Bug 121030 - FreetypeFontInstance use-after-free during CppunitTest_sw_dialogs_test
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: graphics stack
Version: 6.2.0.0.alpha1+ (earliest affected)
Hardware: All All
Importance: medium normal
Assignee: Not Assigned
Whiteboard: target:6.2.0
Reported: 2018-10-29 15:38 UTC by Stephan Bergmann
Modified: 2018-11-01 16:01 UTC

Description Stephan Bergmann 2018-10-29 15:38:59 UTC
At least on a current master Linux ASan build (in an X11 session), `make CppunitTest_sw_dialogs_test` (run as part of `make screenshot`) fails with

> =================================================================
> ==18158==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100039c998 at pc 0x7f8d033e36a8 bp 0x7ffcaeaee9d0 sp 0x7ffcaeaee9c8
> READ of size 8 at 0x61100039c998 thread T0
>  #0 in FreetypeFontInstance::GetFreetypeFont() const at vcl/inc/unx/freetype_glyphcache.hxx:118:52 (instdir/program/libvcllo.so +0x22096a7)
>  #1 in getFreetypeFontFromGlyph(GlyphItem const&) at vcl/inc/unx/freetype_glyphcache.hxx:126:72 (instdir/program/libvcllo.so +0x220bbc7)
>  #2 in CairoTextRender::GetGlyphBoundRect(GlyphItem const&, tools::Rectangle&) at vcl/unx/generic/gdi/cairotextrender.cxx:447:25 (instdir/program/libvcllo.so +0x21fde64)
>  #3 in SvpSalGraphics::GetGlyphBoundRect(GlyphItem const&, tools::Rectangle&) at vcl/headless/svptext.cxx:97:30 (instdir/program/libvcllo.so +0x21f78b6)
>  #4 in SalLayout::GetBoundRect(SalGraphics&, tools::Rectangle&) const at vcl/source/gdi/sallayout.cxx:680:26 (instdir/program/libvcllo.so +0x19dd9ad)
>  #5 in OutputDevice::GetTextBoundRect(tools::Rectangle&, rtl::OUString const&, int, int, int, unsigned long, long const*, std::__debug::vector<GlyphItem, std::allocator<GlyphItem> > const*) const at vcl/source/outdev/text.cxx:2362:28 (instdir/program/libvcllo.so +0x13367ed)
>  #6 in Ruler::ImplVDrawText(OutputDevice&, long, long, rtl::OUString const&, long, long) at svtools/source/control/ruler.cxx:347:20 (instdir/program/libsvtlo.so +0x9db7b5)
>  #7 in Ruler::ImplDrawTicks(OutputDevice&, long, long, long, long, long) at svtools/source/control/ruler.cxx:593:17 (instdir/program/libsvtlo.so +0x9df2d8)
>  #8 in Ruler::ImplFormat(OutputDevice const&) at svtools/source/control/ruler.cxx:1243:5 (instdir/program/libsvtlo.so +0x9e673a)
>  #9 in Ruler::ImplDraw(OutputDevice&) at svtools/source/control/ruler.cxx:1314:9 (instdir/program/libsvtlo.so +0x9e7631)
>  #10 in Ruler::Paint(OutputDevice&, tools::Rectangle const&) at svtools/source/control/ruler.cxx:2063:5 (instdir/program/libsvtlo.so +0x9ef2e7)
>  #11 in SwCommentRuler::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/uibase/misc/swruler.cxx:102:15 (instdir/program/libswlo.so +0x3e32a26)
>  #12 in PaintHelper::DoPaint(vcl::Region const*) at vcl/source/window/paint.cxx:300:24 (instdir/program/libvcllo.so +0x8765e1)
>  #13 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:604:17 (instdir/program/libvcllo.so +0x87b692)
>  #14 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x8799a2)
>  #15 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b7ba)
>  #16 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x8799a2)
>  #17 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b7ba)
>  #18 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x8799a2)
>  #19 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b7ba)
>  #20 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x8799a2)
>  #21 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b7ba)
>  #22 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x8799a2)
>  #23 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b7ba)
>  #24 in vcl::Window::ImplCallOverlapPaint() at vcl/source/window/paint.cxx:628:9 (instdir/program/libvcllo.so +0x87bd42)
>  #25 in vcl::Window::ImplHandlePaintHdl(Timer*) at vcl/source/window/paint.cxx:649:9 (instdir/program/libvcllo.so +0x87c09a)
>  #26 in vcl::Window::LinkStubImplHandlePaintHdl(void*, Timer*) at vcl/source/window/paint.cxx:632:1 (instdir/program/libvcllo.so +0x87bde7)
>  #27 in Link<Timer*, void>::Call(Timer*) const at include/tools/link.hxx:84:45 (instdir/program/libvcllo.so +0x1d6d326)
>  #28 in Timer::Invoke() at vcl/source/app/timer.cxx:77:21 (instdir/program/libvcllo.so +0x1d6cfa6)
>  #29 in Scheduler::ProcessTaskScheduling() at vcl/source/app/scheduler.cxx:474:20 (instdir/program/libvcllo.so +0x1cb5ed8)
>  #30 in Scheduler::CallbackTaskScheduling() at vcl/source/app/scheduler.cxx:284:5 (instdir/program/libvcllo.so +0x1cb3cdc)
>  #31 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:55:13 (instdir/program/libvclplug_gtk3lo.so +0x1b4cd8)
>  #32 in sal_gtk_timeout_dispatch(_GSource*, int (*)(void*), void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:696:45 (instdir/program/libvclplug_gtk3lo.so +0x1b2bf6)
>  #33 in g_main_dispatch at gmain.c:3182:28 (/lib64/libglib-2.0.so.0 +0x4e26c)
>  #34 in g_main_context_dispatch at gmain.c:3847:7 (/lib64/libglib-2.0.so.0 +0x4e26c)
>  #35 in g_main_context_iterate at gmain.c:3920:5 (/lib64/libglib-2.0.so.0 +0x4e637)
>  #36 in g_main_context_iteration at gmain.c:3981:12 (/lib64/libglib-2.0.so.0 +0x4e6cf)
>  #37 in GtkSalData::Yield(bool, bool) at vcl/unx/gtk3/gtk3gtkdata.cxx:463:31 (instdir/program/libvclplug_gtk3lo.so +0x1af0dc)
>  #38 in GtkInstance::DoYield(bool, bool) at vcl/unx/gtk3/../gtk/gtkinst.cxx:406:29 (instdir/program/libvclplug_gtk3lo.so +0x1b9186)
>  #39 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:438:48 (instdir/program/libvcllo.so +0x1d21c17)
>  #40 in Application::Yield() at vcl/source/app/svapp.cxx:502:5 (instdir/program/libvcllo.so +0x1d216a3)
>  #41 in Dialog::ensureRepaint() at vcl/source/window/dialog.cxx:992:9 (instdir/program/libvcllo.so +0xabfdd6)
>  #42 in Dialog::createScreenshot() at vcl/source/window/dialog.cxx:1003:5 (instdir/program/libvcllo.so +0xabff50)
>  #43 in ScreenshotTest::saveScreenshot(Dialog&) at test/source/screenshot_test.cxx:111:40 (workdir/LinkTarget/CppunitTest/../Library/libtest.so +0x91502)
>  #44 in ScreenshotTest::dumpDialogToPath(Dialog&) at test/source/screenshot_test.cxx:180:9 (workdir/LinkTarget/CppunitTest/../Library/libtest.so +0x92bcd)
>  #45 in ScreenshotTest::dumpDialogToPath(rtl::OString const&) at test/source/screenshot_test.cxx:212:13 (workdir/LinkTarget/CppunitTest/../Library/libtest.so +0x93656)
>  #46 in ScreenshotTest::processDialogBatchFile(rtl::OUString const&) at test/source/screenshot_test.cxx:272:17 (workdir/LinkTarget/CppunitTest/../Library/libtest.so +0x94371)
>  #47 in SwDialogsTest::openAnyDialog() at sw/qa/unit/sw-dialogs-test.cxx:98:5 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x8867)
>  #48 in void std::__invoke_impl<void, void (SwDialogsTest::*&)(), SwDialogsTest*&>(std::__invoke_memfun_deref, void (SwDialogsTest::*&)(), SwDialogsTest*&) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/invoke.h:73:14 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x1428f)
>  #49 in std::__invoke_result<void (SwDialogsTest::*&)(), SwDialogsTest*&>::type std::__invoke<void (SwDialogsTest::*&)(), SwDialogsTest*&>(void (SwDialogsTest::*&)(), SwDialogsTest*&) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/invoke.h:95:14 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x14121)
>  #50 in void std::_Bind<void (SwDialogsTest::* (SwDialogsTest*))()>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/functional:400:11 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x14063)
>  #51 in void std::_Bind<void (SwDialogsTest::* (SwDialogsTest*))()>::operator()<void>() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/functional:482:17 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x13e7e)
>  #52 in std::_Function_handler<void (), std::_Bind<void (SwDialogsTest::* (SwDialogsTest*))()> >::_M_invoke(std::_Any_data const&) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/std_function.h:297:2 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x1384c)
>  #53 in std::function<void ()>::operator()() const at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/std_function.h:687:14 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x144ae)
>  #54 in CppUnit::TestCaller<SwDialogsTest>::runTest() at workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:175:7 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x133d8)
>  #55 in CppUnit::TestCaseMethodFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:32:5 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10c085)
>  #56 in (anonymous namespace)::Protector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at test/source/vclbootstrapprotector.cxx:49:14 (workdir/LinkTarget/Library/libvclbootstrapprotector.so +0x1505)
>  #57 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #58 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unobootstrapprotector/unobootstrapprotector.cxx:89:12 (workdir/LinkTarget/Library/unobootstrapprotector.so +0x4c35)
>  #59 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #60 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unoexceptionprotector/unoexceptionprotector.cxx:63:16 (workdir/LinkTarget/Library/unoexceptionprotector.so +0x38c8)
>  #61 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #62 in CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/DefaultProtector.cpp:15:12 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xbe26f)
>  #63 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #64 in CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:86:18 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf087a)
>  #65 in CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:182:28 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x13d55a)
>  #66 in CppUnit::TestCase::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:91:13 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10b148)
>  #67 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cfc5)
>  #68 in CppUnit::TestComposite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cb04)
>  #69 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cfc5)
>  #70 in CppUnit::TestComposite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cb04)
>  #71 in CppUnit::TestRunner::WrappingSuite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:47:27 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x15346f)
>  #72 in CppUnit::TestResult::runTest(CppUnit::Test*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:149:9 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x13ca56)
>  #73 in CppUnit::TestRunner::run(CppUnit::TestResult&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:96:14 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x153ba6)
>  #74 in (anonymous namespace)::ProtectedFixtureFunctor::run() const at sal/cppunittester/cppunittester.cxx:316:20 (workdir/LinkTarget/Executable/cppunittester +0x533a49)
>  #75 in sal_main() at sal/cppunittester/cppunittester.cxx:466:20 (workdir/LinkTarget/Executable/cppunittester +0x531bd5)
>  #76 in main at sal/cppunittester/cppunittester.cxx:373:1 (workdir/LinkTarget/Executable/cppunittester +0x530ec6)
>  #77 in __libc_start_main at /usr/src/debug/glibc-2.28/csu/../csu/libc-start.c:308:16 (/lib64/libc.so.6 +0x24412)
>  #78 in _start at <null> (workdir/LinkTarget/Executable/cppunittester +0x4219ed)
> 
> 0x61100039c998 is located 216 bytes inside of 224-byte region [0x61100039c8c0,0x61100039c9a0)
> freed by thread T0 here:
>  #0 in operator delete(void*) at /home/sbergman/github.com/llvm-project/llvm-project-20170507/compiler-rt/lib/asan/asan_new_delete.cc:167:3 (workdir/LinkTarget/Executable/cppunittester +0x52e8d8)
>  #1 in salhelper::SimpleReferenceObject::operator delete(void*) at salhelper/source/simplereferenceobject.cxx:50:5 (instdir/program/libuno_salhelpergcc3.so.3 +0x6ee4)
>  #2 in FreetypeFontInstance::~FreetypeFontInstance() at vcl/unx/generic/glyphs/glyphcache.cxx:276:1 (instdir/program/libvcllo.so +0x2239f11)
>  #3 in salhelper::SimpleReferenceObject::release() at include/salhelper/simplereferenceobject.hxx:72:49 (instdir/program/libvcllo.so +0xf12e5b)
>  #4 in rtl::Reference<LogicalFontInstance>::~Reference() at include/rtl/ref.hxx:90:22 (instdir/program/libvcllo.so +0xefc928)
>  #5 in std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >::~pair() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/stl_iterator.h:1262:12 (instdir/program/libvcllo.so +0x223c3fb)
>  #6 in void __gnu_cxx::new_allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> >::destroy<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > >(std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >*) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/ext/new_allocator.h:140:28 (instdir/program/libvcllo.so +0x223c3c8)
>  #7 in void std::allocator_traits<std::allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> > >::destroy<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > >(std::allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> >&, std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >*) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/alloc_traits.h:487:8 (instdir/program/libvcllo.so +0x223c2f7)
>  #8 in std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> > >::_M_deallocate_node(std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true>*) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/hashtable_policy.h:2100:7 (instdir/program/libvcllo.so +0x223c289)
>  #9 in std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> > >::_M_deallocate_nodes(std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true>*) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/hashtable_policy.h:2113:4 (instdir/program/libvcllo.so +0x223c194)
>  #10 in std::_Hashtable<rtl::Reference<LogicalFontInstance>, std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, std::allocator<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > >, std::__detail::_Select1st, GlyphCache::IFSD_Equal, GlyphCache::IFSD_Hash, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::clear() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/hashtable.h:2047:13 (instdir/program/libvcllo.so +0x223bfb5)
>  #11 in std::__cxx1998::unordered_map<rtl::Reference<LogicalFontInstance>, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> >, GlyphCache::IFSD_Hash, GlyphCache::IFSD_Equal, std::allocator<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > > >::clear() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/unordered_map.h:846:14 (instdir/program/libvcllo.so +0x223ccc4)
>  #12 in std::__debug::unordered_map<rtl::Reference<LogicalFontInstance>, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> >, GlyphCache::IFSD_Hash, GlyphCache::IFSD_Equal, std::allocator<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > > >::clear() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/debug/unordered_map:199:9 (instdir/program/libvcllo.so +0x223a412)
>  #13 in GlyphCache::ClearFontCache() at vcl/unx/generic/glyphs/glyphcache.cxx:49:16 (instdir/program/libvcllo.so +0x2237682)
>  #14 in CairoTextRender::ClearDevFontCache() at vcl/unx/generic/gdi/cairotextrender.cxx:392:9 (instdir/program/libvcllo.so +0x21fd19d)
>  #15 in SvpSalGraphics::ClearDevFontCache() at vcl/headless/svptext.cxx:56:23 (instdir/program/libvcllo.so +0x21f76bb)
>  #16 in OutputDevice::ImplClearAllFontData(bool) at vcl/source/outdev/font.cxx:588:38 (instdir/program/libvcllo.so +0x12f59b8)
>  #17 in OutputDevice::ImplUpdateAllFontData(bool) at vcl/source/outdev/font.cxx:602:5 (instdir/program/libvcllo.so +0x12f647c)
>  #18 in ImplHandleSalSettings(SalEvent) at vcl/source/window/winproc.cxx:2123:17 (instdir/program/libvcllo.so +0xf30910)
>  #19 in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) at vcl/source/window/winproc.cxx:2481:13 (instdir/program/libvcllo.so +0xf292d6)
>  #20 in SalFrame::CallCallback(SalEvent, void const*) const at vcl/inc/salframe.hxx:280:29 (instdir/program/libvcllo.so +0x21a926b)
>  #21 in SalGenericDisplay::ProcessEvent(SalUserEventList::SalUserEvent) at vcl/unx/generic/app/gendisp.cxx:67:22 (instdir/program/libvcllo.so +0x21f1537)
>  #22 in SalUserEventList::DispatchUserEvents(bool) at vcl/source/app/salusereventlist.cxx:109:17 (instdir/program/libvcllo.so +0x1c13a50)
>  #23 in SalGenericDisplay::DispatchInternalEvent(bool) at vcl/unx/generic/app/gendisp.cxx:52:12 (instdir/program/libvcllo.so +0x21f12f4)
>  #24 in call_userEventFn(void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:788:27 (instdir/program/libvclplug_gtk3lo.so +0x1b1bce)
>  #25 in g_idle_dispatch at gmain.c:5620:11 (/lib64/libglib-2.0.so.0 +0x4ab7a)
> 
> previously allocated by thread T0 here:
>  #0 in operator new(unsigned long) at /home/sbergman/github.com/llvm-project/llvm-project-20170507/compiler-rt/lib/asan/asan_new_delete.cc:106:3 (workdir/LinkTarget/Executable/cppunittester +0x52db20)
>  #1 in salhelper::SimpleReferenceObject::operator new(unsigned long) at salhelper/source/simplereferenceobject.cxx:34:12 (instdir/program/libuno_salhelpergcc3.so.3 +0x6f04)
>  #2 in FreetypeFontFace::CreateFontInstance(FontSelectPattern const&) const at vcl/unx/generic/glyphs/freetype_glyphcache.cxx:344:12 (instdir/program/libvcllo.so +0x221cc1f)
>  #3 in ImplFontCache::GetFontInstance(PhysicalFontCollection const*, FontSelectPattern&) at vcl/source/font/fontcache.cxx:145:36 (instdir/program/libvcllo.so +0x1f726c4)
>  #4 in ImplFontCache::GetFontInstance(PhysicalFontCollection const*, vcl::Font const&, Size const&, float, bool) at vcl/source/font/fontcache.cxx:104:12 (instdir/program/libvcllo.so +0x1f71b18)
>  #5 in OutputDevice::ImplNewFont() const at vcl/source/outdev/font.cxx:1034:35 (instdir/program/libvcllo.so +0x12eef78)
>  #6 in OutputDevice::InitFont() const at vcl/source/outdev/font.cxx:957:10 (instdir/program/libvcllo.so +0x12f2794)
>  #7 in OutputDevice::ImplLayout(rtl::OUString const&, int, int, Point const&, long, long const*, SalLayoutFlags, vcl::TextLayoutCache const*, std::__debug::vector<GlyphItem, std::allocator<GlyphItem> > const*) const at vcl/source/outdev/text.cxx:1250:10 (instdir/program/libvcllo.so +0x1320971)
>  #8 in OutputDevice::GetTextBoundRect(tools::Rectangle&, rtl::OUString const&, int, int, int, unsigned long, long const*, std::__debug::vector<GlyphItem, std::allocator<GlyphItem> > const*) const at vcl/source/outdev/text.cxx:2357:18 (instdir/program/libvcllo.so +0x13366a8)
>  #9 in Ruler::ImplInit(long) at svtools/source/control/ruler.cxx:236:5 (instdir/program/libsvtlo.so +0x9d8766)
>  #10 in Ruler::Ruler(vcl::Window*, long) at svtools/source/control/ruler.cxx:280:5 (instdir/program/libsvtlo.so +0x9d9cbc)
>  #11 in SvxRuler::SvxRuler(vcl::Window*, vcl::Window*, SvxRulerSupportFlags, SfxBindings&, long) at svx/source/dialog/svxruler.cxx:225:5 (instdir/program/libsvxlo.so +0xa0ec4e)
>  #12 in VclPtr<SvxRuler> VclPtr<SvxRuler>::Create<vcl::Window*, VclPtr<SwEditWin>&, o3tl::is_typed_flags<SvxRulerSupportFlags, 255>::Wrap, SfxBindings&, long>(vcl::Window*&&, VclPtr<SwEditWin>&, o3tl::is_typed_flags<SvxRulerSupportFlags, 255>::Wrap&&, SfxBindings&, long&&) at include/vcl/vclptr.hxx:135:46 (instdir/program/libswlo.so +0x40acf66)
>  #13 in SwView::SwView(SfxViewFrame*, SfxViewShell*) at sw/source/uibase/uiview/view.cxx:727:15 (instdir/program/libswlo.so +0x40984c8)
>  #14 in SwView::CreateInstance(SfxViewFrame*, SfxViewShell*) at sw/source/uibase/uiview/view0.cxx:78:1 (instdir/program/libswlo.so +0x40b976a)
>  #15 in SfxViewFactory::CreateInstance(SfxViewFrame*, SfxViewShell*) at sfx2/source/view/viewfac.cxx:28:12 (instdir/program/libsfxlo.so +0x15ec2a9)
>  #16 in SfxBaseModel::createViewController(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/doc/sfxbasemodel.cxx:4089:46 (instdir/program/libsfxlo.so +0x1287aeb)
>  #17 in non-virtual thunk to SfxBaseModel::createViewController(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/doc/sfxbasemodel.cxx (instdir/program/libsfxlo.so +0x1288945)
>  #18 in (anonymous namespace)::SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) at sfx2/source/view/frmload.cxx:584:60 (instdir/program/libsfxlo.so +0x1590ce9)
>  #19 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/frmload.cxx:711:13 (instdir/program/libsfxlo.so +0x158c436)
>  #20 in framework::LoadEnv::impl_loadContent() at framework/source/loadenv/loadenv.cxx:1149:37 (instdir/program/libfwklo.so +0x56a94c)
>  #21 in framework::LoadEnv::startLoading() at framework/source/loadenv/loadenv.cxx:383:20 (instdir/program/libfwklo.so +0x56046f)
>  #22 in framework::LoadEnv::loadComponentFromURL(com::sun::star::uno::Reference<com::sun::star::frame::XComponentLoader> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/loadenv/loadenv.cxx:169:14 (instdir/program/libfwklo.so +0x55d5d3)
>  #23 in framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx:619:12 (instdir/program/libfwklo.so +0x6229af)
>  #24 in non-virtual thunk to framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx (instdir/program/libfwklo.so +0x622b7a)
>  #25 in unotest::MacrosTest::loadFromDesktop(rtl::OUString const&, rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at unotest/source/cpp/macros_test.cxx:50:60 (workdir/LinkTarget/CppunitTest/../Library/libunotest.so +0x31aa9)
>  #26 in SwDialogsTest::setUp() at sw/qa/unit/sw-dialogs-test.cxx:64:18 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x7d6c)
>  #27 in CppUnit::TestCaller<SwDialogsTest>::setUp() at workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:180:15 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x13479)
>  #28 in CppUnit::TestCaseMethodFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:32:5 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10c085)
>  #29 in (anonymous namespace)::Protector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at test/source/vclbootstrapprotector.cxx:49:14 (workdir/LinkTarget/Library/libvclbootstrapprotector.so +0x1505)
>  #30 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #31 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unobootstrapprotector/unobootstrapprotector.cxx:89:12 (workdir/LinkTarget/Library/unobootstrapprotector.so +0x4c35)
>  #32 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #33 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unoexceptionprotector/unoexceptionprotector.cxx:63:16 (workdir/LinkTarget/Library/unoexceptionprotector.so +0x38c8)
>  #34 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #35 in CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/DefaultProtector.cpp:15:12 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xbe26f)
>  #36 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #37 in CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:86:18 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf087a)
>  #38 in CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:182:28 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x13d55a)
>  #39 in CppUnit::TestCase::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:87:16 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10af1c)
>  #40 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cfc5)
>  #41 in CppUnit::TestComposite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cb04)
>  #42 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cfc5)
>  #43 in CppUnit::TestComposite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cb04)
>  #44 in CppUnit::TestRunner::WrappingSuite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:47:27 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x15346f)
>  #45 in CppUnit::TestResult::runTest(CppUnit::Test*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:149:9 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x13ca56)
>  #46 in CppUnit::TestRunner::run(CppUnit::TestResult&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:96:14 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x153ba6)
>  #47 in (anonymous namespace)::ProtectedFixtureFunctor::run() const at sal/cppunittester/cppunittester.cxx:316:20 (workdir/LinkTarget/Executable/cppunittester +0x533a49)
>  #48 in sal_main() at sal/cppunittester/cppunittester.cxx:466:20 (workdir/LinkTarget/Executable/cppunittester +0x531bd5)
>  #49 in main at sal/cppunittester/cppunittester.cxx:373:1 (workdir/LinkTarget/Executable/cppunittester +0x530ec6)
> 
> SUMMARY: AddressSanitizer: heap-use-after-free vcl/inc/unx/freetype_glyphcache.hxx:118:52 in FreetypeFontInstance::GetFreetypeFont() const
> ==18158==ABORTING
Comment 1 Stephan Bergmann 2018-10-29 15:39:33 UTC
I experimentally added the attached patch locally to turn GlyphItem::m_pFontInstance into an rtl::Reference (as LogicalFontInstance derives from salhelper::SimpleReferenceObject; patch needs to be a bit bigger because GlyphItem is in include/vcl/ while LogicalFontInstance is merely in vcl/inc/), but that still causes use-after-free of FreetypeFont (which isn't ref-counted, but rather held by std::unique_ptr), see below.

> diff --git a/include/vcl/glyphitem.hxx b/include/vcl/glyphitem.hxx
> index 306466b67723..ff1a347cb882 100644
> --- a/include/vcl/glyphitem.hxx
> +++ b/include/vcl/glyphitem.hxx
> @@ -41,21 +41,21 @@ struct VCL_DLLPUBLIC GlyphItem
>      sal_GlyphId m_aGlyphId;
>      Point m_aLinearPos; // absolute position of non rotated string
>  
> -    LogicalFontInstance* m_pFontInstance;
> +    rtl::Reference<LogicalFontInstance> m_pFontInstance;
>  
>      GlyphItem(int nCharPos, int nCharCount, sal_GlyphId aGlyphId, const Point& rLinearPos,
> -              long nFlags, int nOrigWidth, int nXOffset, LogicalFontInstance* pFontInstance)
> -        : m_nFlags(nFlags)
> -        , m_nCharPos(nCharPos)
> -        , m_nCharCount(nCharCount)
> -        , m_nOrigWidth(nOrigWidth)
> -        , m_nNewWidth(nOrigWidth)
> -        , m_nXOffset(nXOffset)
> -        , m_aGlyphId(aGlyphId)
> -        , m_aLinearPos(rLinearPos)
> -        , m_pFontInstance(pFontInstance)
> -    {
> -    }
> +              long nFlags, int nOrigWidth, int nXOffset,
> +              rtl::Reference<LogicalFontInstance> const & pFontInstance);
> +
> +    GlyphItem(GlyphItem const &);
> +
> +    GlyphItem(GlyphItem &&);
> +
> +    ~GlyphItem();
> +
> +    GlyphItem & operator =(GlyphItem const &);
> +
> +    GlyphItem & operator =(GlyphItem &&);
>  
>      enum
>      {
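Review bot: The move constructor and move assignment operator declared here (`GlyphItem(GlyphItem &&);` and `GlyphItem & operator =(GlyphItem &&);`) have no `noexcept`, and because they are defaulted out of line in glyphitem.cxx they keep exactly the exception specification written on this declaration. GlyphItem is stored in a std::vector (`m_GlyphItems`, and the `std::__debug::vector<GlyphItem, ...>` parameter visible in the traces), and a vector that reallocates falls back to the copy constructor when the move constructor may throw, so every growth would copy each element and acquire and release the font instance's reference count instead of moving it. Declaring both move operations `noexcept` here and in the .cxx definitions avoids that.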
> diff --git a/solenv/clang-format/blacklist b/solenv/clang-format/blacklist
> index 2c9172ff98d4..fcdc39b509c4 100644
> --- a/solenv/clang-format/blacklist
> +++ b/solenv/clang-format/blacklist
> @@ -18063,6 +18063,7 @@ vcl/source/font/fontcharmap.cxx
>  vcl/source/font/fontinstance.cxx
>  vcl/source/font/fontmetric.cxx
>  vcl/source/font/fontselect.cxx
> +vcl/source/font/glyphitem.cxx
>  vcl/source/fontsubset/cff.cxx
>  vcl/source/fontsubset/fontsubset.cxx
>  vcl/source/fontsubset/list.cxx
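Review bot: The added line `vcl/source/font/glyphitem.cxx` exempts from clang-format a file that this same patch creates, so it never gets formatted at all. If the blacklist is meant for pre-existing files, run clang-format on the new file (its `operator =(` and `const &` spacing would change) and drop this line; if the entry is needed to keep the moved constructor byte-identical with the header it came from, say so in the commit message.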
> diff --git a/vcl/Library_vcl.mk b/vcl/Library_vcl.mk
> index a16134017627..d54cbbe8e989 100644
> --- a/vcl/Library_vcl.mk
> +++ b/vcl/Library_vcl.mk
> @@ -401,6 +401,7 @@ $(eval $(call gb_Library_add_exception_objects,vcl,\
>      vcl/source/font/fontcharmap \
>      vcl/source/font/fontmetric \
>      vcl/source/font/font \
> +    vcl/source/font/glyphitem \
>      vcl/source/fontsubset/cff \
>      vcl/source/fontsubset/fontsubset \
>      vcl/source/fontsubset/list \
> diff --git a/vcl/inc/unx/freetype_glyphcache.hxx b/vcl/inc/unx/freetype_glyphcache.hxx
> index 58cd4eba38b1..c3cf5e8ab61e 100644
> --- a/vcl/inc/unx/freetype_glyphcache.hxx
> +++ b/vcl/inc/unx/freetype_glyphcache.hxx
> @@ -123,7 +123,7 @@ inline FreetypeFont* getFreetypeFontFromGlyph(const GlyphItem& rGlyph)
>      assert(rGlyph.m_pFontInstance);
>      if (!rGlyph.m_pFontInstance)
>          return nullptr;
> -    return static_cast<FreetypeFontInstance*>(rGlyph.m_pFontInstance)->GetFreetypeFont();
> +    return static_cast<FreetypeFontInstance*>(rGlyph.m_pFontInstance.get())->GetFreetypeFont();
>  }
>  
>  #endif // INCLUDED_VCL_GENERIC_GLYPHS_GCACH_FTYP_HXX
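Review bot: In getFreetypeFontFromGlyph, the new `m_pFontInstance.get()` call only guarantees that the FreetypeFontInstance is alive; the FreetypeFont* returned by `GetFreetypeFont()` is still a raw pointer to an object that, per the second trace, is owned by a std::unique_ptr in the GlyphCache map and destroyed by GlyphCache::ClearFontCache(). The function therefore still hands callers such as CairoTextRender::GetGlyphBoundRect a pointer that can dangle after a font cache clear. The lifetime of FreetypeFont needs to be tied to the ref-counted instance, or the instance's pointer needs to be reset when the cache entry is destroyed so that this function returns nullptr, which callers then have to check. A smaller point: the `assert(rGlyph.m_pFontInstance)` directly followed by `if (!rGlyph.m_pFontInstance) return nullptr;` gives debug and release builds different behaviour for the same input, so it is worth deciding which of the two is intended.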
> diff --git a/vcl/qt5/Qt5Graphics_Text.cxx b/vcl/qt5/Qt5Graphics_Text.cxx
> index 79b5c8fe1f8e..c4d9970ec93a 100644
> --- a/vcl/qt5/Qt5Graphics_Text.cxx
> +++ b/vcl/qt5/Qt5Graphics_Text.cxx
> @@ -154,7 +154,7 @@ void Qt5Graphics::GetGlyphWidths(const PhysicalFontFace* /*pPFF*/, bool /*bVerti
>  
>  bool Qt5Graphics::GetGlyphBoundRect(const GlyphItem& rGlyph, tools::Rectangle& rRect)
>  {
> -    Qt5Font* pFont = static_cast<Qt5Font*>(rGlyph.m_pFontInstance);
> +    Qt5Font* pFont = static_cast<Qt5Font*>(rGlyph.m_pFontInstance.get());
>      if (!pFont)
>          return false;
>  
> diff --git a/vcl/source/font/glyphitem.cxx b/vcl/source/font/glyphitem.cxx
> new file mode 100644
> index 000000000000..9efb5c413648
> --- /dev/null
> +++ b/vcl/source/font/glyphitem.cxx
> @@ -0,0 +1,51 @@
> +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
> +/*
> + * This file is part of the LibreOffice project.
> + *
> + * This Source Code Form is subject to the terms of the Mozilla Public
> + * License, v. 2.0. If a copy of the MPL was not distributed with this
> + * file, You can obtain one at http://mozilla.org/MPL/2.0/.
> + *
> + * This file incorporates work covered by the following license notice:
> + *
> + *   Licensed to the Apache Software Foundation (ASF) under one or more
> + *   contributor license agreements. See the NOTICE file distributed
> + *   with this work for additional information regarding copyright
> + *   ownership. The ASF licenses this file to you under the Apache
> + *   License, Version 2.0 (the "License"); you may not use this file
> + *   except in compliance with the License. You may obtain a copy of
> + *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
> + */
> +
> +#include <sal/config.h>
> +
> +#include <vcl/glyphitem.hxx>
> +
> +#include <fontinstance.hxx>
> +
> +GlyphItem::GlyphItem(int nCharPos, int nCharCount, sal_GlyphId aGlyphId, const Point& rLinearPos,
> +                     long nFlags, int nOrigWidth, int nXOffset,
> +                     rtl::Reference<LogicalFontInstance> const & pFontInstance)
> +    : m_nFlags(nFlags)
> +    , m_nCharPos(nCharPos)
> +    , m_nCharCount(nCharCount)
> +    , m_nOrigWidth(nOrigWidth)
> +    , m_nNewWidth(nOrigWidth)
> +    , m_nXOffset(nXOffset)
> +    , m_aGlyphId(aGlyphId)
> +    , m_aLinearPos(rLinearPos)
> +    , m_pFontInstance(pFontInstance)
> +{
> +}
> +
> +GlyphItem::GlyphItem(GlyphItem const &) = default;
> +
> +GlyphItem::GlyphItem(GlyphItem &&) = default;
> +
> +GlyphItem::~GlyphItem() = default;
> +
> +GlyphItem & GlyphItem::operator =(GlyphItem const &) = default;
> +
> +GlyphItem & GlyphItem::operator =(GlyphItem &&) = default;
> +
> +/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
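Review bot: The five `= default` special members at the end of this file carry no comment explaining why they are defined out of line, and the next cleanup pass is likely to move them back into the header. The reason is visible only from the surrounding patch: include/vcl/glyphitem.hxx cannot include `<fontinstance.hxx>` from vcl/inc/, so LogicalFontInstance is incomplete there and the `rtl::Reference<LogicalFontInstance>` member can only be copied, moved and destroyed where the type is complete. A one-line comment above `GlyphItem::GlyphItem(GlyphItem const &) = default;` stating that would document the constraint.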
> diff --git a/vcl/source/gdi/CommonSalLayout.cxx b/vcl/source/gdi/CommonSalLayout.cxx
> index 8831d9457174..1536b6659743 100644
> --- a/vcl/source/gdi/CommonSalLayout.cxx
> +++ b/vcl/source/gdi/CommonSalLayout.cxx
> @@ -570,7 +570,7 @@ bool GenericSalLayout::LayoutText(ImplLayoutArgs& rArgs, const SalLayoutGlyphs*
>  
>                  Point aNewPos(aCurrPos.X() + nXOffset, aCurrPos.Y() + nYOffset);
>                  const GlyphItem aGI(nCharPos, nCharCount, nGlyphIndex, aNewPos, nGlyphFlags,
> -                                    nAdvance, nXOffset, mpFont.get());
> +                                    nAdvance, nXOffset, mpFont);
>                  m_GlyphItems.push_back(aGI);
>  
>                  aCurrPos.AdjustX(nAdvance );
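Review bot: In LayoutText, `const GlyphItem aGI(..., mpFont);` followed by `m_GlyphItems.push_back(aGI);` now copies a ref-counted member, so each glyph costs one acquire for the local, a second acquire for the vector element and a release when the local goes out of scope. Constructing in place with `m_GlyphItems.emplace_back(nCharPos, nCharCount, nGlyphIndex, aNewPos, nGlyphFlags, nAdvance, nXOffset, mpFont);` leaves a single acquire per glyph. The kashida loop in ApplyDXArray has the same shape (`GlyphItem aKashida(...)` then `m_GlyphItems.insert(pGlyphIter, aKashida)`) and could use `m_GlyphItems.emplace(pGlyphIter, ...)` in the same way.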
> @@ -767,7 +767,7 @@ void GenericSalLayout::ApplyDXArray(ImplLayoutArgs& rArgs)
>              int const nFlags = GlyphItem::IS_IN_CLUSTER | GlyphItem::IS_RTL_GLYPH;
>              while (nCopies--)
>              {
> -                GlyphItem aKashida(nCharPos, 0, nKashidaIndex, aPos, nFlags, nKashidaWidth, 0, mpFont.get());
> +                GlyphItem aKashida(nCharPos, 0, nKashidaIndex, aPos, nFlags, nKashidaWidth, 0, mpFont);
>                  pGlyphIter = m_GlyphItems.insert(pGlyphIter, aKashida);
>                  aPos.AdjustX(nKashidaWidth );
>                  aPos.AdjustX( -nOverlap );

> =================================================================
> ==28531==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000243580 at pc 0x7f9d7a7d3b41 bp 0x7ffc4c98bd70 sp 0x7ffc4c98bd68
> READ of size 8 at 0x60c000243580 thread T0
>  #0 in rtl::Reference<FreetypeFontInstance>::is() const at include/rtl/ref.hxx:195:17 (instdir/program/libvcllo.so +0x2226b40)
>  #1 in FreetypeFont::GetGlyphBoundRect(GlyphItem const&, tools::Rectangle&) at vcl/unx/generic/glyphs/freetype_glyphcache.cxx:593:5 (instdir/program/libvcllo.so +0x221f287)
>  #2 in CairoTextRender::GetGlyphBoundRect(GlyphItem const&, tools::Rectangle&) at vcl/unx/generic/gdi/cairotextrender.cxx:452:15 (instdir/program/libvcllo.so +0x21fce63)
>  #3 in SvpSalGraphics::GetGlyphBoundRect(GlyphItem const&, tools::Rectangle&) at vcl/headless/svptext.cxx:97:30 (instdir/program/libvcllo.so +0x21f6856)
>  #4 in SalLayout::GetBoundRect(SalGraphics&, tools::Rectangle&) const at vcl/source/gdi/sallayout.cxx:680:26 (instdir/program/libvcllo.so +0x19ddbfd)
>  #5 in OutputDevice::GetTextBoundRect(tools::Rectangle&, rtl::OUString const&, int, int, int, unsigned long, long const*, std::__debug::vector<GlyphItem, std::allocator<GlyphItem> > const*) const at vcl/source/outdev/text.cxx:2362:28 (instdir/program/libvcllo.so +0x1336a3d)
>  #6 in Ruler::ImplVDrawText(OutputDevice&, long, long, rtl::OUString const&, long, long) at svtools/source/control/ruler.cxx:347:20 (instdir/program/libsvtlo.so +0x9db7e5)
>  #7 in Ruler::ImplDrawTicks(OutputDevice&, long, long, long, long, long) at svtools/source/control/ruler.cxx:593:17 (instdir/program/libsvtlo.so +0x9df308)
>  #8 in Ruler::ImplFormat(OutputDevice const&) at svtools/source/control/ruler.cxx:1243:5 (instdir/program/libsvtlo.so +0x9e676a)
>  #9 in Ruler::ImplDraw(OutputDevice&) at svtools/source/control/ruler.cxx:1314:9 (instdir/program/libsvtlo.so +0x9e7661)
>  #10 in Ruler::Paint(OutputDevice&, tools::Rectangle const&) at svtools/source/control/ruler.cxx:2063:5 (instdir/program/libsvtlo.so +0x9ef317)
>  #11 in SwCommentRuler::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/uibase/misc/swruler.cxx:102:15 (instdir/program/libswlo.so +0x3e33c16)
>  #12 in PaintHelper::DoPaint(vcl::Region const*) at vcl/source/window/paint.cxx:300:24 (instdir/program/libvcllo.so +0x876671)
>  #13 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:604:17 (instdir/program/libvcllo.so +0x87b722)
>  #14 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x879a32)
>  #15 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b84a)
>  #16 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x879a32)
>  #17 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b84a)
>  #18 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x879a32)
>  #19 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b84a)
>  #20 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x879a32)
>  #21 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b84a)
>  #22 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:540:30 (instdir/program/libvcllo.so +0x879a32)
>  #23 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:610:1 (instdir/program/libvcllo.so +0x87b84a)
>  #24 in vcl::Window::ImplCallOverlapPaint() at vcl/source/window/paint.cxx:628:9 (instdir/program/libvcllo.so +0x87bdd2)
>  #25 in vcl::Window::ImplHandlePaintHdl(Timer*) at vcl/source/window/paint.cxx:649:9 (instdir/program/libvcllo.so +0x87c12a)
>  #26 in vcl::Window::LinkStubImplHandlePaintHdl(void*, Timer*) at vcl/source/window/paint.cxx:632:1 (instdir/program/libvcllo.so +0x87be77)
>  #27 in Link<Timer*, void>::Call(Timer*) const at include/tools/link.hxx:84:45 (instdir/program/libvcllo.so +0x1d6bd86)
>  #28 in Timer::Invoke() at vcl/source/app/timer.cxx:77:21 (instdir/program/libvcllo.so +0x1d6ba06)
>  #29 in Scheduler::ProcessTaskScheduling() at vcl/source/app/scheduler.cxx:474:20 (instdir/program/libvcllo.so +0x1cb4938)
>  #30 in Scheduler::CallbackTaskScheduling() at vcl/source/app/scheduler.cxx:284:5 (instdir/program/libvcllo.so +0x1cb273c)
>  #31 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:55:13 (instdir/program/libvclplug_gtk3lo.so +0x1b4cd8)
>  #32 in sal_gtk_timeout_dispatch(_GSource*, int (*)(void*), void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:696:45 (instdir/program/libvclplug_gtk3lo.so +0x1b2bf6)
>  #33 in g_main_dispatch at gmain.c:3182:28 (/lib64/libglib-2.0.so.0 +0x4e26c)
>  #34 in g_main_context_dispatch at gmain.c:3847:7 (/lib64/libglib-2.0.so.0 +0x4e26c)
>  #35 in g_main_context_iterate at gmain.c:3920:5 (/lib64/libglib-2.0.so.0 +0x4e637)
>  #36 in g_main_context_iteration at gmain.c:3981:12 (/lib64/libglib-2.0.so.0 +0x4e6cf)
>  #37 in GtkSalData::Yield(bool, bool) at vcl/unx/gtk3/gtk3gtkdata.cxx:463:31 (instdir/program/libvclplug_gtk3lo.so +0x1af0dc)
>  #38 in GtkInstance::DoYield(bool, bool) at vcl/unx/gtk3/../gtk/gtkinst.cxx:406:29 (instdir/program/libvclplug_gtk3lo.so +0x1b9186)
>  #39 in ImplYield(bool, bool) at vcl/source/app/svapp.cxx:438:48 (instdir/program/libvcllo.so +0x1d20677)
>  #40 in Application::Yield() at vcl/source/app/svapp.cxx:502:5 (instdir/program/libvcllo.so +0x1d20103)
>  #41 in Dialog::ensureRepaint() at vcl/source/window/dialog.cxx:992:9 (instdir/program/libvcllo.so +0xabfe66)
>  #42 in Dialog::createScreenshot() at vcl/source/window/dialog.cxx:1003:5 (instdir/program/libvcllo.so +0xabffe0)
>  #43 in ScreenshotTest::saveScreenshot(Dialog&) at test/source/screenshot_test.cxx:111:40 (workdir/LinkTarget/CppunitTest/../Library/libtest.so +0x91502)
>  #44 in ScreenshotTest::dumpDialogToPath(Dialog&) at test/source/screenshot_test.cxx:180:9 (workdir/LinkTarget/CppunitTest/../Library/libtest.so +0x92bcd)
>  #45 in ScreenshotTest::dumpDialogToPath(rtl::OString const&) at test/source/screenshot_test.cxx:212:13 (workdir/LinkTarget/CppunitTest/../Library/libtest.so +0x93656)
>  #46 in ScreenshotTest::processDialogBatchFile(rtl::OUString const&) at test/source/screenshot_test.cxx:272:17 (workdir/LinkTarget/CppunitTest/../Library/libtest.so +0x94371)
>  #47 in SwDialogsTest::openAnyDialog() at sw/qa/unit/sw-dialogs-test.cxx:98:5 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x8867)
>  #48 in void std::__invoke_impl<void, void (SwDialogsTest::*&)(), SwDialogsTest*&>(std::__invoke_memfun_deref, void (SwDialogsTest::*&)(), SwDialogsTest*&) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/invoke.h:73:14 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x1428f)
>  #49 in std::__invoke_result<void (SwDialogsTest::*&)(), SwDialogsTest*&>::type std::__invoke<void (SwDialogsTest::*&)(), SwDialogsTest*&>(void (SwDialogsTest::*&)(), SwDialogsTest*&) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/invoke.h:95:14 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x14121)
>  #50 in void std::_Bind<void (SwDialogsTest::* (SwDialogsTest*))()>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/functional:400:11 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x14063)
>  #51 in void std::_Bind<void (SwDialogsTest::* (SwDialogsTest*))()>::operator()<void>() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/functional:482:17 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x13e7e)
>  #52 in std::_Function_handler<void (), std::_Bind<void (SwDialogsTest::* (SwDialogsTest*))()> >::_M_invoke(std::_Any_data const&) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/std_function.h:297:2 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x1384c)
>  #53 in std::function<void ()>::operator()() const at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/std_function.h:687:14 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x144ae)
>  #54 in CppUnit::TestCaller<SwDialogsTest>::runTest() at workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:175:7 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x133d8)
>  #55 in CppUnit::TestCaseMethodFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:32:5 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10c085)
>  #56 in (anonymous namespace)::Protector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at test/source/vclbootstrapprotector.cxx:49:14 (workdir/LinkTarget/Library/libvclbootstrapprotector.so +0x1505)
>  #57 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #58 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unobootstrapprotector/unobootstrapprotector.cxx:89:12 (workdir/LinkTarget/Library/unobootstrapprotector.so +0x4c35)
>  #59 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #60 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unoexceptionprotector/unoexceptionprotector.cxx:63:16 (workdir/LinkTarget/Library/unoexceptionprotector.so +0x38c8)
>  #61 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #62 in CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/DefaultProtector.cpp:15:12 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xbe26f)
>  #63 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #64 in CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:86:18 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf087a)
>  #65 in CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:182:28 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x13d55a)
>  #66 in CppUnit::TestCase::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:91:13 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10b148)
>  #67 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cfc5)
>  #68 in CppUnit::TestComposite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cb04)
>  #69 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cfc5)
>  #70 in CppUnit::TestComposite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cb04)
>  #71 in CppUnit::TestRunner::WrappingSuite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:47:27 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x15346f)
>  #72 in CppUnit::TestResult::runTest(CppUnit::Test*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:149:9 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x13ca56)
>  #73 in CppUnit::TestRunner::run(CppUnit::TestResult&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:96:14 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x153ba6)
>  #74 in (anonymous namespace)::ProtectedFixtureFunctor::run() const at sal/cppunittester/cppunittester.cxx:316:20 (workdir/LinkTarget/Executable/cppunittester +0x533a49)
>  #75 in sal_main() at sal/cppunittester/cppunittester.cxx:466:20 (workdir/LinkTarget/Executable/cppunittester +0x531bd5)
>  #76 in main at sal/cppunittester/cppunittester.cxx:373:1 (workdir/LinkTarget/Executable/cppunittester +0x530ec6)
>  #77 in __libc_start_main at /usr/src/debug/glibc-2.28/csu/../csu/libc-start.c:308:16 (/lib64/libc.so.6 +0x24412)
>  #78 in _start at <null> (workdir/LinkTarget/Executable/cppunittester +0x4219ed)
> 
> 0x60c000243580 is located 0 bytes inside of 120-byte region [0x60c000243580,0x60c0002435f8)
> freed by thread T0 here:
>  #0 in operator delete(void*, unsigned long) at /home/sbergman/github.com/llvm-project/llvm-project-20170507/compiler-rt/lib/asan/asan_new_delete.cc:179:3 (workdir/LinkTarget/Executable/cppunittester +0x52ef60)
>  #1 in std::default_delete<FreetypeFont>::operator()(FreetypeFont*) const at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/unique_ptr.h:81:2 (instdir/program/libvcllo.so +0x223b4f8)
>  #2 in std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> >::~unique_ptr() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/unique_ptr.h:274:4 (instdir/program/libvcllo.so +0x223b3ee)
>  #3 in std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >::~pair() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/stl_iterator.h:1262:12 (instdir/program/libvcllo.so +0x223b332)
>  #4 in void __gnu_cxx::new_allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> >::destroy<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > >(std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >*) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/ext/new_allocator.h:140:28 (instdir/program/libvcllo.so +0x223b308)
>  #5 in void std::allocator_traits<std::allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> > >::destroy<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > >(std::allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> >&, std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >*) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/alloc_traits.h:487:8 (instdir/program/libvcllo.so +0x223b237)
>  #6 in std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> > >::_M_deallocate_node(std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true>*) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/hashtable_policy.h:2100:7 (instdir/program/libvcllo.so +0x223b1c9)
>  #7 in std::__detail::_Hashtable_alloc<std::allocator<std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true> > >::_M_deallocate_nodes(std::__detail::_Hash_node<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, true>*) at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/hashtable_policy.h:2113:4 (instdir/program/libvcllo.so +0x223b0d4)
>  #8 in std::_Hashtable<rtl::Reference<LogicalFontInstance>, std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > >, std::allocator<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > >, std::__detail::_Select1st, GlyphCache::IFSD_Equal, GlyphCache::IFSD_Hash, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<true, false, true> >::clear() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/hashtable.h:2047:13 (instdir/program/libvcllo.so +0x223aef5)
>  #9 in std::__cxx1998::unordered_map<rtl::Reference<LogicalFontInstance>, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> >, GlyphCache::IFSD_Hash, GlyphCache::IFSD_Equal, std::allocator<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > > >::clear() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/bits/unordered_map.h:846:14 (instdir/program/libvcllo.so +0x223bc04)
>  #10 in std::__debug::unordered_map<rtl::Reference<LogicalFontInstance>, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> >, GlyphCache::IFSD_Hash, GlyphCache::IFSD_Equal, std::allocator<std::pair<rtl::Reference<LogicalFontInstance> const, std::unique_ptr<FreetypeFont, std::default_delete<FreetypeFont> > > > >::clear() at /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/debug/unordered_map:199:9 (instdir/program/libvcllo.so +0x2239352)
>  #11 in GlyphCache::ClearFontCache() at vcl/unx/generic/glyphs/glyphcache.cxx:49:16 (instdir/program/libvcllo.so +0x22365c2)
>  #12 in CairoTextRender::ClearDevFontCache() at vcl/unx/generic/gdi/cairotextrender.cxx:392:9 (instdir/program/libvcllo.so +0x21fc13d)
>  #13 in SvpSalGraphics::ClearDevFontCache() at vcl/headless/svptext.cxx:56:23 (instdir/program/libvcllo.so +0x21f665b)
>  #14 in OutputDevice::ImplClearAllFontData(bool) at vcl/source/outdev/font.cxx:588:38 (instdir/program/libvcllo.so +0x12f5c08)
>  #15 in OutputDevice::ImplUpdateAllFontData(bool) at vcl/source/outdev/font.cxx:602:5 (instdir/program/libvcllo.so +0x12f66cc)
>  #16 in ImplHandleSalSettings(SalEvent) at vcl/source/window/winproc.cxx:2123:17 (instdir/program/libvcllo.so +0xf30b60)
>  #17 in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) at vcl/source/window/winproc.cxx:2481:13 (instdir/program/libvcllo.so +0xf29526)
>  #18 in SalFrame::CallCallback(SalEvent, void const*) const at vcl/inc/salframe.hxx:280:29 (instdir/program/libvcllo.so +0x21a820b)
>  #19 in SalGenericDisplay::ProcessEvent(SalUserEventList::SalUserEvent) at vcl/unx/generic/app/gendisp.cxx:67:22 (instdir/program/libvcllo.so +0x21f04d7)
>  #20 in SalUserEventList::DispatchUserEvents(bool) at vcl/source/app/salusereventlist.cxx:109:17 (instdir/program/libvcllo.so +0x1c124b0)
>  #21 in SalGenericDisplay::DispatchInternalEvent(bool) at vcl/unx/generic/app/gendisp.cxx:52:12 (instdir/program/libvcllo.so +0x21f0294)
>  #22 in call_userEventFn(void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:788:27 (instdir/program/libvclplug_gtk3lo.so +0x1b1bce)
>  #23 in g_idle_dispatch at gmain.c:5620:11 (/lib64/libglib-2.0.so.0 +0x4ab7a)
> 
> previously allocated by thread T0 here:
>  #0 in operator new(unsigned long) at /home/sbergman/github.com/llvm-project/llvm-project-20170507/compiler-rt/lib/asan/asan_new_delete.cc:106:3 (workdir/LinkTarget/Executable/cppunittester +0x52db20)
>  #1 in GlyphCache::CreateFont(LogicalFontInstance*) at vcl/unx/generic/glyphs/freetype_glyphcache.cxx:333:12 (instdir/program/libvcllo.so +0x221b88b)
>  #2 in GlyphCache::CacheFont(LogicalFontInstance*) at vcl/unx/generic/glyphs/glyphcache.cxx:170:26 (instdir/program/libvcllo.so +0x223777c)
>  #3 in CairoTextRender::setFont(LogicalFontInstance*, int) at vcl/unx/generic/gdi/cairotextrender.cxx:106:61 (instdir/program/libvcllo.so +0x21f8941)
>  #4 in CairoTextRender::SetFont(LogicalFontInstance*, int) at vcl/unx/generic/gdi/cairotextrender.cxx:370:5 (instdir/program/libvcllo.so +0x21fbe12)
>  #5 in SvpSalGraphics::SetFont(LogicalFontInstance*, int) at vcl/headless/svptext.cxx:31:23 (instdir/program/libvcllo.so +0x21f6544)
>  #6 in OutputDevice::InitFont() const at vcl/source/outdev/font.cxx:969:17 (instdir/program/libvcllo.so +0x12f2c22)
>  #7 in OutputDevice::ImplNewFont() const at vcl/source/outdev/font.cxx:1052:35 (instdir/program/libvcllo.so +0x12ef64e)
>  #8 in OutputDevice::InitFont() const at vcl/source/outdev/font.cxx:957:10 (instdir/program/libvcllo.so +0x12f29e4)
>  #9 in OutputDevice::ImplLayout(rtl::OUString const&, int, int, Point const&, long, long const*, SalLayoutFlags, vcl::TextLayoutCache const*, std::__debug::vector<GlyphItem, std::allocator<GlyphItem> > const*) const at vcl/source/outdev/text.cxx:1250:10 (instdir/program/libvcllo.so +0x1320bc1)
>  #10 in OutputDevice::GetTextBoundRect(tools::Rectangle&, rtl::OUString const&, int, int, int, unsigned long, long const*, std::__debug::vector<GlyphItem, std::allocator<GlyphItem> > const*) const at vcl/source/outdev/text.cxx:2357:18 (instdir/program/libvcllo.so +0x13368f8)
>  #11 in Ruler::ImplInit(long) at svtools/source/control/ruler.cxx:236:5 (instdir/program/libsvtlo.so +0x9d8796)
>  #12 in Ruler::Ruler(vcl::Window*, long) at svtools/source/control/ruler.cxx:280:5 (instdir/program/libsvtlo.so +0x9d9cec)
>  #13 in SvxRuler::SvxRuler(vcl::Window*, vcl::Window*, SvxRulerSupportFlags, SfxBindings&, long) at svx/source/dialog/svxruler.cxx:225:5 (instdir/program/libsvxlo.so +0xa0ec4e)
>  #14 in VclPtr<SvxRuler> VclPtr<SvxRuler>::Create<vcl::Window*, VclPtr<SwEditWin>&, o3tl::is_typed_flags<SvxRulerSupportFlags, 255>::Wrap, SfxBindings&, long>(vcl::Window*&&, VclPtr<SwEditWin>&, o3tl::is_typed_flags<SvxRulerSupportFlags, 255>::Wrap&&, SfxBindings&, long&&) at include/vcl/vclptr.hxx:135:46 (instdir/program/libswlo.so +0x40ae156)
>  #15 in SwView::SwView(SfxViewFrame*, SfxViewShell*) at sw/source/uibase/uiview/view.cxx:727:15 (instdir/program/libswlo.so +0x40996b8)
>  #16 in SwView::CreateInstance(SfxViewFrame*, SfxViewShell*) at sw/source/uibase/uiview/view0.cxx:78:1 (instdir/program/libswlo.so +0x40ba95a)
>  #17 in SfxViewFactory::CreateInstance(SfxViewFrame*, SfxViewShell*) at sfx2/source/view/viewfac.cxx:28:12 (instdir/program/libsfxlo.so +0x15ec2a9)
>  #18 in SfxBaseModel::createViewController(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/doc/sfxbasemodel.cxx:4089:46 (instdir/program/libsfxlo.so +0x1287aeb)
>  #19 in non-virtual thunk to SfxBaseModel::createViewController(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/doc/sfxbasemodel.cxx (instdir/program/libsfxlo.so +0x1288945)
>  #20 in (anonymous namespace)::SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) at sfx2/source/view/frmload.cxx:584:60 (instdir/program/libsfxlo.so +0x1590ce9)
>  #21 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/frmload.cxx:711:13 (instdir/program/libsfxlo.so +0x158c436)
>  #22 in framework::LoadEnv::impl_loadContent() at framework/source/loadenv/loadenv.cxx:1149:37 (instdir/program/libfwklo.so +0x56a94c)
>  #23 in framework::LoadEnv::startLoading() at framework/source/loadenv/loadenv.cxx:383:20 (instdir/program/libfwklo.so +0x56046f)
>  #24 in framework::LoadEnv::loadComponentFromURL(com::sun::star::uno::Reference<com::sun::star::frame::XComponentLoader> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/loadenv/loadenv.cxx:169:14 (instdir/program/libfwklo.so +0x55d5d3)
>  #25 in framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx:619:12 (instdir/program/libfwklo.so +0x6229af)
>  #26 in non-virtual thunk to framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx (instdir/program/libfwklo.so +0x622b7a)
>  #27 in unotest::MacrosTest::loadFromDesktop(rtl::OUString const&, rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at unotest/source/cpp/macros_test.cxx:50:60 (workdir/LinkTarget/CppunitTest/../Library/libunotest.so +0x31aa9)
>  #28 in SwDialogsTest::setUp() at sw/qa/unit/sw-dialogs-test.cxx:64:18 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x7d6c)
>  #29 in CppUnit::TestCaller<SwDialogsTest>::setUp() at workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:180:15 (workdir/LinkTarget/CppunitTest/libtest_sw_dialogs_test.so +0x13479)
>  #30 in CppUnit::TestCaseMethodFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:32:5 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10c085)
>  #31 in (anonymous namespace)::Protector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at test/source/vclbootstrapprotector.cxx:49:14 (workdir/LinkTarget/Library/libvclbootstrapprotector.so +0x1505)
>  #32 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #33 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unobootstrapprotector/unobootstrapprotector.cxx:89:12 (workdir/LinkTarget/Library/unobootstrapprotector.so +0x4c35)
>  #34 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #35 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unoexceptionprotector/unoexceptionprotector.cxx:63:16 (workdir/LinkTarget/Library/unoexceptionprotector.so +0x38c8)
>  #36 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #37 in CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/DefaultProtector.cpp:15:12 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xbe26f)
>  #38 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf37e1)
>  #39 in CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:86:18 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0xf087a)
>  #40 in CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:182:28 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x13d55a)
>  #41 in CppUnit::TestCase::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:87:16 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10af1c)
>  #42 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cfc5)
>  #43 in CppUnit::TestComposite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cb04)
>  #44 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cfc5)
>  #45 in CppUnit::TestComposite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x10cb04)
>  #46 in CppUnit::TestRunner::WrappingSuite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:47:27 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x15346f)
>  #47 in CppUnit::TestResult::runTest(CppUnit::Test*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:149:9 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x13ca56)
>  #48 in CppUnit::TestRunner::run(CppUnit::TestResult&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:96:14 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.14.so.0 +0x153ba6)
>  #49 in (anonymous namespace)::ProtectedFixtureFunctor::run() const at sal/cppunittester/cppunittester.cxx:316:20 (workdir/LinkTarget/Executable/cppunittester +0x533a49)
> 
> SUMMARY: AddressSanitizer: heap-use-after-free include/rtl/ref.hxx:195:17 in rtl::Reference<FreetypeFontInstance>::is() const
> Shadow bytes around the buggy address:
>   0x0c1880040660: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c1880040670: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
>   0x0c1880040680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
>   0x0c1880040690: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c18800406a0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
> =>0x0c18800406b0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
>   0x0c18800406c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c18800406d0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
>   0x0c18800406e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
>   0x0c18800406f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c1880040700: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==28531==ABORTING
Comment 2 Stephan Bergmann 2018-10-30 16:38:47 UTC
The failure from comment 1 is effectively how `make CppunitTest_sw_dialogs_test` fails now with an updated master (at 02a2b75550e8e94e29d252178cfb223452812d2b), without applying the patch from comment 1 any more.
Comment 3 Jan-Marek Glogowski 2018-10-30 19:53:54 UTC
Nice backtraces. With this additional info it is clear what is happening here.

The Freetype font cache is a separate layer, below LO's general font cache, but it is not refcount handled, so this clear renders all cached font instances in the SalLayoutGlyphs invalid on UNIX.

What is missing now is the invalidation of the FreetypeFont pointer when cleaning that font cache, as it has a map of all logical font instances. This can be detected by the cached SalLayoutGlyphsImpl, so it can invalidate itself, by returning empty(), which will result in a new valid cache.

I'll do a fix tomorrow, unless you or someone else beats me to it.

And probably getting rid of the GlyphCache and FreetypeFont, merging the functionality into the general FontCache.
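
The invalidation pattern described in comment 3, as an added, simplified C++ model (not LibreOffice code and not the committed patch). `LowFont`, `FontInstance`, `LowCache` and `CachedGlyphs` are hypothetical stand-ins for FreetypeFont, the logical font instance, GlyphCache and the cached glyph layout.

```cpp
#include <map>
#include <memory>
#include <vector>

// Simplified model with hypothetical names; not LibreOffice code.
struct LowFont { int size; };                 // stands in for FreetypeFont

struct FontInstance {                         // stands in for the logical font instance
    LowFont* low = nullptr;                   // non-owning pointer into the lower cache
};

class LowCache {                              // stands in for the non-refcounted GlyphCache
    std::map<FontInstance*, std::unique_ptr<LowFont>> fonts_;
public:
    LowFont* cacheFont(FontInstance* inst) {
        std::unique_ptr<LowFont>& slot = fonts_[inst];
        if (!slot) slot.reset(new LowFont{12});
        inst->low = slot.get();
        return inst->low;
    }
    // Before freeing, walk the map of instances and reset each back-pointer,
    // so no holder is left with a dangling LowFont*.
    void clear() {
        for (auto& entry : fonts_) entry.first->low = nullptr;
        fonts_.clear();
    }
};

struct CachedGlyphs {                         // stands in for the cached glyph layout
    std::shared_ptr<FontInstance> inst;       // keeps the instance alive, not the LowFont
    std::vector<int> glyphs;
    // Report "empty" once the lower-level font is gone, so the caller re-lays out.
    bool empty() const { return glyphs.empty() || !inst || !inst->low; }
};

// Returns true if the cached layout is detected as stale after the clear
// and becomes usable again once the font has been re-cached.
bool useAfterCacheClear() {
    LowCache cache;
    auto inst = std::make_shared<FontInstance>();
    cache.cacheFont(inst.get());
    CachedGlyphs cached{inst, {1, 2, 3}};
    if (cached.empty()) return false;         // valid before the clear
    cache.clear();                            // lower cache dropped underneath the holder
    if (!cached.empty()) return false;        // must now report itself as invalid
    cache.cacheFont(inst.get());              // rebuild: fresh LowFont, valid again
    return !cached.empty() && inst->low->size == 12;
}
```

Without the back-pointer reset in `clear()`, `inst->low` would still point at the freed `LowFont`, which is the read ASan flags in `FreetypeFontInstance::GetFreetypeFont()`.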
Comment 4 Jan-Marek Glogowski 2018-10-31 18:32:37 UTC
There has been a Gerrit patch for a few hours: https://gerrit.libreoffice.org/#/c/62688/

Originally it failed on Mac, as I copied broken defines from include/vcl/dllapi.h (missing the X of MACOSX), which is a different bug.
Comment 5 Commit Notification 2018-11-01 10:21:24 UTC
Jan-Marek Glogowski committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/+/4a66d7f0dd40c54307b5f750723f68b53703b01a%5E%21

tdf#121030 invalidate referenced FontInstances

It will be available in 6.2.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 6 Stephan Bergmann 2018-11-01 16:01:46 UTC
(In reply to Commit Notification from comment #5)
> Jan-Marek Glogowski committed a patch related to this issue.
> It has been pushed to "master":
> 
> https://git.libreoffice.org/core/+/4a66d7f0dd40c54307b5f750723f68b53703b01a%5E%21
> 
> tdf#121030 invalidate referenced FontInstances

...which fixes `make CppunitTest_sw_dialogs_test` for my local ASan build