From 2e29dc20b96f2d96f5b64e9ed5efb79e342b3f54 Mon Sep 17 00:00:00 2001 
From: Stephan Bergmann Date: Fri, 15 Jan 2021 13:46:12 +0100 Subject: Revert "Move SwFntCache link from SwModify down to SwFormat" This reverts commit 8dd78873a9de028c0d9f1f1aee537e85f74d2300, as it caused heap-use-after-free during CppunitTest_sw_uiwriter: > ==864890==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000e6a89c at pc 0x7f92775c8dd9 bp 0x7ffeb01b18d0 sp 0x7ffeb01b18c8 > READ of size 2 at 0x604000e6a89c thread T0 > #0 in SfxPoolItem::Which() const at include/svl/poolitem.hxx:151:53 > #1 in SwAttrHandler::FontChg(SfxPoolItem const&, SwFont&, bool) at sw/source/core/text/atrstck.cxx:571:20 > #2 in SwAttrHandler::ActivateTop(SwFont&, unsigned short) at sw/source/core/text/atrstck.cxx:515:9 > #3 in SwAttrHandler::PopAndChg(SwTextAttr const&, SwFont&) at sw/source/core/text/atrstck.cxx:450:17 > #4 in SwAttrIter::Rst(SwTextAttr const*) at sw/source/core/text/itratr.cxx:113:24 > #5 in SwAttrIter::SeekFwd(int, int) at sw/source/core/text/itratr.cxx:275:52 > #6 in SwAttrIter::Seek(o3tl::strong_int) at sw/source/core/text/itratr.cxx:418:13 > #7 in SwAttrIter::SeekAndChgAttrIter(o3tl::strong_int, OutputDevice*) at sw/source/core/text/itratr.cxx:158:11 > #8 in SwTextIter::SeekAndChg(SwTextSizeInfo&) at sw/source/core/text/itrtxt.hxx:312:12 > #9 in SwTextFormatter::CalcAscent(SwTextFormatInfo&, SwLinePortion*) at sw/source/core/text/itrform2.cxx:815:24 > #10 in SwTextFormatter::NewPortion(SwTextFormatInfo&) at sw/source/core/text/itrform2.cxx:1537:9 > #11 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) at sw/source/core/text/itrform2.cxx:707:16 [...] 
> 0x604000e6a89c is located 12 bytes inside of 48-byte region [0x604000e6a890,0x604000e6a8c0) > freed by thread T0 here: > #0 in operator delete(void*, unsigned long) at ~/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:172:3 > #1 in SvxFontItem::~SvxFontItem() at include/editeng/fontitem.hxx:29:25 > #2 in SfxItemPool::SetPoolDefaultItem(SfxPoolItem const&) at svl/source/items/itempool.cxx:543:13 > #3 in SwDoc::SetDefault(SfxItemSet const&) at sw/source/core/doc/docfmt.cxx:550:23 > #4 in SwDoc::SetDefault(SfxPoolItem const&) at sw/source/core/doc/docfmt.cxx:531:5 > #5 in SwXTextDefaults::setPropertyValue(rtl::OUString const&, com::sun::star::uno::Any const&) at sw/source/core/unocore/SwXTextDefaults.cxx:118:17 > #6 in writerfilter::dmapper::DomainMapper::DomainMapper(com::sun::star::uno::Reference const&, com::sun::star::uno::Reference const&, com::sun::star::uno::Reference const&, bool, writerfilter::dmapper::SourceDocumentType, utl::MediaDescriptor const&) at writerfilter/source/dmapper/DomainMapper.cxx:161:24 > #7 in writerfilter::dmapper::DomainMapperFactory::createMapper(com::sun::star::uno::Reference const&, com::sun::star::uno::Reference const&, com::sun::star::uno::Reference const&, bool, writerfilter::dmapper::SourceDocumentType, utl::MediaDescriptor const&) at writerfilter/source/dmapper/domainmapperfactory.cxx:33:34 > #8 in (anonymous namespace)::WriterFilter::filter(com::sun::star::uno::Sequence const&) at writerfilter/source/filter/WriterFilter.cxx:185:13 > #9 in SwDOCXReader::Read(SwDoc&, rtl::OUString const&, SwPaM&, rtl::OUString const&) at sw/source/filter/docx/swdocxreader.cxx:86:18 > #10 in SwReader::Read(Reader const&) at sw/source/filter/basflt/shellio.cxx:191:22 > #11 in SwView::InsertMedium(unsigned short, std::unique_ptr >, short) at sw/source/uibase/uiview/view2.cxx:2309:40 [...] 
> previously allocated by thread T0 here: > #0 in operator new(unsigned long) at ~/llvm/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3 > #1 in SvxFontItem::Clone(SfxItemPool*) const at editeng/source/items/textitem.cxx:297:12 > #2 in SfxItemPool::SetPoolDefaultItem(SfxPoolItem const&) at svl/source/items/itempool.cxx:538:42 > #3 in SwDoc::SetDefault(SfxItemSet const&) at sw/source/core/doc/docfmt.cxx:550:23 > #4 in SwDoc::SetDefault(SfxPoolItem const&) at sw/source/core/doc/docfmt.cxx:531:5 > #5 in SwXTextDefaults::setPropertyValue(rtl::OUString const&, com::sun::star::uno::Any const&) at sw/source/core/unocore/SwXTextDefaults.cxx:118:17 > #6 in SvXMLImportPropertyMapper::FillPropertySet_(std::__debug::vector > const&, com::sun::star::uno::Reference const&, com::sun::star::uno::Reference const&, rtl::Reference const&, SvXMLImport&, ContextID_Index_Pair*) at xmloff/source/style/xmlimppr.cxx:509:27 > #7 in SvXMLImportPropertyMapper::FillPropertySet(std::__debug::vector > const&, com::sun::star::uno::Reference const&, ContextID_Index_Pair*) const at xmloff/source/style/xmlimppr.cxx:466:20 > #8 in XMLTextStyleContext::FillPropertySet(com::sun::star::uno::Reference const&) at xmloff/source/text/txtstyli.cxx:456:20 > #9 in XMLTextStyleContext::SetDefaults() at xmloff/source/text/txtstyli.cxx:234:17 > #10 in SvXMLStylesContext::CopyStylesToDoc(bool, bool) at xmloff/source/style/xmlstyle.cxx:752:37 > #11 in SwXMLImport::InsertStyles(bool) at sw/source/filter/xml/xmlfmt.cxx:999:22 [...] Change-Id: I4df8db29054da3eb543e5524fec6cb79e8568b66 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/109363 Tested-by: Jenkins Reviewed-by: Stephan Bergmann --- sw/inc/calbck.hxx | 5 ++++- sw/inc/format.hxx | 23 +---------------------- 2 files changed, 5 insertions(+), 23 deletions(-) (limited to 'sw/inc') diff --git a/sw/inc/calbck.hxx b/sw/inc/calbck.hxx index b5b6ff9a3e30..31df9791291b 100644 --- a/sw/inc/calbck.hxx +++ b/sw/inc/calbck.hxx 
@@ -178,6 +178,7 @@ class SW_DLLPUBLIC SwModify: public SwClient sw::WriterListener* m_pWriterListeners; // the start of the linked list of clients bool m_bModifyLocked : 1; // don't broadcast changes now bool m_bInCache : 1; + bool m_bInSwFntCache : 1; SwModify(SwModify const &) = delete; SwModify &operator =(const SwModify&) = delete; @@ -185,7 +186,7 @@ protected: virtual void SwClientNotify(const SwModify&, const SfxHint& rHint) override; public: SwModify() - : SwClient(), m_pWriterListeners(nullptr), m_bModifyLocked(false), m_bInCache(false) + : SwClient(), m_pWriterListeners(nullptr), m_bModifyLocked(false), m_bInCache(false), m_bInSwFntCache(false) {} // broadcasting mechanism @@ -203,9 +204,11 @@ public: void LockModify() { m_bModifyLocked = true; } void UnlockModify() { m_bModifyLocked = false; } void SetInCache( bool bNew ) { m_bInCache = bNew; } + void SetInSwFntCache( bool bNew ) { m_bInSwFntCache = bNew; } void SetInDocDTOR(); bool IsModifyLocked() const { return m_bModifyLocked; } bool IsInCache() const { return m_bInCache; } + bool IsInSwFntCache() const { return m_bInSwFntCache; } void CheckCaching( const sal_uInt16 nWhich ); bool HasOnlyOneListener() const { return m_pWriterListeners && m_pWriterListeners->IsLast(); } diff --git a/sw/inc/format.hxx b/sw/inc/format.hxx index 96e03b342eec..e596a26bb882 100644 --- a/sw/inc/format.hxx +++ b/sw/inc/format.hxx @@ -22,7 +22,6 @@ #include "swdllapi.h" #include "swatrset.hxx" #include "calbck.hxx" -#include "hintids.hxx" #include class IDocumentSettingAccess; 
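Review bot: The restored `m_bInSwFntCache` bit in `SwModify` (sw/inc/calbck.hxx, first hunk) carries a lifetime invariant that the new code documents nowhere. The ASan report in the commit message shows the cost of missing it: a read in `SwAttrHandler::FontChg` touched an `SvxFontItem` that `SfxItemPool::SetPoolDefaultItem` had already freed. I would add a comment on the member, assuming this is what the flag means, e.g. `bool m_bInSwFntCache : 1; // SwFntCache holds an entry for this object; reset before any item that entry was built from can be freed`, with a matching one-line comment on `SetInSwFntCache`/`IsInSwFntCache` in the third hunk. The reset presumably happens in `CheckCaching` and the destructor, neither of which is visible here, so the comment should also record which notification path the SwFormat-level flag missed, to keep a later retry of this refactoring from reintroducing the use-after-free. The class body starts and ends outside these hunks.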
@@ -60,25 +59,7 @@ class SW_DLLPUBLIC SwFormat : public sw::BroadcastingModify bool m_bAutoUpdateFormat : 1;/**< TRUE: Set attributes of a whole paragraph at format (UI-side!). */ bool m_bHidden : 1; - bool m_bInSwFntCache : 1; std::shared_ptr m_pGrabBagItem; ///< Style InteropGrabBag. - void InvalidateInSwFntCache(sal_uInt16 nWhich) - { - if(isCHRATR(nWhich)) - { - m_bInSwFntCache = false; - } - else - { - switch(nWhich) - { - case RES_OBJECTDYING: - case RES_FMT_CHG: - case RES_ATTRSET_CHG: - m_bInSwFntCache = false; - } - } - }; protected: SwFormat( SwAttrPool& rPool, const char* pFormatNm, @@ -94,9 +75,7 @@ public: SwFormat &operator=(const SwFormat&); /// for Querying of Writer-functions. - sal_uInt16 Which() const { return m_nWhichId; }; - bool IsInSwFntCache() const { return m_bInSwFntCache; }; - void SetInSwFntCache() { m_bInSwFntCache = true; }; + sal_uInt16 Which() const { return m_nWhichId; } /// Copy attributes even among documents. void CopyAttrs( const SwFormat& ); -- cgit