Disallow closing document during idle layout

Similar to commit 99c1bd1a4ef5365d8c26a41c8e858c67e673beb4 (Disallow
closing document during generation of preview, 2024-03-11), it may
happen that an external process is closes a document that is being
in the process of the background layout, leading to use-after-free.

The request thread at the crash time, executing XComponent::dispose:

swlo.dll!SwNoTextFrame::~SwNoTextFrame() Line 170
swlo.dll!SwNoTextFrame::`scalar deleting destructor'(unsigned int)
swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 397
swlo.dll!SwFlyFrame::DeleteCnt() Line 424
swlo.dll!SwFlyFrame::DestroyImpl() Line 358
swlo.dll!SwFlyFreeFrame::DestroyImpl() Line 89
swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 396
swlo.dll!SwLayoutFrame::DestroyImpl() Line 516
swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 396
swlo.dll!SwLayoutFrame::DestroyImpl() Line 540
swlo.dll!SwPageFrame::DestroyImpl() Line 317
swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 396
swlo.dll!SwLayoutFrame::DestroyImpl() Line 540
swlo.dll!SwRootFrame::DestroyImpl() Line 570
swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 396
swlo.dll!std::_Ref_count_resource<SwRootFrame *,void (__cdecl*)(SwFrame *)>::_Destroy() Line 1222
swlo.dll!std::_Ref_count_base::_Decref() Line 1164
swlo.dll!std::_Ptr_base<SwRootFrame>::_Decref() Line 1380
swlo.dll!std::shared_ptr<SwRootFrame>::~shared_ptr<SwRootFrame>() Line 1685
swlo.dll!SwViewShell::~SwViewShell() Line 354
swlo.dll!SwCursorShell::~SwCursorShell() Line 3440
swlo.dll!SwEditShell::~SwEditShell() Line 63
swlo.dll!SwFEShell::~SwFEShell() Line 699
swlo.dll!SwWrtShell::~SwWrtShell() Line 2065
swlo.dll!SwWrtShell::`scalar deleting destructor'(unsigned int)
swlo.dll!std::default_delete<SwWrtShell>::operator()(SwWrtShell * _Ptr) Line 3302
swlo.dll!std::unique_ptr<SwWrtShell,std::default_delete<SwWrtShell>>::reset(SwWrtShell * _Ptr) Line 3447
swlo.dll!SwView::~SwView() Line 1196
swlo.dll!SwView::`vector deleting destructor'(unsigned int)
sfxlo.dll!SfxViewFrame::ReleaseObjectShell_Impl() Line 1140
sfxlo.dll!SfxViewFrame::~SfxViewFrame() Line 2059
sfxlo.dll!SfxViewFrame::`scalar deleting destructor'(unsigned int)
sfxlo.dll!SfxViewFrame::Close() Line 1192
sfxlo.dll!SfxFrame::DoClose_Impl() Line 138
sfxlo.dll!SfxBaseController::dispose() Line 928
fwklo.dll!`anonymous namespace'::XFrameImpl::setComponent(const com::sun::star::uno::Reference<com::sun::star::awt::XWindow> & xComponentWindow, const com::sun::star::uno::Reference<com::sun::star::frame::XController> & xController) Line 1496
fwklo.dll!`anonymous namespace'::XFrameImpl::close(unsigned char bDeliverOwnership) Line 1707
sfxlo.dll!SfxFrame::DoClose() Line 104
sfxlo.dll!SfxViewFrame::Notify(SfxBroadcaster & __formal, const SfxHint & rHint) Line 1820
svllo.dll!SfxBroadcaster::Broadcast(const SfxHint & rHint) Line 40
sfxlo.dll!`anonymous namespace'::SfxModelListener_Impl::notifyClosing(const com::sun::star::lang::EventObject & __formal) Line 154
sfxlo.dll!SfxBaseModel::close(unsigned char bDeliverOwnership) Line 1511
swlo.dll!SwXTextDocument::close(unsigned char bDeliverOwnership) Line 574
sfxlo.dll!SfxBaseModel::dispose() Line 745
swlo.dll!SwXTextDocument::dispose() Line 561
mscx_uno.dll!`anonymous namespace'::cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy * pThis, bridges::cpp_uno::shared::VtableSlot aVtableSlot, _typelib_TypeDescriptionReference * pReturnTypeRef, long nParams, _typelib_MethodParameter * pParams, void * pUnoReturn, void * * pUnoArgs, _uno_Any * * ppUnoExc) Line 214
mscx_uno.dll!unoInterfaceProxyDispatch(_uno_Interface * pUnoI, const _typelib_TypeDescription * pMemberTD, void * pReturn, void * * pArgs, _uno_Any * * ppException) Line 430
binaryurplo.dll!binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny * returnValue, std::vector<binaryurp::BinaryAny,std::allocator<binaryurp::BinaryAny>> * outArguments) Line 239
binaryurplo.dll!binaryurp::IncomingRequest::execute() Line 79
binaryurplo.dll!request(void * pThreadSpecificData) Line 84
cppu3.dll!cppu_threadpool::JobQueue::enter(const void * nDisposeId, bool bReturnWhenNoJob) Line 101
cppu3.dll!cppu_threadpool::ORequestThread::run() Line 165
cppu3.dll!threadFunc(void * param) Line 190
sal3.dll!oslWorkerWrapperFunction(void * pData) Line 67

