141635 – mvUnoCursorTable not protected by a lock

Bug 141635 - mvUnoCursorTable not protected by a lock

Summary: mvUnoCursorTable not protected by a lock

Status:	RESOLVED NOTABUG

Alias:	None

Product:	LibreOffice
Classification:	Unclassified
Component:	Writer (show other bugs)
Version: (earliest affected)	unspecified
Hardware:	All All

Importance:	medium normal
Assignee:	Michael Warner

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2021-04-12 02:46 UTC by Michael Warner
Modified:	2021-05-20 09:46 UTC (History)
CC List:	0 users

See Also:
Crash report or crash signature:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Warner 2021-04-12 02:46:38 UTC

The mvUnoCursorTable in SwDoc is a publicly-accessible vector that is not protected by a lock in several places where it is used. While one thread is iterating through the vector, the cleanupUnoCursorTable() method in the same class may be called by another thread and call erase on the vector, thereby invalidating its iterators. This could lead to incorrect behavior.

Comment 1 Michael Warner 2021-04-12 02:54:11 UTC

Patch submitted:
https://gerrit.libreoffice.org/c/core/+/113962

Comment 2 Michael Stahl (allotropia) 2021-05-20 09:46:52 UTC

pretty much everything in sw is thread-unsafe by design - the entry points that can be called from multiple threads are the 100s of UNO service method implementations and they use the global SolarMutex to ensure thread safety.

if sw code is called from the UI then VCL will have SolarMutex locked.

a popular place where locks have historically been missing are the destructors of UNO service implementations, i forgot to what extent that is fixed now, see e.g. 

https://issues.apache.org/ooo/show_bug.cgi?id=105557
https://issues.apache.org/ooo/show_bug.cgi?id=107771
https://bugs.documentfoundation.org/show_bug.cgi?id=72695
https://bugs.documentfoundation.org/show_bug.cgi?id=65478