Bug 104517 - WeakReference ScHeaderFooterTextData::xContentObj can die too early in JunitTest_sc_unoapi_4
Summary: WeakReference ScHeaderFooterTextData::xContentObj can die too early in JunitT...
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc (show other bugs)
Version:
(earliest affected)
unspecified
Hardware: All All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Dev-related
  Show dependency treegraph
 
Reported: 2016-12-09 09:29 UTC by Stephan Bergmann
Modified: 2021-08-09 20:45 UTC (History)
2 users (show)

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stephan Bergmann 2016-12-09 09:29:45 UTC 
Since <https://cgit.freedesktop.org/libreoffice/core/commit/?id=fc29ace3438eea09afe3ddbb5118458cbb531b06> "better fix for memory leak around calc header-footer UNO objects":

* ScHeaderFooterTextData::xContentObj has been changed to a WeakReference

* ScHeaderFooterTextObj::getString is checking that xContentObj is still alive:

>  uno::Reference<css::sheet::XHeaderFooterContent> xContentObj = aTextData.GetContentObj();
>  if (!xContentObj.is())
>      throw css::uno::RuntimeException("");

I assume that throw is meant to be of the "this cannot happen" kind (like an assert)---as otherwise that commit would apparently not be a sound change.

However, at least JunitTest_sc_unoapi_4 sporadically triggers that throw (see e.g., <https://cgit.freedesktop.org/libreoffice/core/commit/?id=8bd3d06d974fbd301665630e3c5396db9c9e30d9> "Throw RuntimeException with message").  I've found that running that test with env var SAL_LOG=+WARN+INFO (which changes timing by producing lots of info log output) makes the failure more likely.

When locally changing ScHeaderFooterTextData::xContentObj to be a raw pointer (so that dead deref in ScHeaderFooterTextObj::getString can be observed with memory checkers) and running the test with ASan, I get:

