[Libreoffice-bugs] [Bug 124962] CRASH: closing a document that previously crash at import time (gtk3/gtk)
bugzilla-daemon at bugs.documentfoundation.org
Tue May 7 06:17:56 UTC 2019
https://bugs.documentfoundation.org/show_bug.cgi?id=124962
--- Comment #3 from Stephan Bergmann <sbergman at redhat.com> ---
With an ASan+UBSan build, it eventually crashes with
> =================================================================
> ==29882==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140004d7328 at pc 0x7fe51dcb283a bp 0x7fe246cb10d0 sp 0x7fe246cb10c8
> READ of size 8 at 0x6140004d7328 thread T66 (SwAsyncRetrieve)
> #0 in std::__shared_ptr<ImpGraphic, (__gnu_cxx::_Lock_policy)2>::get() const at /usr/lib/gcc/x86_64-redhat-linux/9/../../../../include/c++/9/bits/shared_ptr_base.h:1310:16 (instdir/program/libvcllo.so +0x7c37839)
> #1 in std::__shared_ptr_access<ImpGraphic, (__gnu_cxx::_Lock_policy)2, false, false>::_M_get() const at /usr/lib/gcc/x86_64-redhat-linux/9/../../../../include/c++/9/bits/shared_ptr_base.h:1021:66 (instdir/program/libvcllo.so +0x7c377c7)
> #2 in std::__shared_ptr_access<ImpGraphic, (__gnu_cxx::_Lock_policy)2, false, false>::operator->() const at /usr/lib/gcc/x86_64-redhat-linux/9/../../../../include/c++/9/bits/shared_ptr_base.h:1015:9 (instdir/program/libvcllo.so +0x7c34539)
> #3 in Graphic::GetType() const at vcl/source/gdi/graph.cxx:312:12 (instdir/program/libvcllo.so +0x7c29bc0)
> #4 in GraphicObject::GetType() const at vcl/source/graphic/GraphicObject.cxx:327:22 (instdir/program/libvcllo.so +0x86f671a)
> #5 in SwBaseLink::DataChanged(rtl::OUString const&, com::sun::star::uno::Any const&) at sw/source/core/docnode/swbaslnk.cxx:158:47 (instdir/program/../program/libswlo.so +0xcd4f40a)
> #6 in SwBaseLink::SwapIn(bool, bool) at sw/source/core/docnode/swbaslnk.cxx:299:17 (instdir/program/../program/libswlo.so +0xcd5466f)
> #7 in SwGrfNode::SwapIn(bool) at sw/source/core/graphic/ndgrf.cxx:456:24 (instdir/program/../program/libswlo.so +0xd730bdb)
> #8 in SwGrfNode::GetGrfObj(bool) const at sw/source/core/graphic/ndgrf.cxx:376:35 (instdir/program/../program/libswlo.so +0xd731967)
> #9 in SwNoTextFrame::PaintPicture(OutputDevice*, SwRect const&) const at sw/source/core/doc/notxtfrm.cxx:1095:48 (instdir/program/../program/libswlo.so +0xc567598)
> #10 in SwNoTextFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/doc/notxtfrm.cxx:317:9 (instdir/program/../program/libswlo.so +0xc561939)
> #11 in SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:3398:21 (instdir/program/../program/libswlo.so +0xddb8f02)
> #12 in SwFlyFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:4090:20 (instdir/program/../program/libswlo.so +0xddd570e)
> #13 in SwVirtFlyDrawObj::wrap_DoPaintObject(drawinglayer::geometry::ViewInformation2D const&) const at sw/source/core/draw/dflyobj.cxx:530:30 (instdir/program/../program/libswlo.so +0xce2eebb)
> #14 in drawinglayer::primitive2d::SwVirtFlyDrawObjPrimitive::get2DDecomposition(drawinglayer::primitive2d::Primitive2DDecompositionVisitor&, drawinglayer::geometry::ViewInformation2D const&) const at sw/source/core/draw/dflyobj.cxx:234:35 (instdir/program/../program/libswlo.so +0xce2df15)
> #15 in drawinglayer::processor2d::BaseProcessor2D::process(drawinglayer::primitive2d::BasePrimitive2D const&) at drawinglayer/source/processor2d/baseprocessor2d.cxx:47:24 (instdir/program/libdrawinglayerlo.so +0x13473c0)
