https://bugs.documentfoundation.org/show_bug.cgi?id=153519
Bug ID: 153519
Summary: heap-use-after-free involving SwContentTree::m_aUpdTimer during UITest_sw_navigator
Product: LibreOffice
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: Writer
Assignee: [email protected]
Reporter: [email protected]
UITest_sw_navigator UITEST_TEST_NAME=tdf151051.tdf151051.test_tdf151051
occasionally (see e.g. <https://ci.libreoffice.org/job/lo_ubsan/2659/>) fails
with
> ======================================================================
> ERROR: test_tdf151051 (tdf151051.tdf151051)
> ----------------------------------------------------------------------
> Traceback (most recent call last):
> File "uitest/uitest/test.py", line 95, in load_file
> yield self.load_component_from_url(url)
> File "sw/qa/uitest/navigator/tdf151051.py", line 41, in test_tdf151051
> xHeadings.executeAction("EXPAND", tuple())
> tdf151051.com.sun.star.lang.DisposedException: Binary URP bridge disposed
> during call at binaryurp/source/bridge.cxx:613
With my local Linux ASan+UBSan --enable-dbgutil build on master towards LO 7.6
at 2023-02-09 f121b890f8f70fe2a0e633d3b4ad59c27ebba9b3, doing
> cd sw && while make -rs UITest_sw_navigator; do :; done
while the machine is also loaded with other work done in parallel, I managed to
see it fail twice (once after 58 and once after 133 successful attempts) and
report
> =================================================================
> ==3401690==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x60f000248c28 at pc 0x7f37120f0163 bp 0x7fff9f5bc110 sp 0x7fff9f5bc108
> READ of size 4 at 0x60f000248c28 thread T0
> #0 in SvTreeListEntry::HasChildrenOnDemand() const at
> vcl/source/treelist/treelistentry.cxx:201:30
> #1 in SvTreeListBox::Expand(SvTreeListEntry*) at
> vcl/source/treelist/treelistbox.cxx:2040:18
> #2 in TreeListEntryUIObject::execute(rtl::OUString const&,
> std::__debug::map<rtl::OUString, rtl::OUString, std::less<rtl::OUString>,
> std::allocator<std::pair<rtl::OUString const, rtl::OUString>>> const&) at
> vcl/source/treelist/uiobject.cxx:144:21
> #3 in UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0::operator()() const at
> vcl/source/uitest/uno/uiobject_uno.cxx:138:16
> #4 in void std::__invoke_impl<void,
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&>(std::__invoke_other,
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/invoke.h:61:14
> #5 in std::enable_if<is_invocable_r_v<void,
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&>, void>::type std::__invoke_r<void,
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&>(UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/invoke.h:111:2
> #6 in std::_Function_handler<void (),
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0>::_M_invoke(std::_Any_data const&) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/std_function.h:290:9
> #7 in std::function<void ()>::operator()() const at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/std_function.h:591:9
> #8 in (anonymous namespace)::ExecuteWrapper::ExecuteActionHdl(Timer*) at
> vcl/source/uitest/uno/uiobject_uno.cxx:103:13
> #9 in (anonymous namespace)::ExecuteWrapper::LinkStubExecuteActionHdl(void*,
> Timer*) at vcl/source/uitest/uno/uiobject_uno.cxx:98:1
> #10 in Link<Timer*, void>::Call(Timer*) const at
> include/tools/link.hxx:111:45
> #11 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21
> #12 in Scheduler::CallbackTaskScheduling() at
> vcl/source/app/scheduler.cxx:481:20
> #13 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:54:13
> #14 in SvpSalInstance::CheckTimeout(bool) at vcl/headless/svpinst.cxx:161:53
> #15 in SvpSalInstance::ImplYield(bool, bool) at
> vcl/headless/svpinst.cxx:399:17
> #16 in SvpSalInstance::DoYield(bool, bool) at vcl/headless/svpinst.cxx:471:21
> #17 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:475:48
> #18 in Application::Yield() at vcl/source/app/svapp.cxx:559:5
> #19 in Application::Execute() at vcl/source/app/svapp.cxx:453:13
> #20 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1604:13
> #21 in ImplSVMain() at vcl/source/app/svmain.cxx:203:35
> #22 in SVMain() at vcl/source/app/svmain.cxx:235:12
> #23 in soffice_main at desktop/source/app/sofficemain.cxx:94:12
> #24 in sal_main at desktop/source/app/main.c:51:15
> #25 in main at desktop/source/app/main.c:49:1
>
> 0x60f000248c28 is located 152 bytes inside of 168-byte region
> [0x60f000248b90,0x60f000248c38)
> freed by thread T0 here:
> #0 in operator delete(void*, unsigned long) at
> ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:164:3
> #1 in SvTreeListEntry::~SvTreeListEntry() at
> vcl/source/treelist/treelistentry.cxx:61:1
> #2 in std::default_delete<SvTreeListEntry>::operator()(SvTreeListEntry*)
> const at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/unique_ptr.h:102:2
> #3 in std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>::~unique_ptr() at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/unique_ptr.h:407:4
> #4 in void std::destroy_at<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>>(std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_construct.h:88:15
> #5 in void std::_Destroy<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>>(std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_construct.h:149:7
> #6 in void
> std::_Destroy_aux<false>::__destroy<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*>(std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*, std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_construct.h:163:6
> #7 in void std::_Destroy<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*>(std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*, std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_construct.h:195:7
> #8 in void std::_Destroy<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*, std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>>(std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*, std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*,
> std::allocator<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>>&) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/alloc_traits.h:947:7
> #9 in std::__cxx1998::vector<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>,
> std::allocator<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>>>::_M_erase_at_end(std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>*) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_vector.h:1932:6
> #10 in std::__cxx1998::vector<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>,
> std::allocator<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>>>::clear() at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/stl_vector.h:1601:9
> #11 in std::__debug::vector<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>,
> std::allocator<std::unique_ptr<SvTreeListEntry,
> std::default_delete<SvTreeListEntry>>>>::clear() at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/debug/vector:729:9
> #12 in SvTreeListEntry::ClearChildren() at
> vcl/source/treelist/treelistentry.cxx:28:16
> #13 in SvTreeList::Clear() at vcl/source/treelist/treelist.cxx:123:16
> #14 in SvTreeListBox::Clear() at vcl/source/treelist/treelistbox.cxx:420:17
> #15 in SalInstanceTreeView::clear() at vcl/source/app/salvtables.cxx:4240:18
> #16 in SwContentTree::clear() at sw/source/uibase/utlui/content.cxx:2661:18
> #17 in SwContentTree::Display(bool) at
> sw/source/uibase/utlui/content.cxx:2506:5
> #18 in SwContentTree::TimerUpdate(Timer*) at
> sw/source/uibase/utlui/content.cxx:3777:17
> #19 in SwContentTree::LinkStubTimerUpdate(void*, Timer*) at
> sw/source/uibase/utlui/content.cxx:3747:1
> #20 in Link<Timer*, void>::Call(Timer*) const at
> include/tools/link.hxx:111:45
> #21 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21
> #22 in Scheduler::CallbackTaskScheduling() at
> vcl/source/app/scheduler.cxx:481:20
> #23 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:54:13
> #24 in SvpSalInstance::CheckTimeout(bool) at vcl/headless/svpinst.cxx:161:53
> #25 in SvpSalInstance::ImplYield(bool, bool) at
> vcl/headless/svpinst.cxx:399:17
> #26 in SvpSalInstance::DoYield(bool, bool) at vcl/headless/svpinst.cxx:471:21
> #27 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:475:48
> #28 in Application::Yield() at vcl/source/app/svapp.cxx:559:5
> #29 in Application::Execute() at vcl/source/app/svapp.cxx:453:13
> #30 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1604:13
> #31 in ImplSVMain() at vcl/source/app/svmain.cxx:203:35
> #32 in SVMain() at vcl/source/app/svmain.cxx:235:12
> #33 in soffice_main at desktop/source/app/sofficemain.cxx:94:12
> #34 in sal_main at desktop/source/app/main.c:51:15
> #35 in main at desktop/source/app/main.c:49:1
>
> previously allocated by thread T0 here:
> #0 in operator new(unsigned long) at
> ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
> #1 in SalInstanceTreeView::do_insert(weld::TreeIter const*, int,
> rtl::OUString const*, rtl::OUString const*, rtl::OUString const*,
> VirtualDevice const*, bool, weld::TreeIter*, bool) at
> vcl/source/app/salvtables.cxx:3780:31
> #2 in SalInstanceTreeView::insert(weld::TreeIter const*, int, rtl::OUString
> const*, rtl::OUString const*, rtl::OUString const*, VirtualDevice*, bool,
> weld::TreeIter*) at vcl/source/app/salvtables.cxx:4123:5
> #3 in virtual thunk to SalInstanceTreeView::insert(weld::TreeIter const*,
> int, rtl::OUString const*, rtl::OUString const*, rtl::OUString const*,
> VirtualDevice*, bool, weld::TreeIter*) at vcl/source/app/salvtables.cxx
> #4 in SwContentTree::insert(weld::TreeIter const*, rtl::OUString const&,
> rtl::OUString const&, bool, weld::TreeIter*) at
> sw/source/uibase/utlui/content.cxx:2097:18
> #5 in SwContentTree::Display(bool) at
> sw/source/uibase/utlui/content.cxx:2555:17
> #6 in SwContentTree::ExecCommand(std::basic_string_view<char,
> std::char_traits<char>>, bool) at sw/source/uibase/utlui/content.cxx:3530:9
> #7 in SwNavigationPI::ToolBoxSelectHdl(rtl::OString const&) at
> sw/source/uibase/utlui/navipi.cxx:300:29
> #8 in SwNavigationPI::LinkStubToolBoxSelectHdl(void*, rtl::OString const&)
> at sw/source/uibase/utlui/navipi.cxx:194:1
> #9 in Link<rtl::OString const&, void>::Call(rtl::OString const&) const at
> include/tools/link.hxx:111:45
> #10 in weld::Toolbar::signal_clicked(rtl::OString const&) at
> include/vcl/weld.hxx:2452:62
> #11 in SalInstanceToolbar::ClickHdl(ToolBox*) at
> vcl/source/app/salvtables.cxx:1246:5
> #12 in SalInstanceToolbar::LinkStubClickHdl(void*, ToolBox*) at
> vcl/source/app/salvtables.cxx:1243:1
> #13 in Link<ToolBox*, void>::Call(ToolBox*) const at
> include/tools/link.hxx:111:45
> #14 in ToolBox::Select() at vcl/source/window/toolbox2.cxx:373:17
> #15 in ToolBoxUIObject::execute(rtl::OUString const&,
> std::__debug::map<rtl::OUString, rtl::OUString, std::less<rtl::OUString>,
> std::allocator<std::pair<rtl::OUString const, rtl::OUString>>> const&) at
> vcl/source/uitest/uiobject.cxx:1673:24
> #16 in UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0::operator()() const at
> vcl/source/uitest/uno/uiobject_uno.cxx:138:16
> #17 in void std::__invoke_impl<void,
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&>(std::__invoke_other,
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/invoke.h:61:14
> #18 in std::enable_if<is_invocable_r_v<void,
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&>, void>::type std::__invoke_r<void,
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&>(UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0&) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/invoke.h:111:2
> #19 in std::_Function_handler<void (),
> UIObjectUnoObj::executeAction(rtl::OUString const&,
> com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
> const&)::$_0>::_M_invoke(std::_Any_data const&) at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/std_function.h:290:9
> #20 in std::function<void ()>::operator()() const at
> ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/13.0.1/../../../../include/c++/13.0.1/bits/std_function.h:591:9
> #21 in (anonymous namespace)::ExecuteWrapper::ExecuteActionHdl(Timer*) at
> vcl/source/uitest/uno/uiobject_uno.cxx:103:13
> #22 in (anonymous
> namespace)::ExecuteWrapper::LinkStubExecuteActionHdl(void*, Timer*) at
> vcl/source/uitest/uno/uiobject_uno.cxx:98:1
> #23 in Link<Timer*, void>::Call(Timer*) const at
> include/tools/link.hxx:111:45
> #24 in Timer::Invoke() at vcl/source/app/timer.cxx:75:21
> #25 in Scheduler::CallbackTaskScheduling() at
> vcl/source/app/scheduler.cxx:481:20
> #26 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:54:13
> #27 in SvpSalInstance::CheckTimeout(bool) at vcl/headless/svpinst.cxx:161:53
> #28 in SvpSalInstance::ImplYield(bool, bool) at
> vcl/headless/svpinst.cxx:399:17
> #29 in SvpSalInstance::DoYield(bool, bool) at vcl/headless/svpinst.cxx:471:21
> #30 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:475:48
> #31 in Application::Yield() at vcl/source/app/svapp.cxx:559:5
> #32 in Application::Execute() at vcl/source/app/svapp.cxx:453:13
> #33 in desktop::Desktop::Main() at desktop/source/app/app.cxx:1604:13
> #34 in ImplSVMain() at vcl/source/app/svmain.cxx:203:35
> #35 in SVMain() at vcl/source/app/svmain.cxx:235:12
> #36 in soffice_main at desktop/source/app/sofficemain.cxx:94:12
> #37 in sal_main at desktop/source/app/main.c:51:15
> #38 in main at desktop/source/app/main.c:49:1
>
> SUMMARY: AddressSanitizer: heap-use-after-free
> vcl/source/treelist/treelistentry.cxx:201:30 in
> SvTreeListEntry::HasChildrenOnDemand() const
> Shadow bytes around the buggy address:
> ==3401690==ABORTING
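To make the ordering behind the three traces concrete (allocation in Display() from the toolbar command, free in clear() from TimerUpdate(), use in Expand() from the deferred ExecuteActionHdl), here is an added illustration that is not LibreOffice code: Entry, TreeList, Handle, Scheduler and run_scenario are hypothetical stand-ins. A deferred EXPAND either keeps a raw pointer captured when it was queued (the failure mode above) or re-resolves its target when it finally runs; a generation counter on the tree lets the stale handle be rejected without dereferencing it.

```cpp
// Added illustration, not LibreOffice code: heap-owned tree entries, an "update timer"
// that rebuilds the tree, and a deferred action that captured an entry pointer earlier.
#include <deque>
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Entry { std::string name; bool expanded = false; };

// Stands in for SvTreeList: entries are owned by unique_ptr and all die on clear().
class TreeList {
public:
    struct Handle { Entry* ptr; unsigned generation; };  // what a deferred action should hold
    Handle insert(const std::string& name) {
        entries_.push_back(std::make_unique<Entry>(Entry{name, false}));
        return {entries_.back().get(), generation_};
    }
    void clear() { entries_.clear(); ++generation_; }  // every Entry destroyed, epoch advanced
    Handle find(const std::string& name) const {
        for (const auto& p : entries_) if (p->name == name) return {p.get(), generation_};
        return {nullptr, generation_};
    }
    // Hardened expand: a handle from an older epoch may point at freed memory, and a bare
    // pointer-membership check would not do, since the rebuilt tree can reuse that address.
    bool expand(const Handle& h) {
        if (h.ptr == nullptr || h.generation != generation_) return false;  // stale handle
        h.ptr->expanded = true;
        return true;
    }
private:
    std::vector<std::unique_ptr<Entry>> entries_;
    unsigned generation_ = 0;
};

// Single-threaded queue in place of vcl's Timer/Scheduler: callbacks run later, in order.
using Scheduler = std::deque<std::function<void()>>;

// Returns whether the deferred EXPAND took effect. The timer ordering is the race in the
// report; reresolve_by_name selects the handle-by-identity variant instead of the raw pointer.
bool run_scenario(bool update_timer_fires_first, bool reresolve_by_name) {
    TreeList tree;
    Scheduler sched;
    TreeList::Handle captured = tree.insert("Headings");  // what the test harness holds on to
    bool expanded = false;
    auto refresh = [&] { tree.clear(); tree.insert("Headings"); };  // TimerUpdate -> Display
    auto expand_action = [&] {                                        // ExecuteActionHdl
        TreeList::Handle h = reresolve_by_name ? tree.find("Headings") : captured;
        expanded = tree.expand(h);
    };
    if (update_timer_fires_first) { sched.push_back(refresh); sched.push_back(expand_action); }
    else                          { sched.push_back(expand_action); sched.push_back(refresh); }
    while (!sched.empty()) { auto cb = sched.front(); sched.pop_front(); cb(); }
    return expanded;
}
```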