heap-use-after-free in ~ScDocument

Stephan Bergmann stephan.bergmann at allotropia.de
Fri Aug 9 11:31:31 UTC 2024


With a (Linux ASan) master build from earlier today, 
JunitTest_svx_unoapi seems to fail in various unclear ways, but at least 
one attempt showed a

> ==1998659==ERROR: AddressSanitizer: heap-use-after-free on address 0x51900064d5a9 at pc 0x7f314553a04b bp 0x7f30e0df9a80 sp 0x7f30e0df9a78
> READ of size 1 at 0x51900064d5a9 thread T25
>  #0 in SdrModel::IsInDestruction() const at include/svx/svdmodel.hxx:602:43
>  #1 in SdrObject::IsInDestruction() const at svx/source/svdraw/svdobj.cxx:3068:39
>  #2 in sdr::properties::AttributeProperties::Notify(SfxBroadcaster&, SfxHint const&) at svx/source/sdr/properties/attributeproperties.cxx:460:38
>  #3 in sdr::properties::TextProperties::Notify(SfxBroadcaster&, SfxHint const&) at svx/source/sdr/properties/textproperties.cxx:549:34
>  #4 in SfxBroadcaster::Broadcast(SfxHint const&) at svl/source/notify/SfxBroadcaster.cxx:40:24
>  #5 in SfxStyleSheet::~SfxStyleSheet() at svl/source/items/style.cxx:817:5
>  #6 in ScStyleSheet::~ScStyleSheet() at sc/source/core/data/stlsheet.cxx:70:1
>  #7 in ScStyleSheet::~ScStyleSheet() at sc/source/core/data/stlsheet.cxx:69:1
>  #8 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:229:9
>  #9 in cppu::WeakImplHelper<>::release() at include/cppuhelper/implbase.hxx:115:66
>  #10 in rtl::Reference<SfxStyleSheetBase>::clear() at include/rtl/ref.hxx:193:19
>  #11 in svl::IndexedStyleSheets::Clear(svl::StyleSheetDisposer&) at svl/source/items/IndexedStyleSheets.cxx:200:22
>  #12 in SfxStyleSheetBasePool::~SfxStyleSheetBasePool() at svl/source/items/style.cxx:614:34
>  #13 in SfxStyleSheetPool::~SfxStyleSheetPool() at include/svl/style.hxx:305:21
>  #14 in ScStyleSheetPool::~ScStyleSheetPool() at sc/source/core/data/stlpool.cxx:64:1
>  #15 in ScStyleSheetPool::~ScStyleSheetPool() at sc/source/core/data/stlpool.cxx:63:1
>  #16 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:229:9
>  #17 in cppu::WeakImplHelper<>::release() at include/cppuhelper/implbase.hxx:115:66
>  #18 in rtl::Reference<ScStyleSheetPool>::clear() at include/rtl/ref.hxx:193:19
>  #19 in ScPoolHelper::~ScPoolHelper() at sc/source/core/data/poolhelp.cxx:41:17
>  #20 in ScPoolHelper::~ScPoolHelper() at sc/source/core/data/poolhelp.cxx:37:1
>  #21 in salhelper::SimpleReferenceObject::release() at include/salhelper/simplereferenceobject.hxx:76:49
>  #22 in rtl::Reference<ScPoolHelper>::clear() at include/rtl/ref.hxx:193:19
>  #23 in ScDocument::~ScDocument() at sc/source/core/data/documen2.cxx:424:18
>  #24 in void std::destroy_at<ScDocument>(ScDocument*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/stl_construct.h:88:15
>  #25 in void std::_Destroy<ScDocument>(ScDocument*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/stl_construct.h:149:7
>  #26 in void std::allocator_traits<std::allocator<void>>::destroy<ScDocument>(std::allocator<void>&, ScDocument*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/alloc_traits.h:671:4
>  #27 in std::_Sp_counted_ptr_inplace<ScDocument, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:616:2
>  #28 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:346:8
>  #29 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1069:11
>  #30 in std::__shared_ptr<ScDocument, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1525:31
>  #31 in std::shared_ptr<ScDocument>::~shared_ptr() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr.h:175:11
>  #32 in ScDocShell::~ScDocShell() at sc/source/ui/docshell/docsh.cxx:3013:1
>  #33 in ScDocShell::~ScDocShell() at sc/source/ui/docshell/docsh.cxx:2983:1
>  #34 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:229:9
>  #35 in rtl::Reference<SfxObjectShell>::~Reference() at include/rtl/ref.hxx:126:22
>  #36 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() at sfx2/source/doc/sfxbasemodel.cxx:265:5
>  #37 in void std::destroy_at<IMPL_SfxBaseModel_DataContainer>(IMPL_SfxBaseModel_DataContainer*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/stl_construct.h:88:15
>  #38 in void std::_Destroy<IMPL_SfxBaseModel_DataContainer>(IMPL_SfxBaseModel_DataContainer*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/stl_construct.h:149:7
>  #39 in void std::allocator_traits<std::allocator<void>>::destroy<IMPL_SfxBaseModel_DataContainer>(std::allocator<void>&, IMPL_SfxBaseModel_DataContainer*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/alloc_traits.h:671:4
>  #40 in std::_Sp_counted_ptr_inplace<IMPL_SfxBaseModel_DataContainer, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:616:2
>  #41 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:346:8
>  #42 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1069:11
>  #43 in std::__shared_ptr<IMPL_SfxBaseModel_DataContainer, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1525:31
>  #44 in std::__shared_ptr<IMPL_SfxBaseModel_DataContainer, (__gnu_cxx::_Lock_policy)2>::reset() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1643:9
>  #45 in SfxBaseModel::dispose() at sfx2/source/doc/sfxbasemodel.cxx:794:13
>  #46 in SfxBaseModel::close(unsigned char) at sfx2/source/doc/sfxbasemodel.cxx:1523:5
>  #47 in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*) at bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:87:5
>  #48 in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) at bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:229:13
>  #49 in unoInterfaceProxyDispatch at bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:409:13
>  #50 in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*, std::__debug::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny>>*) const at binaryurp/source/incomingrequest.cxx:236:13
>  #51 in binaryurp::IncomingRequest::execute() const at binaryurp/source/incomingrequest.cxx:79:26
>  #52 in request at binaryurp/source/reader.cxx:86:9
>  #53 in cppu_threadpool::JobQueue::enter(void const*, bool) at cppu/source/threadpool/jobqueue.cxx:100:17
>  #54 in cppu_threadpool::ORequestThread::run() at cppu/source/threadpool/thread.cxx:165:31
>  #55 in threadFunc at include/osl/thread.hxx:189:15
>  #56 in osl_thread_start_Impl(void*) at sal/osl/unx/thread.cxx:237:9
> 
> 0x51900064d5a9 is located 809 bytes inside of 944-byte region [0x51900064d280,0x51900064d630)
> freed by thread T25 here:
>  #0 in operator delete(void*, unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:155:3
>  #1 in std::default_delete<ScDrawLayer>::operator()(ScDrawLayer*) const at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/unique_ptr.h:93:2
>  #2 in std::__uniq_ptr_impl<ScDrawLayer, std::default_delete<ScDrawLayer>>::reset(ScDrawLayer*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/unique_ptr.h:205:4
>  #3 in std::unique_ptr<ScDrawLayer, std::default_delete<ScDrawLayer>>::reset(ScDrawLayer*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/unique_ptr.h:503:7
>  #4 in ScDocument::~ScDocument() at sc/source/core/data/documen2.cxx:404:17
>  #5 in void std::destroy_at<ScDocument>(ScDocument*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/stl_construct.h:88:15
>  #6 in void std::_Destroy<ScDocument>(ScDocument*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/stl_construct.h:149:7
>  #7 in void std::allocator_traits<std::allocator<void>>::destroy<ScDocument>(std::allocator<void>&, ScDocument*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/alloc_traits.h:671:4
>  #8 in std::_Sp_counted_ptr_inplace<ScDocument, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:616:2
>  #9 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:346:8
>  #10 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1069:11
>  #11 in std::__shared_ptr<ScDocument, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1525:31
>  #12 in std::shared_ptr<ScDocument>::~shared_ptr() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr.h:175:11
>  #13 in ScDocShell::~ScDocShell() at sc/source/ui/docshell/docsh.cxx:3013:1
>  #14 in ScDocShell::~ScDocShell() at sc/source/ui/docshell/docsh.cxx:2983:1
>  #15 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:229:9
>  #16 in rtl::Reference<SfxObjectShell>::~Reference() at include/rtl/ref.hxx:126:22
>  #17 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() at sfx2/source/doc/sfxbasemodel.cxx:265:5
>  #18 in void std::destroy_at<IMPL_SfxBaseModel_DataContainer>(IMPL_SfxBaseModel_DataContainer*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/stl_construct.h:88:15
>  #19 in void std::_Destroy<IMPL_SfxBaseModel_DataContainer>(IMPL_SfxBaseModel_DataContainer*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/stl_construct.h:149:7
>  #20 in void std::allocator_traits<std::allocator<void>>::destroy<IMPL_SfxBaseModel_DataContainer>(std::allocator<void>&, IMPL_SfxBaseModel_DataContainer*) at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/alloc_traits.h:671:4
>  #21 in std::_Sp_counted_ptr_inplace<IMPL_SfxBaseModel_DataContainer, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:616:2
>  #22 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:346:8
>  #23 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1069:11
>  #24 in std::__shared_ptr<IMPL_SfxBaseModel_DataContainer, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1525:31
>  #25 in std::__shared_ptr<IMPL_SfxBaseModel_DataContainer, (__gnu_cxx::_Lock_policy)2>::reset() at ~/gcc/inst/lib/gcc/x86_64-pc-linux-gnu/15.0.0/../../../../include/c++/15.0.0/bits/shared_ptr_base.h:1643:9
>  #26 in SfxBaseModel::dispose() at sfx2/source/doc/sfxbasemodel.cxx:794:13
>  #27 in SfxBaseModel::close(unsigned char) at sfx2/source/doc/sfxbasemodel.cxx:1523:5
>  #28 in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*) at bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:87:5
>  #29 in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) at bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:229:13
>  #30 in unoInterfaceProxyDispatch at bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:409:13
>  #31 in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*, std::__debug::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny>>*) const at binaryurp/source/incomingrequest.cxx:236:13
>  #32 in binaryurp::IncomingRequest::execute() const at binaryurp/source/incomingrequest.cxx:79:26
>  #33 in request at binaryurp/source/reader.cxx:86:9
>  #34 in cppu_threadpool::JobQueue::enter(void const*, bool) at cppu/source/threadpool/jobqueue.cxx:100:17
>  #35 in cppu_threadpool::ORequestThread::run() at cppu/source/threadpool/thread.cxx:165:31
>  #36 in threadFunc at include/osl/thread.hxx:189:15
>  #37 in osl_thread_start_Impl(void*) at sal/osl/unx/thread.cxx:237:9
> 
> previously allocated by thread T25 here:
>  #0 in operator new(unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:86:3
>  #1 in ScDocument::InitDrawLayer(ScDocShell*) at sc/source/core/data/documen9.cxx:120:23
>  #2 in ScDocShell::MakeDrawLayer() at sc/source/ui/docshell/docsh2.cxx:174:22
>  #3 in ScTabView::MakeDrawLayer() at sc/source/ui/view/tabview2.cxx:1622:30
>  #4 in ScTabViewShell::ScTabViewShell(SfxViewFrame&, SfxViewShell*) at sc/source/ui/view/tabvwsh4.cxx:1859:5
>  #5 in ScTabViewShell::CreateInstance(SfxViewFrame&, SfxViewShell*) at sc/source/ui/view/tabvwsh.cxx:105:1
>  #6 in SfxViewFactory::CreateInstance(SfxViewFrame&, SfxViewShell*) at sfx2/source/view/viewfac.cxx:26:12
>  #7 in SfxBaseModel::createViewController(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/doc/sfxbasemodel.cxx:4338:46
>  #8 in non-virtual thunk to SfxBaseModel::createViewController(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/doc/sfxbasemodel.cxx
>  #9 in (anonymous namespace)::SfxFrameLoader_Impl::impl_createDocumentView(com::sun::star::uno::Reference<com::sun::star::frame::XModel2> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, comphelper::NamedValueCollection const&, rtl::OUString const&) at sfx2/source/view/frmload.cxx:577:60
>  #10 in (anonymous namespace)::SfxFrameLoader_Impl::load(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&) at sfx2/source/view/frmload.cxx:759:13
>  #11 in framework::LoadEnv::impl_loadContent() at framework/source/loadenv/loadenv.cxx:1176:37
>  #12 in framework::LoadEnv::start() at framework/source/loadenv/loadenv.cxx:412:20
>  #13 in framework::LoadEnv::startLoading(rtl::OUString const&, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&, com::sun::star::uno::Reference<com::sun::star::frame::XFrame> const&, rtl::OUString const&, int, LoadEnvFeatures) at framework/source/loadenv/loadenv.cxx:308:5
>  #14 in framework::LoadEnv::loadComponentFromURL(com::sun::star::uno::Reference<com::sun::star::frame::XComponentLoader> const&, com::sun::star::uno::Reference<com::sun::star::uno::XComponentContext> const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/loadenv/loadenv.cxx:168:14
>  #15 in framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx:592:16
>  #16 in non-virtual thunk to framework::Desktop::loadComponentFromURL(rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> const&) at framework/source/services/desktop.cxx
>  #17 in gcc3::callVirtualMethod(void*, unsigned int, void*, _typelib_TypeDescriptionReference*, bool, unsigned long*, unsigned int, unsigned long*, double*) at bridges/source/cpp_uno/gcc3_linux_x86-64/callvirtualmethod.cxx:87:5
>  #18 in cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy*, bridges::cpp_uno::shared::VtableSlot, _typelib_TypeDescriptionReference*, int, _typelib_MethodParameter*, void*, void**, _uno_Any**) at bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:229:13
>  #19 in unoInterfaceProxyDispatch at bridges/source/cpp_uno/gcc3_linux_x86-64/uno2cpp.cxx:409:13
>  #20 in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny*, std::__debug::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny>>*) const at binaryurp/source/incomingrequest.cxx:236:13
>  #21 in binaryurp::IncomingRequest::execute() const at binaryurp/source/incomingrequest.cxx:79:26
>  #22 in request at binaryurp/source/reader.cxx:86:9
>  #23 in cppu_threadpool::JobQueue::enter(void const*, bool) at cppu/source/threadpool/jobqueue.cxx:100:17
>  #24 in cppu_threadpool::ORequestThread::run() at cppu/source/threadpool/thread.cxx:165:31
>  #25 in threadFunc at include/osl/thread.hxx:189:15
>  #26 in osl_thread_start_Impl(void*) at sal/osl/unx/thread.cxx:237:9

i.e.,

>     mxPoolHelper.clear();

in ~ScDocument at sc/source/core/data/documen2.cxx:424 still used data 
that has already been destroyed a few lines up in

>     mpDrawLayer.reset();

at sc/source/core/data/documen2.cxx:404.

Naively just moving the mpDrawLayer.reset(); past the 
mxPoolHelper.clear(); didn't seem to help, so I'm leaving this here, in 
case anybody has an idea.  (And adding some potentially clueful people 
in CC.  But don't know if this is due to recent changes, or just happens 
to hit now, or...)
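
The manual step in the message above is finding the one function that sits in both the use stack and the free stack at different source lines. That step can be scripted for any symbolized ASan report. The following is an added example, not part of the original post or of LibreOffice; `parse_stacks` and `divergence` are names chosen here, and the input is an abridged copy of the report quoted above.

```python
import re

# Abridged from the ASan report quoted in the post above: most frames are
# dropped, the remaining lines are verbatim, mail quote markers included.
REPORT = """\
> ==1998659==ERROR: AddressSanitizer: heap-use-after-free on address 0x51900064d5a9 at pc 0x7f314553a04b bp 0x7f30e0df9a80 sp 0x7f30e0df9a78
> READ of size 1 at 0x51900064d5a9 thread T25
>  #0 in SdrModel::IsInDestruction() const at include/svx/svdmodel.hxx:602:43
>  #23 in ScDocument::~ScDocument() at sc/source/core/data/documen2.cxx:424:18
>  #32 in ScDocShell::~ScDocShell() at sc/source/ui/docshell/docsh.cxx:3013:1
>  #45 in SfxBaseModel::dispose() at sfx2/source/doc/sfxbasemodel.cxx:794:13
>
> freed by thread T25 here:
>  #0 in operator delete(void*, unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:155:3
>  #4 in ScDocument::~ScDocument() at sc/source/core/data/documen2.cxx:404:17
>  #13 in ScDocShell::~ScDocShell() at sc/source/ui/docshell/docsh.cxx:3013:1
>  #26 in SfxBaseModel::dispose() at sfx2/source/doc/sfxbasemodel.cxx:794:13
>
> previously allocated by thread T25 here:
>  #0 in operator new(unsigned long) at ~/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:86:3
>  #1 in ScDocument::InitDrawLayer(ScDocShell*) at sc/source/core/data/documen9.cxx:120:23
"""

# "#N in <function> at <path>[:line[:col]]"; thunk frames carry no line number.
FRAME = re.compile(r"#\d+ in (.+) at (\S+?)(?::(\d+))?(?::\d+)?$")

def parse_stacks(report):
    """Split a symbolized ASan report into its 'use', 'free' and 'alloc' stacks."""
    stacks, current = {"use": [], "free": [], "alloc": []}, None
    for raw in report.splitlines():
        line = raw.lstrip("> \t").rstrip()   # tolerate mail quoting
        if "ERROR: AddressSanitizer" in line:
            current = "use"
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif current and (m := FRAME.match(line)):
            func, path, lineno = m.groups()
            stacks[current].append((func, path, int(lineno) if lineno else None))
    return stacks

def divergence(use, free):
    """Walk both stacks from the outermost frame inwards and return the first
    frame whose function matches but whose source line differs."""
    for (uf, up, ul), (ff, fp, fl) in zip(reversed(use), reversed(free)):
        if (uf, up) != (ff, fp):
            return None            # stacks split in different functions
        if ul != fl:
            return {"function": uf, "file": up, "free_line": fl, "use_line": ul}
    return None

stacks = parse_stacks(REPORT)
print(divergence(stacks["use"], stacks["free"]))
```

A `None` result means the free and the use were reached through different call paths (or different threads), so there is no single function whose statement order explains the report.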

