heap-use-after-free in SwCursorShell::CreateCursor( during .uno:Undo

Stephan Bergmann sbergman at redhat.com
Fri Jan 15 20:09:15 UTC 2021


Since 
<https://git.libreoffice.org/core/+/b5ab4836c03e9428aff6a48843f2a054ceff0f85%5E%21> 
"tdf#39721 sw change tracking: fix move down" introduced 
CppunitTest_sw_uiwriter2 CPPUNIT_TEST_NAME=testTdf39721::TestBody, but 
otherwise unrelated to that change, that test fails under ASan with

> ==1228915==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140000e3840 at pc 0x7f0c89339b4d bp 0x7ffc1d8440f0 sp 0x7ffc1d8440e8
> READ of size 8 at 0x6140000e3840 thread T0
>  #0 in SwCursorShell::CreateCursor() at sw/source/core/crsr/crsrsh.cxx:139:12 (instdir/program/libswlo.so +0xb653b4c)
>  #1 in SwCursorShell::CreateNewShellCursor() at sw/source/core/crsr/crsrsh.cxx:172:16 (instdir/program/libswlo.so +0xb66e49e)
>  #2 in SwUndRng::AddUndoRedoPaM(sw::UndoRedoContext&, bool) const at sw/source/core/undo/undobj.cxx:111:48 (instdir/program/libswlo.so +0xf72422c)
>  #3 in SwUndoAttr::UndoImpl(sw::UndoRedoContext&) at sw/source/core/undo/unattr.cxx:743:5 (instdir/program/libswlo.so +0xf6b57eb)
>  #4 in SwUndo::UndoWithContext(SfxUndoContext&) at sw/source/core/undo/undobj.cxx:235:5 (instdir/program/libswlo.so +0xf7271d2)
>  #5 in SfxListUndoAction::UndoWithContext(SfxUndoContext&) at svl/source/undo/undo.cxx:1320:37 (instdir/program/libsvllo.so +0x1a74435)
>  #6 in SfxListUndoAction::UndoWithContext(SfxUndoContext&) at svl/source/undo/undo.cxx:1320:37 (instdir/program/libsvllo.so +0x1a74435)
>  #7 in SfxUndoManager::ImplUndo(SfxUndoContext*) at svl/source/undo/undo.cxx:697:22 (instdir/program/libsvllo.so +0x1a5c6eb)
>  #8 in SfxUndoManager::UndoWithContext(SfxUndoContext&) at svl/source/undo/undo.cxx:665:12 (instdir/program/libsvllo.so +0x1a5d618)
>  #9 in sw::UndoManager::impl_DoUndoRedo(sw::UndoManager::UndoOrRedoType) at sw/source/core/undo/docundo.cxx:607:32 (instdir/program/libswlo.so +0xf6229ff)
>  #10 in sw::UndoManager::Undo() at sw/source/core/undo/docundo.cxx:640:16 (instdir/program/libswlo.so +0xf623c47)
>  #11 in SwEditShell::Undo(unsigned short) at sw/source/core/edit/edundo.cxx:131:57 (instdir/program/libswlo.so +0xd6a9cab)
>  #12 in SwWrtShell::Do(SwWrtShell::DoType, unsigned short) at sw/source/uibase/wrtsh/wrtundo.cxx:44:26 (instdir/program/libswlo.so +0x12fbf27a)
>  #13 in SwBaseShell::ExecUndo(SfxRequest&) at sw/source/uibase/shells/basesh.cxx:558:27 (instdir/program/libswlo.so +0x12179b91)
>  #14 in SfxStubSwBaseShellExecUndo(SfxShell*, SfxRequest&) at workdir/SdiTarget/sw/sdi/swslots.hxx:2205:1 (instdir/program/libswlo.so +0x12177e34)
>  #15 in SfxShell::CallExec(void (*)(SfxShell*, SfxRequest&), SfxRequest&) at include/sfx2/shell.hxx:197:35 (instdir/program/libsfxlo.so +0x3c1b89a)
>  #16 in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, bool) at sfx2/source/control/dispatch.cxx:253:16 (instdir/program/libsfxlo.so +0x3babcb6)
>  #17 in SfxDispatcher::Execute_(SfxShell&, SfxSlot const&, SfxRequest&, SfxCallMode) at sfx2/source/control/dispatch.cxx:753:9 (instdir/program/libsfxlo.so +0x3bc16dd)
>  #18 in SfxBindings::Execute_Impl(SfxRequest&, SfxSlot const*, SfxShell*) at sfx2/source/control/bindings.cxx:1060:22 (instdir/program/libsfxlo.so +0x3b40afd)
>  #19 in SfxDispatchController_Impl::dispatch(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) at sfx2/source/control/unoctitm.cxx:758:53 (instdir/program/libsfxlo.so +0x4026878)
>  #20 in SfxOfficeDispatch::dispatchWithNotification(com::sun::star::util::URL const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XDispatchResultListener> const&) at sfx2/source/control/unoctitm.cxx:243:16 (instdir/program/libsfxlo.so +0x4029039)
>  #21 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference<com::sun::star::frame::XDispatch> const&, com::sun::star::util::URL const&, bool, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/dispatchhelper.cxx:159:30 (instdir/program/libfwklo.so +0x2aa321a)
>  #22 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference<com::sun::star::frame::XDispatchProvider> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/dispatchhelper.cxx:117:16 (instdir/program/libfwklo.so +0x2aa227f)
>  #23 in non-virtual thunk to framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference<com::sun::star::frame::XDispatchProvider> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/dispatchhelper.cxx (instdir/program/libfwklo.so +0x2aa3944)
>  #24 in unotest::MacrosTest::dispatchCommand(com::sun::star::uno::Reference<com::sun::star::lang::XComponent> const&, rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at unotest/source/cpp/macros_test.cxx:85:22 (workdir/LinkTarget/CppunitTest/../Library/libunotest.so +0xe6151)
>  #25 in testTdf39721::TestBody() at sw/qa/extras/uiwriter/uiwriter2.cxx:657:5 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x3e8ac8)
>  #26 in void std::__invoke_impl<void, void (testTdf39721::*&)(), testTdf39721*&>(std::__invoke_memfun_deref, void (testTdf39721::*&)(), testTdf39721*&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/invoke.h:73:14 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x6075e7)
>  #27 in std::__invoke_result<void (testTdf39721::*&)(), testTdf39721*&>::type std::__invoke<void (testTdf39721::*&)(), testTdf39721*&>(void (testTdf39721::*&)(), testTdf39721*&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/invoke.h:95:14 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x607254)
>  #28 in void std::_Bind<void (testTdf39721::* (testTdf39721*))()>::__call<void, 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/functional:420:11 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x6070d0)
>  #29 in void std::_Bind<void (testTdf39721::* (testTdf39721*))()>::operator()<void>() at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/functional:503:17 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x606e34)
>  #30 in void std::__invoke_impl<void, std::_Bind<void (testTdf39721::* (testTdf39721*))()>&>(std::__invoke_other, std::_Bind<void (testTdf39721::* (testTdf39721*))()>&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/invoke.h:60:14 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x606cac)
>  #31 in std::enable_if<is_invocable_r_v<void, std::_Bind<void (testTdf39721::* (testTdf39721*))()>&>, void>::type std::__invoke_r<void, std::_Bind<void (testTdf39721::* (testTdf39721*))()>&>(std::_Bind<void (testTdf39721::* (testTdf39721*))()>&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/invoke.h:110:2 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x606b5c)
>  #32 in std::_Function_handler<void (), std::_Bind<void (testTdf39721::* (testTdf39721*))()> >::_M_invoke(std::_Any_data const&) at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/std_function.h:291:9 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x605f9c)
>  #33 in std::function<void ()>::operator()() const at ~/gcc/trunk/inst/lib/gcc/x86_64-pc-linux-gnu/11.0.0/../../../../include/c++/11.0.0/bits/std_function.h:560:9 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x5c64f1)
>  #34 in CppUnit::TestCaller<testTdf39721>::runTest() at workdir/UnpackedTarball/cppunit/include/cppunit/TestCaller.h:175:7 (workdir/LinkTarget/CppunitTest/libtest_sw_uiwriter2.so +0x605368)
>  #35 in CppUnit::TestCaseMethodFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:32:5 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x30847b)
>  #36 in (anonymous namespace)::Protector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at test/source/vclbootstrapprotector.cxx:46:14 (workdir/LinkTarget/Library/libvclbootstrapprotector.so +0x2bd0)
>  #37 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x2d7a7c)
>  #38 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unobootstrapprotector/unobootstrapprotector.cxx:78:12 (workdir/LinkTarget/Library/unobootstrapprotector.so +0x17340)
>  #39 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x2d7a7c)
>  #40 in (anonymous namespace)::Prot::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at unotest/source/cpp/unoexceptionprotector/unoexceptionprotector.cxx:62:16 (workdir/LinkTarget/Library/unoexceptionprotector.so +0x9e88)
>  #41 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x2d7a7c)
>  #42 in CppUnit::DefaultProtector::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/DefaultProtector.cpp:15:12 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x26177f)
>  #43 in CppUnit::ProtectorChain::ProtectFunctor::operator()() const at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:20:25 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x2d7a7c)
>  #44 in CppUnit::ProtectorChain::protect(CppUnit::Functor const&, CppUnit::ProtectorContext const&) at workdir/UnpackedTarball/cppunit/src/cppunit/ProtectorChain.cpp:86:18 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x2d1228)
>  #45 in CppUnit::TestResult::protect(CppUnit::Functor const&, CppUnit::Test*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:182:28 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x378217)
>  #46 in CppUnit::TestCase::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestCase.cpp:91:13 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x306cdb)
>  #47 in CppUnit::TestRunner::WrappingSuite::run(CppUnit::TestResult*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:47:27 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x3ad536)
>  #48 in CppUnit::TestResult::runTest(CppUnit::Test*) at workdir/UnpackedTarball/cppunit/src/cppunit/TestResult.cpp:149:9 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x376cce)
>  #49 in CppUnit::TestRunner::run(CppUnit::TestResult&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at workdir/UnpackedTarball/cppunit/src/cppunit/TestRunner.cpp:96:14 (workdir/UnpackedTarball/cppunit/src/cppunit/.libs/libcppunit-1.15.so.1 +0x3ae402)
>  #50 in (anonymous namespace)::ProtectedFixtureFunctor::run() const at sal/cppunittester/cppunittester.cxx:324:20 (workdir/LinkTarget/Executable/cppunittester +0x32b7a7)
>  #51 in sal_main() at sal/cppunittester/cppunittester.cxx:474:20 (workdir/LinkTarget/Executable/cppunittester +0x327ca1)
>  #52 in main at sal/cppunittester/cppunittester.cxx:381:1 (workdir/LinkTarget/Executable/cppunittester +0x32681e)
>  #53 in __libc_start_main at <null> (/lib64/libc.so.6 +0x281e1)
>  #54 in _start at <null> (workdir/LinkTarget/Executable/cppunittester +0x277a2d)
> 
> 0x6140000e3840 is located 0 bytes inside of 400-byte region [0x6140000e3840,0x6140000e39d0)
> freed by thread T0 here:
>  #0 in operator delete(void*, unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:172:3 (workdir/LinkTarget/Executable/cppunittester +0x324b72)
>  #1 in SwShellCursor::~SwShellCursor() at sw/source/core/crsr/viscrs.cxx:644:1 (instdir/program/libswlo.so +0xba2e776)
>  #2 in SwCursorShell::ClearUpCursors() at sw/source/core/crsr/crsrsh.cxx:3591:13 (instdir/program/libswlo.so +0xb6c3168)
>  #3 in SwCursorShell::UpdateCursor(unsigned short, bool) at sw/source/core/crsr/crsrsh.cxx:1570:5 (instdir/program/libswlo.so +0xb654111)
>  #4 in SwCursorShell::CreateCursor() at sw/source/core/crsr/crsrsh.cxx:138:5 (instdir/program/libswlo.so +0xb653a47)
>  #5 in SwCursorShell::CreateNewShellCursor() at sw/source/core/crsr/crsrsh.cxx:172:16 (instdir/program/libswlo.so +0xb66e49e)
>  #6 in SwUndRng::AddUndoRedoPaM(sw::UndoRedoContext&, bool) const at sw/source/core/undo/undobj.cxx:111:48 (instdir/program/libswlo.so +0xf72422c)
>  #7 in SwUndoAttr::UndoImpl(sw::UndoRedoContext&) at sw/source/core/undo/unattr.cxx:743:5 (instdir/program/libswlo.so +0xf6b57eb)
>  #8 in SwUndo::UndoWithContext(SfxUndoContext&) at sw/source/core/undo/undobj.cxx:235:5 (instdir/program/libswlo.so +0xf7271d2)
>  #9 in SfxListUndoAction::UndoWithContext(SfxUndoContext&) at svl/source/undo/undo.cxx:1320:37 (instdir/program/libsvllo.so +0x1a74435)
>  #10 in SfxListUndoAction::UndoWithContext(SfxUndoContext&) at svl/source/undo/undo.cxx:1320:37 (instdir/program/libsvllo.so +0x1a74435)
>  #11 in SfxUndoManager::ImplUndo(SfxUndoContext*) at svl/source/undo/undo.cxx:697:22 (instdir/program/libsvllo.so +0x1a5c6eb)
>  #12 in SfxUndoManager::UndoWithContext(SfxUndoContext&) at svl/source/undo/undo.cxx:665:12 (instdir/program/libsvllo.so +0x1a5d618)
>  #13 in sw::UndoManager::impl_DoUndoRedo(sw::UndoManager::UndoOrRedoType) at sw/source/core/undo/docundo.cxx:607:32 (instdir/program/libswlo.so +0xf6229ff)
>  #14 in sw::UndoManager::Undo() at sw/source/core/undo/docundo.cxx:640:16 (instdir/program/libswlo.so +0xf623c47)
>  #15 in SwEditShell::Undo(unsigned short) at sw/source/core/edit/edundo.cxx:131:57 (instdir/program/libswlo.so +0xd6a9cab)
>  #16 in SwWrtShell::Do(SwWrtShell::DoType, unsigned short) at sw/source/uibase/wrtsh/wrtundo.cxx:44:26 (instdir/program/libswlo.so +0x12fbf27a)
>  #17 in SwBaseShell::ExecUndo(SfxRequest&) at sw/source/uibase/shells/basesh.cxx:558:27 (instdir/program/libswlo.so +0x12179b91)
>  #18 in SfxStubSwBaseShellExecUndo(SfxShell*, SfxRequest&) at workdir/SdiTarget/sw/sdi/swslots.hxx:2205:1 (instdir/program/libswlo.so +0x12177e34)
>  #19 in SfxShell::CallExec(void (*)(SfxShell*, SfxRequest&), SfxRequest&) at include/sfx2/shell.hxx:197:35 (instdir/program/libsfxlo.so +0x3c1b89a)
> 
> previously allocated by thread T0 here:
>  #0 in operator new(unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3 (workdir/LinkTarget/Executable/cppunittester +0x323f0d)
>  #1 in SwCursorShell::CreateCursor() at sw/source/core/crsr/crsrsh.cxx:130:27 (instdir/program/libswlo.so +0xb65335b)
>  #2 in SwCursorShell::CreateNewShellCursor() at sw/source/core/crsr/crsrsh.cxx:172:16 (instdir/program/libswlo.so +0xb66e49e)
>  #3 in SwUndRng::AddUndoRedoPaM(sw::UndoRedoContext&, bool) const at sw/source/core/undo/undobj.cxx:111:48 (instdir/program/libswlo.so +0xf72422c)
>  #4 in SwUndoAttr::UndoImpl(sw::UndoRedoContext&) at sw/source/core/undo/unattr.cxx:743:5 (instdir/program/libswlo.so +0xf6b57eb)
>  #5 in SwUndo::UndoWithContext(SfxUndoContext&) at sw/source/core/undo/undobj.cxx:235:5 (instdir/program/libswlo.so +0xf7271d2)
>  #6 in SfxListUndoAction::UndoWithContext(SfxUndoContext&) at svl/source/undo/undo.cxx:1320:37 (instdir/program/libsvllo.so +0x1a74435)
>  #7 in SfxListUndoAction::UndoWithContext(SfxUndoContext&) at svl/source/undo/undo.cxx:1320:37 (instdir/program/libsvllo.so +0x1a74435)
>  #8 in SfxUndoManager::ImplUndo(SfxUndoContext*) at svl/source/undo/undo.cxx:697:22 (instdir/program/libsvllo.so +0x1a5c6eb)
>  #9 in SfxUndoManager::UndoWithContext(SfxUndoContext&) at svl/source/undo/undo.cxx:665:12 (instdir/program/libsvllo.so +0x1a5d618)
>  #10 in sw::UndoManager::impl_DoUndoRedo(sw::UndoManager::UndoOrRedoType) at sw/source/core/undo/docundo.cxx:607:32 (instdir/program/libswlo.so +0xf6229ff)
>  #11 in sw::UndoManager::Undo() at sw/source/core/undo/docundo.cxx:640:16 (instdir/program/libswlo.so +0xf623c47)
>  #12 in SwEditShell::Undo(unsigned short) at sw/source/core/edit/edundo.cxx:131:57 (instdir/program/libswlo.so +0xd6a9cab)
>  #13 in SwWrtShell::Do(SwWrtShell::DoType, unsigned short) at sw/source/uibase/wrtsh/wrtundo.cxx:44:26 (instdir/program/libswlo.so +0x12fbf27a)
>  #14 in SwBaseShell::ExecUndo(SfxRequest&) at sw/source/uibase/shells/basesh.cxx:558:27 (instdir/program/libswlo.so +0x12179b91)
>  #15 in SfxStubSwBaseShellExecUndo(SfxShell*, SfxRequest&) at workdir/SdiTarget/sw/sdi/swslots.hxx:2205:1 (instdir/program/libswlo.so +0x12177e34)
>  #16 in SfxShell::CallExec(void (*)(SfxShell*, SfxRequest&), SfxRequest&) at include/sfx2/shell.hxx:197:35 (instdir/program/libsfxlo.so +0x3c1b89a)
>  #17 in SfxDispatcher::Call_Impl(SfxShell&, SfxSlot const&, SfxRequest&, bool) at sfx2/source/control/dispatch.cxx:253:16 (instdir/program/libsfxlo.so +0x3babcb6)
>  #18 in SfxDispatcher::Execute_(SfxShell&, SfxSlot const&, SfxRequest&, SfxCallMode) at sfx2/source/control/dispatch.cxx:753:9 (instdir/program/libsfxlo.so +0x3bc16dd)
>  #19 in SfxBindings::Execute_Impl(SfxRequest&, SfxSlot const*, SfxShell*) at sfx2/source/control/bindings.cxx:1060:22 (instdir/program/libsfxlo.so +0x3b40afd)
> 
> SUMMARY: AddressSanitizer: heap-use-after-free sw/source/core/crsr/crsrsh.cxx:139:12 in SwCursorShell::CreateCursor()
> Shadow bytes around the buggy address:
>   0x0c28800146b0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
>   0x0c28800146c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
>   0x0c28800146d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c28800146e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c28800146f0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
> =>0x0c2880014700: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
>   0x0c2880014710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c2880014720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c2880014730: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
>   0x0c2880014740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c2880014750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==1228915==ABORTING
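
A triage helper for the report above, added here as an example and not part of the original post or of LibreOffice code: it splits the report into its use, free and allocation stacks and reports the innermost function common to all three, with its line in each. The names `parse_stacks` and `lifetime_pivot` are hypothetical, and the frame regex assumes the symbolized layout this report uses.

```python
import re

# Frame layout in the report above: "#N in FUNC at FILE:LINE:COL (MODULE +0xOFF)"
FRAME = re.compile(r"#\d+ in (.+?) at (\S+?)(?::(\d+))?(?::\d+)? \(")
SECTIONS = (("ERROR: AddressSanitizer", "use"), ("freed by thread", "free"),
            ("previously allocated by thread", "alloc"))

def parse_stacks(report):
    """Split an ASan report into its use / free / alloc stacks."""
    stacks, current = {}, None
    for raw in report.splitlines():
        line = raw.lstrip("> ").rstrip()          # drop mail quoting
        name = next((n for marker, n in SECTIONS if marker in line), None)
        if name:
            current = stacks.setdefault(name, [])
        elif not line:
            current = None                        # blank line ends a stack
        elif current is not None and (m := FRAME.search(line)):
            func, path, lineno = m.groups()
            current.append((func, path, int(lineno) if lineno else None))
    return stacks

def lifetime_pivot(stacks):
    """Innermost frame of the use stack whose function is in all three stacks."""
    use = stacks.get("use", [])
    for i, (func, path, use_line) in enumerate(use):
        hit = {"function": func, "file": path, "use": use_line, "same_callers": True}
        for kind in ("free", "alloc"):
            other = stacks.get(kind, [])
            j = next((k for k, f in enumerate(other) if f[0] == func), None)
            if j is None:
                break
            hit[kind] = other[j][2]
            # zip() stops at the shorter list, so truncated stacks still compare
            if any(a != b for a, b in zip(use[i + 1:], other[j + 1:])):
                hit["same_callers"] = False
        else:
            return hit
    return None

# Abridged from the report above: frames omitted and the first line shortened.
SAMPLE = """\
> ==1228915==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140000e3840
>  #0 in SwCursorShell::CreateCursor() at sw/source/core/crsr/crsrsh.cxx:139:12 (instdir/program/libswlo.so +0xb653b4c)
>  #1 in SwCursorShell::CreateNewShellCursor() at sw/source/core/crsr/crsrsh.cxx:172:16 (instdir/program/libswlo.so +0xb66e49e)
>
> freed by thread T0 here:
>  #1 in SwShellCursor::~SwShellCursor() at sw/source/core/crsr/viscrs.cxx:644:1 (instdir/program/libswlo.so +0xba2e776)
>  #2 in SwCursorShell::ClearUpCursors() at sw/source/core/crsr/crsrsh.cxx:3591:13 (instdir/program/libswlo.so +0xb6c3168)
>  #3 in SwCursorShell::UpdateCursor(unsigned short, bool) at sw/source/core/crsr/crsrsh.cxx:1570:5 (instdir/program/libswlo.so +0xb654111)
>  #4 in SwCursorShell::CreateCursor() at sw/source/core/crsr/crsrsh.cxx:138:5 (instdir/program/libswlo.so +0xb653a47)
>  #5 in SwCursorShell::CreateNewShellCursor() at sw/source/core/crsr/crsrsh.cxx:172:16 (instdir/program/libswlo.so +0xb66e49e)
>
> previously allocated by thread T0 here:
>  #1 in SwCursorShell::CreateCursor() at sw/source/core/crsr/crsrsh.cxx:130:27 (instdir/program/libswlo.so +0xb65335b)
>  #2 in SwCursorShell::CreateNewShellCursor() at sw/source/core/crsr/crsrsh.cxx:172:16 (instdir/program/libswlo.so +0xb66e49e)
"""

if __name__ == "__main__":
    print(lifetime_pivot(parse_stacks(SAMPLE)))
```

On this report the pivot is `SwCursorShell::CreateCursor()` with allocation at line 130, free at line 138 (through `UpdateCursor` and `ClearUpCursors`) and the read at line 139, all under the same caller chain.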


