INVALID_POOL_ITEM in sfx2::sidebar::ControllerItem::ItmeUpdateReceiverInterface::NotifyItemUpdate

Stephan Bergmann sbergman at redhat.com
Thu Apr 13 16:17:57 UTC 2017 

My local ASan/UBSan build started to fail CppunitTest_sc_macros_test on 
recent master versions (see below).  What happens is that

> void AreaPropertyPanelBase::NotifyItemUpdate(
>     sal_uInt16 nSID,
>     SfxItemState eState,
>     const SfxPoolItem* pState,
>     const bool /*bIsEnabled*/)

(svx/source/sidebar/area/AreaPropertyPanelBase.cxx) is called with 
pState being INVALID_POOL_ITEM (i.e., -1).

Up the call stack, SfxStateCache::SetState_Impl 
(sfx2/source/control/statcach.cxx) is clearly documented to expect that 
pState can be INVALID_POOL_ITEM ("Slot Status, 0 or -1"), and seems to 
handle it correctly.  And ControllerItem::StateChanged 
(sfx2/source/sidebar/ControllerItem.cxx) just passes pState through to 
NotifyItemUpdate without otherwise looking at it.

So it looks like overrides of 
sfx2::sidebar::ControllerItem::ItmeUpdateReceiverInterface::NotifyItemUpdate 
(include/sfx2/sidebar/ControllerItem.hxx) would need to take 
IsInvalidItem(pState) into account.  But upon at least a very 
superficial audit, they seem to not do that.

I cannot reproduce this failure with a non-ASan/UBSan build.  The call 
is from within Timer::Invoke, so maybe this is timing dependent.  And I 
have no idea why this failure only started to happen now.  Anybody got 
an idea what's going on and where to actually put a fix?


