==465572==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400141759c at pc 0x7f073a5b3eed bp 0x7fffe597dc20 sp 0x7fffe597dc18 READ of size 2 at 0x60400141759c thread T0 #0 0x7f073a5b3eec in SfxPoolItem::Which() const include/svl/poolitem.hxx:149:53 #1 0x7f073a6bc923 in SfxItemSet::~SfxItemSet() svl/source/items/itemset.cxx:185:36 #2 0x7f06f880d7f4 in SwAttrSet::~SwAttrSet() sw/inc/swatrset.hxx:154:20 #3 0x7f06f880625c in SwFormat::~SwFormat() sw/source/core/attr/format.cxx:223:1 #4 0x7f06f9b9f056 in SwFrameFormat::~SwFrameFormat() sw/source/core/layout/atrfrm.cxx:2568:1 #5 0x7f06f9b9f0c8 in SwFrameFormat::~SwFrameFormat() sw/source/core/layout/atrfrm.cxx:2540:1 #6 0x7f06f9b8634b in lcl_DelHFFormat(SwClient*, SwFrameFormat*) sw/source/core/layout/atrfrm.cxx:157:9 #7 0x7f06f9b86049 in SwFormatHeader::~SwFormatHeader() sw/source/core/layout/atrfrm.cxx:513:9 #8 0x7f06f9b86dc8 in SwFormatHeader::~SwFormatHeader() sw/source/core/layout/atrfrm.cxx:511:1 #9 0x7f073a6162a2 in SfxItemPool::Delete() svl/source/items/itempool.cxx:562:13 #10 0x7f073a615469 in SfxItemPool::~SfxItemPool() svl/source/items/itempool.cxx:404:9 #11 0x7f06f881b572 in SwAttrPool::~SwAttrPool() sw/source/core/attr/swatrset.cxx:93:1 #12 0x7f06f881b5c8 in SwAttrPool::~SwAttrPool() sw/source/core/attr/swatrset.cxx:87:1 #13 0x7f06f88246dc in salhelper::SimpleReferenceObject::release() include/salhelper/simplereferenceobject.hxx:76:49 #14 0x7f06f8effb72 in rtl::Reference::clear() include/rtl/ref.hxx:196:19 #15 0x7f06f8edc229 in SwDoc::~SwDoc() sw/source/core/doc/docnew.cxx:605:16 #16 0x7f06f8be65af in SwDoc::release() sw/source/core/doc/doc.cxx:119:9 #17 0x7f06f95e7de2 in rtl::Reference::clear() include/rtl/ref.hxx:196:19 #18 0x7f06fb60f382 in SwDocShell::RemoveLink() sw/source/uibase/app/docshini.cxx:443:16 #19 0x7f06fb60eebe in SwDocShell::~SwDocShell() sw/source/uibase/app/docshini.cxx:371:5 #20 0x7f06fb60f53f in SwDocShell::~SwDocShell() sw/source/uibase/app/docshini.cxx:361:1 #21 0x7f06fb60f6b8 in SwDocShell::~SwDocShell() sw/source/uibase/app/docshini.cxx:361:1 #22 0x7f073b7c1081 in SvRefBase::ReleaseRef() include/tools/ref.hxx:163:29 #23 0x7f073b7c0c8e in tools::SvRef::~SvRef() include/tools/ref.hxx:56:36 #24 0x7f073ca8b720 in SfxViewFrame::ReleaseObjectShell_Impl() sfx2/source/view/viewfrm.cxx:1149:5 #25 0x7f073ca98ad5 in SfxViewFrame::~SfxViewFrame() sfx2/source/view/viewfrm.cxx:1816:5 #26 0x7f073ca8fc7c in SfxViewFrame::Close() sfx2/source/view/viewfrm.cxx:1171:5 #27 0x7f073c993e6f in SfxFrame::DoClose_Impl() sfx2/source/view/frame.cxx:135:37 #28 0x7f073ca1e11e in SfxBaseController::dispose() sfx2/source/view/sfxbasecontroller.cxx:981:28 #29 0x7f073e9affb0 in (anonymous namespace)::XFrameImpl::setComponent(com::sun::star::uno::Reference const&, com::sun::star::uno::Reference const&) framework/source/services/frame.cxx:1485:33 #30 0x7f073e521cb4 in framework::CloseDispatcher::implts_establishBackingMode() framework/source/dispatch/closedispatcher.cxx:532:13 #31 0x7f073e5201d6 in framework::CloseDispatcher::impl_asyncCallback(LinkParamNone*) framework/source/dispatch/closedispatcher.cxx:400:20 #32 0x7f073e51ded4 in framework::CloseDispatcher::dispatchWithNotification(com::sun::star::util::URL const&, com::sun::star::uno::Sequence const&, com::sun::star::uno::Reference const&) framework/source/dispatch/closedispatcher.cxx:222:9 #33 0x7f073e99ff97 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, com::sun::star::util::URL const&, bool, com::sun::star::uno::Sequence const&) framework/source/services/dispatchhelper.cxx:163:30 #34 0x7f073e99f7a0 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence const&) framework/source/services/dispatchhelper.cxx:120:16 #35 0x7f073e9a04e4 in non-virtual thunk to framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence const&) framework/source/services/dispatchhelper.cxx #36 0x7f073e854fa0 in framework::LayoutManager::MenuBarClose(void*) framework/source/layoutmanager/layoutmanager.cxx:2549:18 #37 0x7f073e854c0c in framework::LayoutManager::LinkStubMenuBarClose(void*, void*) framework/source/layoutmanager/layoutmanager.cxx:2537:1 #38 0x7f072ec31df0 in Link::Call(void*) const include/tools/link.hxx:111:45 #39 0x7f072ec275de in ImplHandleUserEvent(ImplSVEvent*) vcl/source/window/winproc.cxx:2229:30 #40 0x7f072ec1f410 in ImplWindowFrameProc(vcl::Window*, SalEvent, void const*) vcl/source/window/winproc.cxx:2799:13 #41 0x7f07308ceddd in SalFrame::CallCallback(SalEvent, void const*) const vcl/inc/salframe.hxx:306:29 #42 0x7f073093dd25 in SalGenericDisplay::ProcessEvent(SalUserEventList::SalUserEvent) vcl/unx/generic/app/gendisp.cxx:66:22 #43 0x7f072fdcd2f8 in SalUserEventList::DispatchUserEvents(bool)::$_0::operator()() const vcl/source/app/salusereventlist.cxx:119:58 #44 0x7f072fdccde4 in SalUserEventList::DispatchUserEvents(bool) vcl/source/app/salusereventlist.cxx:120:13 #45 0x7f073093daf4 in SalGenericDisplay::DispatchInternalEvent(bool) vcl/unx/generic/app/gendisp.cxx:51:12 #46 0x7f07126d4569 in call_userEventFn(void*) vcl/unx/gtk3/gtkdata.cxx:824:27 #47 0x7f0734f154ca (/lib64/libglib-2.0.so.0+0x514ca) (BuildId: 8a4c270219135729dff508e4bb3cc03099af40e8) #48 0x7f0734f18fae in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x54fae) (BuildId: 8a4c270219135729dff508e4bb3cc03099af40e8) #49 0x7f0734f6e2c7 (/lib64/libglib-2.0.so.0+0xaa2c7) (BuildId: 8a4c270219135729dff508e4bb3cc03099af40e8) #50 0x7f0734f1693f in g_main_context_iteration (/lib64/libglib-2.0.so.0+0x5293f) (BuildId: 8a4c270219135729dff508e4bb3cc03099af40e8) #51 0x7f07126d1675 in GtkSalData::Yield(bool, bool) vcl/unx/gtk3/gtkdata.cxx:405:31 #52 0x7f07126de5e2 in GtkInstance::DoYield(bool, bool) vcl/unx/gtk3/gtkinst.cxx:429:29 #53 0x7f072ffee764 in ImplYield(bool, bool) vcl/source/app/svapp.cxx:475:48 #54 0x7f072ffed63c in Application::Yield() vcl/source/app/svapp.cxx:559:5 #55 0x7f072ffed07a in Application::Execute() vcl/source/app/svapp.cxx:453:13 #56 0x7f0743adec60 in desktop::Desktop::Main() desktop/source/app/app.cxx:1604:13 #57 0x7f073003f144 in ImplSVMain() vcl/source/app/svmain.cxx:203:35 #58 0x7f0730042d48 in SVMain() vcl/source/app/svmain.cxx:235:12 #59 0x7f0743c07902 in soffice_main