ASan heap-use-after-free triggered by new CppunitTest_sw_uiwriter3 test case
Michael Stahl
mst at libreoffice.org
Thu May 6 10:17:37 UTC 2021
On 06/05/2021 11.07, Stephan Bergmann wrote:
> Since
> <https://git.libreoffice.org/core/+/4ade38b97f8c22061b612bac81f5dcd3cfb83547%5E!/>
> "tdf#141613: sw_uiwriter3: fix unittest" introduced that test case,
> <https://ci.libreoffice.org//job/lo_ubsan/2001/> fails with
>
>> [_RUN_____] testTdf141613::TestBody
>> =================================================================
>> ==26995==ERROR: AddressSanitizer: heap-use-after-free on address
>> 0x60c0002ac460 at pc 0x2b0f164291e9 bp 0x7fff7ed81ee0 sp 0x7fff7ed81ed8
>> WRITE of size 8 at 0x60c0002ac460 thread T0
>> #0 0x2b0f164291e8 in
>> SfxListUndoAction::UndoWithContext(SfxUndoContext&)
>> /svl/source/undo/undo.cxx:1321:19
>> #1 0x2b0f164106cd in SfxUndoManager::ImplUndo(SfxUndoContext*)
>> /svl/source/undo/undo.cxx:697:22
>> #2 0x2b0f16411666 in
>> SfxUndoManager::UndoWithContext(SfxUndoContext&)
>> /svl/source/undo/undo.cxx:665:12
>> #3 0x2b0f5329e1eb in
>> sw::UndoManager::impl_DoUndoRedo(sw::UndoManager::UndoOrRedoType)
>> /sw/source/core/undo/docundo.cxx:608:32
>> #4 0x2b0f5329f44b in sw::UndoManager::Undo()
>> /sw/source/core/undo/docundo.cxx:641:16
>>
>> 0x60c0002ac460 is located 96 bytes inside of 120-byte region
>> [0x60c0002ac400,0x60c0002ac478)
>> freed by thread T0 here:
>> #0 0x4f75f0 in operator delete(void*)
>> /home/tdf/lode/packages/llvm-llvmorg-9.0.1.src/compiler-rt/lib/asan/asan_new_delete.cc:160
>>
>> #1 0x2b0f16428760 in SfxListUndoAction::~SfxListUndoAction()
>> /svl/source/undo/undo.cxx:1306:1
>> #2 0x2b0f1645b5d1 in
>> std::default_delete<SfxUndoAction>::operator()(SfxUndoAction*) const
>> /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:78:2
>>
>> #3 0x2b0f1643b153 in std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >::~unique_ptr()
>> /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/unique_ptr.h:268:4
>>
>> #4 0x2b0f1644b34c in void
>> std::_Destroy<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> > >(std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*)
>> /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_construct.h:98:19
>>
>> #5 0x2b0f1644b296 in void
>> std::_Destroy_aux<false>::__destroy<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*>(std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*, std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*)
>> /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_construct.h:108:6
>>
>> #6 0x2b0f1644b214 in void
>> std::_Destroy<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*>(std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*, std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*)
>> /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_construct.h:136:7
>>
>> #7 0x2b0f1644af58 in void
>> std::_Destroy<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*, std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> > >(std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*, std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*,
>> std::allocator<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> > >&)
>> /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_construct.h:206:7
>>
>> #8 0x2b0f16474dd3 in
>> std::__cxx1998::vector<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >,
>> std::allocator<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> > >
>> >::_M_erase_at_end(std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >*)
>> /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:1513:2
>>
>> #9 0x2b0f16474c70 in
>> std::__cxx1998::vector<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >,
>> std::allocator<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> > > >::clear()
>> /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/stl_vector.h:1248:9
>>
>> #10 0x2b0f1643ca24 in
>> std::__debug::vector<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> >,
>> std::allocator<std::unique_ptr<SfxUndoAction,
>> std::default_delete<SfxUndoAction> > > >::clear()
>> /home/tdf/lode/opt_private/gcc-7.3.0/lib/gcc/x86_64-pc-linux-gnu/7.3.0/../../../../include/c++/7.3.0/debug/vector:699:9
>>
>> #11 0x2b0f163f5ac6 in
>> svl::undo::impl::UndoManagerGuard::~UndoManagerGuard()
>> /svl/source/undo/undo.cxx:326:31
>> #12 0x2b0f163fe0eb in SfxUndoManager::ImplClearRedo_NoLock(bool)
>> /svl/source/undo/undo.cxx:466:1
>> #13 0x2b0f53295434 in sw::UndoManager::ClearRedo()
>> /sw/source/core/undo/docundo.cxx:252:28
^ you can't clear the undo/redo stack while the manager is in the middle of executing an undo: this ClearRedo() (frame #13), reached from SwUndoPageDesc::UndoImpl via SwDoc::ChgPageDesc (frames #14-#16), destroys the SfxListUndoAction that frame #0 (SfxListUndoAction::UndoWithContext) is still writing to. It is a genuine 8-byte write into freed heap memory, not a sanitizer false positive; in a non-ASan build it is silent heap corruption rather than a clean crash.
The ClearRedo() call in ChgPageDesc was added in commit 65e52cb61d74b0c71b45b63b2da131bc6b621104
"tdf#141613 sw: fix crash at header/footer undo", so that fix needs to be revisited rather than the test.
>> #14 0x2b0f4f8d2266 in SwDoc::ChgPageDesc(unsigned long, SwPageDesc
>> const&) /sw/source/core/doc/docdesc.cxx:508:36
>> #15 0x2b0f4f8eb8ab in SwDoc::ChgPageDesc(rtl::OUString const&,
>> SwPageDesc const&) /sw/source/core/doc/docdesc.cxx:980:9
>> #16 0x2b0f5328aac6 in
>> SwUndoPageDesc::UndoImpl(sw::UndoRedoContext&)
>> /sw/source/core/undo/SwUndoPageDesc.cxx:225:13
>> #17 0x2b0f533a4261 in SwUndo::UndoWithContext(SfxUndoContext&)
>> /sw/source/core/undo/undobj.cxx:235:5