vcl lok: fix UB when lok notifier is deleted before its window

Desktop / LibreOffice - Miklos Vajna [collabora.com] - 26 August 2019 07:58 EDT

During online.git's unit-copy-paste test:

==18827==ERROR: AddressSanitizer: heap-use-after-free on address 0x61c0000c88c0 at pc 0x7fcbf515fcac bp 0x7ffe9be7eef0 sp 0x7ffe9be7eee8 READ of size 8 at 0x61c0000c88c0 thread T0 (loolkit) #0 0x7fcbf515fcab in vcl::Window::PixelInvalidate(tools::Rectangle const*) core/vcl/source/window/paint.cxx:1227:20 #1 0x7fcbf515efcb in vcl::Window::LogicInvalidate(tools::Rectangle const*) core/vcl/source/window/paint.cxx:1207:9 #2 0x7fcbf5f6f9f4 in vcl::Window::queue_resize(StateChangedType) core/vcl/source/window/window2.cxx:1351:13 #3 0x7fcbf57e3a4f in DockingWindow::queue_resize(StateChangedType) core/vcl/source/window/dockwin.cxx:1046:18 #4 0x7fcbf5f6ff12 in vcl::(anonymous namespace)::queue_ungrouped_resize(vcl::Window const*) core/vcl/source/window/window2.cxx:1301:22 #5 0x7fcbf5f6e390 in vcl::Window::queue_resize(StateChangedType) core/vcl/source/window/window2.cxx:1320:26 #6 0x7fcbf5f6ff12 in vcl::(anonymous namespace)::queue_ungrouped_resize(vcl::Window const*) core/vcl/source/window/window2.cxx:1301:22 #7 0x7fcbf5f6e390 in vcl::Window::queue_resize(StateChangedType) core/vcl/source/window/window2.cxx:1320:26 #8 0x7fcbf601ebef in vcl::Window::StateChanged(StateChangedType) core/vcl/source/window/window.cxx:1929:13 #9 0x7fcbf601f761 in vcl::Window::CompatStateChanged(StateChangedType) core/vcl/source/window/window.cxx:3719:5 #10 0x7fcbf600d9b6 in vcl::Window::Show(bool, ShowFlags) core/vcl/source/window/window.cxx:2189:9 #11 0x7fcbf50ae584 in vcl::Window::Hide() core/include/vcl/window.hxx:930:50 #12 0x7fcbf5fceb7a in vcl::Window::dispose() core/vcl/source/window/window.cxx:399:5 #13 0x7fcbf629f6fb in Control::dispose() core/vcl/source/control/ctrl.cxx:62:13 #14 0x7fcbf612db90 in Button::dispose() core/vcl/source/control/button.cxx:108:14 #15 0x7fcbf617736d in RadioButton::dispose() core/vcl/source/control/button.cxx:2292:13 #16 0x7fcbf6dd52da in VclReferenceBase::disposeOnce() core/vcl/source/outdev/vclreferencebase.cxx:41:5 #17 0x7fcc1add4fa4 in VclPtr::disposeAndClear() core/include/vcl/vclptr.hxx:206:19 #18 0x7fcc1adc4b3e in sfx2::sidebar::TabBar::SetDecks(std::__debug::vector > const&) core/sfx2/source/sidebar/TabBar.cxx:116:27 #19 0x7fcc1abb2ebb in sfx2::sidebar::SidebarController::UpdateConfigurations() core/sfx2/source/sidebar/SidebarController.cxx:525:15 #20 0x7fcc1abb0d1e in sfx2::sidebar::SidebarController::notifyContextChangeEvent(com::sun::star::ui::ContextChangeEventObject const&) core/sfx2/source/sidebar/SidebarController.cxx:321:9 #21 0x7fcb4688906e in (anonymous namespace)::ContextChangeEventMultiplexer::BroadcastEventToSingleContainer(com::sun::star::ui::ContextChangeEventObject const&, com::sun::star::uno::Reference const&) core/framework/source/services/ContextChangeEventMultiplexer.cxx:254:23 #22 0x7fcb46883d44 in (anonymous namespace)::ContextChangeEventMultiplexer::broadcastContextChangeEvent(com::sun::star::ui::ContextChangeEventObject const&, com::sun::star::uno::Reference const&) core/framework/source/services/ContextChangeEventMultiplexer.cxx:237:5 #23 0x7fcc1ac67170 in sfx2::sidebar::ContextChangeBroadcaster::BroadcastContextChange(com::sun::star::uno::Reference const&, rtl::OUString const&, rtl::OUString const&) core/sfx2/source/sidebar/ContextChangeBroadcaster.cxx:108:23 #24 0x7fcc1ac66021 in sfx2::sidebar::ContextChangeBroadcaster::Activate(com::sun::star::uno::Reference const&) core/sfx2/source/sidebar/ContextChangeBroadcaster.cxx:53:9 #25 0x7fcc19838064 in SfxShell::BroadcastContextForActivation(bool) core/sfx2/source/control/shell.cxx:713:47 #26 0x7fcc19837b2a in SfxShell::Activate(bool) core/sfx2/source/control/shell.cxx:361:5 #27 0x7fcc19836442 in SfxShell::DoActivate_Impl(SfxViewFrame*, bool) core/sfx2/source/control/shell.cxx:314:5 #28 0x7fcc19647b7e in SfxDispatcher::DoActivate_Impl(bool) core/sfx2/source/control/dispatch.cxx:702:42 #29 0x7fcc1b125692 in SfxViewFrame::DoActivate(bool) core/sfx2/source/view/viewfrm.cxx:1173:20 #30 0x7fcc18ed323d in SfxApplication::SetViewFrame_Impl(SfxViewFrame*) core/sfx2/source/appl/app.cxx:311:21 #31 0x7fcc1b1254f7 in SfxViewFrame::SetViewFrame(SfxViewFrame*) core/sfx2/source/view/viewfrm.cxx:3266:19 #32 0x7fcc1b1412fb in SfxViewFrame::MakeActive_Impl(bool) core/sfx2/source/view/viewfrm.cxx:1877:9 #33 0x7fcc1b06d6f4 in SfxLokHelper::setView(int) core/sfx2/source/view/lokhelper.cxx:85:25