> #16 in drawinglayer::processor2d::VclPixelProcessor2D::processBasePrimitive2D(drawinglayer::primitive2d::BasePrimitive2D const&) at drawinglayer/source/processor2d/vclpixelprocessor2d.cxx:418:21 (instdir/program/libdrawinglayerlo.so +0x143b6ae)
> #17 in drawinglayer::processor2d::BaseProcessor2D::process(drawinglayer::primitive2d::Primitive2DContainer const&) at drawinglayer/source/processor2d/baseprocessor2d.cxx:70:29 (instdir/program/libdrawinglayerlo.so +0x1347d55)
> #18 in sdr::contact::ObjectContactOfPageView::DoProcessDisplay(sdr::contact::DisplayInfo&) at svx/source/sdr/contact/objectcontactofpageview.cxx:293:35 (instdir/program/libsvxcorelo.so +0x514dc8e)
> #19 in sdr::contact::ObjectContactOfPageView::ProcessDisplay(sdr::contact::DisplayInfo&) at svx/source/sdr/contact/objectcontactofpageview.cxx:120:21 (instdir/program/libsvxcorelo.so +0x514b118)
> #20 in SdrPageWindow::RedrawLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag> const*, sdr::contact::ViewObjectContactRedirector*, basegfx::B2IRange const*) at svx/source/svdraw/sdrpagewindow.cxx:402:28 (instdir/program/libsvxcorelo.so +0x543cbcf)
> #21 in SdrPageView::DrawLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag>, OutputDevice*, sdr::contact::ViewObjectContactRedirector*, tools::Rectangle const&, basegfx::B2IRange const*) at svx/source/svdraw/svdpagv.cxx:313:38 (instdir/program/libsvxcorelo.so +0x6260b93)
> #22 in SwViewShellImp::PaintLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag>, SwPrintData const*, SwPageFrame const&, SwRect const&, Color const*, bool, sdr::contact::ViewObjectContactRedirector*) at sw/source/core/view/vdraw.cxx:148:20 (instdir/program/../program/libswlo.so +0x1021ca14)
> #23 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:3138:33 (instdir/program/../program/libswlo.so +0xdd93fb1)
> #24 in SwViewShell::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/core/view/viewsh.cxx:1840:34 (instdir/program/../program/libswlo.so +0x1028365e)
> #25 in SwCursorShell::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/core/crsr/crsrsh.cxx:1411:18 (instdir/program/../program/libswlo.so +0xb18497c)
> #26 in SwEditWin::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/uibase/docvw/edtwin2.cxx:448:20 (instdir/program/../program/libswlo.so +0x118f77ee)
> #27 in PaintHelper::DoPaint(vcl::Region const*) at vcl/source/window/paint.cxx:301:24 (instdir/program/libvcllo.so +0x57de9de)
> #28 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:605:17 (instdir/program/libvcllo.so +0x57eb200)
> #29 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #30 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #31 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #32 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #33 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #34 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #35 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #36 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #37 in PaintHelper::~PaintHelper() at vcl/source/window/paint.cxx:541:30 (instdir/program/libvcllo.so +0x57e75c3)
> #38 in vcl::Window::ImplCallPaint(vcl::Region const*, ImplPaintFlags) at vcl/source/window/paint.cxx:611:1 (instdir/program/libvcllo.so +0x57eb547)
> #39 in vcl::Window::ImplCallOverlapPaint() at vcl/source/window/paint.cxx:629:9 (instdir/program/libvcllo.so +0x57ec559)
> #40 in vcl::Window::ImplHandlePaintHdl(Timer*) at vcl/source/window/paint.cxx:652:9 (instdir/program/libvcllo.so +0x57ed7ff)
> #41 in vcl::Window::LinkStubImplHandlePaintHdl(void*, Timer*) at vcl/source/window/paint.cxx:633:1 (instdir/program/libvcllo.so +0x57ec6da)
