MenuBarManager::LinkStubActivate(void*, Menu*) at
> framework/source/uielement/menubarmanager.cxx:561:1
> (instdir/program/libfwklo.so +0x33df668)
> #6 in Link<Menu*, bool>::Call(Menu*) const at include/tools/link.hxx:111:45
> (instdir/program/libvcllo.so +0x742d4b7)
> #7 in Menu::Activate() at vcl/source/window/menu.cxx:266:28
> (instdir/program/libvcllo.so +0x73d0bf2)
> #8 in Menu::HandleMenuActivateEvent(Menu*) const at
> vcl/source/window/menu.cxx:2540:16 (instdir/program/libvcllo.so +0x741833a)
> #9 in GtkSalMenu::ActivateAllSubmenus(Menu*) at
> vcl/unx/gtk3/gtksalmenu.cxx:1446:15 (instdir/program/libvclplug_gtk3lo.so
> +0x1a23c85)
> #10 in GtkSalMenu::UpdateFull() at vcl/inc/unx/gtk/gtksalmenu.hxx:119:49
> (instdir/program/libvclplug_gtk3lo.so +0x19a4e9f)
> #11 in GtkSalMenu::SetFrame(SalFrame const*) at
> vcl/unx/gtk3/gtksalmenu.cxx:1160:9 (instdir/program/libvclplug_gtk3lo.so
> +0x1a137b9)
> #12 in GtkSalMenu::MenuBarHierarchyChangeHandler(Timer*) at
> vcl/unx/gtk3/gtksalmenu.cxx:610:5 (instdir/program/libvclplug_gtk3lo.so
> +0x1a11b63)
> #13 in GtkSalMenu::LinkStubMenuBarHierarchyChangeHandler(void*, Timer*) at
> vcl/unx/gtk3/gtksalmenu.cxx:605:1 (instdir/program/libvclplug_gtk3lo.so
> +0x1a11578)
> #14 in Link<Timer*, void>::Call(Timer*) const at
> include/tools/link.hxx:111:45 (instdir/program/libvcllo.so +0xa3a3ac2)
> #15 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21
> (instdir/program/libvcllo.so +0xa3a30cc)
> #16 in Scheduler::CallbackTaskScheduling() at
> vcl/source/app/scheduler.cxx:472:16 (instdir/program/libvcllo.so +0xa2005ca)
> #17 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:54:13
> (instdir/program/libvclplug_gtk3lo.so +0x12afab8)
> #18 in sal_gtk_timeout_dispatch(_GSource*, int (*)(void*), void*) at
> vcl/unx/gtk3/gtkdata.cxx:721:45 (instdir/program/libvclplug_gtk3lo.so
> +0x12aa846)
> #19 in g_main_context_dispatch at <null> (/lib64/libglib-2.0.so.0 +0x550ae)
> #20 at <null> (/lib64/libglib-2.0.so.0 +0xaa307)
> #21 in g_main_context_iteration at <null> (/lib64/libglib-2.0.so.0 +0x528a2)
> #22 in GtkSalData::Yield(bool, bool) at vcl/unx/gtk3/gtkdata.cxx:405:31
> (instdir/program/libvclplug_gtk3lo.so +0x12a28e0)
> #23 in GtkInstance::DoYield(bool, bool) at vcl/unx/gtk3/gtkinst.cxx:427:29
> (instdir/program/libvclplug_gtk3lo.so +0x12bb66d)
> #24 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:474:48
> (instdir/program/libvcllo.so +0xa2ecddc)
> #25 in Application::Yield() at vcl/source/app/svapp.cxx:558:5
> (instdir/program/libvcllo.so +0xa2eb4b5)
> #26 in Application::Execute() at vcl/source/app/svapp.cxx:452:13
> (instdir/program/libvcllo.so +0xa2eaca1)
> #27 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1604:13
> (instdir/program/libsofficeapp.so +0x821b3e)
> #28 in ImplSVMain() at vcl/source/app/svmain.cxx:202:35
> (instdir/program/libvcllo.so +0xa38e674)
> #29 in SVMain() at vcl/source/app/svmain.cxx:234:12
> (instdir/program/libvcllo.so +0xa396da0)
> #30 in soffice_main at desktop/source/app/sofficemain.cxx:98:12
> (instdir/program/libsofficeapp.so +0xa062ce)
> #31 in sal_main at desktop/source/app/main.c:51:15
> (instdir/program/soffice.bin +0x31781c)
> #32 in main at desktop/source/app/main.c:49:1 (instdir/program/soffice.bin
> +0x3177f6)
> #33 in __libc_start_call_main at <null> (/lib64/libc.so.6 +0x2d55f)
> #34 in __libc_start_main@GLIBC_2.2.5 at <null> (/lib64/libc.so.6 +0x2d60b)
> #35 in _start at <null> (instdir/program/soffice.bin +0x255494)
>
> 0x614000228ed8 is located 152 bytes inside of 400-byte region
> [0x614000228e40,0x614000228fd0)
> freed by thread T0 here:
> #0 in free at
> ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
> (instdir/program/soffice.bin +0x2d7a22)
> #1 in rtl_freeMemory at sal/rtl/alloc_global.cxx:51:5
> (instdir/program/libuno_sal.so.3 +0x3b7d0c)
> #2 in cppu::OWeakObject::operator delete(void*) at
> include/cppuhelper/weak.hxx:91:11 (instdir/program/libfwklo.so +0x25e121c)
> #3 in framework::MenuBarManager::~MenuBarManager() at
> framework/source/uielement/menubarmanager.cxx:131:1
> (instdir/program/libfwklo.so +0x33d1471)
> #4 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:230:9
> (instdir/program/libuno_cppuhelpergcc3.so.3 +0xca3406)
> #5 in
> comphelper::WeakComponentImplHelper<com::sun::star::frame::XStatusListener,
> com::sun::star::frame::XFrameActionListener,
> com::sun::star::ui::XUIConfigurationListener,
> com::sun::star::awt::XSystemDependentMenuPeer>::release() at
> include/comphelper/compbase.hxx:66:76 (instdir/program/libfwklo.so +0x2d21052)
> #6 in
> com::sun::star::uno::Reference<com::sun::star::lang::XComponent>::clear() at
> include/com/sun/star/uno/Reference.hxx:231:15 (instdir/program/libfwklo.so
> +0x2806534)
> #7 in framework::MenuBarWrapper::dispose() at
> framework/source/uielement/menubarwrapper.cxx:132:23
> (instdir/program/libfwklo.so +0x343a3a4)
> #8 in framework::LayoutManager::impl_clearUpMenuBar() at
> framework/source/layoutmanager/layoutmanager.cxx:255:16
> (instdir/program/libfwklo.so +0x2cbb767)
> #9 in framework::LayoutManager::implts_destroyElements() at
> framework/source/layoutmanager/layoutmanager.cxx:471:5
> (instdir/program/libfwklo.so +0x2cc07ad)
> #10 in framework::LayoutManager::implts_reset(bool) at
> framework/source/layoutmanager/layoutmanager.cxx:440:17
> (instdir/program/libfwklo.so +0x2cbff63)
> #11 in
> framework::LayoutManager::frameAction(com::sun::star::frame::FrameActionEvent
> const&) at framework/source/layoutmanager/layoutmanager.cxx:2715:9
> (instdir/program/libfwklo.so +0x2d02aa7)
> #12 in (anonymous
> namespace)::XFrameImpl::implts_sendFrameActionEvent(com::sun::star::frame::FrameAction
> const&) at framework/source/services/frame.cxx:2950:79
> (instdir/program/libfwklo.so +0x2f73ba6)
> #13 in (anonymous
> namespace)::XFrameImpl::setComponent(com::sun::star::uno::Reference<com::sun::star::awt::XWindow>
> const&, com::sun::star::uno::Reference<com::sun::star::frame::XController>
> const&) at framework/source/services/frame.cxx:1456:9
> (instdir/program/libfwklo.so +0x2f574cb)
> #14 in (anonymous
> namespace)::SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2>
> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame>
> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) at
> sfx2/source/view/frmload.cxx:581:15 (instdir/program/libsfxlo.so +0x5c1a20c)
> #15 in (anonymous
> namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame>
> const&) at sfx2/source/view/frmload.cxx:702:13 (instdir/program/libsfxlo.so
> +0x5c1226b)
> #16 in framework::LoadEnv::impl_loadContent() at
> framework/source/loadenv/loadenv.cxx:1156:37 (instdir/program/libfwklo.so
> +0x2e3bc62)
> #17 in framework::LoadEnv::start() at
> framework/source/loadenv/loadenv.cxx:395:20 (instdir/program/libfwklo.so
> +0x2e323d9)
> #18 in framework::LoadEnv::startLoading(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&,
> com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&,
> rtl::OUString const&, int, LoadEnvFeatures) at
> framework/source/loadenv/loadenv.cxx:300:5 (instdir/program/libfwklo.so
> +0x2e2aae4)
> #19 in framework::LoadDispatcher::impl_dispatch(com::sun::star::util::URL
> const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&,
> com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener>
> const&) at framework/source/dispatch/loaddispatcher.cxx:106:19
> (instdir/program/libfwklo.so +0x28018b9)
>
> previously allocated by thread T0 here:
> #0 in malloc at
> ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
> (instdir/program/soffice.bin +0x2d7cce)
> #1 in rtl_allocateMemory at sal/rtl/alloc_global.cxx:38:12
> (instdir/program/libuno_sal.so.3 +0x3b7599)
> #2 in cppu::OWeakObject::operator new(unsigned long) at
> include/cppuhelper/weak.hxx:89:18 (instdir/program/libfwklo.so +0x25e0dec)
> #3 in
> framework::MenuBarWrapper::initialize(com::sun::star::uno::Sequence<com::sun::star::uno::Any>
> const&) at framework/source/uielement/menubarwrapper.cxx:210:29
> (instdir/program/libfwklo.so +0x343c799)
> #4 in framework::MenuBarFactory::CreateUIElement(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&,
> std::basic_string_view<char16_t, std::char_traits<char16_t> >,
> com::sun::star::uno::Reference<com::sun::star::ui::XUIElement> const&,
> com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext>
> const&) at framework/source/uifactory/menubarfactory.cxx:158:12
> (instdir/program/libfwklo.so +0x384c01f)
> #5 in framework::MenuBarFactory::createUIElement(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)
> at framework/source/uifactory/menubarfactory.cxx:59:5
> (instdir/program/libfwklo.so +0x3849a8f)
> #6 in non-virtual thunk to
> framework::MenuBarFactory::createUIElement(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)
> at framework/source/uifactory/menubarfactory.cxx (instdir/program/libfwklo.so
> +0x384c2f3)
> #7 in (anonymous
> namespace)::UIElementFactoryManager::createUIElement(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)
> at framework/source/uifactory/uielementfactorymanager.cxx:439:39
> (instdir/program/libfwklo.so +0x386abf1)
> #8 in non-virtual thunk to (anonymous
> namespace)::UIElementFactoryManager::createUIElement(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&)
> at framework/source/uifactory/uielementfactorymanager.cxx
> (instdir/program/libfwklo.so +0x3870323)
> #9 in framework::LayoutManager::implts_createElement(rtl::OUString const&)
> at framework/source/layoutmanager/layoutmanager.cxx:732:50
> (instdir/program/libfwklo.so +0x2cb8c19)
> #10 in framework::LayoutManager::implts_createMenuBar(rtl::OUString const&)
> at framework/source/layoutmanager/layoutmanager.cxx:155:18
> (instdir/program/libfwklo.so +0x2cb536b)
> #11 in framework::LayoutManager::createElement(rtl::OUString const&) at
> framework/source/layoutmanager/layoutmanager.cxx:1442:13
> (instdir/program/libfwklo.so +0x2ce30a7)
> #12 in SfxDispatcher::SetMenu_Impl() at
> sfx2/source/control/dispatch.cxx:1026:33 (instdir/program/libsfxlo.so
> +0x40aa568)
> #13 in SfxDispatcher::Update_Impl(bool) at
> sfx2/source/control/dispatch.cxx:1091:9 (instdir/program/libsfxlo.so
> +0x4098947)
> #14 in
> SfxBaseController::ConnectSfxFrame_Impl(SfxBaseController::ConnectSfxFrame)
> at sfx2/source/view/sfxbasecontroller.cxx:1249:50
> (instdir/program/libsfxlo.so +0x5cb884f)
> #15 in
> SfxBaseController::attachFrame(com::sun::star::uno::Reference<com::sun::star::frame::XFrame>
> const&) at sfx2/source/view/sfxbasecontroller.cxx:530:9
> (instdir/program/libsfxlo.so +0x5cb2f9e)
> #16 in (anonymous
> namespace)::SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2>
> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame>
> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) at
> sfx2/source/view/frmload.cxx:582:18 (instdir/program/libsfxlo.so +0x5c1a40b)
> #17 in (anonymous
> namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame>
> const&) at sfx2/source/view/frmload.cxx:702:13 (instdir/program/libsfxlo.so
> +0x5c1226b)
> #18 in framework::LoadEnv::impl_loadContent() at
> framework/source/loadenv/loadenv.cxx:1156:37 (instdir/program/libfwklo.so
> +0x2e3bc62)
> #19 in framework::LoadEnv::start() at
> framework/source/loadenv/loadenv.cxx:395:20 (instdir/program/libfwklo.so
> +0x2e323d9)
>
> SUMMARY: AddressSanitizer: heap-use-after-free include/rtl/ref.hxx:208:16 in
> rtl::Reference<Menu>::get() const
> Shadow bytes around the buggy address:
> 0x0c288003d180: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c288003d190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c288003d1a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c288003d1b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
> 0x0c288003d1c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> =>0x0c288003d1d0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
> 0x0c288003d1e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c288003d1f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
> 0x0c288003d200: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 0x0c288003d210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c288003d220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
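Added example (not LibreOffice code) that models the ownership pattern the two traces above show: the manager installs a `Link` to itself on a `Menu` that outlives it, the manager is freed through `dispose()` (the "freed by" trace), and a later timer-driven `Menu::Activate()` calls the stale `Link` (the "READ" trace). The `Link`, `Menu`, `MenuBarManager` and `dispose(bool)` here are simplified stand-ins, and the mitigation shown (clearing the handler before the manager is destroyed) is an assumption about how such a dangling callback is avoided, not the project's actual fix.

```cpp
#include <memory>

struct Menu;

// Stand-in for Link<Menu*, bool>: an instance pointer plus a stub function.
struct Link {
    void* inst = nullptr;
    bool (*stub)(void*, Menu*) = nullptr;
    bool Call(Menu* m) const { return stub ? stub(inst, m) : false; }
};

// The Menu outlives the manager; the Link it stores is the dangling edge.
struct Menu {
    Link activateHdl;
    bool Activate() { return activateHdl.Call(this); }
};

struct MenuBarManager {
    Menu* m_pMenu;
    explicit MenuBarManager(Menu* p) : m_pMenu(p) {
        m_pMenu->activateHdl = Link{this, &MenuBarManager::LinkStubActivate};
    }
    static bool LinkStubActivate(void* inst, Menu* m) {
        return static_cast<MenuBarManager*>(inst)->Activate(m);
    }
    bool Activate(Menu* m) { return m == m_pMenu; }
    // Assumed mitigation: with unhook=true the Link is cleared before the
    // manager dies; with false it is left pointing at soon-freed memory,
    // which is what ASan reports once the timer calls Menu::Activate().
    void dispose(bool unhook) {
        if (unhook) m_pMenu->activateHdl = Link{};
    }
};

// True if, after dispose() and destruction, the Menu still holds a Link into
// the freed manager, i.e. the next deferred Activate() would be a UAF.
// The stale pointer is only compared, never called, so this is safe to run.
bool staleLinkRemains(bool unhook) {
    Menu menu;
    auto pMgr = std::make_unique<MenuBarManager>(&menu);
    pMgr->dispose(unhook);
    pMgr.reset();                       // frees the manager, as in the trace
    return menu.activateHdl.inst != nullptr;
}

// After the mitigated dispose, a deferred Activate() is a harmless no-op.
bool deferredActivateIsSafe() {
    Menu menu;
    { MenuBarManager mgr(&menu); mgr.dispose(true); }
    return !menu.Activate() && menu.activateHdl.stub == nullptr;
}
```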
