
Blender 2.6 Bug Tracker: Browse

[#32320] Image browser in UV/image Editor makes Blender crash at exit when .dds image is loaded

Date: 2012-08-12 23:38
Priority: 3
State: Closed
Submitted by: Christian Monfort (gulbroz)
Assigned to: Mitchell Stokes (moguri)
Category: Image & Movie I/O
Status: Fixed / Closed
Relates to:
Duplicates:
Patches:

Summary:
Image browser in UV/image Editor makes Blender crash at exit when .dds image is loaded
Detailed description
Seen on custom build r49831
Bug is in 2.64 testbuild2, but not in official 2.63 release.
=> it was introduced by fix in r48425 where dds data is free() in IMB_freeImBuf()...

1) Start Blender
2) Switch to UV/Image Editor
3) Load a .dds image (DXT compressed)
4) Click on image selector (button with picture icon and up/down button, with tooltip "Browse Image to be linked"), so that icon is created for the .dds image
5) Exit Blender => crash with double free:
*** glibc detected *** ../build/linux_debug/bin/blender_KO: double free or corruption (out): 0x00000000083d8480 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7e626)[0x7f0182863626]
/usr/lib/nvidia-current/tls/libnvidia-tls.so.295.40(+0x1c01)[0x7f0181ec5c01]
======= Memory map: ========
...etc...

-------------------

This happens when Blender creates icons for the drop down image selector menus:
icon_copy_rect() makes a copy of the ImBuf from the .dds image to create the preview icon, then frees the ImBuf copy before returning.
The problem is that dds data buffers are not duplicated in the ImBuf copy and are still pointing to the original ImBuf, thus they are free()d at the end of icon_copy_rect(), and when the original ImBuf is freed at exit, that's a double free...

The provided patch addresses this by treating dds data buffers the same way as other buffers in ImBuf copy: pointers to data that was not duplicated are set to NULL.

--------

Linux Ubuntu 12.04 64 / nVidia GTX570

Followup

Message
  • Date: 2012-08-13 22:17
  • Sender: Mitchell Stokes
  • I've committed the patch as r49879. Thanks for the detailed report and the patch!
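
The ownership problem described in the report, reduced to a stand-alone C program (an added example, not Blender's code or the attached patch). `Img`, `img_dup`, `img_free` and `tracked_free` are hypothetical names; `tracked_free` counts a second release of the same address instead of performing it, so the double free can be reported without crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified image buffer; not Blender's actual ImBuf. */
typedef struct Img {
    unsigned char *rect; size_t rect_len; /* pixels: duplicated on copy */
    unsigned char *dds;  size_t dds_len;  /* compressed data: not duplicated */
} Img;

static uintptr_t freed[16];        /* addresses already released in this run */
static int n_freed, double_frees;
/* free() wrapper: counts a repeated release instead of performing it. */
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < n_freed; i++)
        if (freed[i] == (uintptr_t)p) { double_frees++; return; }
    if (n_freed < 16) freed[n_freed++] = (uintptr_t)p;
    free(p);
}
static void img_free(Img *im) { tracked_free(im->rect); tracked_free(im->dds); }

/* clear_unowned=0 leaves dst.dds aliasing src->dds (the reported bug);
   clear_unowned=1 sets the pointer that was not duplicated to NULL. */
static Img img_dup(const Img *src, int clear_unowned) {
    Img dst = *src;                               /* shallow struct copy */
    dst.rect = malloc(src->rect_len);
    if (!dst.rect) abort();
    memcpy(dst.rect, src->rect, src->rect_len);
    if (clear_unowned) { dst.dds = NULL; dst.dds_len = 0; }
    return dst;
}

/* Copy, free the copy, then free the original; returns double frees seen. */
int run_scenario(int clear_unowned) {
    Img orig = { calloc(1, 64), 64, calloc(1, 32), 32 };
    if (!orig.rect || !orig.dds) abort();
    n_freed = double_frees = 0;
    Img copy = img_dup(&orig, clear_unowned);
    img_free(&copy);  /* temporary copy released, as after building an icon */
    img_free(&orig);  /* original released later, as at exit */
    return double_frees;
}
int main(void) {
    printf("aliased: %d, cleared: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

Building the untracked equivalent with `-fsanitize=address` reports the same condition at the second `free()`, which is a quicker way to catch this class of aliasing bug than waiting for glibc's abort at exit.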
 

Attached Files:

Name Date Download
allocimbuf.c.patch 2012-08-12 23:38 Download

Changes:

Field | Old Value | Date | By
status_id | Open | 2012-08-13 22:17 | moguri
close_date | None | 2012-08-13 22:17 | moguri
Status | Investigate | 2012-08-13 22:17 | moguri
assigned_to | none | 2012-08-13 15:54 | campbellbarton
details | [previous text of the detailed description, same as above] | 2012-08-13 15:54 | campbellbarton
Status | New | 2012-08-13 15:54 | campbellbarton
File Added | 21734: allocimbuf.c.patch | 2012-08-12 23:38 | gulbroz