UBSan failure since sw_redlinehide

Stephan Bergmann sbergman at redhat.com
Wed Jun 13 07:10:37 UTC 2018 

UBSan builds (like 
<https://ci.libreoffice.org/job/lo_ubsan/935/console>) started to fail 
with something like

> /sw/source/core/text/txtfrm.cxx:987:16: runtime error: downcast of address 0x2b53270e5890 which does not point to an object of type 'const SwTextNode'
> 0x2b53270e5890: note: object is of type 'SwContentNode'
>  00 00 00 00  70 f9 c7 cb 52 2b 00 00  60 5c 7a 00 e0 60 00 00  f0 5b 0e 27 53 2b 00 00  40 15 18 00
>               ^~~~~~~~~~~~~~~~~~~~~~~
>               vptr for 'SwContentNode'

during e.g. CppunitTest_sw_filters_test or 
CppunitTest_writerperfect_wpftimport a while ago.

I see that such tests succeeded with the last commit before integration 
of sw_redlinehide, 
<https://cgit.freedesktop.org/libreoffice/core/commit/?id=54a5b9144b29951fd57def1e356418f46d9b03c5> 
"drop ancient SW_FILEFORMAT_40 ifdef" and failed with the last commit of 
integrating sw_redlinehide, 
<https://cgit.freedesktop.org/libreoffice/core/commit/?id=d865866ec5cf6966757c9f2abd24b18a39f2f924> 
"sw_redlinehide: let the Show menu item toggle new mode", and bisecting 
that range points at 
<https://cgit.freedesktop.org/libreoffice/core/commit/?id=ee6eb7abf5803d8e0d929380920a6591ba9af486> 
"sw_redlinehide: SwTextFrame::DestroyImpl() needs to remove more" as 
nominally the commit that started to cause failure.

However, those 209 sw_redlinehide commits appear to be sufficiently 
fine-grained and interdependent to not make it easy to pick a suitable 
set of commits for reversion.

The issue smells like an in-destruction SwTextNode, that has already 
reached the SwContentNode base class destructor, being erroneously cast 
to an SwTextNode.  I had fixed something like that in the past with 
<https://cgit.freedesktop.org/libreoffice/core/commit/?id=32de046e05a5907a85d85cee0b293cab858a0400> 
"Move SwTxtFrm specific code from ~SwCntntFrm down to ~SwTxtFrm", but 
unfortunately without further details about the failure in the commit 
message.  It is not obvious to me whether the new failure is a return of 
that old failure, or something different.

More information about the LibreOffice mailing list