Main thread, doing an idle layout of the same document:

emboleobj.dll!OleComponent::SetExtent(const com::sun::star::awt::Size & aVisAreaSize, __int64 nAspect) Line 1099
emboleobj.dll!OleEmbeddedObject::setVisualAreaSize(__int64 nAspect, const com::sun::star::awt::Size & aSize) Line 138
swlo.dll!SwWrtShell::CalcAndSetScale(svt::EmbeddedObjectRef & xObj, const SwRect * pFlyPrtRect, const SwRect * pFlyFrameRect, const bool bNoTextFramePrtAreaChanged) Line 777
swlo.dll!SwContentNotify::ImplDestroy() Line 926
swlo.dll!SwContentNotify::~SwContentNotify() Line 1037
swlo.dll!SwNoTextFrame::MakeAll(OutputDevice * pRenderContext) Line 584
swlo.dll!SwFrame::OptPrepareMake() Line 412
swlo.dll!SwFrame::OptCalc() Line 1110
swlo.dll!SwLayAction::FormatContent_(const SwContentFrame * pContent, const SwPageFrame * pPage) Line 1969
swlo.dll!SwLayAction::FormatFlyContent(const SwFlyFrame * pFly) Line 1994
swlo.dll!SwObjectFormatter::FormatObj_(SwAnchoredObject & _rAnchoredObj) Line 312
swlo.dll!SwObjectFormatterTextFrame::DoFormatObj(SwAnchoredObject & _rAnchoredObj, const bool _bCheckForMovedFwd) Line 133
swlo.dll!SwObjectFormatter::FormatObjsAtFrame_(SwTextFrame * _pMasterTextFrame) Line 414
swlo.dll!SwObjectFormatterTextFrame::DoFormatObjs() Line 348
swlo.dll!SwObjectFormatter::FormatObjsAtFrame(SwFrame & _rAnchorFrame, const SwPageFrame & _rPageFrame, SwLayAction * _pLayAction) Line 160
swlo.dll!SwLayAction::FormatContent(SwPageFrame * pPage) Line 1802
swlo.dll!SwLayAction::InternalAction(OutputDevice * pRenderContext) Line 607
swlo.dll!SwLayAction::Action(OutputDevice * pRenderContext) Line 390
swlo.dll!SwLayIdle::SwLayIdle(SwRootFrame * pRt, SwViewShellImp * pI) Line 2372
swlo.dll!SwViewShell::LayoutIdle() Line 827
swlo.dll!sw::DocumentTimerManager::DoIdleJobs(Timer * __formal) Line 176
swlo.dll!sw::DocumentTimerManager::LinkStubDoIdleJobs(void * instance, Timer * data) Line 156
vcllo.dll!Link<Timer *,void>::Call(Timer * data) Line 111
vcllo.dll!Timer::Invoke() Line 75
vcllo.dll!Scheduler::CallbackTaskScheduling() Line 509
vcllo.dll!SalTimer::CallCallback() Line 53
vclplug_winlo.dll!WinSalTimer::ImplHandleElapsedTimer() Line 169
vclplug_winlo.dll!ImplSalYield(bool bWait, bool bHandleAllCurrentEvents) Line 525
vclplug_winlo.dll!WinSalInstance::DoYield(bool bWait, bool bHandleAllCurrentEvents) Line 581
vcllo.dll!ImplYield(bool i_bWait, bool i_bAllEvents) Line 385
vcllo.dll!Application::Yield() Line 473
vcllo.dll!Application::Execute() Line 361
sofficeapp.dll!desktop::Desktop::Main() Line 1652
vcllo.dll!ImplSVMain() Line 229
vcllo.dll!SVMain() Line 262
sofficeapp.dll!soffice_main() Line 121
soffice.bin!sal_main() Line 51
soffice.bin!main(int argc, char * * argv) Line 49
soffice.bin!invoke_main() Line 79
soffice.bin!__scrt_common_main_seh() Line 288
soffice.bin!__scrt_common_main() Line 331
soffice.bin!mainCRTStartup(void * __formal) Line 17

Change-Id: I92102a9cd11ccde307b070ebc1984eb3d17d65bf
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171856
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>
Tested-by: Jenkins

1 files changed, 3 insertions, 3 deletions

diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
index d58b87a56664..d8c25e752955 100644
--- a/include/sfx2/objsh.hxx
+++ b/include/sfx2/objsh.hxx
@@ -843,14 +843,14 @@ public:
         }
     };
 
-class SfxCloseVetoLock
+class SFX2_DLLPUBLIC SfxCloseVetoLock
 {
 public:
-    SfxCloseVetoLock(const SfxObjectShell& rDocShell);
+    SfxCloseVetoLock(const SfxObjectShell* pDocShell);
     ~SfxCloseVetoLock();
 
 private:
-    const SfxObjectShell& m_rDocShell;
+    const SfxObjectShell* mpDocShell;
 };
 
 typedef rtl::Reference<SfxObjectShell> SfxObjectShellRef;