desktop/source/app/sofficemain.cxx:94:12 #60 0x515d2c in sal_main desktop/source/app/main.c:51:15 #61 0x515d06 in main desktop/source/app/main.c:49:1 #62 0x7f074322954f in __libc_start_call_main (/lib64/libc.so.6+0x2954f) (BuildId: 6f5ce514a9e7f51e0247a527c3a41ed981c04458) #63 0x7f0743229608 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x29608) (BuildId: 6f5ce514a9e7f51e0247a527c3a41ed981c04458) #64 0x41dcd4 in _start (instdir/program/soffice.bin+0x41dcd4) 0x60400141759c is located 12 bytes inside of 48-byte region [0x604001417590,0x6040014175c0) freed by thread T0 here: #0 0x513908 in operator delete(void*) (instdir/program/soffice.bin+0x513908) #1 0x7f06f9bb1f21 in SwFormatFrameSize::~SwFormatFrameSize() sw/inc/fmtfsize.hxx:43:20 #2 0x7f073a6162a2 in SfxItemPool::Delete() svl/source/items/itempool.cxx:562:13 #3 0x7f073a615469 in SfxItemPool::~SfxItemPool() svl/source/items/itempool.cxx:404:9 #4 0x7f06f881b572 in SwAttrPool::~SwAttrPool() sw/source/core/attr/swatrset.cxx:93:1 #5 0x7f06f881b5c8 in SwAttrPool::~SwAttrPool() sw/source/core/attr/swatrset.cxx:87:1 #6 0x7f06f88246dc in salhelper::SimpleReferenceObject::release() include/salhelper/simplereferenceobject.hxx:76:49 #7 0x7f06f8effb72 in rtl::Reference::clear() include/rtl/ref.hxx:196:19 #8 0x7f06f8edc229 in SwDoc::~SwDoc() sw/source/core/doc/docnew.cxx:605:16 #9 0x7f06f8be65af in SwDoc::release() sw/source/core/doc/doc.cxx:119:9 #10 0x7f06f95e7de2 in rtl::Reference::clear() include/rtl/ref.hxx:196:19 #11 0x7f06fb60f382 in SwDocShell::RemoveLink() sw/source/uibase/app/docshini.cxx:443:16 #12 0x7f06fb60eebe in SwDocShell::~SwDocShell() sw/source/uibase/app/docshini.cxx:371:5 #13 0x7f06fb60f53f in SwDocShell::~SwDocShell() sw/source/uibase/app/docshini.cxx:361:1 #14 0x7f06fb60f6b8 in SwDocShell::~SwDocShell() sw/source/uibase/app/docshini.cxx:361:1 #15 0x7f073b7c1081 in SvRefBase::ReleaseRef() include/tools/ref.hxx:163:29 #16 0x7f073b7c0c8e in tools::SvRef::~SvRef() include/tools/ref.hxx:56:36 #17 0x7f073ca8b720 in SfxViewFrame::ReleaseObjectShell_Impl() sfx2/source/view/viewfrm.cxx:1149:5 #18 0x7f073ca98ad5 in SfxViewFrame::~SfxViewFrame() sfx2/source/view/viewfrm.cxx:1816:5 #19 0x7f073ca8fc7c in SfxViewFrame::Close() sfx2/source/view/viewfrm.cxx:1171:5 #20 0x7f073c993e6f in SfxFrame::DoClose_Impl() sfx2/source/view/frame.cxx:135:37 #21 0x7f073ca1e11e in SfxBaseController::dispose() sfx2/source/view/sfxbasecontroller.cxx:981:28 #22 0x7f073e9affb0 in (anonymous namespace)::XFrameImpl::setComponent(com::sun::star::uno::Reference const&, com::sun::star::uno::Reference const&) framework/source/services/frame.cxx:1485:33 #23 0x7f073e521cb4 in framework::CloseDispatcher::implts_establishBackingMode() framework/source/dispatch/closedispatcher.cxx:532:13 #24 0x7f073e5201d6 in framework::CloseDispatcher::impl_asyncCallback(LinkParamNone*) framework/source/dispatch/closedispatcher.cxx:400:20 #25 0x7f073e51ded4 in framework::CloseDispatcher::dispatchWithNotification(com::sun::star::util::URL const&, com::sun::star::uno::Sequence const&, com::sun::star::uno::Reference