> ==9225==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800077cb48 at pc 0x7f523b2aca49 bp 0x7f52497e09f0 sp 0x7f52497e09e8
> READ of size 8 at 0x60800077cb48 thread T116 (cppu_threadpool)
> info:sal.file:9225:90:sal/osl/unx/file.cxx:1032: osl_openFile(/home/sbergman/lo-clang/core/workdir/JunitTest/sc_unoapi_4/user/user/CqlwmE, writeable) => 68
> info:sal.file:9225:90:sal/osl/unx/file.cxx:1074: osl_closeFile(/home/sbergman/lo-clang/core/workdir/JunitTest/sc_unoapi_4/user/user/CqlwmE:68)
> info:sal.osl.condition:9225:90:sal/osl/unx/conditn.cxx:85: osl_destroyCondition(0x6080002c7e20)
>     #0 0x7f523b2aca48 in com::sun::star::uno::Reference<com::sun::star::sheet::XHeaderFooterContent>::Reference(com::sun::star::sheet::XHeaderFooterContent*) include/com/sun/star/uno/Reference.hxx:152:22
>     #1 0x7f523e013502 in ScHeaderFooterTextData::GetContentObj() const sc/inc/textuno.hxx:133:96
>     #2 0x7f523e108370 in ScHeaderFooterTextObj::getString() sc/source/ui/unoobj/textuno.cxx:333:78
>     #3 0x7f523e108a9c in non-virtual thunk to ScHeaderFooterTextObj::getString() sc/source/ui/unoobj/textuno.cxx
>     #4 0x7f525ff6371a in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*) bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:77:5
>     #5 0x7f525ff6019f in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:233:13
>     #6 0x7f525ff5ea48 in bridges::cpp_uno::shared::unoInterfaceProxyDispatch(_uno_Interface*, _typelib_TypeDescription const*, void*, void**, _uno_Any**) bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:420:13
>     #7 0x7f525ae5a865 in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*, std::__debug::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny> >*) const binaryurp/source/incomingrequest.cxx:239:13
>     #8 0x7f525ae5888c in binaryurp::IncomingRequest::execute() const binaryurp/source/incomingrequest.cxx:78:26
>     #9 0x7f525aebc79b in request binaryurp/source/reader.cxx:85:9
>     #10 0x7f52c6ca3303 in cppu_threadpool::JobQueue::enter(long, bool) cppu/source/threadpool/jobqueue.cxx:107:17
>     #11 0x7f52c6ccd4a9 in cppu_threadpool::ORequestThread::run() cppu/source/threadpool/thread.cxx:165:31
>     #12 0x7f52c6cd9742 in threadFunc include/osl/thread.hxx:185:15
>     #13 0x7f52cfcf537f in osl_thread_start_Impl(void*) sal/osl/unx/thread.cxx:240:9
>     #14 0x7f52ce2915c9 in start_thread (/lib64/libpthread.so.0+0x75c9)
>     #15 0x7f52cd9a80ec in __clone (/lib64/libc.so.6+0x1030ec)
> 
> 0x60800077cb48 is located 40 bytes inside of 88-byte region [0x60800077cb20,0x60800077cb78)
> freed by thread T118 (cppu_threadpool) here:
>     #0 0x4cf730 in __interceptor_cfree.localalias.1 /home/sbergman/clang/git/src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:54
>     #1 0x7f52cfafc2e0 in rtl_freeMemory_SYSTEM(void*) sal/rtl/alloc_global.cxx:279:5
>     #2 0x7f52cfafcf50 in rtl_freeMemory sal/rtl/alloc_global.cxx:355:5
>     #3 0x7f525ff6aa68 in bridges::cpp_uno::shared::freeUnoInterfaceProxy(_uno_ExtEnvironment*, void*) bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:42:19
>     #4 0x7f52c6ee2976 in (anonymous namespace)::s_stub_defenv_revokeInterface(__va_list_tag (*) [1]) cppu/source/uno/lbenv.cxx:372:17
>     #5 0x7f52c6e9dbc7 in s_environment_invoke_v(_uno_Environment*, _uno_Environment*, void (*)(__va_list_tag (*) [1]), __va_list_tag (*) [1]) cppu/source/uno/EnvStack.cxx:293:9
>     #6 0x7f52c6e9d8f2 in uno_Environment_invoke_v cppu/source/uno/EnvStack.cxx:312:5
>     #7 0x7f52c6e9e0a2 in uno_Environment_invoke cppu/source/uno/EnvStack.cxx:321:5
>     #8 0x7f525ae09d59 in com::sun::star::uno::UnoInterfaceReference::~UnoInterfaceReference() include/uno/dispatcher.hxx:103:9
>     #9 0x7f525ae59dae in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*, std::__debug::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny> >*) const binaryurp/source/incomingrequest.cxx:137:18
>     #10 0x7f525ae5888c in binaryurp::IncomingRequest::execute() const binaryurp/source/incomingrequest.cxx:78:26
>     #11 0x7f525aebc79b in request binaryurp/source/reader.cxx:85:9
>     #12 0x7f52c6ca3303 in cppu_threadpool::JobQueue::enter(long, bool) cppu/source/threadpool/jobqueue.cxx:107:17
>     #13 0x7f52c6ccd4a9 in cppu_threadpool::ORequestThread::run() cppu/source/threadpool/thread.cxx:165:31
>     #14 0x7f52c6cd9742 in threadFunc include/osl/thread.hxx:185:15
>     #15 0x7f52cfcf537f in osl_thread_start_Impl(void*) sal/osl/unx/thread.cxx:240:9
>     #16 0x7f52ce2915c9 in start_thread (/lib64/libpthread.so.0+0x75c9)
> 
> previously allocated by thread T116 (cppu_threadpool) here:
>     #0 0x4cf8e8 in malloc /home/sbergman/clang/git/src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
>     #1 0x7f52cfafc2b0 in rtl_allocateMemory_SYSTEM(unsigned long) sal/rtl/alloc_global.cxx:272:12
>     #2 0x7f52cfafc88a in rtl_allocateMemory sal/rtl/alloc_global.cxx:310:12
>     #3 0x7f523b2a009f in ScPageHFItem::QueryValue(com::sun::star::uno::Any&, unsigned char) const sc/source/core/data/attrib.cxx:575:9
>     #4 0x7f52bb04b9c2 in SfxItemPropertySet::getPropertyValue(SfxItemPropertySimpleEntry const&, SfxItemSet const&, com::sun::star::uno::Any&) const svl/source/items/itemprop.cxx:188:16
>     #5 0x7f523e0f56c0 in ScStyleObj::getPropertyValue_Impl(rtl::OUString const&) sc/source/ui/unoobj/styleuno.cxx:1948:39
>     #6 0x7f523e0f81dd in ScStyleObj::getPropertyValue(rtl::OUString const&) sc/source/ui/unoobj/styleuno.cxx:1984:12
>     #7 0x7f523e0f832c in non-virtual thunk to ScStyleObj::getPropertyValue(rtl::OUString const&) sc/source/ui/unoobj/styleuno.cxx
>     #8 0x7f525ff6019f in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:233:13
>     #9 0x7f525ff5ea48 in bridges::cpp_uno::shared::unoInterfaceProxyDispatch(_uno_Interface*, _typelib_TypeDescription const*, void*, void**, _uno_Any**) bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:420:13
>     #10 0x7f525ae5a865 in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*, std::__debug::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny> >*) const binaryurp/source/incomingrequest.cxx:239:13
>     #11 0x7f525ae5888c in binaryurp::IncomingRequest::execute() const binaryurp/source/incomingrequest.cxx:78:26
>     #12 0x7f525aebc79b in request binaryurp/source/reader.cxx:85:9
>     #13 0x7f52c6ca3303 in cppu_threadpool::JobQueue::enter(long, bool) cppu/source/threadpool/jobqueue.cxx:107:17
>     #14 0x7f52c6ccd4a9 in cppu_threadpool::ORequestThread::run() cppu/source/threadpool/thread.cxx:165:31
>     #15 0x7f52c6cd9742 in threadFunc include/osl/thread.hxx:185:15
>     #16 0x7f52cfcf537f in osl_thread_start_Impl(void*) sal/osl/unx/thread.cxx:240:9
>     #17 0x7f52ce2915c9 in start_thread (/lib64/libpthread.so.0+0x75c9)

(with a Clang trunk -Og build that likely inlines some calls, so their frames would be missing).