> #42 in Link<Timer*, void>::Call(Timer*) const at include/tools/link.hxx:84:45 (instdir/program/libvcllo.so +0x8e60171)
> #43 in Timer::Invoke() at vcl/source/app/timer.cxx:77:21 (instdir/program/libvcllo.so +0x8e5f788)
> #44 in Scheduler::ProcessTaskScheduling() at vcl/source/app/scheduler.cxx:477:20 (instdir/program/libvcllo.so +0x8cb7665)
> #45 in Scheduler::CallbackTaskScheduling() at vcl/source/app/scheduler.cxx:285:5 (instdir/program/libvcllo.so +0x8cb3060)
> #46 in SalTimer::CallCallback() at vcl/inc/saltimer.hxx:55:13 (instdir/program/libvclplug_gtk3lo.so +0xca9dd0)
> #47 in sal_gtk_timeout_dispatch(_GSource*, int (*)(void*), void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:761:45 (instdir/program/libvclplug_gtk3lo.so +0xca4a9d)
> #48 in g_main_context_dispatch at <null> (/lib64/libglib-2.0.so.0 +0x4ffcf)
> #49 at <null> (/lib64/libglib-2.0.so.0 +0x50367)
> #50 in g_main_loop_run at <null> (/lib64/libglib-2.0.so.0 +0x506b2)
> #51 in gio::MountOperation::Mount(_GFile*) at ucb/source/ucp/gio/gio_content.cxx:359:13 (instdir/program/../program/libucpgio1lo.so +0xceb73)
> #52 in gio::Content::getGFileInfo(com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&, _GError**) at ucb/source/ucp/gio/gio_content.cxx:390:40 (instdir/program/../program/libucpgio1lo.so +0xcfa8a)
> #53 in gio::Content::getFileInfo(com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&, _GFileInfo**, bool) at ucb/source/ucp/gio/gio_content.cxx:653:17 (instdir/program/../program/libucpgio1lo.so +0xd4f77)
> #54 in gio::Content::getPropertyValues(com::sun::star::uno::Sequence<com::sun::star::beans::Property> const&, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&) at ucb/source/ucp/gio/gio_content.cxx:454:13 (instdir/program/../program/libucpgio1lo.so +0xd0c80)
> #55 in gio::Content::execute(com::sun::star::ucb::Command const&, int, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&) at ucb/source/ucp/gio/gio_content.cxx:948:18 (instdir/program/../program/libucpgio1lo.so +0xe248b)
> #56 in non-virtual thunk to gio::Content::execute(com::sun::star::ucb::Command const&, int, com::sun::star::uno::Reference<com::sun::star::ucb::XCommandEnvironment> const&) at ucb/source/ucp/gio/gio_content.cxx (instdir/program/../program/libucpgio1lo.so +0xe7a43)
> #57 in ucbhelper::Content_Impl::executeCommand(com::sun::star::ucb::Command const&) at ucbhelper/source/client/content.cxx:1254:19 (instdir/program/libucbhelper.so +0x346408)
> #58 in ucbhelper::Content::getPropertyValuesInterface(com::sun::star::uno::Sequence<rtl::OUString> const&) at ucbhelper/source/client/content.cxx:491:28 (instdir/program/libucbhelper.so +0x349df1)
> #59 in ucbhelper::Content::getPropertyValues(com::sun::star::uno::Sequence<rtl::OUString> const&) at ucbhelper/source/client/content.cxx:450:30 (instdir/program/libucbhelper.so +0x3474ca)
> #60 in ucbhelper::Content::getPropertyValue(rtl::OUString const&) at ucbhelper/source/client/content.cxx:429:28 (instdir/program/libucbhelper.so +0x346f8a)
> #61 in ucbhelper::Content::isDocument() at ucbhelper/source/client/content.cxx:1025:10 (instdir/program/libucbhelper.so +0x34e4e4)
> #62 in ucbhelper::Content::openWriteableStream() at ucbhelper/source/client/content.cxx:732:11 (instdir/program/libucbhelper.so +0x34f898)
> #63 in utl::MediaDescriptor::impl_openStreamWithURL(rtl::OUString const&, bool) at unotools/source/misc/mediadescriptor.cxx:671:32 (instdir/program/libutllo.so +0x118b43a)
