This is a follow-up of bug 124635 and can be reproduced after https://git.libreoffice.org/core/+/0a04150b6eefb5feb7ecefaa5cd63dbac8c1574f%5E%21

Steps to reproduce:
1. Open attachment 96191 from bug 76293
2. Close the document

-> At this point it should crash. If not, open the document and close it again...

Reproduced in
Version: 6.3.0.0.alpha0+
Build ID: fad98c8641342a77241124dd98e0cb781daef4ad
CPU threads: 4; OS: Linux 4.15; UI render: default; VCL: gtk3;
Locale: ca-ES (ca_ES.UTF-8); UI-Language: en-US
Calc: threaded

Backtrace -> https://bugs.documentfoundation.org/show_bug.cgi?id=124635#c7
As discussed on freenode #libreoffice-qa:

May 06 10:30:55 <sberg> x1sc0, I can no longer reproduce tdf#124962 with my recent Linux master build (trying multiple times; also trying with closing the doc/terminating LO in different ways); can you?
May 06 10:47:40 <x1sc0> let me check
May 06 11:01:55 <x1sc0> sberg, still crashes when I close the document, open it again and close it again
May 06 11:07:55 <sberg> x1sc0, (a) from when is your build (and is it Linux, using GTK3?); (b) how do you close the doc?
May 06 11:08:16 <sberg> i.e, just close the doc but keep LO running, or...?
May 06 11:09:24 <x1sc0> sberg, ddea172792d13516ff7e0dd43f1f78b74ade8914, gtk3, and I close the document, not LibreOffice, then I open it again from the start center
May 06 11:10:19 <x1sc0> going to try with gen
May 06 11:13:21 <sberg> x1sc0, ok, got it crashing again now, too; was apparently just unlucky when I tried before...
I can reproduce it with GTK3 and GTK but not with GEN. @Caolán, I thought you might be interested in this issue...
With an ASan+UBSan build, it eventually crashes with

> =================================================================
> ==29882==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140004d7328 at pc 0x7fe51dcb283a bp 0x7fe246cb10d0 sp 0x7fe246cb10c8
> READ of size 8 at 0x6140004d7328 thread T66 (SwAsyncRetrieve)
> #0 in std::__shared_ptr<ImpGraphic, (__gnu_cxx::_Lock_policy)2>::get() const at /usr/lib/gcc/x86_64-redhat-linux/9/../../../../include/c++/9/bits/shared_ptr_base.h:1310:16 (instdir/program/libvcllo.so +0x7c37839)
> #1 in std::__shared_ptr_access<ImpGraphic, (__gnu_cxx::_Lock_policy)2, false, false>::_M_get() const at /usr/lib/gcc/x86_64-redhat-linux/9/../../../../include/c++/9/bits/shared_ptr_base.h:1021:66 (instdir/program/libvcllo.so +0x7c377c7)
> #2 in std::__shared_ptr_access<ImpGraphic, (__gnu_cxx::_Lock_policy)2, false, false>::operator->() const at /usr/lib/gcc/x86_64-redhat-linux/9/../../../../include/c++/9/bits/shared_ptr_base.h:1015:9 (instdir/program/libvcllo.so +0x7c34539)
> #3 in Graphic::GetType() const at vcl/source/gdi/graph.cxx:312:12 (instdir/program/libvcllo.so +0x7c29bc0)
> #4 in GraphicObject::GetType() const at vcl/source/graphic/GraphicObject.cxx:327:22 (instdir/program/libvcllo.so +0x86f671a)
> #5 in SwBaseLink::DataChanged(rtl::OUString const&, com::sun::star::uno::Any const&) at sw/source/core/docnode/swbaslnk.cxx:158:47 (instdir/program/../program/libswlo.so +0xcd4f40a)
> #6 in SwBaseLink::SwapIn(bool, bool) at sw/source/core/docnode/swbaslnk.cxx:299:17 (instdir/program/../program/libswlo.so +0xcd5466f)
> #7 in SwGrfNode::SwapIn(bool) at sw/source/core/graphic/ndgrf.cxx:456:24 (instdir/program/../program/libswlo.so +0xd730bdb)
> #8 in SwGrfNode::GetGrfObj(bool) const at sw/source/core/graphic/ndgrf.cxx:376:35 (instdir/program/../program/libswlo.so +0xd731967)
> #9 in SwNoTextFrame::PaintPicture(OutputDevice*, SwRect const&) const at sw/source/core/doc/notxtfrm.cxx:1095:48 (instdir/program/../program/libswlo.so +0xc567598)
> #10 in SwNoTextFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/doc/notxtfrm.cxx:317:9 (instdir/program/../program/libswlo.so +0xc561939)
> #11 in SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:3398:21 (instdir/program/../program/libswlo.so +0xddb8f02)
> #12 in SwFlyFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:4090:20 (instdir/program/../program/libswlo.so +0xddd570e)
> #13 in SwVirtFlyDrawObj::wrap_DoPaintObject(drawinglayer::geometry::ViewInformation2D const&) const at sw/source/core/draw/dflyobj.cxx:530:30 (instdir/program/../program/libswlo.so +0xce2eebb)
> #14 in drawinglayer::primitive2d::SwVirtFlyDrawObjPrimitive::get2DDecomposition(drawinglayer::primitive2d::Primitive2DDecompositionVisitor&, drawinglayer::geometry::ViewInformation2D const&) const at sw/source/core/draw/dflyobj.cxx:234:35 (instdir/program/../program/libswlo.so +0xce2df15)
> #15 in drawinglayer::processor2d::BaseProcessor2D::process(drawinglayer::primitive2d::BasePrimitive2D const&) at drawinglayer/source/processor2d/baseprocessor2d.cxx:47:24 (instdir/program/libdrawinglayerlo.so +0x13473c0)
> #16 in drawinglayer::processor2d::VclPixelProcessor2D::processBasePrimitive2D(drawinglayer::primitive2d::BasePrimitive2D const&) at drawinglayer/source/processor2d/vclpixelprocessor2d.cxx:418:21 (instdir/program/libdrawinglayerlo.so +0x143b6ae)
> #17 in drawinglayer::processor2d::BaseProcessor2D::process(drawinglayer::primitive2d::Primitive2DContainer const&) at drawinglayer/source/processor2d/baseprocessor2d.cxx:70:29 (instdir/program/libdrawinglayerlo.so +0x1347d55)
> #18 in sdr::contact::ObjectContactOfPageView::DoProcessDisplay(sdr::contact::DisplayInfo&) at svx/source/sdr/contact/objectcontactofpageview.cxx:293:35 (instdir/program/libsvxcorelo.so +0x514dc8e)
> #19 in sdr::contact::ObjectContactOfPageView::ProcessDisplay(sdr::contact::DisplayInfo&) at svx/source/sdr/contact/objectcontactofpageview.cxx:120:21 (instdir/program/libsvxcorelo.so +0x514b118)
> #20 in SdrPageWindow::RedrawLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag> const*, sdr::contact::ViewObjectContactRedirector*, basegfx::B2IRange const*) at svx/source/svdraw/sdrpagewindow.cxx:402:28 (instdir/program/libsvxcorelo.so +0x543cbcf)
> #21 in SdrPageView::DrawLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag>, OutputDevice*, sdr::contact::ViewObjectContactRedirector*, tools::Rectangle const&, basegfx::B2IRange const*) at svx/source/svdraw/svdpagv.cxx:313:38 (instdir/program/libsvxcorelo.so +0x6260b93)
> #22 in SwViewShellImp::PaintLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag>, SwPrintData const*, SwPageFrame const&, SwRect const&, Color const*, bool, sdr::contact::ViewObjectContactRedirector*) at sw/source/core/view/vdraw.cxx:148:20 (instdir/program/../program/libswlo.so +0x1021ca14)
> #23 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:3138:33 (instdir/program/../program/libswlo.so +0xdd93fb1)
> #24 in SwViewShell::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/core/view/viewsh.cxx:1840:34 (instdir/program/../program/libswlo.so +0x1028365e)
> #25 in SwCursorShell::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/core/crsr/crsrsh.cxx:1411:18 (instdir/program/../program/libswlo.so +0xb18497c)
> #26 in SwEditWin::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/uibase/docvw/edtwin2.cxx:448:20 (instdir/program/../program/libswlo.so +0x118f77ee)
> #27 in PaintHelper::DoPaint(vcl::Region const*) at vcl/source/window/paint.cxx:301:24 (instdir/program/libvcllo.so +0x57de9de)
> #28 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:605:17 (instdir/program/libvcllo.so +0x57eb200)
> #29 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #30 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #31 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #32 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #33 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #34 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #35 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #36 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #37 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #38 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #39 in vcl::Window::ImplCallOverlapPaint() at vcl/source/window/paint.cxx:629:9 (instdir/program/libvcllo.so +0x57ec559)
> #40 in vcl::Window::ImplHandlePaintHdl(Timer*) at vcl/source/window/paint.cxx:652:9 (instdir/program/libvcllo.so +0x57ed7ff)
> #41 in vcl::Window::LinkStubImplHandlePaintHdl(void*, Timer*) at vcl/source/window/paint.cxx:633:1 (instdir/program/libvcllo.so +0x57ec6da)
> #42 in Link<Timer*, void>::Call(Timer*) const at include/tools/link.hxx:84:45 (instdir/program/libvcllo.so +0x8e60171)
> #43 in Timer::Invoke() at vcl/source/app/timer.cxx:77:21 (instdir/program/libvcllo.so +0x8e5f788)
> #44 in Scheduler::ProcessTaskScheduling() at vcl/source/app/scheduler.cxx:477:20 (instdir/program/libvcllo.so +0x8cb7665)
> #45 in Scheduler::CallbackTaskScheduling() at vcl/source/app/scheduler.cxx:285:5 (instdir/program/libvcllo.so +0x8cb3060)
> #46 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:55:13 (instdir/program/libvclplug_gtk3lo.so +0xca9dd0)
> #47 in sal_gtk_timeout_dispatch(_GSource*, int (*)(void*), void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:761:45 (instdir/program/libvclplug_gtk3lo.so +0xca4a9d)
> #48 in g_main_context_dispatch at <null> (/lib64/libglib-2.0.so.0 +0x4ffcf)
> #49 at <null> (/lib64/libglib-2.0.so.0 +0x50367)
> #50 in g_main_loop_run at <null> (/lib64/libglib-2.0.so.0 +0x506b2)
> #51 in gio::MountOperation::Mount(_GFile*) at ucb/source/ucp/gio/gio_content.cxx:359:13 (instdir/program/../program/libucpgio1lo.so +0xceb73)
> #52 in gio::Content::getGFileInfo(com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&, _GError**) at ucb/source/ucp/gio/gio_content.cxx:390:40 (instdir/program/../program/libucpgio1lo.so +0xcfa8a)
> #53 in gio::Content::getFileInfo(com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&, _GFileInfo**, bool) at ucb/source/ucp/gio/gio_content.cxx:653:17 (instdir/program/../program/libucpgio1lo.so +0xd4f77)
> #54 in gio::Content::getPropertyValues(com::sun::star::uno::Sequence<com::sun::star::beans::Property> const&, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&) at ucb/source/ucp/gio/gio_content.cxx:454:13 (instdir/program/../program/libucpgio1lo.so +0xd0c80)
> #55 in gio::Content::execute(com::sun::star::ucb::Command const&, int, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&) at ucb/source/ucp/gio/gio_content.cxx:948:18 (instdir/program/../program/libucpgio1lo.so +0xe248b)
> #56 in non-virtual thunk to gio::Content::execute(com::sun::star::ucb::Command const&, int, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&) at ucb/source/ucp/gio/gio_content.cxx (instdir/program/../program/libucpgio1lo.so +0xe7a43)
> #57 in ucbhelper::Content_Impl::executeCommand(com::sun::star::ucb::Command const&) at ucbhelper/source/client/content.cxx:1254:19 (instdir/program/libucbhelper.so +0x346408)
> #58 in ucbhelper::Content::getPropertyValuesInterface(com::sun::star::uno::Sequence<rtl::OUString> const&) at ucbhelper/source/client/content.cxx:491:28 (instdir/program/libucbhelper.so +0x349df1)
> #59 in ucbhelper::Content::getPropertyValues(com::sun::star::uno::Sequence<rtl::OUString> const&) at ucbhelper/source/client/content.cxx:450:30 (instdir/program/libucbhelper.so +0x3474ca)
> #60 in ucbhelper::Content::getPropertyValue(rtl::OUString const&) at ucbhelper/source/client/content.cxx:429:28 (instdir/program/libucbhelper.so +0x346f8a)
> #61 in ucbhelper::Content::isDocument() at ucbhelper/source/client/content.cxx:1025:10 (instdir/program/libucbhelper.so +0x34e4e4)
> #62 in ucbhelper::Content::openWriteableStream() at ucbhelper/source/client/content.cxx:732:11 (instdir/program/libucbhelper.so +0x34f898)
> #63 in utl::MediaDescriptor::impl_openStreamWithURL(rtl::OUString const&, bool) at unotools/source/misc/mediadescriptor.cxx:671:32 (instdir/program/libutllo.so +0x118b43a)
> #64 in utl::MediaDescriptor::impl_addInputStream(bool) at unotools/source/misc/mediadescriptor.cxx:526:16 (instdir/program/libutllo.so +0x118705f)
> #65 in utl::MediaDescriptor::addInputStream() at unotools/source/misc/mediadescriptor.cxx:487:12 (instdir/program/libutllo.so +0x1186479)
> #66 in SwAsyncRetrieveInputStreamThread::threadFunction() at sw/source/core/docnode/retrieveinputstream.cxx:64:13 (instdir/program/../program/libswlo.so +0xccf020b)
> #67 in ObservableThread::run() at sw/source/core/docnode/observablethread.cxx:48:5 (instdir/program/../program/libswlo.so +0xccd343d)
> #68 in threadFunc at include/osl/thread.hxx:185:15 (instdir/program/../program/libswlo.so +0xc994d5f)
> #69 in osl_thread_start_Impl(void*) at sal/osl/unx/thread.cxx:235:9 (instdir/program/libuno_sal.so.3 +0x4e04ad)
> #70 in start_thread at <null> (/lib64/libpthread.so.0 +0x85a1)
> #71 in clone at <null> (/lib64/libc.so.6 +0xfb162)
>
> 0x6140004d7328 is located 232 bytes inside of 416-byte region [0x6140004d7240,0x6140004d73e0)
> freed by thread T66 (SwAsyncRetrieve) here:
> #0 in operator delete(void*, unsigned long) at /data/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cc:178:3 (instdir/program/soffice.bin +0x326db7)
> #1 in SwGrfNode::~SwGrfNode() at sw/source/core/graphic/ndgrf.cxx:279:1 (instdir/program/../program/libswlo.so +0xd72fcd5)
> #2 in SwNodes::RemoveNode(unsigned long, unsigned long, bool) at sw/source/core/docnode/nodes.cxx:2281:13 (instdir/program/../program/libswlo.so +0xcc5f7e1)
> #3 in SwNodes::DelNodes(SwNodeIndex const&, unsigned long) at sw/source/core/docnode/nodes.cxx:1364:17 (instdir/program/../program/libswlo.so +0xcc75cc1)
> #4 in SwDoc::~SwDoc() at sw/source/core/doc/docnew.cxx:494:15 (instdir/program/../program/libswlo.so +0xbc3b91c)
> #5 in SwDoc::release() at sw/source/core/doc/doc.cxx:150:9 (instdir/program/../program/libswlo.so +0xb67d7d3)
> #6 in rtl::Reference<SwDoc>::clear() at include/rtl/ref.hxx:159:19 (instdir/program/../program/libswlo.so +0xcaea51e)
> #7 in SwDocShell::RemoveLink() at sw/source/uibase/app/docshini.cxx:460:16 (instdir/program/../program/libswlo.so +0x1101b777)
> #8 in SwDocShell::~SwDocShell() at sw/source/uibase/app/docshini.cxx:388:5 (instdir/program/../program/libswlo.so +0x1101a514)
> #9 in SwDocShell::~SwDocShell() at sw/source/uibase/app/docshini.cxx:378:1 (instdir/program/../program/libswlo.so +0x1101b92b)
>
> previously allocated by thread T0 here:
> #0 in operator new(unsigned long) at /data/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cc:105:3 (instdir/program/soffice.bin +0x325f97)
> #1 in SwNodes::MakeGrfNode(SwNodeIndex const&, rtl::OUString const&, rtl::OUString const&, Graphic const*, SwGrfFormatColl*, SwAttrSet const*) at sw/source/core/graphic/ndgrf.cxx:415:17 (instdir/program/../program/libswlo.so +0xd732c9f)
> #2 in sw::DocumentContentOperationsManager::InsertGraphic(SwPaM const&, rtl::OUString const&, rtl::OUString const&, Graphic const*, SfxItemSet const*, SfxItemSet const*, SwFrameFormat*) at sw/source/core/doc/DocumentContentOperationsManager.cxx:2758:29 (instdir/program/../program/libswlo.so +0xc145a01)
> #3 in SwXFrame::attachToRange(com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&) at sw/source/core/unocore/unoframe.cxx:2804:57 (instdir/program/../program/libswlo.so +0xf89cc8f)
> #4 in SwXFrame::attach(com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&) at sw/source/core/unocore/unoframe.cxx:3040:9 (instdir/program/../program/libswlo.so +0xf8a7c49)
> #5 in SwXText::insertTextContent(com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&, com::sun::star::uno::Reference<com::sun::star::text::XTextContent> const&, unsigned char) at sw/source/core/unocore/unotext.cxx:618:15 (instdir/program/../program/libswlo.so +0x1010d8db)
> #6 in XMLTextImportHelper::InsertTextContent(com::sun::star::uno::Reference<com::sun::star::text::XTextContent> const&) at xmloff/source/text/txtimp.cxx:1249:27 (instdir/program/libxolo.so +0x49d65cb)
> #7 in XMLTextFrameContext_Impl::Create() at xmloff/source/text/XMLTextFrameContext.cxx:700:32 (instdir/program/libxolo.so +0x48194ce)
> #8 in XMLTextFrameContext_Impl::XMLTextFrameContext_Impl(SvXMLImport&, unsigned short, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::xml::sax::XAttributeList> const&, com::sun::star::text::TextContentAnchorType, unsigned short, com::sun::star::uno::Reference<com::sun::star::xml::sax::XAttributeList> const&, bool) at xmloff/source/text/XMLTextFrameContext.cxx:1096:5 (instdir/program/libxolo.so +0x48266ff)
> #9 in XMLTextFrameContext::CreateChildContext(unsigned short, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::xml::sax::XAttributeList> const&) at xmloff/source/text/XMLTextFrameContext.cxx:1517:36 (instdir/program/libxolo.so +0x48381d0)
>
> Thread T66 (SwAsyncRetrieve) created by T0 here:
> #0 in pthread_create at /data/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_interceptors.cc:209:3 (instdir/program/soffice.bin +0x271e92)
> #1 in osl_thread_create_Impl(void (*)(void*), void*, short) at sal/osl/unx/thread.cxx:284:17 (instdir/program/libuno_sal.so.3 +0x4d94ae)
> #2 in osl_createSuspendedThread at sal/osl/unx/thread.cxx:334:12 (instdir/program/libuno_sal.so.3 +0x4d9c69)
> #3 in osl::Thread::create() at include/osl/thread.hxx:73:21 (instdir/program/../program/libswlo.so +0xc98a938)
> #4 in ThreadManager::StartThread(ThreadManager::tThreadData const&) at sw/source/core/docnode/threadmanager.cxx:178:31 (instdir/program/../program/libswlo.so +0xcd66fc6)
> #5 in ThreadManager::AddThread(rtl::Reference<ObservableThread> const&) at sw/source/core/docnode/threadmanager.cxx:94:15 (instdir/program/../program/libswlo.so +0xcd66875)
> #6 in SwThreadManager::AddThread(rtl::Reference<ObservableThread> const&) at sw/source/core/docnode/swthreadmanager.cxx:56:33 (instdir/program/../program/libswlo.so +0xcd61927)
> #7 in SwAsyncRetrieveInputStreamThreadConsumer::CreateThread(rtl::OUString const&, rtl::OUString const&) at sw/source/core/docnode/retrieveinputstreamconsumer.cxx:53:54 (instdir/program/../program/libswlo.so +0xccf65d1)
> #8 in SwGrfNode::TriggerAsyncRetrieveInputStream() at sw/source/core/graphic/ndgrf.cxx:821:27 (instdir/program/../program/libswlo.so +0xd73d661)
> #9 in SwNoTextFrame::PaintPicture(OutputDevice*, SwRect const&) const at sw/source/core/doc/notxtfrm.cxx:1121:29 (instdir/program/../program/libswlo.so +0xc5683df)
> #10 in SwNoTextFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/doc/notxtfrm.cxx:317:9 (instdir/program/../program/libswlo.so +0xc561939)
> #11 in SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:3398:21 (instdir/program/../program/libswlo.so +0xddb8f02)
> #12 in SwFlyFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:4090:20 (instdir/program/../program/libswlo.so +0xddd570e)
> #13 in SwVirtFlyDrawObj::wrap_DoPaintObject(drawinglayer::geometry::ViewInformation2D const&) const at sw/source/core/draw/dflyobj.cxx:530:30 (instdir/program/../program/libswlo.so +0xce2eebb)
> #14 in drawinglayer::primitive2d::SwVirtFlyDrawObjPrimitive::get2DDecomposition(drawinglayer::primitive2d::Primitive2DDecompositionVisitor&, drawinglayer::geometry::ViewInformation2D const&) const at sw/source/core/draw/dflyobj.cxx:234:35 (instdir/program/../program/libswlo.so +0xce2df15)
> #15 in drawinglayer::processor2d::BaseProcessor2D::process(drawinglayer::primitive2d::BasePrimitive2D const&) at drawinglayer/source/processor2d/baseprocessor2d.cxx:47:24 (instdir/program/libdrawinglayerlo.so +0x13473c0)
> #16 in drawinglayer::processor2d::VclPixelProcessor2D::processBasePrimitive2D(drawinglayer::primitive2d::BasePrimitive2D const&) at drawinglayer/source/processor2d/vclpixelprocessor2d.cxx:418:21 (instdir/program/libdrawinglayerlo.so +0x143b6ae)
> #17 in drawinglayer::processor2d::BaseProcessor2D::process(drawinglayer::primitive2d::Primitive2DContainer const&) at drawinglayer/source/processor2d/baseprocessor2d.cxx:70:29 (instdir/program/libdrawinglayerlo.so +0x1347d55)
> #18 in sdr::contact::ObjectContactOfPageView::DoProcessDisplay(sdr::contact::DisplayInfo&) at svx/source/sdr/contact/objectcontactofpageview.cxx:293:35 (instdir/program/libsvxcorelo.so +0x514dc8e)
> #19 in sdr::contact::ObjectContactOfPageView::ProcessDisplay(sdr::contact::DisplayInfo&) at svx/source/sdr/contact/objectcontactofpageview.cxx:120:21 (instdir/program/libsvxcorelo.so +0x514b118)
> #20 in SdrPageWindow::RedrawLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag> const*, sdr::contact::ViewObjectContactRedirector*, basegfx::B2IRange const*) at svx/source/svdraw/sdrpagewindow.cxx:402:28 (instdir/program/libsvxcorelo.so +0x543cbcf)
> #21 in SdrPageView::DrawLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag>, OutputDevice*, sdr::contact::ViewObjectContactRedirector*, tools::Rectangle const&, basegfx::B2IRange const*) at svx/source/svdraw/svdpagv.cxx:279:31 (instdir/program/libsvxcorelo.so +0x6260413)
> #22 in SwViewShellImp::PaintLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag>, SwPrintData const*, SwPageFrame const&, SwRect const&, Color const*, bool, sdr::contact::ViewObjectContactRedirector*) at sw/source/core/view/vdraw.cxx:148:20 (instdir/program/../program/libswlo.so +0x1021ca14)
> #23 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:3138:33 (instdir/program/../program/libswlo.so +0xdd93fb1)
> #24 in SwViewShell::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/core/view/viewsh.cxx:1840:34 (instdir/program/../program/libswlo.so +0x1028365e)
> #25 in SwCursorShell::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/core/crsr/crsrsh.cxx:1411:18 (instdir/program/../program/libswlo.so +0xb18497c)
> #26 in SwViewShell::ImplUnlockPaint(bool) at sw/source/core/view/viewsh.cxx:506:17 (instdir/program/../program/libswlo.so +0x10253df7)
> #27 in SwViewShell::UnlockPaint(bool) at sw/inc/viewsh.hxx:612:9 (instdir/program/../program/libswlo.so +0xd5c5dc9)
> #28 in SwView::OuterResizePixel(Point const&, Size const&) at sw/source/uibase/uiview/viewport.cxx:1141:18 (instdir/program/../program/libswlo.so +0x12472e9f)
> #29 in SwView::DocSzChgd(Size const&) at sw/source/uibase/uiview/viewport.cxx:202:9 (instdir/program/../program/libswlo.so +0x124451c5)
> #30 in SizeNotify(SwViewShell const*, Size const&) at sw/source/uibase/docvw/edtwin3.cxx:66:18 (instdir/program/../program/libswlo.so +0x118f99ff)
> #31 in SwViewShell::UISizeNotify() at sw/source/core/view/viewsh.cxx:2364:9 (instdir/program/../program/libswlo.so +0x1024c913)
> #32 in SwViewShell::ImplEndAction(bool) at sw/source/core/view/viewsh.cxx:458:5 (instdir/program/../program/libswlo.so +0x1024c0da)
> #33 in SwViewShell::EndAction(bool) at sw/inc/viewsh.hxx:600:9 (instdir/program/../program/libswlo.so +0xb1c9269)
> #34 in SwCursorShell::EndAction(bool, bool) at sw/source/core/crsr/crsrsh.cxx:254:18 (instdir/program/../program/libswlo.so +0xb137c21)
> #35 in SwView::ReadUserDataSequence(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sw/source/uibase/uiview/view.cxx:1508:26 (instdir/program/../program/libswlo.so +0x1232d7a3)
> #36 in SfxBaseController::ConnectSfxFrame_Impl(SfxBaseController::ConnectSfxFrame) at sfx2/source/view/sfxbasecontroller.cxx:1346:52 (instdir/program/libsfxlo.so +0x5411e19)
> #37 in SfxBaseController::attachFrame(com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/sfxbasecontroller.cxx:532:9 (instdir/program/libsfxlo.so +0x5409241)
> #38 in (anonymous namespace)::SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) at sfx2/source/view/frmload.cxx:597:18 (instdir/program/libsfxlo.so +0x538a53a)
> #39 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/frmload.cxx:714:13 (instdir/program/libsfxlo.so +0x538322a)
> #40 in framework::LoadEnv::impl_loadContent() at framework/source/loadenv/loadenv.cxx:1152:37 (instdir/program/../program/libfwklo.so +0x1e43c05)
> #41 in framework::LoadEnv::startLoading() at framework/source/loadenv/loadenv.cxx:385:20 (instdir/program/../program/libfwklo.so +0x1e342d9)
> #42 in framework::LoadDispatcher::impl_dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) at framework/source/dispatch/loaddispatcher.cxx:106:19 (instdir/program/../program/libfwklo.so +0x1b36be4)
> #43 in framework::LoadDispatcher::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/dispatch/loaddispatcher.cxx:52:5 (instdir/program/../program/libfwklo.so +0x1b38874)
> #44 in sfx2::RecentDocsView::ExecuteHdl_Impl(sfx2::RecentDocsView*, void*) at sfx2/source/control/recentdocsview.cxx:400:37 (instdir/program/libsfxlo.so +0x3a6b86c)
> #45 in sfx2::RecentDocsView::LinkStubExecuteHdl_Impl(void*, void*) at sfx2/source/control/recentdocsview.cxx:392:1 (instdir/program/libsfxlo.so +0x3a6b577)
> #46 in Link<void*, void>::Call(void*) const at include/tools/link.hxx:84:45 (instdir/program/libvcllo.so +0x6831731)
> #47 in ImplHandleUserEvent(ImplSVEvent*) at vcl/source/window/winproc.cxx:1958:30 (instdir/program/libvcllo.so +0x681f0f1)
> #48 in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) at vcl/source/window/winproc.cxx:2511:13 (instdir/program/libvcllo.so +0x68080c6)
> #49 in SalFrame::CallCallback(SalEvent, void const*) const at vcl/inc/salframe.hxx:294:29 (instdir/program/libvcllo.so +0x979f29a)
> #50 in SalGenericDisplay::ProcessEvent(SalUserEventList::SalUserEvent) at vcl/unx/generic/app/gendisp.cxx:67:22 (instdir/program/libvcllo.so +0x983c293)
> #51 in SalUserEventList::DispatchUserEvents(bool) at vcl/source/app/salusereventlist.cxx:109:17 (instdir/program/libvcllo.so +0x8a92905)
> #52 in SalGenericDisplay::DispatchInternalEvent(bool) at vcl/unx/generic/app/gendisp.cxx:52:12 (instdir/program/libvcllo.so +0x983bcd6)
> #53 in call_userEventFn(void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:853:27 (instdir/program/libvclplug_gtk3lo.so +0xca2627)
> #54 at <null> (/lib64/libglib-2.0.so.0 +0x4c8ea)
>
> SUMMARY: AddressSanitizer: heap-use-after-free /usr/lib/gcc/x86_64-redhat-linux/9/../../../../include/c++/9/bits/shared_ptr_base.h:1310:16 in std::__shared_ptr<ImpGraphic, (__gnu_cxx::_Lock_policy)2>::get() const
> Shadow bytes around the buggy address:
> 0x0c2880092e10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2880092e20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2880092e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
> 0x0c2880092e40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c2880092e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c2880092e60: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
> 0x0c2880092e70: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
> 0x0c2880092e80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 0x0c2880092e90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2880092ea0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x0c2880092eb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> Shadow gap: cc
> ==29882==ABORTING
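The report above shows the retrieve thread T66 pumping the GLib main loop from inside gio::MountOperation::Mount (frames #50/#51), so a paint timer and, per the "freed by thread T66" stack, the document shell teardown both ran on that thread while the retrieve still referred to the SwGrfNode it was started for. The C++ below is an added illustration of that shape, not LibreOffice code and not the patch that landed: GrfNode, Document, pump_nested_loop and retrieve_safe are constructed names, the nested dispatch is modelled as draining a queue of callbacks, and it shows one defensive pattern, holding a weak reference across the dispatch and re-acquiring it before touching the object.

```cpp
// Added illustration (not LibreOffice code). A node owns a graphic through a
// shared_ptr, as SwGrfNode/Graphic/ImpGraphic do in the report; an
// asynchronous retrieve wants to call back into that node once its data
// arrives. While waiting it drains pending events, the analogue of the nested
// g_main_loop_run in frame #50, and one of those events may tear the document
// down. All names here are constructed for the example.
#include <functional>
#include <memory>
#include <vector>

enum class GraphicType { None, Bitmap };

struct ImpGraphic {
    GraphicType type = GraphicType::Bitmap;
};

struct GrfNode {
    std::shared_ptr<ImpGraphic> impl = std::make_shared<ImpGraphic>();
    // The read ASan flagged in frames #0..#3: shared_ptr access on impl.
    GraphicType GetType() const { return impl->type; }
};

struct Document {
    std::vector<std::shared_ptr<GrfNode>> nodes;  // ~Document frees every node
};

using Event = std::function<void()>;

enum class RetrieveResult { Delivered, NodeGone };

// Drain everything queued while the "I/O" was in flight. In the real crash
// this is where a paint timer and the document shell destructor ran.
static void pump_nested_loop(std::vector<Event>& pending) {
    std::vector<Event> batch;
    batch.swap(pending);           // run a snapshot; events may enqueue more
    for (auto& ev : batch) ev();
}

// Unsafe shape: a raw pointer survives the nested dispatch. If an event
// destroyed the node, GetType() reads freed memory. Kept for contrast only;
// nothing below calls it.
RetrieveResult retrieve_unsafe(GrfNode* node, std::vector<Event>& pending) {
    pump_nested_loop(pending);
    (void)node->GetType();         // heap-use-after-free once node was freed
    return RetrieveResult::Delivered;
}

// Hardened shape: hold a weak reference across the dispatch and re-acquire it
// afterwards. lock() yields an empty pointer once the owner has let go, so
// the callback is skipped instead of dereferencing freed memory.
RetrieveResult retrieve_safe(std::weak_ptr<GrfNode> weak, std::vector<Event>& pending) {
    pump_nested_loop(pending);
    std::shared_ptr<GrfNode> node = weak.lock();
    if (!node) return RetrieveResult::NodeGone;
    (void)node->GetType();         // node is kept alive for this call
    return RetrieveResult::Delivered;
}

// Scenario from the report: the document is closed from inside the retrieve's
// own wait loop. Constructed input: one document, one node, one close event.
RetrieveResult scenario_close_during_retrieve() {
    auto doc = std::make_unique<Document>();
    doc->nodes.push_back(std::make_shared<GrfNode>());
    std::weak_ptr<GrfNode> weak = doc->nodes[0];
    std::vector<Event> pending;
    pending.push_back([&doc] { doc.reset(); });  // ~Document -> node freed
    return retrieve_safe(weak, pending);         // NodeGone
}

// Control: only an unrelated event is pending, so the node survives.
RetrieveResult scenario_no_close() {
    auto doc = std::make_unique<Document>();
    doc->nodes.push_back(std::make_shared<GrfNode>());
    std::weak_ptr<GrfNode> weak = doc->nodes[0];
    std::vector<Event> pending;
    int repaints = 0;
    pending.push_back([&repaints] { ++repaints; });  // e.g. a paint timer
    return retrieve_safe(weak, pending);             // Delivered
}
```

Compiling the unsafe variant with -fsanitize=address turns its silent read into a heap-use-after-free report of the same kind as the one quoted above, which is how this bug was caught.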
Stephan Bergmann committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/+/8a443fe0f4ab50e2156e2c7e0cf713f2949e3164%5E%21

tdf#124962: Reduce risk of g_main_loop_run from within gio MountOperation

It will be available in 6.3.0.

The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Verified in
Version: 6.3.0.0.alpha1+
Build ID: 4c2034b808fed4f9dfd715d8a4813e788a7e97a4
CPU threads: 4; OS: Linux 4.15; UI render: default; VCL: gtk3;
Locale: ca-ES (ca_ES.UTF-8); UI-Language: en-US
Calc: threaded

@Stephan Bergmann, thanks for fixing this issue!!