Avoid crash in shutdown when accessing already destroyed BASIC_DLL

Desktop / LibreOffice - Mike Kaganski [collabora.com] - 21 December 2019 07:12 EST

... as seen in https://ci.libreoffice.org/job/gerrit_linux_gcc_release/48425/console

The problem was that SbxErrObject::getErrObject created a static object which called GetSbxData_Impl() in its destructor, which in turn accessed BASIC_DLL, which was invalidated by deleting BasicDLL objects either in SfxApplication::~SfxApplication or in MacroSnippet::~MacroSnippet, thus already invalid when static was destroyed.

So fix this by creating the global error object in the SbxAppData, not as function-local static, so that its lifetime is limited to the data.

The crash happened also on Windows, but was somehow masked (possibly by custom error handler?), with this call stack:

sblo.dll!std::unique_ptr>::operator*() Line 1886 at C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\include\memory(1886) sblo.dll!GetSbxData_Impl() Line 110 at C:\lo\src\core\basic\source\runtime\basrdll.cxx(110) sblo.dll!SbxBase::GetError() Line 96 at C:\lo\src\core\basic\source\sbx\sbxbase.cxx(96) sblo.dll!SbxValue::Put(const SbxValues & rVal) Line 414 at C:\lo\src\core\basic\source\sbx\sbxvalue.cxx(414) sblo.dll!SbxValue::Clear() Line 179 at C:\lo\src\core\basic\source\sbx\sbxvalue.cxx(179) sblo.dll!SbxValue::~SbxValue() Line 139 at C:\lo\src\core\basic\source\sbx\sbxvalue.cxx(139) sblo.dll!SbxVariable::~SbxVariable() Line 125 at C:\lo\src\core\basic\source\sbx\sbxvar.cxx(125) sblo.dll!SbxProperty::~SbxProperty() Line 861 at C:\lo\src\core\basic\source\sbx\sbxobj.cxx(861) sblo.dll!SbUnoProperty::~SbUnoProperty() Line 2591 at C:\lo\src\core\basic\source\classes\sbunoobj.cxx(2591) sblo.dll!SbUnoProperty::`vbase destructor'() sblo.dll!SbUnoProperty::`scalar deleting destructor'(unsigned int) tllo.dll!SvRefBase::ReleaseRef() Line 163 at C:\lo\src\core\include\tools\ref.hxx(163) sblo.dll!tools::SvRef::~SvRef() Line 56 at C:\lo\src\core\include\tools\ref.hxx(56) sblo.dll!SbxVarEntry::~SbxVarEntry() sblo.dll!SbxVarEntry::`scalar deleting destructor'(unsigned int) sblo.dll!std::_Default_allocator_traits>::destroy(std::allocator & __formal, SbxVarEntry * const _Ptr) Line 677 at C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\include\xmemory(677) sblo.dll!std::_Destroy_range>(SbxVarEntry * _First, SbxVarEntry * const _Last, std::allocator & _Al) Line 951 at C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\include\xmemory(951) sblo.dll!std::vector>::_Destroy(SbxVarEntry * _First, SbxVarEntry * _Last) Line 1616 at C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\include\vector(1616) sblo.dll!std::vector>::_Tidy() Line 1698 at C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\include\vector(1698) sblo.dll!std::vector>::~vector>() Line 674 at C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\include\vector(674) sblo.dll!SbxArray::~SbxArray() Line 75 at C:\lo\src\core\basic\source\sbx\sbxarray.cxx(75) sblo.dll!SbxArray::`vbase destructor'() sblo.dll!SbxArray::`vector deleting destructor'(unsigned int) tllo.dll!SvRefBase::ReleaseRef() Line 163 at C:\lo\src\core\include\tools\ref.hxx(163) sblo.dll!tools::SvRef::~SvRef() Line 56 at C:\lo\src\core\include\tools\ref.hxx(56) sblo.dll!SbxObject::~SbxObject() Line 111 at C:\lo\src\core\basic\source\sbx\sbxobj.cxx(111) sblo.dll!SbUnoObject::~SbUnoObject() Line 2387 at C:\lo\src\core\basic\source\classes\sbunoobj.cxx(2387) sblo.dll!SbxErrObject::~SbxErrObject() Line 183 at C:\lo\src\core\basic\source\classes\errobject.cxx(183) sblo.dll!SbxErrObject::`vbase destructor'() sblo.dll!SbxErrObject::`scalar deleting destructor'(unsigned int) tllo.dll!SvRefBase::ReleaseRef() Line 163 at C:\lo\src\core\include\tools\ref.hxx(163) sblo.dll!tools::SvRef::~SvRef() Line 56 at C:\lo\src\core\include\tools\ref.hxx(56) sblo.dll!`SbxErrObject::getErrObject'::`2'::`dynamic atexit destructor for 'pGlobErr''() ucrtbased.dll!