> #64 in utl::MediaDescriptor::impl_addInputStream(bool) at unotools/source/misc/mediadescriptor.cxx:526:16 (instdir/program/libutllo.so +0x118705f)
> #65 in utl::MediaDescriptor::addInputStream() at unotools/source/misc/mediadescriptor.cxx:487:12 (instdir/program/libutllo.so +0x1186479)
> #66 in SwAsyncRetrieveInputStreamThread::threadFunction() at sw/source/core/docnode/retrieveinputstream.cxx:64:13 (instdir/program/../program/libswlo.so +0xccf020b)
> #67 in ObservableThread::run() at sw/source/core/docnode/observablethread.cxx:48:5 (instdir/program/../program/libswlo.so +0xccd343d)
> #68 in threadFunc at include/osl/thread.hxx:185:15 (instdir/program/../program/libswlo.so +0xc994d5f)
> #69 in osl_thread_start_Impl(void*) at sal/osl/unx/thread.cxx:235:9 (instdir/program/libuno_sal.so.3 +0x4e04ad)
> #70 in start_thread at <null> (/lib64/libpthread.so.0 +0x85a1)
> #71 in clone at <null> (/lib64/libc.so.6 +0xfb162)
>
> 0x6140004d7328 is located 232 bytes inside of 416-byte region [0x6140004d7240,0x6140004d73e0)
> freed by thread T66 (SwAsyncRetrieve) here:
> #0 in operator delete(void*, unsigned long) at /data/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cc:178:3 (instdir/program/soffice.bin +0x326db7)
> #1 in SwGrfNode::~SwGrfNode() at sw/source/core/graphic/ndgrf.cxx:279:1 (instdir/program/../program/libswlo.so +0xd72fcd5)
> #2 in SwNodes::RemoveNode(unsigned long, unsigned long, bool) at sw/source/core/docnode/nodes.cxx:2281:13 (instdir/program/../program/libswlo.so +0xcc5f7e1)
> #3 in SwNodes::DelNodes(SwNodeIndex const&, unsigned long) at sw/source/core/docnode/nodes.cxx:1364:17 (instdir/program/../program/libswlo.so +0xcc75cc1)
> #4 in SwDoc::~SwDoc() at sw/source/core/doc/docnew.cxx:494:15 (instdir/program/../program/libswlo.so +0xbc3b91c)
> #5 in SwDoc::release() at sw/source/core/doc/doc.cxx:150:9 (instdir/program/../program/libswlo.so +0xb67d7d3)
> #6 in rtl::Reference<SwDoc>::clear() at include/rtl/ref.hxx:159:19 (instdir/program/../program/libswlo.so +0xcaea51e)
> #7 in SwDocShell::RemoveLink() at sw/source/uibase/app/docshini.cxx:460:16 (instdir/program/../program/libswlo.so +0x1101b777)
> #8 in SwDocShell::~SwDocShell() at sw/source/uibase/app/docshini.cxx:388:5 (instdir/program/../program/libswlo.so +0x1101a514)
> #9 in SwDocShell::~SwDocShell() at sw/source/uibase/app/docshini.cxx:378:1 (instdir/program/../program/libswlo.so +0x1101b92b)
>
> previously allocated by thread T0 here:
> #0 in operator new(unsigned long) at /data/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cc:105:3 (instdir/program/soffice.bin +0x325f97)
> #1 in SwNodes::MakeGrfNode(SwNodeIndex const&, rtl::OUString const&, rtl::OUString const&, Graphic const*, SwGrfFormatColl*, SwAttrSet const*) at sw/source/core/graphic/ndgrf.cxx:415:17 (instdir/program/../program/libswlo.so +0xd732c9f)
> #2 in sw::DocumentContentOperationsManager::InsertGraphic(SwPaM const&, rtl::OUString const&, rtl::OUString const&, Graphic const*, SfxItemSet const*, SfxItemSet const*, SwFrameFormat*) at sw/source/core/doc/DocumentContentOperationsManager.cxx:2758:29 (instdir/program/../program/libswlo.so +0xc145a01)
> #3 in SwXFrame::attachToRange(com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&) at sw/source/core/unocore/unoframe.cxx:2804:57 (instdir/program/../program/libswlo.so +0xf89cc8f)
> #4 in SwXFrame::attach(com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&) at sw/source/core/unocore/unoframe.cxx:3040:9 (instdir/program/../program/libswlo.so +0xf8a7c49)
