sc/qa/unit/subsequent_export_test2.cxx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
New commits: commit 2eeda7e20b14357e22e5948186d613a15bbf6e81 Author: Stephan Bergmann <sberg...@redhat.com> AuthorDate: Wed Jan 18 09:32:09 2023 +0100 Commit: Stephan Bergmann <sberg...@redhat.com> CommitDate: Wed Jan 18 10:01:52 2023 +0000 Fix use-after-free ...introduced with 18f1e7ae9d57e888e316e9134ea321be98bf705a "sc: Use FormulaGrammarSwitch" (which gets partially reverted here), > ==7079==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0002d6cac at pc 0x7f3635905f9e bp 0x7ffdd2107b60 sp 0x7ffdd2107b58 > WRITE of size 4 at 0x61d0002d6cac thread T0 > #0 0x7f3635905f9d in ScDocument::SetGrammar(formula::FormulaGrammar::Grammar) /sc/source/core/data/documen3.cxx:507:14 > #1 0x7f362ce3da0c in FormulaGrammarSwitch::~FormulaGrammarSwitch() /sc/qa/unit/helper/qahelper.cxx:56:12 > #2 0x7f36529ad332 in ScExportTest2::testRefStringUnspecified() /sc/qa/unit/subsequent_export_test2.cxx:436:1 > > 0x61d0002d6cac is located 2092 bytes inside of 2280-byte region [0x61d0002d6480,0x61d0002d6d68) > freed by thread T0 here: > #0 0x4fe180 in operator delete(void*) /home/tdf/lode/packages/llvm-llvmorg-12.0.1.src/compiler-rt/lib/asan/asan_new_delete.cpp:160 > #1 0x7f36398e1b9e in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<ScDocument, std::allocator<ScDocument>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<ScDocument, std::allocator<ScDocument>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/ext/new_allocator.h:125:2 > #2 0x7f36398e1b4e in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<ScDocument, std::allocator<ScDocument>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<ScDocument, std::allocator<ScDocument>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<ScDocument, std::allocator<ScDocument>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) 
/opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/alloc_traits.h:462:13 > #3 0x7f36398e0691 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<ScDocument, std::allocator<ScDocument>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/allocated_ptr.h:73:4 > #4 0x7f36398e12b3 in std::_Sp_counted_ptr_inplace<ScDocument, std::allocator<ScDocument>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr_base.h:545:7 > #5 0x7f3635077f59 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr_base.h:170:10 > #6 0x7f3635077bf9 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr_base.h:684:11 > #7 0x7f36388ea06c in std::__shared_ptr<ScDocument, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr_base.h:1123:31 > #8 0x7f36388e02b8 in std::shared_ptr<ScDocument>::~shared_ptr() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr.h:93:11 > #9 0x7f36398a45c7 in ScDocShell::~ScDocShell() /sc/source/ui/docshell/docsh.cxx:2941:1 > #10 0x7f36398a475f in ScDocShell::~ScDocShell() /sc/source/ui/docshell/docsh.cxx:2910:1 > #11 0x7f36398a4908 in ScDocShell::~ScDocShell() /sc/source/ui/docshell/docsh.cxx:2910:1 > #12 0x7f3627bd3f11 in SvRefBase::ReleaseRef() /include/tools/ref.hxx:163:29 > #13 0x7f3627bd350c in tools::SvRef<SfxObjectShell>::~SvRef() /include/tools/ref.hxx:56:36 > #14 0x7f3629662ce1 in IMPL_SfxBaseModel_DataContainer::~IMPL_SfxBaseModel_DataContainer() 
/sfx2/source/doc/sfxbasemodel.cxx:249:5 > #15 0x7f362966598a in void __gnu_cxx::new_allocator<IMPL_SfxBaseModel_DataContainer>::destroy<IMPL_SfxBaseModel_DataContainer>(IMPL_SfxBaseModel_DataContainer*) /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/ext/new_allocator.h:140:28 > #16 0x7f3629665746 in void std::allocator_traits<std::allocator<IMPL_SfxBaseModel_DataContainer> >::destroy<IMPL_SfxBaseModel_DataContainer>(std::allocator<IMPL_SfxBaseModel_DataContainer>&, IMPL_SfxBaseModel_DataContainer*) /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/alloc_traits.h:487:8 > #17 0x7f3629660583 in std::_Sp_counted_ptr_inplace<IMPL_SfxBaseModel_DataContainer, std::allocator<IMPL_SfxBaseModel_DataContainer>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr_base.h:535:2 > #18 0x7f3627b7b1fc in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr_base.h:154:6 > #19 0x7f3627b7b029 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr_base.h:684:11 > #20 0x7f362966a9cc in std::__shared_ptr<IMPL_SfxBaseModel_DataContainer, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr_base.h:1123:31 > #21 0x7f362962f893 in std::__shared_ptr<IMPL_SfxBaseModel_DataContainer, (__gnu_cxx::_Lock_policy)2>::reset() /opt/rh/devtoolset-7/root/usr/lib/gcc/x86_64-redhat-linux/7/../../../../include/c++/7/bits/shared_ptr_base.h:1235:9 > #22 0x7f3629572b96 in SfxBaseModel::dispose() /sfx2/source/doc/sfxbasemodel.cxx:765:13 > #23 0x7f3629591550 in SfxBaseModel::close(unsigned char) 
/sfx2/source/doc/sfxbasemodel.cxx:1496:5 > #24 0x7f36295702fd in SfxBaseModel::dispose() /sfx2/source/doc/sfxbasemodel.cxx:722:13 > #25 0x7f36247062aa in UnoApiTest::load(rtl::OUString const&, char const*) /test/source/unoapi_test.cxx:87:22 > #26 0x7f362470bb09 in UnoApiTest::saveAndReload(rtl::OUString const&, char const*) /test/source/unoapi_test.cxx:207:5 > #27 0x7f36529ad04f in ScExportTest2::testRefStringUnspecified() /sc/qa/unit/subsequent_export_test2.cxx:428:5 (<https://ci.libreoffice.org/job/lo_ubsan/2653/>) Change-Id: I34adf135a4ec79935295a21b34277324c531291b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/145706 Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org> Tested-by: Jenkins Reviewed-by: Stephan Bergmann <sberg...@redhat.com> diff --git a/sc/qa/unit/subsequent_export_test2.cxx b/sc/qa/unit/subsequent_export_test2.cxx index ab57145096a5..16188c90bbfa 100644 --- a/sc/qa/unit/subsequent_export_test2.cxx +++ b/sc/qa/unit/subsequent_export_test2.cxx @@ -423,7 +423,7 @@ void ScExportTest2::testRefStringUnspecified() aConfig.meStringRefAddressSyntax); // change formula syntax (i.e. not string ref syntax) to ExcelA1 - FormulaGrammarSwitch aFGSwitch(pDoc, formula::FormulaGrammar::GRAM_NATIVE_XL_A1); + pDoc->SetGrammar(formula::FormulaGrammar::GRAM_NATIVE_XL_A1); saveAndReload("calc8");
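Review bot: The bare `pDoc->SetGrammar(...)` on the added line gives no hint why the scoped `FormulaGrammarSwitch` must not be used here, so a later cleanup could put the guard back and reintroduce the use-after-free. The ASan trace in the commit message shows `saveAndReload()` destroying the `ScDocument` while the guard's destructor still writes to it at the end of the test, so I would extend the existing comment with something like `// not FormulaGrammarSwitch: saveAndReload() frees this ScDocument, and the guard's dtor would call SetGrammar on it`. For the same reason `pDoc` dangles once `saveAndReload("calc8")` returns. The function body continues outside the hunk, so it is not visible whether the pointer is fetched again before its next use, and that should be confirmed. Since the message calls this a partial revert, the other `FormulaGrammarSwitch` uses added by the original change are presumably safe only where no reload happens inside the guard's scope, which is worth checking.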