[Libreoffice] [PATCH] writer AnchoredObjects accessed after deletion under some circumstances

Caolán McNamara caolanm at redhat.com
Thu Nov 10 08:44:30 PST 2011


So, I have a document which triggers the attached traces.txt if I close
the document before the layout completes.

Here's what I think I see. The SwView goes away first, and the writer
layout hierarchy goes away with it. Then the SwDoc goes away. The
"SwLayouter" basically belongs to the SwDoc (for some good reason?).

During layout SwLayouter::InsertObjForTmpConsiderWrapInfluence can be
called to add some pointers to AnchoredObjects into it temporarily.
AnchoredObjects belong to the layout, and go away when the layout
hierarchy is destroyed. If the layout process completes these get
cleared out from the SwLayouter along the way.

However, if you close the document before layout is complete,
AnchoredObjects remain registered in SwLayouter, then the SwDoc
destruction calls SwLayouter::ClearObjsTmpConsiderWrapInfluence which
can try to access AnchoredObjects which were destroyed by the earlier
destruction, ka-boom.

Traces attached in traces.txt.

Attached is what I think is a plausible fix. Anyone got any alternative
ideas or horrified (more than usual) by the suggested fix?

C.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sw.clear.SwLayouter.whenlayoutdies.patch
Type: text/x-patch
Size: 2199 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/libreoffice/attachments/20111110/5350933d/attachment.bin>
-------------- next part --------------
==2958==    at 0x22EB2603: SwAnchoredObject::SetTmpConsiderWrapInfluence(bool) (anchoredobject.cxx:869)
==2958==    by 0x22F2CB81: SwObjsMarkedAsTmpConsiderWrapInfluence::Clear() (objstmpconsiderwrapinfl.cxx:79)
==2958==    by 0x22F1E26A: SwLayouter::ClearObjsTmpConsiderWrapInfluence(SwDoc const&) (layouter.cxx:425)
==2958==    by 0x22C5D38A: SwDoc::SetModified() (doc.cxx:1816)
==2958==    by 0x22CCA6C6: SwDoc::SetDefault(SfxItemSet const&) (docfmt.cxx:1300)
==2958==    by 0x22CC9ED7: SwDoc::SetDefault(SfxPoolItem const&) (docfmt.cxx:1178)
==2958==    by 0x22CE7742: SwDoc::~SwDoc() (docnew.cxx:473)
==2958==    by 0x22CE8EF9: SwDoc::~SwDoc() (docnew.cxx:666)
==2958==    by 0x2340DABB: SwDocShell::RemoveLink() (docshini.cxx:517)
==2958==    by 0x2340D2EA: SwDocShell::~SwDocShell() (docshini.cxx:425)
==2958==    by 0x2340D4F3: SwDocShell::~SwDocShell() (docshini.cxx:433)
==2958==    by 0x85D4D8B: SvRefBase::QueryDelete() (ref.cxx:50)
==2958==    by 0x677F714: SvRefBase::ReleaseReference() (ref.hxx:380)
==2958==    by 0x677FCD0: SfxObjectShellRef::~SfxObjectShellRef() (in /home/caolan/LibreOffice/core/solver/unxlngx6/lib/libsfxlo.so)
==2958==    by 0x6A9C964: SfxViewFrame::ReleaseObjectShell_Impl() (viewfrm.cxx:1106)
==2958==    by 0x6A9E060: SfxViewFrame::~SfxViewFrame() (viewfrm.cxx:1480)
==2958==    by 0x6A9E239: SfxViewFrame::~SfxViewFrame() (viewfrm.cxx:1501)
==2958==    by 0x6A9CB5C: SfxViewFrame::Close() (viewfrm.cxx:1139)
==2958==    by 0x6A71419: SfxFrame::DoClose_Impl() (frame.cxx:185)

gdb log of point of destruction of SwAnchoredObject accessed above.

#0  SwAnchoredObject::~SwAnchoredObject (this=0x18d8400, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/layout/anchoredobject.cxx:124
#1  0x00007fffc70f877a in SwFlyFrm::~SwFlyFrm (this=0x18d8340, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/layout/fly.cxx:287
#2  0x00007fffc71087bf in SwFlyFreeFrm::~SwFlyFreeFrm (this=0x18d8340, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/layout/flylay.cxx:83
#3  0x00007fffc710df59 in SwFlyLayFrm::~SwFlyLayFrm (this=0x18d8340, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/inc/flyfrms.hxx:124
#4  0x00007fffc710df9c in SwFlyLayFrm::~SwFlyLayFrm (this=0x18d8340, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/inc/flyfrms.hxx:124
#5  0x00007fffc7191ea8 in SwLayoutFrm::~SwLayoutFrm (this=0x18d8000, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/layout/ssfrm.cxx:584
#6  0x00007fffc7146dc6 in SwRootFrm::~SwRootFrm (this=0x18d8000, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/layout/newfrm.cxx:603
#7  0x00007fffc7146e36 in SwRootFrm::~SwRootFrm (this=0x18d8000, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/layout/newfrm.cxx:638
#8  0x00007fffc74dbcc0 in boost::checked_delete<SwRootFrm> (x=0x18d8000)
    at /home/caolan/LibreOffice/core/solver/unxlngx6/inc/boost/checked_delete.hpp:34
#9  0x00007fffc74dc626 in boost::detail::sp_counted_impl_p<SwRootFrm>::dispose (this=0x18d8300)
    at /home/caolan/LibreOffice/core/solver/unxlngx6/inc/boost/smart_ptr/detail/sp_counted_impl.hpp:78
#10 0x00007fffc6e1a38c in boost::detail::sp_counted_base::release (this=0x18d8300)
    at /home/caolan/LibreOffice/core/solver/unxlngx6/inc/boost/smart_ptr/detail/sp_counted_base_gcc_x86.hpp:145
#11 0x00007fffc6e1a41b in boost::detail::shared_count::~shared_count (this=0x190add0, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/solver/unxlngx6/inc/boost/smart_ptr/detail/shared_count.hpp:217
#12 0x00007fffc74db51c in boost::shared_ptr<SwRootFrm>::~shared_ptr (this=0x190adc8, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/solver/unxlngx6/inc/boost/smart_ptr/shared_ptr.hpp:168
#13 0x00007fffc74db1eb in ViewShell::~ViewShell (this=0x190ad20, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/view/vnew.cxx:277
#14 0x00007fffc6e304bb in SwCrsrShell::~SwCrsrShell (this=0x190ad20, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/crsr/crsrsh.cxx:2616
#15 0x00007fffc7051d34 in SwEditShell::~SwEditShell (this=0x190ad20, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/edit/edws.cxx:66
#16 0x00007fffc70b4559 in SwFEShell::~SwFEShell (this=0x190ad20, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/core/frmedt/fews.cxx:704
#17 0x00007fffc7895690 in SwWrtShell::~SwWrtShell (this=0x190ad20, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/ui/wrtsh/wrtsh1.cxx:1738
#18 0x00007fffc789571e in SwWrtShell::~SwWrtShell (this=0x190ad20, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/ui/wrtsh/wrtsh1.cxx:1746
#19 0x00007fffc77cccf9 in SwView::~SwView (this=0x18c3420, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/ui/uiview/view.cxx:1075
#20 0x00007fffc77cd12e in SwView::~SwView (this=0x18c3420, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sw/source/ui/uiview/view.cxx:1090
#21 0x00007ffff62c2638 in SfxViewFrame::ReleaseObjectShell_Impl (this=0x18b8680)
    at /home/caolan/LibreOffice/core/sfx2/source/view/viewfrm.cxx:1084
#22 0x00007ffff62c4061 in SfxViewFrame::~SfxViewFrame (this=0x18b8680, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sfx2/source/view/viewfrm.cxx:1480
#23 0x00007ffff62c423a in SfxViewFrame::~SfxViewFrame (this=0x18b8680, __in_chrg=<optimized out>)
    at /home/caolan/LibreOffice/core/sfx2/source/view/viewfrm.cxx:1501
#24 0x00007ffff62c2b5d in SfxViewFrame::Close (this=0x18b8680)
    at /home/caolan/LibreOffice/core/sfx2/source/view/viewfrm.cxx:1139
#25 0x00007ffff629741a in SfxFrame::DoClose_Impl (this=0x18f1580)
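
The ownership problem described in the message above, as an added example (not LibreOffice code and not the attached patch, which is not shown on this page): a registry that outlives the layout holds raw pointers to layout-owned objects. The names Registry, AnchoredObj and stale_after_layout_teardown are hypothetical stand-ins, and having each object unregister itself in its destructor is one assumed mitigation among several.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

struct AnchoredObj;

// Document-owned list of raw, non-owning pointers (stand-in for the SwLayouter role).
struct Registry {
    std::vector<AnchoredObj*> marked;
    void insert(AnchoredObj* o) { marked.push_back(o); }
    void remove(AnchoredObj* o) {
        marked.erase(std::remove(marked.begin(), marked.end(), o), marked.end());
    }
    std::size_t clear();  // resets the flag on every entry, so every entry must be alive
};

// Layout-owned object. reg == nullptr models the hazardous shape: it never unregisters.
struct AnchoredObj {
    Registry* reg;
    bool tmp_flag = true;
    explicit AnchoredObj(Registry* r) : reg(r) {}
    ~AnchoredObj() { if (reg) reg->remove(this); }  // assumed mitigation
};

// Mirrors the document-teardown clear: dereferences each registered pointer.
std::size_t Registry::clear() {
    std::size_t n = marked.size();
    for (AnchoredObj* o : marked) o->tmp_flag = false;
    marked.clear();
    return n;
}

// Counts registry entries that outlive the layout when the view closes before
// layout completes. Non-zero means a later clear() would touch freed memory,
// so this function only calls clear() when nothing stale remains.
std::size_t stale_after_layout_teardown(bool unregister_on_destroy) {
    Registry reg;  // lives as long as the document
    {
        std::vector<std::unique_ptr<AnchoredObj>> layout;  // layout owns the objects
        for (int i = 0; i < 2; ++i) {
            layout.emplace_back(new AnchoredObj(unregister_on_destroy ? &reg : nullptr));
            reg.insert(layout.back().get());  // registered during layout
        }
    }  // view closed: layout hierarchy destroyed first
    std::size_t stale = reg.marked.size();
    if (stale == 0) reg.clear();  // document teardown, safe only with no stale entries
    return stale;
}
```

Building the unmitigated variant with an unconditional clear() under AddressSanitizer or Valgrind reports an access to freed memory from the registry's clear path, the same shape as the trace above.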

