diff options
author | Stephan Bergmann <sbergman@redhat.com> | 2020-08-11 06:52:25 +0200 |
---|---|---|
committer | Stephan Bergmann <sbergman@redhat.com> | 2020-08-11 08:32:16 +0200 |
commit | 0de191e1d201d691c2196cf1aef412a98affb66f (patch) | |
tree | d5d54f1475467c477d148029ad33e0001cd864f5 | |
parent | 99dff69b561a8fe2d9437e6aa67a9581a6666f41 (diff) |
Heap use-after-free
...as seen during UITest_writer_tests2:
> ==2548829==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0002be9d0 at pc 0x7f42be5ddc7f bp 0x7ffe2d26b090 sp 0x7ffe2d26b088
> READ of size 1 at 0x60b0002be9d0 thread T0
> #0 in cppu::WeakComponentImplHelperBase::release() at cppuhelper/source/implbase.cxx:84:9
> #1 in cppu::PartialWeakComponentImplHelper<com::sun::star::lang::XServiceInfo, com::sun::star::beans::XPropertySetInfo>::release() at include/cppuhelper/compbase.hxx:86:36
> #2 in rtl::Reference<UcbPropertiesManager>::~Reference() at include/rtl/ref.hxx:113:22
> #3 in __run_exit_handlers at /usr/src/debug/glibc-2.31-48-g64246fccaf/stdlib/exit.c:108:8
> #4 in exit at /usr/src/debug/glibc-2.31-48-g64246fccaf/stdlib/exit.c:139:3
> #5 in __libc_start_main at /usr/src/debug/glibc-2.31-48-g64246fccaf/csu/../csu/libc-start.c:342:3
> 0x60b0002be9d0 is located 64 bytes inside of 112-byte region [0x60b0002be990,0x60b0002bea00)
> freed by thread T0 here:
> #0 in free at /home/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
> #1 in rtl_freeMemory at sal/rtl/alloc_global.cxx:51:5
> #2 in cppu::WeakComponentImplHelperBase::operator delete(void*) at include/cppuhelper/compbase_ex.hxx:66:11
> #3 in UcbPropertiesManager::~UcbPropertiesManager() at ucb/source/core/ucbprops.cxx:197:1
> #4 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:233:9
> #5 in cppu::WeakComponentImplHelperBase::release() at cppuhelper/source/implbase.cxx:86:18
> #6 in cppu::PartialWeakComponentImplHelper<com::sun::star::lang::XServiceInfo, com::sun::star::beans::XPropertySetInfo>::release() at include/cppuhelper/compbase.hxx:86:36
> #7 in rtl::Reference<UcbPropertiesManager>::clear() at include/rtl/ref.hxx:180:19
> #8 in UcbPropertiesManager::dispose() at ucb/source/core/ucbprops.cxx:205:16
> #9 in cppu::WeakComponentImplHelperBase::release() at cppuhelper/source/implbase.cxx:79:13
> #10 in cppu::PartialWeakComponentImplHelper<com::sun::star::lang::XServiceInfo, com::sun::star::beans::XPropertySetInfo>::release() at include/cppuhelper/compbase.hxx:86:36
> #11 in rtl::Reference<UcbPropertiesManager>::~Reference() at include/rtl/ref.hxx:113:22
> #12 in __run_exit_handlers at /usr/src/debug/glibc-2.31-48-g64246fccaf/stdlib/exit.c:108:8
The elaborate g_Instance disposal scheme had been introduced with
3d44c6a49b20415616dab7a2de2820da5efab309 "ucb/core: create instances with uno
constructors", but it is unclear to me for what reason.
Change-Id: I768bc3a8674e0e81cf89adae58e4a67d14509985
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100456
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
-rw-r--r-- | ucb/source/core/ucbprops.cxx | 18 | ||||
-rw-r--r-- | ucb/source/core/ucbprops.hxx | 11 |
2 files changed, 5 insertions, 24 deletions
diff --git a/ucb/source/core/ucbprops.cxx b/ucb/source/core/ucbprops.cxx index 19a42e653883..fe64bfad6cfe 100644 --- a/ucb/source/core/ucbprops.cxx +++ b/ucb/source/core/ucbprops.cxx @@ -45,12 +45,8 @@ using namespace com::sun::star::uno; #define ATTR_DEFAULT ( PropertyAttribute::BOUND | PropertyAttribute::MAYBEVOID | PropertyAttribute::MAYBEDEFAULT ) -static osl::Mutex g_InstanceGuard; -static rtl::Reference<UcbPropertiesManager> g_Instance; - UcbPropertiesManager::UcbPropertiesManager() -: UcbPropertiesManager_Base(m_aMutex), - m_pProps({ +: m_pProps({ { "Account", -1, cppu::UnoType<OUString>::get(), ATTR_DEFAULT }, { "AutoUpdateInterval", -1, cppu::UnoType<sal_Int32>::get(), ATTR_DEFAULT }, { "ConfirmEmpty", -1, cppu::UnoType<bool>::get(), ATTR_DEFAULT }, @@ -197,14 +193,6 @@ UcbPropertiesManager::~UcbPropertiesManager() { } -// XComponent -void SAL_CALL UcbPropertiesManager::dispose() -{ - UcbPropertiesManager_Base::dispose(); - osl::MutexGuard aGuard(g_InstanceGuard); - g_Instance.clear(); -} - // XServiceInfo methods. OUString SAL_CALL UcbPropertiesManager::getImplementationName() @@ -228,9 +216,7 @@ extern "C" SAL_DLLPUBLIC_EXPORT css::uno::XInterface* ucb_UcbPropertiesManager_get_implementation( css::uno::XComponentContext* , css::uno::Sequence<css::uno::Any> const&) { - osl::MutexGuard aGuard(g_InstanceGuard); - if (!g_Instance) - g_Instance.set(new UcbPropertiesManager()); + static rtl::Reference<UcbPropertiesManager> g_Instance(new UcbPropertiesManager()); g_Instance->acquire(); return static_cast<cppu::OWeakObject*>(g_Instance.get()); } diff --git a/ucb/source/core/ucbprops.hxx b/ucb/source/core/ucbprops.hxx index 6ef4e5a5bfcb..89e31a389e9f 100644 --- a/ucb/source/core/ucbprops.hxx +++ b/ucb/source/core/ucbprops.hxx @@ -24,15 +24,13 @@ #include <com/sun/star/lang/XSingleServiceFactory.hpp> #include <com/sun/star/lang/XServiceInfo.hpp> #include <com/sun/star/beans/XPropertySetInfo.hpp> -#include <cppuhelper/compbase.hxx> -#include <cppuhelper/basemutex.hxx> +#include <cppuhelper/implbase.hxx> - -using UcbPropertiesManager_Base = cppu::WeakComponentImplHelper < +using UcbPropertiesManager_Base = cppu::WeakImplHelper < css::lang::XServiceInfo, css::beans::XPropertySetInfo >; -class UcbPropertiesManager : public cppu::BaseMutex, public UcbPropertiesManager_Base +class UcbPropertiesManager : public UcbPropertiesManager_Base { css::uno::Sequence< css::beans::Property > m_pProps; @@ -44,9 +42,6 @@ public: explicit UcbPropertiesManager(); virtual ~UcbPropertiesManager() override; - // XComponent - virtual void SAL_CALL dispose() override; - // XServiceInfo virtual OUString SAL_CALL getImplementationName() override; virtual sal_Bool SAL_CALL supportsService( const OUString& ServiceName ) override; |