include/sfx2/objsh.hxx                      |    6 +++---
 sfx2/source/doc/objcont.cxx                 |    2 +-
 sfx2/source/doc/objxtor.cxx                 |   15 ++++++++-------
 sw/source/core/doc/DocumentTimerManager.cxx |    2 ++
 4 files changed, 14 insertions(+), 11 deletions(-)

New commits:
commit bc5f1be248c2b4bb305fcb9256f3beeed6c214af
Author:     Mike Kaganski <mike.kagan...@collabora.com>
AuthorDate: Wed Aug 14 14:09:30 2024 +0500
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Tue Aug 20 13:58:21 2024 +0200

    Disallow closing document during idle layout
    
    Similar to commit 99c1bd1a4ef5365d8c26a41c8e858c67e673beb4 (Disallow
    closing document during generation of preview, 2024-03-11), it may
    happen that an external process closes a document that is in the middle
    of a background layout pass, leading to a use-after-free.
    
    The request thread at the crash time, executing XComponent::dispose:
    
     swlo.dll!SwNoTextFrame::~SwNoTextFrame() Line 170
     swlo.dll!SwNoTextFrame::`scalar deleting destructor'(unsigned int)
     swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 397
     swlo.dll!SwFlyFrame::DeleteCnt() Line 424
     swlo.dll!SwFlyFrame::DestroyImpl() Line 358
     swlo.dll!SwFlyFreeFrame::DestroyImpl() Line 89
     swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 396
     swlo.dll!SwLayoutFrame::DestroyImpl() Line 516
     swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 396
     swlo.dll!SwLayoutFrame::DestroyImpl() Line 540
     swlo.dll!SwPageFrame::DestroyImpl() Line 317
     swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 396
     swlo.dll!SwLayoutFrame::DestroyImpl() Line 540
     swlo.dll!SwRootFrame::DestroyImpl() Line 570
     swlo.dll!SwFrame::DestroyFrame(SwFrame * const pFrame) Line 396
     swlo.dll!std::_Ref_count_resource<SwRootFrame *,void (__cdecl*)(SwFrame 
*)>::_Destroy() Line 1222
     swlo.dll!std::_Ref_count_base::_Decref() Line 1164
     swlo.dll!std::_Ptr_base<SwRootFrame>::_Decref() Line 1380
     swlo.dll!std::shared_ptr<SwRootFrame>::~shared_ptr<SwRootFrame>() Line 1685
     swlo.dll!SwViewShell::~SwViewShell() Line 354
     swlo.dll!SwCursorShell::~SwCursorShell() Line 3440
     swlo.dll!SwEditShell::~SwEditShell() Line 63
     swlo.dll!SwFEShell::~SwFEShell() Line 699
     swlo.dll!SwWrtShell::~SwWrtShell() Line 2065
     swlo.dll!SwWrtShell::`scalar deleting destructor'(unsigned int)
     swlo.dll!std::default_delete<SwWrtShell>::operator()(SwWrtShell * _Ptr) 
Line 3302
     
swlo.dll!std::unique_ptr<SwWrtShell,std::default_delete<SwWrtShell>>::reset(SwWrtShell
 * _Ptr) Line 3447
     swlo.dll!SwView::~SwView() Line 1196
     swlo.dll!SwView::`vector deleting destructor'(unsigned int)
     sfxlo.dll!SfxViewFrame::ReleaseObjectShell_Impl() Line 1140
     sfxlo.dll!SfxViewFrame::~SfxViewFrame() Line 2059
     sfxlo.dll!SfxViewFrame::`scalar deleting destructor'(unsigned int)
     sfxlo.dll!SfxViewFrame::Close() Line 1192
     sfxlo.dll!SfxFrame::DoClose_Impl() Line 138
     sfxlo.dll!SfxBaseController::dispose() Line 928
     fwklo.dll!`anonymous namespace'::XFrameImpl::setComponent(const 
com::sun::star::uno::Reference<com::sun::star::awt::XWindow> & 
xComponentWindow, const 
com::sun::star::uno::Reference<com::sun::star::frame::XController> & 
xController) Line 1496
     fwklo.dll!`anonymous namespace'::XFrameImpl::close(unsigned char 
bDeliverOwnership) Line 1707
     sfxlo.dll!SfxFrame::DoClose() Line 104
     sfxlo.dll!SfxViewFrame::Notify(SfxBroadcaster & __formal, const SfxHint & 
rHint) Line 1820
     svllo.dll!SfxBroadcaster::Broadcast(const SfxHint & rHint) Line 40
     sfxlo.dll!`anonymous 
namespace'::SfxModelListener_Impl::notifyClosing(const 
com::sun::star::lang::EventObject & __formal) Line 154
     sfxlo.dll!SfxBaseModel::close(unsigned char bDeliverOwnership) Line 1511
     swlo.dll!SwXTextDocument::close(unsigned char bDeliverOwnership) Line 574
     sfxlo.dll!SfxBaseModel::dispose() Line 745
     swlo.dll!SwXTextDocument::dispose() Line 561
     mscx_uno.dll!`anonymous 
namespace'::cpp_call(bridges::cpp_uno::shared::UnoInterfaceProxy * pThis, 
bridges::cpp_uno::shared::VtableSlot aVtableSlot, 
_typelib_TypeDescriptionReference * pReturnTypeRef, long nParams, 
_typelib_MethodParameter * pParams, void * pUnoReturn, void * * pUnoArgs, 
_uno_Any * * ppUnoExc) Line 214
     mscx_uno.dll!unoInterfaceProxyDispatch(_uno_Interface * pUnoI, const 
_typelib_TypeDescription * pMemberTD, void * pReturn, void * * pArgs, _uno_Any 
* * ppException) Line 430
     
binaryurplo.dll!binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny 
* returnValue, 
std::vector<binaryurp::BinaryAny,std::allocator<binaryurp::BinaryAny>> * 
outArguments) Line 239
     binaryurplo.dll!binaryurp::IncomingRequest::execute() Line 79
     binaryurplo.dll!request(void * pThreadSpecificData) Line 84
     cppu3.dll!cppu_threadpool::JobQueue::enter(const void * nDisposeId, bool 
bReturnWhenNoJob) Line 101
     cppu3.dll!cppu_threadpool::ORequestThread::run() Line 165
     cppu3.dll!threadFunc(void * param) Line 190
     sal3.dll!oslWorkerWrapperFunction(void * pData) Line 67
    
    Main thread, doing an idle layout of the same document:
    
     emboleobj.dll!OleComponent::SetExtent(const com::sun::star::awt::Size & 
aVisAreaSize, __int64 nAspect) Line 1099
     emboleobj.dll!OleEmbeddedObject::setVisualAreaSize(__int64 nAspect, const 
com::sun::star::awt::Size & aSize) Line 138
     swlo.dll!SwWrtShell::CalcAndSetScale(svt::EmbeddedObjectRef & xObj, const 
SwRect * pFlyPrtRect, const SwRect * pFlyFrameRect, const bool 
bNoTextFramePrtAreaChanged) Line 777
     swlo.dll!SwContentNotify::ImplDestroy() Line 926
     swlo.dll!SwContentNotify::~SwContentNotify() Line 1037
     swlo.dll!SwNoTextFrame::MakeAll(OutputDevice * pRenderContext) Line 584
     swlo.dll!SwFrame::OptPrepareMake() Line 412
     swlo.dll!SwFrame::OptCalc() Line 1110
     swlo.dll!SwLayAction::FormatContent_(const SwContentFrame * pContent, 
const SwPageFrame * pPage) Line 1969
     swlo.dll!SwLayAction::FormatFlyContent(const SwFlyFrame * pFly) Line 1994
     swlo.dll!SwObjectFormatter::FormatObj_(SwAnchoredObject & _rAnchoredObj) 
Line 312
     swlo.dll!SwObjectFormatterTextFrame::DoFormatObj(SwAnchoredObject & 
_rAnchoredObj, const bool _bCheckForMovedFwd) Line 133
     swlo.dll!SwObjectFormatter::FormatObjsAtFrame_(SwTextFrame * 
_pMasterTextFrame) Line 414
     swlo.dll!SwObjectFormatterTextFrame::DoFormatObjs() Line 348
     swlo.dll!SwObjectFormatter::FormatObjsAtFrame(SwFrame & _rAnchorFrame, 
const SwPageFrame & _rPageFrame, SwLayAction * _pLayAction) Line 160
     swlo.dll!SwLayAction::FormatContent(SwPageFrame * pPage) Line 1802
     swlo.dll!SwLayAction::InternalAction(OutputDevice * pRenderContext) Line 
607
     swlo.dll!SwLayAction::Action(OutputDevice * pRenderContext) Line 390
     swlo.dll!SwLayIdle::SwLayIdle(SwRootFrame * pRt, SwViewShellImp * pI) Line 
2372
     swlo.dll!SwViewShell::LayoutIdle() Line 827
     swlo.dll!sw::DocumentTimerManager::DoIdleJobs(Timer * __formal) Line 176
     swlo.dll!sw::DocumentTimerManager::LinkStubDoIdleJobs(void * instance, 
Timer * data) Line 156
     vcllo.dll!Link<Timer *,void>::Call(Timer * data) Line 111
     vcllo.dll!Timer::Invoke() Line 75
     vcllo.dll!Scheduler::CallbackTaskScheduling() Line 509
     vcllo.dll!SalTimer::CallCallback() Line 53
     vclplug_winlo.dll!WinSalTimer::ImplHandleElapsedTimer() Line 169
     vclplug_winlo.dll!ImplSalYield(bool bWait, bool bHandleAllCurrentEvents) 
Line 525
     vclplug_winlo.dll!WinSalInstance::DoYield(bool bWait, bool 
bHandleAllCurrentEvents) Line 581
     vcllo.dll!ImplYield(bool i_bWait, bool i_bAllEvents) Line 385
     vcllo.dll!Application::Yield() Line 473
     vcllo.dll!Application::Execute() Line 361
     sofficeapp.dll!desktop::Desktop::Main() Line 1652
     vcllo.dll!ImplSVMain() Line 229
     vcllo.dll!SVMain() Line 262
     sofficeapp.dll!soffice_main() Line 121
     soffice.bin!sal_main() Line 51
     soffice.bin!main(int argc, char * * argv) Line 49
     soffice.bin!invoke_main() Line 79
     soffice.bin!__scrt_common_main_seh() Line 288
     soffice.bin!__scrt_common_main() Line 331
     soffice.bin!mainCRTStartup(void * __formal) Line 17
    
    Change-Id: I92102a9cd11ccde307b070ebc1984eb3d17d65bf
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171856
    Reviewed-by: Mike Kaganski <mike.kagan...@collabora.com>
    Tested-by: Jenkins
    (cherry picked from commit 8fc13f7d54e8cabd655afb6e04281ed5a58f5d95)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171995
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>

diff --git a/include/sfx2/objsh.hxx b/include/sfx2/objsh.hxx
index eececb850bd9..ab8540bf86fa 100644
--- a/include/sfx2/objsh.hxx
+++ b/include/sfx2/objsh.hxx
@@ -842,14 +842,14 @@ public:
         }
     };
 
-class SfxCloseVetoLock
+class SFX2_DLLPUBLIC SfxCloseVetoLock
 {
 public:
-    SfxCloseVetoLock(const SfxObjectShell& rDocShell);
+    SfxCloseVetoLock(const SfxObjectShell* pDocShell);
     ~SfxCloseVetoLock();
 
 private:
-    const SfxObjectShell& m_rDocShell;
+    const SfxObjectShell* mpDocShell;
 };
 
 typedef rtl::Reference<SfxObjectShell> SfxObjectShellRef;
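Review bot: SfxCloseVetoLock is now exported and holds a non-owning raw pointer whose destructor side effect (the atomic decrement of m_nClosingLockLevel) must run exactly once per construction, yet the class still has implicitly generated copy constructor and copy assignment, so an accidental copy would decrement twice and could release the veto, or run the deferred close, while a lock is still nominally held. Add `SfxCloseVetoLock(const SfxCloseVetoLock&) = delete;` and `SfxCloseVetoLock& operator=(const SfxCloseVetoLock&) = delete;` next to the destructor, and mark the single-argument constructor `explicit` so a bare `SfxObjectShell*` cannot silently convert into a lock. The class also deserves a header comment stating that it keeps the document model from being closed for as long as it lives, that a null shell makes it a no-op, and that the caller must guarantee the shell outlives the lock because the lock holds no reference of its own.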
diff --git a/sfx2/source/doc/objcont.cxx b/sfx2/source/doc/objcont.cxx
index 7c1f6b72014c..ba4864fa9a7b 100644
--- a/sfx2/source/doc/objcont.cxx
+++ b/sfx2/source/doc/objcont.cxx
@@ -105,7 +105,7 @@ SfxObjectShell::GetPreviewMetaFile( bool bFullContent ) 
const
 
 BitmapEx SfxObjectShell::GetPreviewBitmap() const
 {
-    SfxCloseVetoLock lock(*this);
+    SfxCloseVetoLock lock(this);
     ScopedVclPtrInstance< VirtualDevice > pDevice;
     pDevice->SetAntialiasing(AntialiasingFlags::Enable | 
pDevice->GetAntialiasing());
     if(!CreatePreview_Impl(/*bFullContent*/false, pDevice, nullptr))
diff --git a/sfx2/source/doc/objxtor.cxx b/sfx2/source/doc/objxtor.cxx
index 592b1e7468a5..453cc379f60b 100644
--- a/sfx2/source/doc/objxtor.cxx
+++ b/sfx2/source/doc/objxtor.cxx
@@ -346,20 +346,21 @@ SfxObjectShell::~SfxObjectShell()
     }
 }
 
-SfxCloseVetoLock::SfxCloseVetoLock(const SfxObjectShell& rDocShell)
-    : m_rDocShell(rDocShell)
+SfxCloseVetoLock::SfxCloseVetoLock(const SfxObjectShell* pDocShell)
+    : mpDocShell(pDocShell)
 {
-    osl_atomic_increment(&m_rDocShell.Get_Impl()->m_nClosingLockLevel);
+    if (mpDocShell)
+        osl_atomic_increment(&mpDocShell->Get_Impl()->m_nClosingLockLevel);
 }
 
 SfxCloseVetoLock::~SfxCloseVetoLock()
 {
-    if (osl_atomic_decrement(&m_rDocShell.Get_Impl()->m_nClosingLockLevel) == 
0)
+    if (mpDocShell && 
osl_atomic_decrement(&mpDocShell->Get_Impl()->m_nClosingLockLevel) == 0)
     {
-        if (m_rDocShell.Get_Impl()->m_bCloseModelScheduled)
+        if (mpDocShell->Get_Impl()->m_bCloseModelScheduled)
         {
-            m_rDocShell.Get_Impl()->m_bCloseModelScheduled = false; // pass 
ownership
-            if (rtl::Reference model = 
static_cast<SfxBaseModel*>(m_rDocShell.GetBaseModel().get()))
+            mpDocShell->Get_Impl()->m_bCloseModelScheduled = false; // pass 
ownership
+            if (rtl::Reference model = 
static_cast<SfxBaseModel*>(mpDocShell->GetBaseModel().get()))
             {
                 try
                 {
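Review bot: The destructor's decrement-then-check sequence on m_nClosingLockLevel and m_bCloseModelScheduled is only correct if it is serialized against the close() path that raises the flag: the counter is updated atomically but the bool is a plain member, and the commit's own traces show the two sides running on different threads. If both paths execute under the SolarMutex, as I would expect here, that is fine, but the assumption should be written down, e.g. `// Serialized with SfxBaseModel::close() by the SolarMutex; the flag itself is not atomic.` above the decrement. The new null check in the constructor also deserves a one-line why comment, such as `// A null shell (no SfxObjectShell available) makes the lock a no-op.`, since the commit message does not say where a null shell comes from. The destructor body continues past the end of the hunk.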
diff --git a/sw/source/core/doc/DocumentTimerManager.cxx 
b/sw/source/core/doc/DocumentTimerManager.cxx
index 13f85a2026c8..44df4c33729d 100644
--- a/sw/source/core/doc/DocumentTimerManager.cxx
+++ b/sw/source/core/doc/DocumentTimerManager.cxx
@@ -158,6 +158,8 @@ IMPL_LINK_NOARG( DocumentTimerManager, DoIdleJobs, Timer*, 
void )
 #ifdef TIMELOG
     static ::rtl::Logfile* pModLogFile = new ::rtl::Logfile( "First 
DoIdleJobs" );
 #endif
+    SfxCloseVetoLock lock(m_rDoc.GetDocShell());
+
     BlockIdling();
     StopIdling();
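Review bot: The new guard at the top of DoIdleJobs carries no comment, and the reason for it is non-obvious: it defers an XComponent::dispose() arriving from another thread until the idle layout pass has finished, so the SwRootFrame being formatted is not destroyed underneath it. Suggest `// Veto document close for the duration of the idle jobs: a concurrent dispose() from a UNO request thread would otherwise destroy the layout while it is being formatted.` above the declaration. `m_rDoc.GetDocShell()` may evidently return null, which is presumably why the lock was changed to take a pointer; in that case the guard is a no-op, which is only acceptable if such a document cannot be closed externally, and a short comment saying so would help the next reader. The function body continues past the hunk, so the lock's lifetime covers everything that follows, including the deferred close being executed from within this timer callback when the lock goes out of scope.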
 
