Bug 58624 - SwAccessibleParagraph -> SwAccessibleMap lifetime mismatch
Summary: SwAccessibleParagraph -> SwAccessibleMap lifetime mismatch
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Writer (show other bugs)
Version:
(earliest affected)
4.0.0.0.alpha0+ Master
Hardware: Other All
: medium normal
Assignee: Michael Stahl
QA Contact:
URL:
Whiteboard: target:5.4.0 target:5.3.3
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-21 15:31 UTC by Stephan Bergmann
Modified: 2017-03-27 22:21 UTC (History)
1 user (show)

See Also:
Crash report or crash signature:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stephan Bergmann 2012-12-21 15:31:09 UTC
Linux-RHEL6-x86_64@14-with-check tinderbox once failed during toolkit_unoapi test with

> #0  0x00000030b5e09220 in pthread_mutex_lock () from /lib64/libpthread.so.0
> #1  0x00007f02ac11b618 in osl_acquireMutex (Mutex=0x9999999999999999) at /home/tinderbox/master/sal/osl/unx/mutex.c:114
> #2  0x00007f02918fbfe7 in osl::Mutex::acquire (this=0x39cbb50) at /home/tinderbox/master/solver/unxlngx6/inc/osl/mutex.hxx:58
> #3  0x00007f02918ff4f2 in osl::Guard<osl::Mutex>::Guard (this=0x7f028adebe40, t=...) at /home/tinderbox/master/solver/unxlngx6/inc/osl/mutex.hxx:144
> #4  0x00007f0291920966 in SwAccessibleMap::RemoveContext (this=0x39cbb40, pFrm=0x35520f0) at /home/tinderbox/master/sw/source/core/access/accmap.cxx:1553
> #5  0x00007f0291908c9a in SwAccessibleContext::RemoveFrmFromAccessibleMap (this=0x39cf558) at /home/tinderbox/master/sw/source/core/access/acccontext.cxx:1429
> #6  0x00007f0291903c1c in SwAccessibleContext::~SwAccessibleContext (this=0x39cf558, __in_chrg=<value optimized out>) at /home/tinderbox/master/sw/source/core/access/acccontext.cxx:532
> #7  0x00007f029193df92 in SwAccessibleParagraph::~SwAccessibleParagraph (this=0x39cf530, __in_chrg=<value optimized out>) at /home/tinderbox/master/sw/source/core/access/accpara.cxx:500
> #8  0x00007f029193e014 in ::~SwAccessibleParagraph (this=0x39cf530, __in_chrg=<value optimized out>) at /home/tinderbox/master/sw/source/core/access/accpara.cxx:500
> #9  0x00007f02ab3c88ac in cppu::OWeakObject::release (this=0x39cf558) at /home/tinderbox/master/cppuhelper/source/weak.cxx:204
> #10 0x00007f02918ff128 in cppu::WeakImplHelper5<com::sun::star::accessibility::XAccessible, com::sun::star::accessibility::XAccessibleContext, com::sun::star::accessibility::XAccessibleComponent, com::sun::star::accessibility::XAccessibleEventBroadcaster, com::sun::star::lang::XServiceInfo>::release (this=0x39cf558) at /home/tinderbox/master/solver/unxlngx6/inc/cppuhelper/implbase5.hxx:110
> #11 0x00007f029194bfaa in SwAccessibleParagraph::release (this=0x39cf530) at /home/tinderbox/master/sw/source/core/access/accpara.hxx:296
> #12 0x00007f029aa7904d in bridges::cpp_uno::shared::freeUnoInterfaceProxy (pEnv=0x324f6e0, pProxy=0x39cc050) at /home/tinderbox/master/bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:43
> #13 0x00007f02ab68c5c0 in (anonymous namespace)::s_stub_defenv_revokeInterface (pParam=0x7f028adec240) at /home/tinderbox/master/cppu/source/uno/lbenv.cxx:391
> #14 0x00007f02ab687fad in s_environment_invoke_v (pCurrEnv=0x0, pTargetEnv=0x324f6e0, pCallee=0x7f02ab68c2b6 <(anonymous namespace)::s_stub_defenv_revokeInterface(va_list*)>, pParam=0x7f028adec240) at /home/tinderbox/master/cppu/source/uno/EnvStack.cxx:287
> #15 0x00007f02ab688053 in uno_Environment_invoke_v (pTargetEnv=0x324f6e0, pCallee=0x7f02ab68c2b6 <(anonymous namespace)::s_stub_defenv_revokeInterface(va_list*)>, pParam=0x7f028adec240) at /home/tinderbox/master/cppu/source/uno/EnvStack.cxx:306
> #16 0x00007f02ab68813e in uno_Environment_invoke (pEnv=0x324f6e0, pCallee=0x7f02ab68c2b6 <(anonymous namespace)::s_stub_defenv_revokeInterface(va_list*)>) at /home/tinderbox/master/cppu/source/uno/EnvStack.cxx:315
> #17 0x00007f02ab68c977 in (anonymous namespace)::defenv_revokeInterface (pEnv=0x324f6e0, pInterface=0x3966b30) at /home/tinderbox/master/cppu/source/uno/lbenv.cxx:447
> #18 0x00007f029aa7917b in bridges::cpp_uno::shared::releaseProxy (pUnoI=0x3966b30) at /home/tinderbox/master/bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:85
> #19 0x00007f0297ad66d9 in com::sun::star::uno::UnoInterfaceReference::~UnoInterfaceReference (this=0x7f028adec430, __in_chrg=<value optimized out>) at /home/tinderbox/master/solver/unxlngx6/inc/uno/dispatcher.hxx:88
> #20 0x00007f0297ad07af in binaryurp::Bridge::releaseStub (this=0x324f510, oid=..., type=...) at /home/tinderbox/master/binaryurp/source/bridge.cxx:525
> #21 0x00007f0297aeb79a in binaryurp::IncomingRequest::execute_throw (this=0x39c8ae0, returnValue=0x7f028adecb00, outArguments=0x7f028adeca70) at /home/tinderbox/master/binaryurp/source/incomingrequest.cxx:139
> #22 0x00007f0297aeae63 in binaryurp::IncomingRequest::execute (this=0x39c8ae0) at /home/tinderbox/master/binaryurp/source/incomingrequest.cxx:74
> #23 0x00007f0297b05c1a in binaryurp::(anonymous namespace)::request (pThreadSpecificData=0x39c8ae0) at /home/tinderbox/master/binaryurp/source/reader.cxx:87
> #24 0x00007f02ab655178 in cppu_threadpool::JobQueue::enter (this=0x390e5d0, nDisposeId=62443856, bReturnWhenNoJob=1 '\001') at /home/tinderbox/master/cppu/source/threadpool/jobqueue.cxx:115
> #25 0x00007f02ab659439 in cppu_threadpool::ORequestThread::run (this=0x3b8d150) at /home/tinderbox/master/cppu/source/threadpool/thread.cxx:173
> #26 0x00007f02ab659c99 in osl::threadFunc (param=0x3b8d160) at /home/tinderbox/master/solver/unxlngx6/inc/osl/thread.hxx:187
> #27 0x00007f02ac12630b in osl_thread_start_Impl (pData=0x3a6d090) at /home/tinderbox/master/sal/osl/unx/thread.c:252
> #28 0x00000030b5e07851 in start_thread () from /lib64/libpthread.so.0
> #29 0x00000030b5ae890d in clone () from /lib64/libc.so.6