_execute_onexit_table::__l2::() Line 206 at minkernel\crts\ucrt\src\appcrt\startup\onexit.cpp(206) ucrtbased.dll!__crt_seh_guarded_call::operator()(void),int (void) &,void (void)>(__acrt_lock_and_call::__l2::void (void) && setup, _execute_onexit_table::__l2::int (void) & action, __acrt_lock_and_call::__l2::void (void) && cleanup) Line 204 at vccrt\vcruntime\inc\internal_shared.h(204) ucrtbased.dll!__acrt_lock_and_call(void)>(const __acrt_lock_id lock_id, _execute_onexit_table::__l2::int (void) && action) Line 975 at minkernel\crts\ucrt\inc\corecrt_internal.h(975) ucrtbased.dll!_execute_onexit_table(_onexit_table_t * table) Line 231 at minkernel\crts\ucrt\src\appcrt\startup\onexit.cpp(231) sblo.dll!__scrt_dllmain_uninitialize_c() Line 399 at d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\utility\utility.cpp(399) sblo.dll!dllmain_crt_process_detach(const bool is_terminating) Line 182 at d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp(182) sblo.dll!dllmain_crt_dispatch(HINSTANCE__ * const instance, const unsigned long reason, void * const reserved) Line 220 at d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp(220) sblo.dll!dllmain_dispatch(HINSTANCE__ * const instance, const unsigned long reason, void * const reserved) Line 293 at d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp(293) sblo.dll!_DllMainCRTStartup(HINSTANCE__ * const instance, const unsigned long reason, void * const reserved) Line 335 at d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\dll_dllmain.cpp(335) ntdll.dll!LdrpCallInitRoutine() ntdll.dll!LdrpProcessDetachNode() ntdll.dll!LdrpUnloadNode() ntdll.dll!LdrpUnloadNode() ntdll.dll!LdrpUnloadNode() ntdll.dll!LdrpDecrementModuleLoadCountEx() ntdll.dll!LdrUnloadDll() KernelBase.dll!FreeLibrary() cppunitd_dll.dll!CppUnit::DynamicLibraryManager::doReleaseLibrary() Line 30 at C:\lo\src\core\workdir\UnpackedTarball\cppunit\src\cppunit\Win32DynamicLibraryManager.cpp(30) cppunitd_dll.dll!CppUnit::DynamicLibraryManager::releaseLibrary() Line 69 at C:\lo\src\core\workdir\UnpackedTarball\cppunit\src\cppunit\DynamicLibraryManager.cpp(69) cppunitd_dll.dll!CppUnit::DynamicLibraryManager::~DynamicLibraryManager() Line 19 at C:\lo\src\core\workdir\UnpackedTarball\cppunit\src\cppunit\DynamicLibraryManager.cpp(19) cppunitd_dll.dll!CppUnit::DynamicLibraryManager::`scalar deleting destructor'(unsigned int) cppunitd_dll.dll!CppUnit::PlugInManager::unload(CppUnit::PlugInManager::PlugInInfo & plugIn) Line 83 at C:\lo\src\core\workdir\UnpackedTarball\cppunit\src\cppunit\PlugInManager.cpp(83) cppunitd_dll.dll!CppUnit::PlugInManager::~PlugInManager() Line 24 at C:\lo\src\core\workdir\UnpackedTarball\cppunit\src\cppunit\PlugInManager.cpp(24) cppunittester.exe!`anonymous namespace'::ProtectedFixtureFunctor::run() Line 327 at C:\lo\src\core\sal\cppunittester\cppunittester.cxx(327) cppunittester.exe!sal_main() Line 466 at C:\lo\src\core\sal\cppunittester\cppunittester.cxx(466) cppunittester.exe!main(int argc, char * * argv) Line 373 at C:\lo\src\core\sal\cppunittester\cppunittester.cxx(373) cppunittester.exe!invoke_main() Line 79 at d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl(79) cppunittester.exe!__scrt_common_main_seh() Line 288 at d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl(288) cppunittester.exe!__scrt_common_main() Line 331 at d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl(331) cppunittester.exe!mainCRTStartup() Line 17 at d:\agent\_work\5\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp(17) kernel32.dll!BaseThreadInitThunk() ntdll.dll!RtlUserThreadStart()

Change-Id: I597dc242f71d220bbb42aef2611e4fd7e20a7be6 Reviewed-on: https://gerrit.libreoffice.org/85586

3ebf6a090b22 Avoid crash in shutdown when accessing already destroyed BASIC_DLL
basic/inc/sbxbase.hxx | 4 ++++
basic/source/classes/errobject.cxx | 12 ++++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)

Upstream: cgit.freedesktop.org


  • Share