> #5 in SwXText::insertTextContent(com::sun::star::uno::Reference<com::sun::star::text::XTextRange> const&, com::sun::star::uno::Reference<com::sun::star::text::XTextContent> const&, unsigned char) at sw/source/core/unocore/unotext.cxx:618:15 (instdir/program/../program/libswlo.so +0x1010d8db)
> #6 in XMLTextImportHelper::InsertTextContent(com::sun::star::uno::Reference<com::sun::star::text::XTextContent> const&) at xmloff/source/text/txtimp.cxx:1249:27 (instdir/program/libxolo.so +0x49d65cb)
> #7 in XMLTextFrameContext_Impl::Create() at xmloff/source/text/XMLTextFrameContext.cxx:700:32 (instdir/program/libxolo.so +0x48194ce)
> #8 in XMLTextFrameContext_Impl::XMLTextFrameContext_Impl(SvXMLImport&, unsigned short, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::xml::sax::XAttributeList> const&, com::sun::star::text::TextContentAnchorType, unsigned short, com::sun::star::uno::Reference<com::sun::star::xml::sax::XAttributeList> const&, bool) at xmloff/source/text/XMLTextFrameContext.cxx:1096:5 (instdir/program/libxolo.so +0x48266ff)
> #9 in XMLTextFrameContext::CreateChildContext(unsigned short, rtl::OUString const&, com::sun::star::uno::Reference<com::sun::star::xml::sax::XAttributeList> const&) at xmloff/source/text/XMLTextFrameContext.cxx:1517:36 (instdir/program/libxolo.so +0x48381d0)
>
> Thread T66 (SwAsyncRetrieve) created by T0 here:
> #0 in pthread_create at /data/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_interceptors.cc:209:3 (instdir/program/soffice.bin +0x271e92)
> #1 in osl_thread_create_Impl(void (*)(void*), void*, short) at sal/osl/unx/thread.cxx:284:17 (instdir/program/libuno_sal.so.3 +0x4d94ae)
> #2 in osl_createSuspendedThread at sal/osl/unx/thread.cxx:334:12 (instdir/program/libuno_sal.so.3 +0x4d9c69)
> #3 in osl::Thread::create() at include/osl/thread.hxx:73:21 (instdir/program/../program/libswlo.so +0xc98a938)
> #4 in ThreadManager::StartThread(ThreadManager::tThreadData const&) at sw/source/core/docnode/threadmanager.cxx:178:31 (instdir/program/../program/libswlo.so +0xcd66fc6)
> #5 in ThreadManager::AddThread(rtl::Reference<ObservableThread> const&) at sw/source/core/docnode/threadmanager.cxx:94:15 (instdir/program/../program/libswlo.so +0xcd66875)
> #6 in SwThreadManager::AddThread(rtl::Reference<ObservableThread> const&) at sw/source/core/docnode/swthreadmanager.cxx:56:33 (instdir/program/../program/libswlo.so +0xcd61927)
> #7 in SwAsyncRetrieveInputStreamThreadConsumer::CreateThread(rtl::OUString const&, rtl::OUString const&) at sw/source/core/docnode/retrieveinputstreamconsumer.cxx:53:54 (instdir/program/../program/libswlo.so +0xccf65d1)
> #8 in SwGrfNode::TriggerAsyncRetrieveInputStream() at sw/source/core/graphic/ndgrf.cxx:821:27 (instdir/program/../program/libswlo.so +0xd73d661)
> #9 in SwNoTextFrame::PaintPicture(OutputDevice*, SwRect const&) const at sw/source/core/doc/notxtfrm.cxx:1121:29 (instdir/program/../program/libswlo.so +0xc5683df)
> #10 in SwNoTextFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/doc/notxtfrm.cxx:317:9 (instdir/program/../program/libswlo.so +0xc561939)
> #11 in SwLayoutFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:3398:21 (instdir/program/../program/libswlo.so +0xddb8f02)
> #12 in SwFlyFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:4090:20 (instdir/program/../program/libswlo.so +0xddd570e)
> #13 in SwVirtFlyDrawObj::wrap_DoPaintObject(drawinglayer::geometry::ViewInformation2D const&) const at sw/source/core/draw/dflyobj.cxx:530:30 (instdir/program/../program/libswlo.so +0xce2eebb)
