[Libreoffice-commits] core.git: 2 commits - sc/source sw/source
Michael Stahl
mstahl at redhat.com
Fri Jan 9 16:26:19 PST 2015
sc/source/ui/unoobj/cellsuno.cxx | 6 ++++++
sw/source/uibase/utlui/content.cxx | 19 +++++++++++++++++--
2 files changed, 23 insertions(+), 2 deletions(-)
New commits:
commit 90d8f4fca566e46171b260ee3aadc655871c92ba
Author: Michael Stahl <mstahl at redhat.com>
Date: Sat Jan 10 00:57:52 2015 +0100
fdo#87845: sw: fix crash in navigator dialog when view is closed
Since we have a SwContentTree::Notify() now, might as well clear our
pointers to recently deceased SwWrtShells when the obituary arrives.
(regression from b5c1f352522c34a744ad0226e73904ce5af81b11)
Change-Id: I44282658468f1b758038fbf1c7fc13dfe1b4b8ed
diff --git a/sw/source/uibase/utlui/content.cxx b/sw/source/uibase/utlui/content.cxx
index cdd36f1..2d83cd9 100644
--- a/sw/source/uibase/utlui/content.cxx
+++ b/sw/source/uibase/utlui/content.cxx
@@ -23,6 +23,7 @@
#include <tools/urlobj.hxx>
#include <sfx2/docfile.hxx>
#include <sfx2/dispatch.hxx>
+#include <sfx2/event.hxx>
#include <vcl/help.hxx>
#include <vcl/settings.hxx>
#include <sot/formats.hxx>
@@ -50,6 +51,7 @@
#include <IDocumentDrawModelAccess.hxx>
#include <IDocumentOutlineNodes.hxx>
#include <unotools.hxx>
+#include <unotxvw.hxx>
#include <crsskip.hxx>
#include <cmdid.h>
#include <helpid.h>
@@ -2220,7 +2222,8 @@ void SwContentTree::SetActiveShell(SwWrtShell* pSh)
{
if(!lcl_FindShell(pActiveShell))
{
- EndListening(*pActiveShell->GetView().GetDocShell());
+ if (pActiveShell)
+ EndListening(*pActiveShell->GetView().GetDocShell());
pActiveShell = pSh;
bIsActive = true;
bIsConstant = false;
@@ -2231,7 +2234,8 @@ void SwContentTree::SetActiveShell(SwWrtShell* pSh)
// the screen filled new.
if(bIsActive && bClear)
{
- StartListening(*pActiveShell->GetView().GetDocShell());
+ if (pActiveShell)
+ StartListening(*pActiveShell->GetView().GetDocShell());
FindActiveTypeAndRemoveUserData();
for(sal_uInt16 i=0; i < CONTENT_TYPE_MAX; i++)
{
@@ -2267,6 +2271,17 @@ void SwContentTree::Notify(SfxBroadcaster & rBC, SfxHint const& rHint)
if (pHint && SFX_HINT_DOCCHANGED == pHint->GetId())
{
m_bActiveDocModified = true;
+ return;
+ }
+
+ SfxViewEventHint const*const pVEHint(
+ dynamic_cast<SfxViewEventHint const*>(&rHint));
+ if (pActiveShell
+ && pVEHint && pVEHint->GetEventName() == "OnViewClosed"
+ && dynamic_cast<SwXTextView *>(pVEHint->GetController().get())
+ ->GetView() == &pActiveShell->GetView())
+ {
+ SetActiveShell(0); // our view is dying, clear our pointers to it
}
else
{
commit c6dc3b9f9adb292ae42ba246082bc9dcb1445c6c
Author: Michael Stahl <mstahl at redhat.com>
Date: Fri Jan 9 22:48:06 2015 +0100
sc: fix use-after-free race in ScCellRangesBase
Probably 03cca068ed901d1862c440a6f414d17609785974 was not sufficient,
because the ~ScCellRangesBase may access a deleted ScDocument after the
early return.
