libreoffice/sw/source/core/access/accpreview.hxx
Michael Stahl 0c2229dcab tdf#58624 sw: fix ~SwAccessibleContext() use-after-free race
As seen in JunitTest_toolkit_unoapi_1:

Method doAccessibleAction() finished with state OK
LOG> doAccessibleAction(): COMPLETED.OK
debug:27272:12:  -SwAccessibleParagraph mutexwait 0x3fd9f50
debug:27272:9:  SwAccessibleContext::Dispose 0x3872620 11SwRootFrame
debug:27272:9:  SwAccessibleContext::DisposeChildren 0x4047c80 0x386d600 11SwPageFrame
debug:27272:9:  SwAccessibleContext::DisposeChildren xAcc 0
debug:27272:9:  SwAccessibleContext::DisposeChildren 0x4047c80 0x386cef0 11SwBodyFrame
debug:27272:9:  SwAccessibleContext::DisposeChildren xAcc 0
debug:27272:9:  SwAccessibleContext::DisposeChildren 0x4047c80 0x3878fe0 11SwTextFrame
debug:27272:9:  SwAccessibleContext::DisposeChildren xAcc 0
debug:27272:9:  SwAccessibleMap::RemoveContext erase 0x3872620
debug:27272:9:  ~SwAccessibleMap: frame entry 0x3878fe0
debug:27272:9:  ~SwAccessibleMap: mpFrameMap 0x3eb64a0
debug:27272:9:  ~SwAccessibleMap: mpShapeMap 0
soffice.bin: sw/source/core/access/accmap.cxx:1726: virtual SwAccessibleMap::~SwAccessibleMap(): Assertion `(!mpFrameMap || mpFrameMap->empty()) && "Frame map should be empty after disposing the root frame"'

The problem here is that thread 12 is blocked on SolarMutex in
~SwAccessibleParagraph(), while thread 9 is in ~SwAccessibleMap().

This means that in SwAccessibleContext::DisposeChildren(), the
WeakReference to the SwAccessibleParagraph cannot create a
uno::Reference because its reference count is 0, so
SwAccessibleContext::Dispose() is not called on it and it remains
in the SwAccessibleMap::mpFrameMap.

This triggers the assert and later on ~SwAccessibleContext() would
access the deleted SwAccessibleMap and crash.

To fix this, introduce a weak reference from SwAccessibleContext to
SwAccessibleMap; use a std::weak_ptr because that is not derived from
OWeakObject.

The weak_ptr is only used in the dtor ~SwAccessibleContext(); as
long as the ref-count of SwAccessibleContext is > 0 it is guaranteed
that the SwAccessibleContext::m_pMap is either null or valid,
as the recursive Dispose() will work fine.

It is possible that additional temporary owning references could delay
the destruction of SwAccessibleMap, and the order of destruction
of Writer documents is very fragile, so rely on the SolarMutex lock
to prevent that; the only shared_ptr that owns SwAccessibleMap while
SolarMutex is not locked is the one in SwViewShellImp.

(An alternative fix would be to represent the 3 lifecycle stages of
SwAccessibleContext by adding a C++-pointer to the
SwAccessibleMap::mpFrameMap, so that DisposeChildren() can, if
the WeakReference is no longer valid due to ref-count 0, use the
pointer and clear SwAccessibleContext::m_pMap - this and the
corresponding call to SwAccessibleMap::RemoveContext() from
~SwAccessibleContext() under a mutex that is shared_ptr-owned by
SwAccessibleMap and all SwAccessibleContext.)

Change-Id: If2b44c79189e3b3d276491a5c57d5404bb2be71a
2017-03-24 14:35:35 +01:00
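The lifetime rule the commit message describes (a context keeps only a std::weak_ptr to its map, and the destructor either locks it for the whole unregister call or skips the call because the map is already gone) in a self-contained form. This is an added illustration, not LibreOffice code: Map, Context, DtorStats, DestroyContextFirst and DestroyMapFirst are stand-ins chosen for this example, the UNO ref-counting and SolarMutex are not modelled, and the "map destroyed first" scenario is produced directly by resetting the last shared_ptr rather than by the thread race in the log.

```cpp
#include <cstddef>
#include <memory>
#include <set>

// Counters written by ~Context so a caller can see which branch the destructor took.
struct DtorStats {
    int removedFromMap = 0;   // map was still alive: RemoveContext() ran
    int mapAlreadyGone = 0;   // weak_ptr had expired: RemoveContext() skipped
};

// Stand-in for SwAccessibleMap (hypothetical name). It tracks live contexts by
// pointer, the role mpFrameMap plays, but does not own them; the ref-counted
// UNO side that owns the contexts is not modelled here.
class Map {
    std::set<const void*> m_live;
public:
    void AddContext(const void* ctx)    { m_live.insert(ctx); }
    void RemoveContext(const void* ctx) { m_live.erase(ctx); }
    std::size_t LiveCount() const       { return m_live.size(); }
};

// Stand-in for SwAccessibleContext after the fix: m_pMap is a std::weak_ptr.
// With a raw Map* the destructor below would dereference freed memory whenever
// the map's last owner released it first, which is the race in the log above.
class Context {
    std::weak_ptr<Map> m_pMap;
    DtorStats* m_stats;
public:
    Context(std::shared_ptr<Map> const& pMap, DtorStats* stats)
        : m_pMap(pMap), m_stats(stats)
    {
        pMap->AddContext(this);
    }
    ~Context() {
        // lock() returns an empty shared_ptr once every owner of the map is gone,
        // so the map is either kept valid for the whole call or not touched at all.
        if (std::shared_ptr<Map> pMap = m_pMap.lock()) {
            pMap->RemoveContext(this);
            ++m_stats->removedFromMap;
        } else {
            ++m_stats->mapAlreadyGone;
        }
    }
};

// Normal order: the context is destroyed while the map is still owned.
// Returns the number of contexts left registered in the map, expected 0.
std::size_t DestroyContextFirst(DtorStats& stats) {
    auto pMap = std::make_shared<Map>();
    {
        Context ctx(pMap, &stats);
    }   // ~Context finds the map alive and unregisters itself
    return pMap->LiveCount();
}

// The order from the commit message: the map's last owner (SwViewShellImp in
// Writer) releases it while a context still exists, for example because that
// context's destructor is parked waiting for SolarMutex. Returns true when the
// context's destructor ran after the map was gone and took the "expired" branch.
bool DestroyMapFirst(DtorStats& stats) {
    auto pMap = std::make_shared<Map>();
    auto ctx = std::make_unique<Context>(pMap, &stats);
    pMap.reset();           // last owner gone: the map is destroyed here
    int before = stats.mapAlreadyGone;
    ctx.reset();            // ~Context must not dereference the map
    return stats.mapAlreadyGone == before + 1;
}

int main() {
    DtorStats stats;
    bool ok = DestroyContextFirst(stats) == 0 && DestroyMapFirst(stats);
    return ok ? 0 : 1;
}
```

Built with -fsanitize=address, the same two scenarios with a raw Map* in Context would report a heap-use-after-free in the second one; with the weak_ptr both run clean. Note that the example only shows the destructor side; the commit message's point that the shared_ptr returned by lock() must not outlive the SolarMutex scope (so it cannot delay ~SwAccessibleMap) is why the locked pointer above is scoped to the if statement.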


/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
 * This file is part of the LibreOffice project.
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * This file incorporates work covered by the following license notice:
 *
 *   Licensed to the Apache Software Foundation (ASF) under one or more
 *   contributor license agreements. See the NOTICE file distributed
 *   with this work for additional information regarding copyright
 *   ownership. The ASF licenses this file to you under the Apache
 *   License, Version 2.0 (the "License"); you may not use this file
 *   except in compliance with the License. You may obtain a copy of
 *   the License at http://www.apache.org/licenses/LICENSE-2.0 .
 */

#ifndef INCLUDED_SW_SOURCE_CORE_ACCESS_ACCPREVIEW_HXX
#define INCLUDED_SW_SOURCE_CORE_ACCESS_ACCPREVIEW_HXX

#include "accdoc.hxx"

/**
 * accessibility implementation for the page preview.
 * The children of the page preview are the pages that are visible in the
 * preview.
 *
 * The vast majority of the implementation logic is inherited from
 * SwAccessibleDocumentBase.
 */
class SwAccessiblePreview : public SwAccessibleDocumentBase
{
    virtual ~SwAccessiblePreview() override;

public:
    SwAccessiblePreview(std::shared_ptr<SwAccessibleMap> const& pMap);

    // XServiceInfo

    /** Returns an identifier for the implementation of this object.
    */
    virtual OUString SAL_CALL
        getImplementationName() override;

    /** Return whether the specified service is supported by this class.
    */
    virtual sal_Bool SAL_CALL
        supportsService (const OUString& sServiceName) override;

    /** Returns a list of all supported services.  In this case that is just
        the AccessibleContext service.
    */
    virtual css::uno::Sequence< OUString> SAL_CALL
        getSupportedServiceNames() override;

    // XTypeProvider
    virtual css::uno::Sequence< sal_Int8 > SAL_CALL getImplementationId(  ) override;

    OUString SAL_CALL getAccessibleDescription() override;
    OUString SAL_CALL getAccessibleName() override;

    virtual void InvalidateFocus_() override;
};

#endif

/* vim:set shiftwidth=4 softtabstop=4 expandtab: */