> #14 in drawinglayer::primitive2d::SwVirtFlyDrawObjPrimitive::get2DDecomposition(drawinglayer::primitive2d::Primitive2DDecompositionVisitor&, drawinglayer::geometry::ViewInformation2D const&) const at sw/source/core/draw/dflyobj.cxx:234:35 (instdir/program/../program/libswlo.so +0xce2df15)
> #15 in drawinglayer::processor2d::BaseProcessor2D::process(drawinglayer::primitive2d::BasePrimitive2D const&) at drawinglayer/source/processor2d/baseprocessor2d.cxx:47:24 (instdir/program/libdrawinglayerlo.so +0x13473c0)
> #16 in drawinglayer::processor2d::VclPixelProcessor2D::processBasePrimitive2D(drawinglayer::primitive2d::BasePrimitive2D const&) at drawinglayer/source/processor2d/vclpixelprocessor2d.cxx:418:21 (instdir/program/libdrawinglayerlo.so +0x143b6ae)
> #17 in drawinglayer::processor2d::BaseProcessor2D::process(drawinglayer::primitive2d::Primitive2DContainer const&) at drawinglayer/source/processor2d/baseprocessor2d.cxx:70:29 (instdir/program/libdrawinglayerlo.so +0x1347d55)
> #18 in sdr::contact::ObjectContactOfPageView::DoProcessDisplay(sdr::contact::DisplayInfo&) at svx/source/sdr/contact/objectcontactofpageview.cxx:293:35 (instdir/program/libsvxcorelo.so +0x514dc8e)
> #19 in sdr::contact::ObjectContactOfPageView::ProcessDisplay(sdr::contact::DisplayInfo&) at svx/source/sdr/contact/objectcontactofpageview.cxx:120:21 (instdir/program/libsvxcorelo.so +0x514b118)
> #20 in SdrPageWindow::RedrawLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag> const*, sdr::contact::ViewObjectContactRedirector*, basegfx::B2IRange const*) at svx/source/svdraw/sdrpagewindow.cxx:402:28 (instdir/program/libsvxcorelo.so +0x543cbcf)
> #21 in SdrPageView::DrawLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag>, OutputDevice*, sdr::contact::ViewObjectContactRedirector*, tools::Rectangle const&, basegfx::B2IRange const*) at svx/source/svdraw/svdpagv.cxx:279:31 (instdir/program/libsvxcorelo.so +0x6260413)
> #22 in SwViewShellImp::PaintLayer(o3tl::strong_int<unsigned char, SdrLayerIDTag>, SwPrintData const*, SwPageFrame const&, SwRect const&, Color const*, bool, sdr::contact::ViewObjectContactRedirector*) at sw/source/core/view/vdraw.cxx:148:20 (instdir/program/../program/libswlo.so +0x1021ca14)
> #23 in SwRootFrame::PaintSwFrame(OutputDevice&, SwRect const&, SwPrintData const*) const at sw/source/core/layout/paintfrm.cxx:3138:33 (instdir/program/../program/libswlo.so +0xdd93fb1)
> #24 in SwViewShell::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/core/view/viewsh.cxx:1840:34 (instdir/program/../program/libswlo.so +0x1028365e)
> #25 in SwCursorShell::Paint(OutputDevice&, tools::Rectangle const&) at sw/source/core/crsr/crsrsh.cxx:1411:18 (instdir/program/../program/libswlo.so +0xb18497c)
> #26 in SwViewShell::ImplUnlockPaint(bool) at sw/source/core/view/viewsh.cxx:506:17 (instdir/program/../program/libswlo.so +0x10253df7)
> #27 in SwViewShell::UnlockPaint(bool) at sw/inc/viewsh.hxx:612:9 (instdir/program/../program/libswlo.so +0xd5c5dc9)
> #28 in SwView::OuterResizePixel(Point const&, Size const&) at sw/source/uibase/uiview/viewport.cxx:1141:18 (instdir/program/../program/libswlo.so +0x12472e9f)
> #29 in SwView::DocSzChgd(Size const&) at sw/source/uibase/uiview/viewport.cxx:202:9 (instdir/program/../program/libswlo.so +0x124451c5)
> #30 in SizeNotify(SwViewShell const*, Size const&) at sw/source/uibase/docvw/edtwin3.cxx:66:18 (instdir/program/../program/libswlo.so +0x118f99ff)
> #31 in SwViewShell::UISizeNotify() at sw/source/core/view/viewsh.cxx:2364:9 (instdir/program/../program/libswlo.so +0x1024c913)
