[Crash] Variable Link causes SIGSEGV in _LinkBaseExtension::extensionExecute()_

[FlachyJoe]

Is there an existing issue for this?

• I have searched the existing issues

Problem description

With the file below, setting Caisson001.LinkCopyOnChange to Tracking causes a segmentation error at L330

FreeCAD/src/App/Link.cpp

Lines 322 to 332 in 0dcfe94

	PropertyPythonObject *proxy = nullptr;
	if(getLinkExecuteProperty()
	&& !boost::iequals(getLinkExecuteValue(), "none")
	&& (!_LinkOwner.getValue()
	|| !container->getDocument()->getObjectByID(_LinkOwner.getValue())))
	{
	// Check if this is an element link. Do not invoke appLinkExecute()
	// if so, because it will be called from the link array.
	proxy = Base::freecad_dynamic_cast<PropertyPythonObject>(
	linked->getPropertyByName("Proxy"));
	}

It seems linked doesn't point to a valid DocumentObject

Ping @realthunder

Full version info

OS: Debian GNU/Linux trixie/sid (XFCE/xfce)
Word size of FreeCAD: 64-bit
Version: 0.22.0dev.35823 (Git)
Build type: Release
Branch: main
Hash: 087263547dedb4d58ee31a54d96b8db1509eb44f
Python 3.11.7, Qt 5.15.10, Coin 4.0.2, Vtk 9.1.0, OCC 7.6.3
Locale: English/United States (en_US)

Subproject(s) affected?

Core

Anything else?

Steps to reproduce:

1. Open VariableLink_CrashTest.zip
2. Set the LinkCopyOnChange property of Caisson001 object to Tracking
3. Recompute twice (because of hidden references some objects are still touched after the first)
4. FreeCAD crash

Code of Conduct

• I agree to follow this project's Code of Conduct

[wwmayer]

It's a typical heap-use-after-free crash.

Inside LinkBaseExtension::extensionExecute() there is the pointer linked and it's checked whether it's null. The call of syncCopyOnChange() removes and deletes many objects -- including the object linked points to. So, at this time it has become a dangling pointer. Since it's used further down it causes undefined behaviour and usually leads to a crash.

A fix would be to replace
DocumentObject* linked = getTrueLinkedObject(true);
with
App::WeakPtrT<DocumentObject> linked(getTrueLinkedObject(true));
and do the necessary changes. After the call of syncCopyOnChange() it must be re-checked if the object is still valid.