freed by thread T0 (loolkit) here: #0 0x610150 in operator delete(void*) _asan_rtl_:0 #1 0x7fcbb32e2560 in ScTabViewShell::~ScTabViewShell() core/sc/source/ui/view/tabvwsh4.cxx:1709:1 #2 0x7fcc1b121be5 in SfxViewFrame::ReleaseObjectShell_Impl() core/sfx2/source/view/viewfrm.cxx:1116:9 #3 0x7fcc1b13caf9 in SfxViewFrame::~SfxViewFrame() core/sfx2/source/view/viewfrm.cxx:1615:5 #4 0x7fcc1b13e234 in SfxViewFrame::~SfxViewFrame() core/sfx2/source/view/viewfrm.cxx:1609:1 #5 0x7fcc1b125143 in SfxViewFrame::Close() core/sfx2/source/view/viewfrm.cxx:1168:5 #6 0x7fcc1afc6a92 in SfxFrame::DoClose_Impl() core/sfx2/source/view/frame.cxx:159:35 #7 0x7fcc1b0bb60d in SfxBaseController::dispose() core/sfx2/source/view/sfxbasecontroller.cxx:983:28 #8 0x7fcb469d1e9b in (anonymous namespace)::XFrameImpl::setComponent(com::sun::star::uno::Reference const&, com::sun::star::uno::Reference const&) core/framework/source/services/frame.cxx:1492:33 #9 0x7fcb469dd0c0 in (anonymous namespace)::XFrameImpl::close(unsigned char) core/framework/source/services/frame.cxx:1699:12 #10 0x7fcc1b185d84 in SfxViewFrame::Exec_Impl(SfxRequest&) core/sfx2/source/view/viewfrm2.cxx:246:32 #11 0x7fcc1b06c967 in SfxLokHelper::destroyView(int) core/sfx2/source/view/lokhelper.cxx:59:25 #12 0x7fcc2bf0a551 in doc_destroyView(_LibreOfficeKitDocument*, int) core/desktop/source/lib/init.cxx:4473:5 #13 0x980e57 in lok::Document::destroyView(int) core/include/LibreOfficeKit/LibreOfficeKit.hxx:512:9 #14 0x9310e4 in Document::onUnload(ChildSession const&) online/kit/Kit.cpp:1555:29 #15 0x6175e8 in ChildSession::disconnect() online/kit/ChildSession.cpp:98:30 #16 0x616c85 in ChildSession::~ChildSession() online/kit/ChildSession.cpp:85:5

I.e. normally first the vcl::Window is deleted, and only then the view shell, and the lifecycle handled in vcl::Window::ReleaseLOKNotifier().

But at least with DockingWindow, it can happen that the vcl::Window outlives its view shell, so we need to decouple the vcl::Window and its
view shell (lok notifier) in both cases, no matter which object is deleted first.

Change-Id: I49701817827f8b7545d07a1d74514781551db7e9 Reviewed-on: https://gerrit.libreoffice.org/78105

9f399fd26fda vcl lok: fix UB when lok notifier is deleted before its window
include/vcl/IDialogRenderable.hxx | 2 +-
vcl/source/window/window.cxx | 22 ++++++++++++++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)

Upstream: cgit.freedesktop.org


  • Share