READ of size 8 at 0x61b000191cb0 thread T7 (cppu_threadpool)
#0 0x2b3c8fd7c8b3 in ScDocument::RemoveUnoObject(SfxListener&) sc/source/core/data/documen3.cxx:863:9
#1 0x2b3c94517824 in ScCellRangesBase::~ScCellRangesBase() sc/source/ui/unoobj/cellsuno.cxx:1467:9
#2 0x2b3c9459cf98 in ScCellRangeObj::~ScCellRangeObj() sc/source/ui/unoobj/cellsuno.cxx:4786:1
#3 0x2b3c945eca28 in ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6088:1
#4 0x2b3c945ecef1 in ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6087:1
#5 0x2b3c945ed093 in non-virtual thunk to ScCellObj::~ScCellObj() sc/source/ui/unoobj/cellsuno.cxx:6088:1
#6 0x2b3c56cb35ec in cppu::OWeakObject::release() cppuhelper/source/weak.cxx:205:9
#7 0x2b3c94523d63 in ScCellRangesBase::release() sc/source/ui/unoobj/cellsuno.cxx:1772:5
#8 0x2b3c945a77ec in ScCellRangeObj::release() sc/source/ui/unoobj/cellsuno.cxx:4835:5
#9 0x2b3c945f842c in ScCellObj::release() sc/source/ui/unoobj/cellsuno.cxx:6128:5
#10 0x2b3c945fb953 in non-virtual thunk to ScCellObj::release() sc/source/ui/unoobj/cellsuno.cxx:6129:1
#11 0x2b3c7f305faa in bridges::cpp_uno::shared::freeUnoInterfaceProxy(_uno_ExtEnvironment*, void*) bridges/source/cpp_uno/shared/unointerfaceproxy.cxx:42:5
freed by thread T14 (cppu_threadpool) here:
#0 0x43436b in operator delete(void*) (/data/lo/build_clang/instdir/program/soffice.bin+0x43436b)
#1 0x2b3c9382462e in ScDocShell::~ScDocShell() sc/source/ui/docshell/docsh.cxx:2722:1
#2 0x2b3c93824d46 in virtual thunk to ScDocShell::~ScDocShell() sc/source/ui/docshell/docsh.cxx:2755:1
#3 0x2b3c58e2058a in SvRefBase::ReleaseRef() include/tools/ref.hxx:194:29
#4 0x2b3c58e12726 in tools::SvRef<SfxObjectShell>::~SvRef() include/tools/ref.hxx:52:24
#5 0x2b3c5a8a8f99 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() sfx2/source/doc/sfxbasemodel.cxx:247:5
#6 0x2b3c5a8a9141 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() sfx2/source/doc/sfxbasemodel.cxx:246:5
#7 0x2b3c5a7b1905 in SfxBaseModel::dispose() sfx2/source/doc/sfxbasemodel.cxx:795:5
#8 0x2b3c5a7c8146 in SfxBaseModel::close(unsigned char) sfx2/source/doc/sfxbasemodel.cxx:1418:5
Change-Id: Ia041dc6596d1b0b6b979a20fa93e1490c657e15b
diff --git a/sc/source/ui/unoobj/cellsuno.cxx b/sc/source/ui/unoobj/cellsuno.cxx
index 5228bab..6d1e54a 100644
--- a/sc/source/ui/unoobj/cellsuno.cxx
+++ b/sc/source/ui/unoobj/cellsuno.cxx
@@ -1550,6 +1550,12 @@ void ScCellRangesBase::Notify( SfxBroadcaster&, const SfxHint& rHint )
uno::Reference<uno::XInterface> const xThis(m_wThis);
if (!xThis.is())
{ // fdo#72695: if UNO object is already dead, don't revive it with event
+ if (dynamic_cast<const SfxSimpleHint*>(&rHint) &&
+ SFX_HINT_DYING == static_cast<const SfxSimpleHint&>(rHint).GetId())
+ { // if the document dies, must reset to avoid crash in dtor!
+ ForgetCurrentAttrs();
+ pDocShell = nullptr;
+ }
return;
}
if ( dynamic_cast<const ScUpdateRefHint*>(&rHint) )
More information about the Libreoffice-commits
mailing list