(while main thread was harmlessly blocking on vcl::SolarMutexObject::acquire during Application::Yield).

SwAccessibleParagraph -> SwAccessibleContext is a UNO object with a SwAccessibleMap * pMap member.  However, lifetime of that SwAccessibleMap appears to be controlled by SwViewImp (pAccMap member, created in SwViewImp::CreateAccessibleMap, destroyed in ~SwViewImp) while lifetime of SwViewImp appears to be unrelated to lifetime of SwAccessibleParagraph UNO object.
Comment 1 QA Administrators 2015-01-05 17:51:02 UTC Comment hidden (obsolete)
Comment 2 Michael Stahl 2015-01-20 09:30:10 UTC
it's possible this is "fixed" by:

commit 296e8b597c141b6b54cbf943871d6a6820c1779d
Author:     Michael Stahl <mstahl@redhat.com>
AuthorDate: Thu Dec 18 21:52:51 2014 +0100

    fdo#87199: sw: fix root cause of a11y crash when merging cells


... which should dispose (and thereby remove from the SwAccessibleMap) more SwAccessible instances but it's hard to know for sure...
Comment 3 Stephan Bergmann 2015-01-20 10:35:49 UTC
...so tentatively close as WORKSFORME for now; doesn't help much to have this issue remain open for years anyway
Comment 4 Michael Stahl 2015-01-29 17:22:49 UTC
unfortunately still happens on current master, again in toolkit_unoapi,
a mail from "Linux-F19-x86_64@14-with-check" has the same stack.
Comment 5 QA Administrators 2016-02-21 08:34:24 UTC Comment hidden (obsolete)
Comment 6 Michael Stahl 2016-02-22 11:19:39 UTC
yes unfortunately this still happens
Comment 7 Commit Notification 2016-02-26 12:14:48 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=d0b09f41efe938e94a84e783c9ff5742edcbfba8

sw: related: tdf#58624 convert to assert() in ~SwAccessibleMap()

It will be available in 5.2.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 8 Michael Stahl 2016-02-26 12:32:20 UTC
mystery - the SwAccessibleMap contains thread-safe WeakReferences to SwAccessibles, ~SwAccessibleMap actually resets the back-pointer in all SwAccessibles to null, *and* the ~SwAccessibleContext locks the SolarMutex, so it's a complete mystery how it can happen that ~SwAccessibleContext sees a non-null m_pMap pointing to dead map
Comment 9 QA Administrators 2017-03-06 14:54:21 UTC Comment hidden (obsolete)
Comment 10 Michael Stahl 2017-03-24 13:39:42 UTC
finally tracked it down -> fixed on master
Comment 11 Commit Notification 2017-03-24 13:41:10 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=0c2229dcab143925c6ad390e0735e2d98c3eecca

tdf#58624 sw: fix ~SwAccessibleContext() use-after-free race

It will be available in 5.4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 12 Commit Notification 2017-03-27 22:21:56 UTC
Michael Stahl committed a patch related to this issue.
It has been pushed to "libreoffice-5-3":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=aba392d1a07b8b0d40583d7e893a409cf96f1725&h=libreoffice-5-3

tdf#58624 sw: fix ~SwAccessibleContext() use-after-free race

It will be available in 5.3.3.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.