const&) framework/source/dispatch/closedispatcher.cxx:222:9 #26 0x7f073e99ff97 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, com::sun::star::util::URL const&, bool, com::sun::star::uno::Sequence const&) framework/source/services/dispatchhelper.cxx:163:30 #27 0x7f073e99f7a0 in framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence const&) framework/source/services/dispatchhelper.cxx:120:16 #28 0x7f073e9a04e4 in non-virtual thunk to framework::DispatchHelper::executeDispatch(com::sun::star::uno::Reference const&, rtl::OUString const&, rtl::OUString const&, int, com::sun::star::uno::Sequence const&) framework/source/services/dispatchhelper.cxx #29 0x7f073e854fa0 in framework::LayoutManager::MenuBarClose(void*) framework/source/layoutmanager/layoutmanager.cxx:2549:18 previously allocated by thread T0 here: #0 0x512ec8 in operator new(unsigned long) (instdir/program/soffice.bin+0x512ec8) #1 0x7f06f9b82f11 in SwFormatFrameSize::Clone(SfxItemPool*) const sw/source/core/layout/atrfrm.cxx:256:12 #2 0x7f073a619801 in SfxItemPool::PutImpl(SfxPoolItem const&, unsigned short, bool) svl/source/items/itempool.cxx:729:26 #3 0x7f073a6c1025 in SfxItemSet::PutImpl(SfxPoolItem const&, unsigned short, bool) svl/source/items/itemset.cxx:494:56 #4 0x7f06f8693c9c in SfxItemSet::Put(SfxPoolItem const&, unsigned short) include/svl/itemset.hxx:185:14 #5 0x7f06f8687a78 in SfxItemSet::Put(SfxPoolItem const&) include/svl/itemset.hxx:189:42 #6 0x7f06fc2e67a2 in FillHdFt(SwFrameFormat*, SfxItemSet const&) sw/source/uibase/utlui/uitool.cxx:241:10 #7 0x7f06fc2e5529 in ItemSetToPageDesc(SfxItemSet const&, SwPageDesc&) sw/source/uibase/utlui/uitool.cxx:340:13 #8 0x7f06fb6493bb in SwDocStyleSheet::SetItemSet(SfxItemSet const&, bool) sw/source/uibase/app/docstyle.cxx:1700:13 #9 0x7f06fada1be5 in (anonymous namespace)::SwXPageStyle::SetPropertyValues_Impl(com::sun::star::uno::Sequence const&, com::sun::star::uno::Sequence const&) sw/source/core/unocore/unostyle.cxx:3065:33 #10 0x7f06fad9d6d2 in (anonymous namespace)::SwXPageStyle::setPropertyValue(rtl::OUString const&, com::sun::star::uno::Any const&) sw/source/core/unocore/unostyle.cxx:3365:5 #11 0x7f06f2ca1846 in writerfilter::dmapper::DomainMapper_Impl::PushPageHeaderFooter(bool, writerfilter::dmapper::SectionPropertyMap::PageType) writerfilter/source/dmapper/DomainMapper_Impl.cxx:3170:25 #12 0x7f06f2ca28af in writerfilter::dmapper::DomainMapper_Impl::PushPageHeader(writerfilter::dmapper::SectionPropertyMap::PageType) writerfilter/source/dmapper/DomainMapper_Impl.cxx:3197:5 #13 0x7f06f2d1ea26 in writerfilter::dmapper::DomainMapper_Impl::substream(unsigned int, tools::SvRef > const&) writerfilter/source/dmapper/DomainMapper_Impl.cxx:8548:13 #14 0x7f06f2b732c1 in writerfilter::dmapper::DomainMapper::lcl_substream(unsigned int, tools::SvRef >) writerfilter/source/dmapper/DomainMapper.cxx:4071:14 #15 0x7f06f2ed403e in writerfilter::LoggedStream::substream(unsigned int, tools::SvRef >) writerfilter/source/dmapper/LoggedResources.cxx:272:5 #16 0x7f06f3162aaa in writerfilter::ooxml::OOXMLDocumentImpl::resolveFastSubStreamWithId(writerfilter::Stream&, tools::SvRef > const&, unsigned int) writerfilter/source/ooxml/OOXMLDocumentImpl.cxx:124:13 #17 0x7f06f3167e89 in writerfilter::ooxml::OOXMLDocumentImpl::resolveHeader(writerfilter::Stream&, int, rtl::OUString const&) writerfilter/source/ooxml/OOXMLDocumentImpl.cxx:380:10 #18 0x7f06f3190661 in writerfilter::ooxml::OOXMLFastContextHandler::resolveHeader(int, rtl::OUString const&) writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:888:35 #19 0x7f06f3154ab8 in writerfilter::ooxml::OOXMLHeaderHandler::finalize() writerfilter/source/ooxml/Handler.cxx:214:20 #20 0x7f06f3193795 in writerfilter::ooxml::OOXMLFastContextHandlerProperties::handleHdrFtr() writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:1113:28 #21 0x7f06f33a511c in writerfilter::ooxml::OOXMLFactory_wml::endAction(writerfilter::ooxml::OOXMLFastContextHandler*) workdir/CustomTarget/writerfilter/source/ooxml/OOXMLFactory_wml.cxx:7448:26 #22 0x7f06f31840eb in writerfilter::ooxml::OOXMLFactory::endAction(writerfilter::ooxml::OOXMLFastContextHandler*) writerfilter/source/ooxml/OOXMLFactory.cxx:157:19 #23 0x7f06f318a4b4 in writerfilter::ooxml::OOXMLFastContextHandler::endAction() writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:316:5 #24 0x7f06f3192970 in writerfilter::ooxml::OOXMLFastContextHandlerProperties::lcl_endFastElement(int) writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:1034:9 #25 0x7f06f3189b55 in writerfilter::ooxml::OOXMLFastContextHandler::endFastElement(int) writerfilter/source/ooxml/OOXMLFastContextHandler.cxx:222:9 #26 0x7f0701cc7570 in (anonymous namespace)::Entity::endElement() sax/source/fastparser/fastparser.cxx:515:27 #27 0x7f0701cc7217 in sax_fastparser::FastSaxParserImpl::callbackEndElement() sax/source/fastparser/fastparser.cxx:1344:17 #28 0x7f0701cbec78 in (anonymous namespace)::call_callbackEndElement(void*, unsigned char const*, unsigned char const*, unsigned char const*) sax/source/fastparser/fastparser.cxx:339:18 #29 0x7f0741faa6f4 (/lib64/libxml2.so.2+0x1346f4) (BuildId: aadf5879c68f117634a6bd13135e48749e846fc9) SUMMARY: AddressSanitizer: heap-use-after-free include/svl/poolitem.hxx:149:53 in SfxPoolItem::Which() const Shadow bytes around the buggy address: 0x0c088027ae60: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 02 fa 0x0c088027ae70: fa fa 00 00 00 00 00 02 fa fa 00 00 00 00 00 fa 0x0c088027ae80: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 02 fa 0x0c088027ae90: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 05 fa 0x0c088027aea0: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa =>0x0c088027aeb0: fa fa fd[fd]fd fd fd fd fa fa fd fd fd fd fd fd 0x0c088027aec0: fa fa 00 00 00 00 00 04 fa fa 00 00 00 00 00 04 0x0c088027aed0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 02 fa 0x0c088027aee0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 02 0x0c088027aef0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa 0x0c088027af00: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 06 fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==465572==ABORTING