https://bugs.documentfoundation.org/show_bug.cgi?id=153922
V Stuart Foote <vsfo...@libreoffice.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vsfo...@libreoffice.org
             Status|NEEDINFO                    |NEW

--- Comment #10 from V Stuart Foote <vsfo...@libreoffice.org> ---
Confirmed, can watch the "leak" as the embedded chart is grabbed and moved around the slide--usage builds to the 2GB of dedicated memory (16GB shared available) and then the overflow crash.

Version: 7.5.1.2 (X86_64) / LibreOffice Community
Build ID: fcbaee479e84c6cd81291587d2ee68cba099e129
CPU threads: 8; OS: Windows 10.0 Build 19045; UI render: Skia/Vulkan; VCL: win
Locale: en-US (en_US); UI: en-US
Calc: CL threaded

RenderMethod: vulkan
Vendor: 0x10de Device: 0x1380 API: 1.3.224 Driver: 528.196.0 DeviceType: discrete DeviceName: NVIDIA GeForce GTX 750 Ti
Denylisted: no

This stacktrace on the buffer overflow:

0:000> g
WARNING: Continuing a non-continuable exception
(36a4.3208): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT
ucrtbase!abort+0x4e:
00007ffd`9d9d286e cd29            int     29h
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2796

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 63801

    Key  : Analysis.Init.CPU.mSec
    Value: 30764

    Key  : Analysis.Init.Elapsed.mSec
    Value: 721511

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 900

    Key  : FailFast.Name
    Value: FATAL_APP_EXIT

    Key  : FailFast.Type
    Value: 7

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 45430

    Key  : Timeline.Process.Start.DeltaSec
    Value: 960

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 7.5.1.2

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffd9d9d286e (ucrtbase!abort+0x000000000000004e)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000007
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT

FAULTING_THREAD:  00003208

PROCESS_NAME:  soffice.bin

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR:  c0000409

EXCEPTION_PARAMETER1:  0000000000000007

STACK_TEXT:
00000077`4378d7a0 00007ffd`1d17b789 : fffffffe`00000003 00000000`00000003 00000000`00000054 00007ffd`1d17b70c : ucrtbase!abort+0x4e
00000077`4378d7d0 00007ffd`1d17c736 : 000001af`ea061800 00000077`4378d8d0 00000077`4378d900 00000000`00000053 : mergedlo!SkiaSalGraphicsImpl::postDraw+0x89
00000077`4378d800 00007ffd`1d17c79a : 00000000`00000000 00000000`00000053 00000000`00000014 00007ffd`1cc8897b : mergedlo!SkiaSalGraphicsImpl::privateDrawAlphaRect+0x2a6
00000077`4378d9a0 00007ffd`1ccc3509 : 000001af`d82af5e0 00000000`00000000 00000000`00000053 00011401`000036a4 : mergedlo!SkiaSalGraphicsImpl::drawRect+0x2a
00000077`4378d9f0 00007ffd`1cccd475 : 000001af`00202020 000001af`d82af5e0 00000000`00000000 00000000`00000000 : mergedlo!OutputDevice::DrawRect+0x259
00000077`4378da70 00007ffd`1cccd57e : 000001af`00000000 feffffae`00ffffff 000001af`d82af5e0 00000000`00000001 : mergedlo!OutputDevice::DrawColorWallpaper+0xe5
00000077`4378dad0 00007ffd`1ce7532d : 000001af`d82af5e0 00000000`00000000 00000077`4378dd50 000001af`d82af5e0 : mergedlo!OutputDevice::Erase+0xae
00000077`4378db10 00007ffd`1ce75700 : 00007ffd`1e744ab8 00000000`00000000 000001af`d8ab4aa0 00007ffd`1cb712c5 : mergedlo!VirtualDevice::InnerImplSetOutputSizePixel+0xdd
00000077`4378dbf0 00007ffd`1cb448c0 : 00000000`00000000 00000077`4378dd50 000001af`ea062c00 000001af`e299b2a0 : mergedlo!VirtualDevice::ImplSetOutputSizePixel+0x30
00000077`4378dc50 00007ffd`1cb45d33 : 00000000`000004ff 000001af`d8ab4aa0 00000000`000004ff 00000000`00000000 : mergedlo!StatusBar::ImplDrawItem+0x120
00000077`4378de10 00007ffd`1ca56375 : 00000000`00000000 000001af`e9f62c60 00000000`00000000 000001af`e9f62f18 : mergedlo!StatusBar::Paint+0x293
00000077`4378de80 00007ffd`1ca57202 : 000001af`94844c70 000001af`cbb10000 000001af`ea062c00 00000000`00000000 : mergedlo!PaintHelper::DoPaint+0x265
00000077`4378e050 00007ffd`1ca5a2ed : 000001af`ea062c00 000001af`ea062c00 00000000`00000000 000001af`948445b0 : mergedlo!vcl::Window::ImplCallPaint+0x142
00000077`4378e110 00007ffd`1cb4734e : 000001af`ea062c00 00000000`00000000 00000077`4378e280 000001af`ea010320 : mergedlo!vcl::Window::PaintImmediately+0x20d
00000077`4378e1b0 00007ffd`1cb478b5 : 00000000`00000003 00000077`4378e280 000001af`ea010320 000001af`ea062c00 : mergedlo!StatusBar::PaintSelfAndChildrenImmediately+0x2e
00000077`4378e1e0 00007ffd`1c049d10 : 00000077`4378e280 00000000`00000000 000001af`ea062c00 000001af`ea061100 : mergedlo!StatusBar::SetItemData+0xf5
00000077`4378e230 00007ffd`1bb3ae1f : 000001af`94844c70 000001af`94844c70 00000077`4378e329 fffff826`00000435 : mergedlo!SvxPosSizeStatusBarControl::StateChangedAtStatusBarControl+0x580
00000077`4378e2c0 00007ffd`1b91e1bb : 000001af`ea061110 00007ffd`00000020 000001af`94844c70 00007ffd`11e297d8 : mergedlo!SfxStatusBarControl::statusChanged+0x60f
00000077`4378e390 00007ffd`1b919b5a : 000001af`ea061110 00000077`4378e438 00000077`4378e530 000001af`ea099e80 : mergedlo!comphelper::OInterfaceContainerHelper4<com::sun::star::frame::XStatusListener>::forEach<<lambda_0c827e63d585ef0f6aba54468a4303b6> >+0xbb
00000077`4378e3f0 00007ffd`1b8f0475 : 00000077`4378e470 00000000`00000000 000001af`948445e0 000001af`ea0aad30 : mergedlo!SfxDispatchController_Impl::StateChanged+0x46a
00000077`4378e530 00007ffd`1b8cdecc : 00000000`00000001 000001af`948445e0 00000000`00000002 00000000`00000040 : mergedlo!SfxStateCache::SetState_Impl+0x105
00000077`4378e570 00007ffd`11a74752 : 00000077`4378e639 00000077`4378e6e0 000001af`d8cec9a0 00007ffd`1c451504 : mergedlo!SfxBindings::SetState+0x1bc
00000077`4378e5d0 00007ffd`11a73457 : 000001af`9481c0b0 000001af`d8cb5530 00000077`4378e870 00000000`00000000 : sdlo!sd::DrawViewShell::ShowMousePosInfo+0x232
00000077`4378e6a0 00007ffd`1cb8bad3 : 000001af`d8abd1e0 000001af`d8abd1e0 000001af`d8abd1e0 000001af`d8abd1e0 : sdlo!sd::DrawViewShell::MouseMove+0x257
00000077`4378e790 00007ffd`1cb90e0a : 00000000`00000001 00000000`00000000 00000077`4378ed40 00007ffd`1ca56eea : mergedlo!ImplHandleMouseEvent+0x12a3
00000077`4378e9d0 00007ffd`1cb91ac5 : 000001af`d6aca740 00000000`00000001 00000000`00000000 00000000`00000000 : mergedlo!ImplHandleSalMouseMove+0x9a
00000077`4378ea20 00007ffd`1d19260c : 00000000`00000246 00000000`00000001 00000000`00000200 00000000`00000246 : mergedlo!ImplWindowFrameProc+0x85
00000077`4378ec30 00007ffd`1962cdb2 : 00000000`00000001 00000000`00000409 00000000`00000000 00000000`00000246 : mergedlo!SalFrame::CallCallback+0x1c
00000077`4378ec60 00007ffd`19632df8 : 00000000`04c50615 00000000`00000000 00000000`00000002 00000000`000606fa : vclplug_winlo!ImplHandleMouseMsg+0x242
00000077`4378ed50 00007ffd`1963344d : 000001af`d1522f08 000001af`d19c81b8 00000000`00000000 00000000`00000246 : vclplug_winlo!SalFrameWndProc+0x1148
00000077`4378eeb0 00007ffd`9f4fe7e8 : 00000000`000606fa 00000000`00000200 00000000`00000001 00000000`04c50615 : vclplug_winlo!SalFrameWndProcW+0x4d
00000077`4378ef40 00007ffd`9f4fe47e : 000001af`d03af5e0 00007ffd`19633400 00000000`000606fa 00007ffd`00000200 : USER32!UserCallWinProcCheckWow+0x2f8
00000077`4378f0d0 00007ffd`1595f0f0 : 000001af`d8597f70 00000000`00000000 00007ffd`19633400 000001af`00000001 : USER32!CallWindowProcW+0x8e
00000077`4378f120 00007ffd`9f4fe7e8 : 00000000`00000001 00000000`00000001 00000000`00000000 00000000`00000000 : opengl32!wglWndProc+0x2a0
00000077`4378f190 00007ffd`9f4fe229 : 00000000`00000001 00007ffd`1595ee50 00000000`000606fa 000001af`00000200 : USER32!UserCallWinProcCheckWow+0x2f8
00000077`4378f320 00007ffd`195c15e6 : 00007ffd`1595ee50 00000077`4378f420 000001af`d0ce6640 00000000`00000000 : USER32!DispatchMessageWorker+0x249
00000077`4378f3a0 00007ffd`195c1855 : 00000000`00000000 00000000`00000000 000001af`d0ce6640 000001af`d6062a60 : vclplug_winlo!ImplSalDispatchMessage+0x46
00000077`4378f3f0 00007ffd`195c1a01 : 00000000`00000001 00000000`00000001 00000000`00000000 00007ffd`195c198a : vclplug_winlo!ImplSalYield+0x95
00000077`4378f470 00007ffd`1cf91d9a : 00007ffd`00000001 00000000`00000001 00000077`4378f630 00000000`00000000 : vclplug_winlo!WinSalInstance::DoYield+0x91
00000077`4378f4a0 00007ffd`1cf91d05 : 00007ffd`1f685660 00007ffd`98e5369b 00007ffd`1f78a200 00000000`00000000 : mergedlo!ImplYield+0x5a
00000077`4378f4d0 00007ffd`1bbadf95 : 00007ffd`00000000 00007ffd`00000000 00000077`4378f630 000001af`d69c8f80 : mergedlo!Application::Execute+0x175
00000077`4378f530 00007ffd`1cfa0cc2 : 000001af`d0ad6c50 00007ffd`1f76c120 00000000`00000000 00007ffd`1f78a200 : mergedlo!desktop::Desktop::Main+0x1235
00000077`4378f800 00007ffd`1bbd00cd : 00000077`00000000 000001af`cbbca2b0 00007ffd`1f76c120 000001af`cbb4c8c0 : mergedlo!ImplSVMain+0x62
00000077`4378f840 00007ff6`043c101b : 000001af`cbbc9aa0 000001af`cbb4c8c0 00000077`4378f910 000001af`cbb4c8c0 : mergedlo!soffice_main+0x26d
00000077`4378f950 00007ff6`043c12d4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : soffice!main+0x1b
00000077`4378f980 00007ffd`9e117614 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : soffice!__scrt_common_main_seh+0x10c
00000077`4378f9c0 00007ffd`9fca26a1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000077`4378f9f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  ucrtbase!abort+4e

MODULE_NAME: ucrtbase

IMAGE_NAME:  ucrtbase.dll

FAILURE_BUCKET_ID:  FAIL_FAST_FATAL_APP_EXIT_c0000409_ucrtbase.dll!abort

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  10.0.19041.789

FAILURE_ID_HASH:  {e31753ac-c98a-8055-3663-47e707543d20}

Followup:     MachineOwner
---------
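A triage helper for dumps like the one in comment #10, added here as an example; it is not code from LibreOffice or from the reporter. WinDbg files every c0000409 under "stack buffer overrun", but the record's Parameter[0] is subcode 7 (FAST_FAIL_FATAL_APP_EXIT): that is ucrtbase!abort executing int 29h deliberately, so the frame worth reading is the caller of abort (SkiaSalGraphicsImpl::postDraw), not a smashed stack frame. The script parses the EXCEPTION_RECORD and STACK_TEXT sections, maps the subcode through a few FAST_FAIL_* values (assumed to be the ones defined in winnt.h), and returns that verdict together with the first frame outside the C runtime. The embedded sample is the dump above, trimmed to four frames.

```python
"""Triage a WinDbg ``!analyze -v`` dump of a c0000409 fail-fast (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

STATUS_STACK_BUFFER_OVERRUN = 0xC0000409
# Selected FAST_FAIL_* values, assumed from winnt.h; the subcode is Parameter[0] of
# the exception record. Only the cookie codes mean a stack frame was really smashed.
FAST_FAIL_NAMES = {
    0: "FAST_FAIL_LEGACY_GS_VIOLATION",
    2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
    7: "FAST_FAIL_FATAL_APP_EXIT",
}
STACK_COOKIE_SUBCODES = {0, 2}
CRT_MODULES = {"ucrtbase", "ntdll", "kernel32", "kernelbase"}
HEX16 = r"[0-9a-f]{8}`[0-9a-f]{8}"
# One STACK_TEXT line: child SP, return address, four args, then the symbol.
FRAME_RE = re.compile(rf"^{HEX16}\s+{HEX16}\s*:\s*(?:{HEX16}\s+){{4}}:\s*(?P<sym>\S.*)$")
SYMBOL_RE = re.compile(r"^(?P<module>[^!]+)!(?P<func>.+)\+0x(?P<off>[0-9a-f]+)$")

# Excerpt of the WinDbg output quoted in comment #10, trimmed to what the parser
# needs (exception record, the top frames, the last frame).
SAMPLE_DUMP = """\
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffd9d9d286e (ucrtbase!abort+0x000000000000004e)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
   Parameter[0]: 0000000000000007

STACK_TEXT:
00000077`4378d7a0 00007ffd`1d17b789 : fffffffe`00000003 00000000`00000003 00000000`00000054 00007ffd`1d17b70c : ucrtbase!abort+0x4e
00000077`4378d7d0 00007ffd`1d17c736 : 000001af`ea061800 00000077`4378d8d0 00000077`4378d900 00000000`00000053 : mergedlo!SkiaSalGraphicsImpl::postDraw+0x89
00000077`4378d800 00007ffd`1d17c79a : 00000000`00000000 00000000`00000053 00000000`00000014 00007ffd`1cc8897b : mergedlo!SkiaSalGraphicsImpl::privateDrawAlphaRect+0x2a6
00000077`4378f9f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

STACK_COMMAND:  ~0s ; .cxr ; kb
"""


@dataclass
class Frame:
    module: str
    function: str
    offset: int


@dataclass
class Triage:
    exception_code: int
    subcode: int | None
    frames: list[Frame] = field(default_factory=list)

    @property
    def subcode_name(self) -> str:
        if self.subcode is None:
            return "n/a"
        return FAST_FAIL_NAMES.get(self.subcode, f"FAST_FAIL_{self.subcode}")

    @property
    def is_stack_cookie_failure(self) -> bool:
        return self.subcode in STACK_COOKIE_SUBCODES

    @property
    def verdict(self) -> str:
        if self.exception_code != STATUS_STACK_BUFFER_OVERRUN:
            return "not a c0000409 fail-fast"
        if self.is_stack_cookie_failure:
            return "corrupted /GS cookie: treat as a memory-safety bug"
        return f"deliberate fail-fast ({self.subcode_name}): read the caller of abort(), not for a smashed frame"

    def first_non_crt_frame(self) -> Frame | None:
        # The faulting address is inside abort(); the frame worth reading is the first one outside the CRT/loader.
        return next((f for f in self.frames if f.module.lower() not in CRT_MODULES), None)


def parse_frame(line: str) -> Frame | None:
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    s = SYMBOL_RE.match(m["sym"])
    if not s:  # unresolved symbol: keep the raw text
        return Frame("?", m["sym"], 0)
    return Frame(s["module"], s["func"], int(s["off"], 16))


def triage_dump(text: str) -> Triage:
    code = subcode = None
    frames: list[Frame] = []
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ExceptionCode:\s*([0-9a-f]+)", line):
            code = int(m[1], 16)
        elif m := re.match(r"Parameter\[0\]:\s*([0-9a-f]+)", line):
            subcode = int(m[1], 16)
        elif line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            fr = parse_frame(line)
            if fr is not None:
                frames.append(fr)
            elif frames:  # first non-frame line after the frames ends the section
                in_stack = False
    if code is None:
        raise ValueError("no EXCEPTION_RECORD found in dump")
    return Triage(code, subcode, frames)
```

Run it on a full dump with triage_dump(open(path).read()) and print .verdict and .first_non_crt_frame(); subcode 2 (or 0) is the case where a real /GS cookie check failed and the crash should be handled as a memory-safety bug rather than, as here, resource exhaustion ending in an explicit abort.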