> svx/source/sidebar/area/AreaPropertyPanelBase.cxx:1007:21: runtime error: downcast of misaligned address 0xffffffffffffffff for type 'const XFillColorItem', which requires 8 byte alignment
> 0xffffffffffffffff: note: pointer points here
> <memory cannot be printed>
>     #0 0x2b85b519c69c in svx::sidebar::AreaPropertyPanelBase::NotifyItemUpdate(unsigned short, SfxItemState, SfxPoolItem const*, bool) svx/source/sidebar/area/AreaPropertyPanelBase.cxx:1007:21
>     #1 0x2b85a920b056 in sfx2::sidebar::ControllerItem::StateChanged(unsigned short, SfxItemState, SfxPoolItem const*) sfx2/source/sidebar/ControllerItem.cxx:134:26
>     #2 0x2b85a7920912 in SfxStateCache::SetState_Impl(SfxItemState, SfxPoolItem const*, bool) sfx2/source/control/statcach.cxx:432:24
>     #3 0x2b85a791f414 in SfxStateCache::SetState(SfxItemState, SfxPoolItem const*, bool) sfx2/source/control/statcach.cxx:344:5
>     #4 0x2b85a75af32a in SfxBindings::UpdateControllers_Impl(SfxFoundCache_Impl const&, SfxPoolItem const*, SfxItemState) sfx2/source/control/bindings.cxx:1271:20
>     #5 0x2b85a75ab878 in SfxBindings::Update_Impl(SfxStateCache&) sfx2/source/control/bindings.cxx:332:17
>     #6 0x2b85a75bb744 in SfxBindings::NextJob_Impl(Timer*) sfx2/source/control/bindings.cxx:1344:17
>     #7 0x2b85a75ddbb9 in SfxBindings::NextJob(Timer*) sfx2/source/control/bindings.cxx:1289:5
>     #8 0x2b85a759d811 in SfxBindings::LinkStubNextJob(void*, Timer*) sfx2/source/control/bindings.cxx:1287:1
>     #9 0x2b855721f350 in Link<Timer*, void>::Call(Timer*) const include/tools/link.hxx:84:45
>     #10 0x2b855721e56d in Timer::Invoke() vcl/source/app/timer.cxx:89:21
>     #11 0x2b8557058685 in ImplSchedulerData::Invoke() vcl/source/app/scheduler.cxx:46:13
>     #12 0x2b855705baa9 in Scheduler::ProcessTaskScheduling(bool) vcl/source/app/scheduler.cxx:159:22
>     #13 0x2b85571aa21c in ImplYield(bool, bool, unsigned long) vcl/source/app/svapp.cxx:508:9
>     #14 0x2b85571835be in Application::Reschedule(bool) vcl/source/app/svapp.cxx:522:5
>     #15 0x2b85878fad7e in SbiRuntime::Step() basic/source/runtime/runtime.cxx:740:17
>     #16 0x2b858747ef9d in SbModule::Run(SbMethod*) basic/source/classes/sbxmod.cxx:1144:25
>     #17 0x2b858747a04c in SbModule::Notify(SfxBroadcaster&, SfxHint const&) basic/source/classes/sbxmod.cxx:809:21
>     #18 0x2b856a5a0ebe in SfxBroadcaster::Broadcast(SfxHint const&) svl/source/notify/SfxBroadcaster.cxx:49:24
>     #19 0x2b85874ab5f7 in SbMethod::Broadcast(SfxHintId) basic/source/classes/sbxmod.cxx:2126:16
>     #20 0x2b8587c7004a in SbxValue::SbxValue(SbxValue const&) basic/source/sbx/sbxvalue.cxx:62:36
>     #21 0x2b8587cb6022 in SbxVariable::SbxVariable(SbxVariable const&) basic/source/sbx/sbxvar.cxx:73:7
>     #22 0x2b8587c2d545 in SbxMethod::SbxMethod(SbxMethod const&) basic/source/sbx/sbxobj.cxx:869:7
>     #23 0x2b85879272db in SbiRuntime::FindElement(SbxObject*, unsigned int, unsigned int, unsigned long, bool, bool) basic/source/runtime/runtime.cxx:3518:37
>     #24 0x2b858792f930 in SbiRuntime::StepFIND_Impl(SbxObject*, unsigned int, unsigned int, unsigned long, bool) basic/source/runtime/runtime.cxx:3941:14
>     #25 0x2b85878dafa1 in SbiRuntime::StepFIND(unsigned int, unsigned int) basic/source/runtime/runtime.cxx:3947:5
>     #26 0x2b85878fcccd in SbiRuntime::Step() basic/source/runtime/runtime.cxx:770:13
>     #27 0x2b858747ef9d in SbModule::Run(SbMethod*) basic/source/classes/sbxmod.cxx:1144:25
>     #28 0x2b858747a04c in SbModule::Notify(SfxBroadcaster&, SfxHint const&) basic/source/classes/sbxmod.cxx:809:21
>     #29 0x2b856a5a0ebe in SfxBroadcaster::Broadcast(SfxHint const&) svl/source/notify/SfxBroadcaster.cxx:49:24
>     #30 0x2b85874ab5f7 in SbMethod::Broadcast(SfxHintId) basic/source/classes/sbxmod.cxx:2126:16
>     #31 0x2b8587c7004a in SbxValue::SbxValue(SbxValue const&) basic/source/sbx/sbxvalue.cxx:62:36
>     #32 0x2b8587cb6022 in SbxVariable::SbxVariable(SbxVariable const&) basic/source/sbx/sbxvar.cxx:73:7
>     #33 0x2b8587c2d545 in SbxMethod::SbxMethod(SbxMethod const&) basic/source/sbx/sbxobj.cxx:869:7
>     #34 0x2b85879272db in SbiRuntime::FindElement(SbxObject*, unsigned int, unsigned int, unsigned long, bool, bool) basic/source/runtime/runtime.cxx:3518:37
>     #35 0x2b858792f930 in SbiRuntime::StepFIND_Impl(SbxObject*, unsigned int, unsigned int, unsigned long, bool) basic/source/runtime/runtime.cxx:3941:14
>     #36 0x2b85878dafa1 in SbiRuntime::StepFIND(unsigned int, unsigned int) basic/source/runtime/runtime.cxx:3947:5
>     #37 0x2b85878fcccd in SbiRuntime::Step() basic/source/runtime/runtime.cxx:770:13
>     #38 0x2b858747ef9d in SbModule::Run(SbMethod*) basic/source/classes/sbxmod.cxx:1144:25
>     #39 0x2b858747a04c in SbModule::Notify(SfxBroadcaster&, SfxHint const&) basic/source/classes/sbxmod.cxx:809:21
>     #40 0x2b856a5a0ebe in SfxBroadcaster::Broadcast(SfxHint const&) svl/source/notify/SfxBroadcaster.cxx:49:24
>     #41 0x2b85874ab5f7 in SbMethod::Broadcast(SfxHintId) basic/source/classes/sbxmod.cxx:2126:16
>     #42 0x2b8587c7004a in SbxValue::SbxValue(SbxValue const&) basic/source/sbx/sbxvalue.cxx:62:36
>     #43 0x2b8587cb6022 in SbxVariable::SbxVariable(SbxVariable const&) basic/source/sbx/sbxvar.cxx:73:7
>     #44 0x2b8587c2d545 in SbxMethod::SbxMethod(SbxMethod const&) basic/source/sbx/sbxobj.cxx:869:7
