Segmentation Fault after 2 Undos using linked node tree #48042

Closed
opened 2016-04-04 03:15:55 +02:00 by Gabriel Caraballo · 23 comments

System Information
Ubuntu Linux, Windows

Blender Version
Broken: 2.77
Worked: 2.76b

Segmentation Fault after 2 Undos. Sadly I can't find out the exact reason. But it appears to be related to a linked node tree.

I'm trying to create a simpler .blend, without success...

# backtrace
./blender(BLI_system_backtrace+0x1d) [0x1ab790d]
./blender() [0x114455e]
/lib/x86_64-linux-gnu/libc.so.6(+0x36d40) [0x7fb0d8186d40]
./blender() [0x197d38b]
./blender(rna_pointer_inherit_refine+0x56) [0x18f9966]
./blender(ShaderNodeGroup_node_tree_get+0x1b) [0x1990c6b]
./blender(RNA_property_pointer_get+0x94) [0x18fe164]
./blender(pyrna_prop_to_py+0xb0) [0x1520040]
./blender() [0x15203e0]
./blender(PyEval_EvalFrameEx+0x31f8) [0x29a7518]
./blender(PyEval_EvalFrameEx+0x7cb1) [0x29abfd1]
./blender() [0x29adab2]
./blender(PyEval_EvalCodeEx+0x48) [0x29adbb8]
./blender() [0x291a47f]
./blender(PyObject_Call+0x5a) [0x28f103a]
./blender() [0x290ad8d]
./blender(PyObject_Call+0x5a) [0x28f103a]
./blender() [0x151f6f4]
./blender() [0x19f726a]
./blender(ED_region_panels+0x12c) [0x14089cc]
./blender() [0x116f2f3]
./blender(ED_region_do_draw+0xa16) [0x1407d36]
./blender(wm_draw_update+0x637) [0x1149977]
./blender(WM_main+0x28) [0x1145178]
./blender(main+0x372) [0x10ec172]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fb0d8171ec5]
./blender() [0x1141759]

Exact steps for others to reproduce the error
Extract the Zip file 0670c0_030_dora_ambulancia_bug_d.zip (https://archive.blender.org/developer/F300644/0670c0_030_dora_ambulancia_bug_d.zip), open "0670c0_030_dora_ambulancia_bug_d.blend", hide the clip on the sequencer, unhide it, hide it again, Undo, Undo again.

Changed status to: 'Open'

Added subscriber: @GabrielCaraballo

Added subscriber: @ideasman42

The zip file doesn't contain the wav file, though I changed the reference to a local file and tried to redo the bug and couldn't.

Could you double check that this zip is able to redo the bug (possibly some error packing it?).

Ok, after further testing I learned that you need the Addon "Amaranth" from "Testing" enabled.

(no need to actually relink the .wav file)

Tested from the uploaded .zip file, using 2.77-01ce8d8 build

Added subscriber: @LukasTonne

Even without Amaranth I get an assert failure right away when opening the test file, here
https://developer.blender.org/diffusion/B/browse/master/source/blender/editors/space_outliner/outliner_tree.c$867

(ID is of type Sound = ID_SO, not supported by outliner it seems)

I don't know the code in detail, but don't see any place before this that would filter valid outliner ID types or so. If so, this would be a bad way to use assert (assert = stuff that should never ever happen)

Added subscriber: @mont29

@LukasTonne, yes, I get this too, but this is only in developer builds and doesn't impact releases.
@mont29 added it, and every so often it asserts (maybe should be disabled?), since IIRC it's something that shouldn't happen but can be safely ignored.

Notice that hiding and showing the clip is just an example, you can Undo any action and it should segfault.

Testing Blender 2.77a I've noticed that the Backtrace is not always the same. What could that mean?:

First time:

./blender(BLI_system_backtrace+0x1d) [0x1aab55d]
./blender() [0x11417be]
/lib/x86_64-linux-gnu/libc.so.6(+0x36d40) [0x7fec21ceed40]
./blender() [0x1793722]
./blender() [0x179377c]
./blender() [0x17936eb]
./blender() [0x1793a5f]
./blender() [0x17945e8]
./blender(build_dag+0xfa) [0x179472a]
./blender(DAG_scene_relations_update+0x5e) [0x17964be]
./blender(BKE_scene_set_background+0x9b) [0x1862beb]
./blender() [0x1749d72]
./blender(BKE_read_file_from_memfile+0x97) [0x174a417]
./blender() [0x174a4bb]
./blender() [0x12b2841]
./blender() [0x1149c82]
./blender() [0x114b09a]
./blender() [0x114b429]
./blender() [0x114b8f6]
./blender(wm_event_do_handlers+0x6ff) [0x114c14f]
./blender(WM_main+0x18) [0x1143098]
./blender(main+0xefa) [0x10eac7a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fec21cd9ec5]
./blender() [0x1140269]

Second time:

./blender(BLI_system_backtrace+0x1d) [0x1aab55d]
./blender() [0x11417be]
/lib/x86_64-linux-gnu/libc.so.6(+0x36d40) [0x7f1dc777ed40]
./blender() [0x19718cb]
./blender(rna_pointer_inherit_refine+0x56) [0x18ee476]
./blender(ShaderNodeGroup_node_tree_get+0x1b) [0x198505b]
./blender(RNA_property_pointer_get+0x94) [0x18f2b74]
./blender(pyrna_prop_to_py+0xb0) [0x151a730]
./blender() [0x151aad0]
./blender(PyEval_EvalFrameEx+0x31f8) [0x29d8808]
./blender(PyEval_EvalFrameEx+0x7cb1) [0x29dd2c1]
./blender() [0x29deda2]
./blender(PyEval_EvalCodeEx+0x48) [0x29deea8]
./blender() [0x294b76f]
./blender(PyObject_Call+0x5a) [0x292232a]
./blender() [0x293c07d]
./blender(PyObject_Call+0x5a) [0x292232a]
./blender() [0x1519de4]
./blender() [0x19eb3aa]
./blender(ED_region_panels+0x124) [0x1404c14]
./blender() [0x116d193]
./blender(ED_region_do_draw+0xa16) [0x1403f86]
./blender(wm_draw_update+0x637) [0x11478a7]
./blender(WM_main+0x28) [0x11430a8]
./blender(main+0xefa) [0x10eac7a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f1dc7769ec5]
./blender() [0x1140269]

Added subscriber: @Sergey

I can't reproduce the crash.

The backtrace isn't really helpful, since it's created from a release build. Please get a backtrace from a debug build and show what `thread apply all bt` says (as a file perhaps, since it's gonna be long).

Hi Sergey, probably "you need the Addon "Amaranth" from "Testing" enabled."
( From comment https://developer.blender.org/T48042#368088 , I can't edit the issue to add that update )

Managed to reproduce it, and get an asan report for "heap use after free":

P348: (An Untitled Masterwork) https://archive.blender.org/developer/P348.txt

=================================================================
==23361==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140069fa4c8 at pc 0x00000327c502 bp 0x7fffffffd1b0 sp 0x7fffffffd1a0
READ of size 8 at 0x6140069fa4c8 thread T0
    #0 0x327c501 in rna_NodeTree_refine /home/lukas/src/bf-blender/blender/source/blender/makesrna/intern/rna_nodetree.c:496
    #1 0x30831f7 in rna_pointer_inherit_refine /home/lukas/src/bf-blender/blender/source/blender/makesrna/intern/rna_access.c:192
    #2 0x32cc466 in ShaderNodeGroup_node_tree_get /home/lukas/src/bf-blender/cmake-debug/source/blender/makesrna/intern/rna_nodetree_gen.c:34286
    #3 0x30972d7 in RNA_property_pointer_get /home/lukas/src/bf-blender/blender/source/blender/makesrna/intern/rna_access.c:2893
    #4 0x2175479 in pyrna_prop_to_py /home/lukas/src/bf-blender/blender/source/blender/python/intern/bpy_rna.c:1473
    #5 0x2181aad in pyrna_struct_getattro /home/lukas/src/bf-blender/blender/source/blender/python/intern/bpy_rna.c:3802
    #6 0x61ab85d in PyEval_EvalFrameEx Python/ceval.c:2692
    #7 0x61af28f in fast_function Python/ceval.c:4754
    #8 0x61af28f in call_function Python/ceval.c:4681
    #9 0x61af28f in PyEval_EvalFrameEx Python/ceval.c:3185
    #10 0x61b176d in _PyEval_EvalCodeWithName Python/ceval.c:3966
    #11 0x61b1842 in PyEval_EvalCodeEx Python/ceval.c:3987
    #12 0x6112ea7 in function_call Objects/funcobject.c:632
    #13 0x60e742f in PyObject_Call Objects/abstract.c:2165
    #14 0x6102123 in method_call Objects/classobject.c:330
    #15 0x60e742f in PyObject_Call Objects/abstract.c:2165
    #16 0x218f4a8 in bpy_class_call /home/lukas/src/bf-blender/blender/source/blender/python/intern/bpy_rna.c:7549
    #17 0x348152e in panel_poll /home/lukas/src/bf-blender/blender/source/blender/makesrna/intern/rna_ui.c:123
    #18 0x1d7ca7b in ED_region_panels /home/lukas/src/bf-blender/blender/source/blender/editors/screen/area.c:1795
    #19 0x10ac1da in buttons_main_region_draw /home/lukas/src/bf-blender/blender/source/blender/editors/space_buttons/space_buttons.c:145
    #20 0x1d6fa8d in ED_region_do_draw /home/lukas/src/bf-blender/blender/source/blender/editors/screen/area.c:518
    #21 0x102c9be in wm_method_draw_triple /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_draw.c:557
    #22 0x102f035 in wm_draw_update /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_draw.c:959
    #23 0x10202c3 in WM_main /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm.c:495
    #24 0x1016703 in main /home/lukas/src/bf-blender/blender/source/creator/creator.c:479
    #25 0x7ffff3068a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #26 0x1015b78 in _start (/home/lukas/src/bf-blender/cmake-debug/bin/blender+0x1015b78)

0x6140069fa4c8 is located 136 bytes inside of 448-byte region [0x6140069fa440,0x6140069fa600)
freed by thread T0 here:
    #0 0x7ffff6f016aa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986aa)
    #1 0x3b361dd in MEM_lockfree_freeN /home/lukas/src/bf-blender/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:169
    #2 0x2c5bcb7 in BKE_libblock_free_ex /home/lukas/src/bf-blender/blender/source/blender/blenkernel/intern/library.c:1307
    #3 0x2c5c142 in BKE_main_free /home/lukas/src/bf-blender/blender/source/blender/blenkernel/intern/library.c:1366
    #4 0x2a01da6 in clear_global /home/lukas/src/bf-blender/blender/source/blender/blenkernel/intern/blender.c:163
    #5 0x2a0284e in setup_app_data /home/lukas/src/bf-blender/blender/source/blender/blenkernel/intern/blender.c:318
    #6 0x2a03fb2 in BKE_read_file_from_memfile /home/lukas/src/bf-blender/blender/source/blender/blenkernel/intern/blender.c:585
    #7 0x2a04415 in read_undosave /home/lukas/src/bf-blender/blender/source/blender/blenkernel/intern/blender.c:689
    #8 0x2a04d67 in BKE_undo_step /home/lukas/src/bf-blender/blender/source/blender/blenkernel/intern/blender.c:821
    #9 0x156eadb in ed_undo_step /home/lukas/src/bf-blender/blender/source/blender/editors/util/undo.c:202
    #10 0x156f10f in ed_undo_exec /home/lukas/src/bf-blender/blender/source/blender/editors/util/undo.c:291
    #11 0x103693a in wm_operator_invoke /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1105
    #12 0x1039e7e in wm_handler_operator_call /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1747
    #13 0x103b642 in wm_handlers_do_intern /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2028
    #14 0x103be43 in wm_handlers_do /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2137
    #15 0x103de73 in wm_event_do_handlers /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2514
    #16 0x10202ab in WM_main /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm.c:489
    #17 0x1016703 in main /home/lukas/src/bf-blender/blender/source/creator/creator.c:479
    #18 0x7ffff3068a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x7ffff6f01b49 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98b49)
    #1 0x3b366e4 in MEM_lockfree_callocN /home/lukas/src/bf-blender/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:286
    #2 0x3db3b80 in DNA_struct_reconstruct /home/lukas/src/bf-blender/blender/source/blender/makesdna/intern/dna_genfile.c:1272
    #3 0x3518ebc in read_struct /home/lukas/src/bf-blender/blender/source/blender/blenloader/intern/readfile.c:1855
    #4 0x354d9d8 in read_libblock /home/lukas/src/bf-blender/blender/source/blender/blenloader/intern/readfile.c:7925
    #5 0x355a0a3 in link_id_part /home/lukas/src/bf-blender/blender/source/blender/blenloader/intern/readfile.c:9831
    #6 0x355bebd in read_libraries /home/lukas/src/bf-blender/blender/source/blender/blenloader/intern/readfile.c:10112
    #7 0x3550e82 in blo_read_file_internal /home/lukas/src/bf-blender/blender/source/blender/blenloader/intern/readfile.c:8414
    #8 0x350daf7 in BLO_read_from_file /home/lukas/src/bf-blender/blender/source/blender/blenloader/intern/readblenentry.c:328
    #9 0x2a03bb9 in BKE_read_file /home/lukas/src/bf-blender/blender/source/blender/blenkernel/intern/blender.c:531
    #10 0x1046851 in WM_file_read /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_files.c:551
    #11 0x1068b39 in wm_file_read_opwrap /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_operators.c:2202
    #12 0x10690d2 in wm_open_mainfile_exec /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_operators.c:2261
    #13 0x103a478 in wm_handler_fileselect_do /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1849
    #14 0x103ae08 in wm_handler_fileselect_call /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1933
    #15 0x103b900 in wm_handlers_do_intern /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2059
    #16 0x103be43 in wm_handlers_do /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2137
    #17 0x103d700 in wm_event_do_handlers /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2420
    #18 0x10202ab in WM_main /home/lukas/src/bf-blender/blender/source/blender/windowmanager/intern/wm.c:489
    #19 0x1016703 in main /home/lukas/src/bf-blender/blender/source/creator/creator.c:479
    #20 0x7ffff3068a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/lukas/src/bf-blender/blender/source/blender/makesrna/intern/rna_nodetree.c:496 rna_NodeTree_refine
Shadow bytes around the buggy address:
  0x0c2880d37440: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2880d37450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880d37460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880d37470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880d37480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2880d37490: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c2880d374a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880d374b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880d374c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2880d374d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880d374e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==23361==ABORTING

Cause for the bug is indeed on Amaranth's side:

https://developer.blender.org/diffusion/BAC/browse/master/amaranth/scene/debug.py;4dc84d67773154f08f8c2c670c88e4f76f855be4$120

This is evil! It keeps pointers stored in the panel type (!) and these become invalid when undoing.

Pablo Vazquez was assigned by Lukas Tönne 2016-04-12 14:22:13 +02:00

Looks like a panel poll func (from amaranth addon?) is using a stored pointer instead of storing only local data (usually a string)… Note here I can reproduce crash too, but seems to happen in AMTH_SCENE_PT_scene_debug drawing func.

Anyway, this is amaranth issue - it’s doing many complex and not-so-great things (like using op class to 'cache' data…).

@LukasTonne that materials list actually only stores strings, afaict, so should not be direct cause of issue (but again, code here is a maze, hard to follow).

@mont29 Yes, @GabrielCaraballo pointed out that it's just a string list. But the error comes from somewhere within the "Lighter's Corner" panel.

Added subscriber: @VukGardasevic

Like it was said before, the problem is the draw part.

The function AMTH_SCENE_PT_scene_debug is in the panel which means every time the cursor is over it gets redrawn.

            if list_users:
                empty = True
                col = box.column(align=True)
                for t in list_users:
                    if list_users[t]:
                        empty = False
                        for ma in list_users[t]:
                            print("ma is {}".format(ma))
                            row = col.row(align=True)
                            row.alignment = "LEFT"
                            if t == 'OBJECT_DATA':
                                row.operator(
                                    AMTH_SCENE_OT_amaranth_object_select.bl_idname,
                                    text="%s %s%s" %
                                    (" [L] " if ma.library else "",
                                     ma.name,
                                     "" if ma.name in context.scene.objects else " [Not in Scene]"),
                                    icon=t,
                                    emboss=False).object = ma.name
                            else:
                                row.label(text=ma,
                                          icon=t)

This code should start around line 1133.

list_users in a simple scene of one material and the default cube would be:

{'MESH_DATA': [ ], 'MODIFIER': [ ], 'LAMP': [ ], 'NODETREE': [ ], 'TEXTURE': [ ], 'VIEW3D': [ ], 'WORLD': [ ], 'OBJECT_DATA': [bpy.data.objects['Cube']], 'MATERIAL': []}

t is "OBJECT_DATA" and finally list_users[x] is bpy.data.objects['Cube'].

I've added a print to see what ma is and it returns something like:
ma is <bpy_struct, Object("some name here")>

The problem is the List Users for Datablock panel specifically. If there is a list of labels, (for instance a search for users of a material was done) it gets redrawn.
After Undo the string passed as a key gets replaced with gibberish.

ma is <bpy_struct, Object("
O・ス")>
Which leads to:
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 64: invalid start byte>

when trying to access the name of the object.

That's a sign that the list_users and/or list_users[x] has become corrupted - the combination of redrawing with the access to the objects and undo doesn't end up well.
Basically, the list starts accessing random stuff in the memory like in these cases:

ma is <bpy_struct, Object("nd\Blender_Bugs\Blends\amaranth.blend")>
ma is <bpy_struct, Object("Cycles Material using X shader
Where X is any shader type you w")>

After the next undo or selection/action or trying to print list_users list as a debug, it's time for reminiscence about the choice of desktop wallpaper :)

Changed status from 'Open' to: 'Resolved'

Committed a refactor of the scene debug script - the major change is moving storage to a separate class and the usage of UI lists for the Lighter's corner and Images. Also object data was stored in the dictionary before - now only strings are contained.

The issue with the supplied file cannot be recreated with the current master or 2.79, however it was related to accessing nested node groups in the linked files in 2.76.10 build.

Closing as resolved for now.
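
The pattern this thread converges on (keep only strings in add-on storage and look the datablock up again on every redraw), as an added example that is not Amaranth's code. `UserListStore`, `rows_for_draw`, `fake_objects` and the "[Missing]" label are hypothetical, and the constructed stand-in objects take the place of `bpy.data.objects` so the sketch runs outside Blender.

```python
from types import SimpleNamespace as NS


class UserListStore:
    """Hypothetical storage class: holds datablock names, never bpy_struct refs."""

    def __init__(self):
        self.names = {}  # icon type -> list of datablock names (str only)

    def collect(self, objects, material_name):
        """Record the names of the objects that use the given material."""
        found = []
        for ob in objects:
            mats = (slot.material for slot in ob.material_slots)
            if any(m is not None and m.name == material_name for m in mats):
                found.append(ob.name)  # copy the string, drop the reference
        self.names = {"OBJECT_DATA": found}
        return found


def rows_for_draw(store, objects, scene_object_names):
    """Build the label rows from live lookups; safe to call on every redraw."""
    rows = []
    for icon, names in store.names.items():
        for name in names:
            ob = objects.get(name)  # fresh lookup, still valid after undo
            if ob is None:  # removed or renamed since collect()
                rows.append((icon, name + " [Missing]"))
                continue
            prefix = "[L] " if ob.library else ""
            suffix = "" if name in scene_object_names else " [Not in Scene]"
            rows.append((icon, prefix + ob.name + suffix))
    return rows


def fake_objects(names):
    """Constructed stand-in for bpy.data.objects: fresh structs on every call."""
    mat = NS(name="Mat")
    return {n: NS(name=n, library=None, material_slots=[NS(material=mat)])
            for n in names}


def demo():
    data = fake_objects(["Cube", "Lamp"])
    store = UserListStore()
    store.collect(data.values(), "Mat")
    data = fake_objects(["Cube"])  # "undo": every struct reallocated, Lamp gone
    return rows_for_draw(store, data, {"Cube"})
```

Inside Blender, `objects` would be `bpy.data.objects` and `scene_object_names` would be `context.scene.objects`, both of which support the lookups used here.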

Reference: blender/blender-addons#48042