> #32 in SwViewShell::ImplEndAction(bool) at sw/source/core/view/viewsh.cxx:458:5 (instdir/program/../program/libswlo.so +0x1024c0da)
> #33 in SwViewShell::EndAction(bool) at sw/inc/viewsh.hxx:600:9 (instdir/program/../program/libswlo.so +0xb1c9269)
> #34 in SwCursorShell::EndAction(bool, bool) at sw/source/core/crsr/crsrsh.cxx:254:18 (instdir/program/../program/libswlo.so +0xb137c21)
> #35 in SwView::ReadUserDataSequence(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at sw/source/uibase/uiview/view.cxx:1508:26 (instdir/program/../program/libswlo.so +0x1232d7a3)
> #36 in SfxBaseController::ConnectSfxFrame_Impl(SfxBaseController::ConnectSfxFrame) at sfx2/source/view/sfxbasecontroller.cxx:1346:52 (instdir/program/libsfxlo.so +0x5411e19)
> #37 in SfxBaseController::attachFrame(com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/sfxbasecontroller.cxx:532:9 (instdir/program/libsfxlo.so +0x5409241)
> #38 in (anonymous namespace)::SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) at sfx2/source/view/frmload.cxx:597:18 (instdir/program/libsfxlo.so +0x538a53a)
> #39 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/frmload.cxx:714:13 (instdir/program/libsfxlo.so +0x538322a)
> #40 in framework::LoadEnv::impl_loadContent() at framework/source/loadenv/loadenv.cxx:1152:37 (instdir/program/../program/libfwklo.so +0x1e43c05)
> #41 in framework::LoadEnv::startLoading() at framework/source/loadenv/loadenv.cxx:385:20 (instdir/program/../program/libfwklo.so +0x1e342d9)
> #42 in framework::LoadDispatcher::impl_dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) at framework/source/dispatch/loaddispatcher.cxx:106:19 (instdir/program/../program/libfwklo.so +0x1b36be4)
> #43 in framework::LoadDispatcher::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/dispatch/loaddispatcher.cxx:52:5 (instdir/program/../program/libfwklo.so +0x1b38874)
> #44 in sfx2::RecentDocsView::ExecuteHdl_Impl(sfx2::RecentDocsView*, void*) at sfx2/source/control/recentdocsview.cxx:400:37 (instdir/program/libsfxlo.so +0x3a6b86c)
> #45 in sfx2::RecentDocsView::LinkStubExecuteHdl_Impl(void*, void*) at sfx2/source/control/recentdocsview.cxx:392:1 (instdir/program/libsfxlo.so +0x3a6b577)
> #46 in Link<void*, void>::Call(void*) const at include/tools/link.hxx:84:45 (instdir/program/libvcllo.so +0x6831731)
> #47 in ImplHandleUserEvent(ImplSVEvent*) at vcl/source/window/winproc.cxx:1958:30 (instdir/program/libvcllo.so +0x681f0f1)
> #48 in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) at vcl/source/window/winproc.cxx:2511:13 (instdir/program/libvcllo.so +0x68080c6)
> #49 in SalFrame::CallCallback(SalEvent, void const*) const at vcl/inc/salframe.hxx:294:29 (instdir/program/libvcllo.so +0x979f29a)
> #50 in SalGenericDisplay::ProcessEvent(SalUserEventList::SalUserEvent) at vcl/unx/generic/app/gendisp.cxx:67:22 (instdir/program/libvcllo.so +0x983c293)
> #51 in SalUserEventList::DispatchUserEvents(bool) at vcl/source/app/salusereventlist.cxx:109:17 (instdir/program/libvcllo.so +0x8a92905)
> #52 in SalGenericDisplay::DispatchInternalEvent(bool) at vcl/unx/generic/app/gendisp.cxx:52:12 (instdir/program/libvcllo.so +0x983bcd6)
> #53 in call_userEventFn(void*) at vcl/unx/gtk3/gtk3gtkdata.cxx:853:27 (instdir/program/libvclplug_gtk3lo.so +0xca2627)
> #54 at <null> (/lib64/libglib-2.0.so.0 +0x4c8ea)
>
> SUMMARY: AddressSanitizer: heap-use-after-free /usr/lib/gcc/x86_64-redhat-linux/9/../../../../include/c++/9/bits/shared_ptr_base.h:1310:16 in std::__shared_ptr<ImpGraphic, (__gnu_cxx::_Lock_policy)2>::get() const
> ==29882==ABORTING