>     #45 0x2b85879272db in SbiRuntime::FindElement(SbxObject*, unsigned int, unsigned int, unsigned long, bool, bool) basic/source/runtime/runtime.cxx:3518:37
>     #46 0x2b858792f930 in SbiRuntime::StepFIND_Impl(SbxObject*, unsigned int, unsigned int, unsigned long, bool) basic/source/runtime/runtime.cxx:3941:14
>     #47 0x2b85878dafa1 in SbiRuntime::StepFIND(unsigned int, unsigned int) basic/source/runtime/runtime.cxx:3947:5
>     #48 0x2b85878fcccd in SbiRuntime::Step() basic/source/runtime/runtime.cxx:770:13
>     #49 0x2b858747ef9d in SbModule::Run(SbMethod*) basic/source/classes/sbxmod.cxx:1144:25
>     #50 0x2b858747a04c in SbModule::Notify(SfxBroadcaster&, SfxHint const&) basic/source/classes/sbxmod.cxx:809:21
>     #51 0x2b856a5a0ebe in SfxBroadcaster::Broadcast(SfxHint const&) svl/source/notify/SfxBroadcaster.cxx:49:24
>     #52 0x2b85874ab5f7 in SbMethod::Broadcast(SfxHintId) basic/source/classes/sbxmod.cxx:2126:16
>     #53 0x2b8587c77a5c in SbxValue::Get(SbxValues&) const basic/source/sbx/sbxvalue.cxx:287:16
>     #54 0x2b858745ee86 in SbMethod::Call(SbxValue*, SbxVariable*) basic/source/classes/sbxmod.cxx:2081:5
>     #55 0x2b8609c3ab30 in basprov::BasicScriptImpl::invoke(com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Sequence<short>&, com::sun::star::uno::Sequence<com::sun::star::uno::Any>&) scripting/source/basprov/basscript.cxx:235:35
>     #56 0x2b8609c3d192 in non-virtual thunk to basprov::BasicScriptImpl::invoke(com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Sequence<short>&, com::sun::star::uno::Sequence<com::sun::star::uno::Any>&) scripting/source/basprov/basscript.cxx
>     #57 0x2b85a8b7df0f in SfxObjectShell::CallXScript(com::sun::star::uno::Reference<com::sun::star::uno::XInterface> const&, rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::uno::Any> const&, com::sun::star::uno::Any&, com::sun::star::uno::Sequence<short>&, com::sun::star::uno::Sequence<com::sun::star::uno::Any>&, bool, com::sun::star::uno::Any const*) sfx2/source/doc/objmisc.cxx:1413:25
>     #58 0x2b85788093e0 in ScMacrosTest::testVba() sc/qa/extras/macros-test.cxx:328:9
>     #59 0x2b857882b9bb in CppUnit::TestCaller<ScMacrosTest>::runTest() workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:166:6
>     #60 0x2b8533c66d8b in CppUnit::TestCaseMethodFunctor::operator()() const workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:32:5
>     #61 0x2b854cf14b0f in (anonymous namespace)::Protector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) test/source/vclbootstrapprotector.cxx:39:14
>     #62 0x2b8533c253ce in CppUnit::ProtectorChain::ProtectFunctor::operator()() const workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25
>     #63 0x2b854386214f in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) unotest/source/cpp/unobootstrapprotector/unobootstrapprotector.cxx:89:12
>     #64 0x2b8533c253ce in CppUnit::ProtectorChain::ProtectFunctor::operator()() const workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25
>     #65 0x2b853fafc351 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) unotest/source/cpp/unoexceptionprotector/unoexceptionprotector.cxx:63:16
>     #66 0x2b8533c253ce in CppUnit::ProtectorChain::ProtectFunctor::operator()() const workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25
>     #67 0x2b8533ba3350 in CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) workdir/UnpackedTarball/cppunit/src/cppunit/DefaultProtector.cpp:15:12
>     #68 0x2b8533c253ce in CppUnit::ProtectorChain::ProtectFunctor::operator()() const workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25
>     #69 0x2b8533c21e70 in CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:77:18
>     #70 0x2b8533ce10f5 in CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:181:28
>     #71 0x2b8533c64fa4 in CppUnit::TestCase::run(CppUnit::TestResult*) workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:91:13
>     #72 0x2b8533c697a7 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30
>     #73 0x2b8533c68819 in CppUnit::TestComposite::run(CppUnit::TestResult*) workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3
>     #74 0x2b8533c697a7 in CppUnit::TestComposite::doRunChildTests(CppUnit::TestResult*) workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:64:30
>     #75 0x2b8533c68819 in CppUnit::TestComposite::run(CppUnit::TestResult*) workdir/UnpackedTarball/cppunit/src/cppunit/TestComposite.cpp:23:3
>     #76 0x2b8533d1f5c9 in CppUnit::TestRunner::WrappingSuite::run(CppUnit::TestResult*) workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:47:27
>     #77 0x2b8533cdf40d in CppUnit::TestResult::runTest(CppUnit::Test*) workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:148:9
>     #78 0x2b8533d2089b in CppUnit::TestRunner::run(CppUnit::TestResult&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:96:14
>     #79 0x532fb4 in (anonymous namespace)::ProtectedFixtureFunctor::run() const sal/cppunittester/cppunittester.cxx:306:20
>     #80 0x52e7c3 in sal_main() sal/cppunittester/cppunittester.cxx:456:20
>     #81 0x52cb6f in main sal/cppunittester/cppunittester.cxx:363:1
>     #82 0x2b85358d1400 in __libc_start_main /usr/src/debug/glibc-2.24-33-ge9e69e4/csu/../csu/libc-start.c:289
>     #83 0x438019 in _start (workdir/LinkTarget/Executable/cppunittester+0x438019)

More information about the LibreOffice mailing list