New Asset Shelf steals temp data from file entry, leads to crash ultimately. #105535

New Issue

Bastien Montagne · 2023-03-07T17:48:00+01:00

Bastien Montagne commented

2023-03-07 17:48:00 +01:00

System Information
Operating system: All
Graphics card: N/A

Blender Version
Broken: Asset Shelf branch
Worked: N/A

Short description of error

uiTemplateAssetShelf/asset_tile_draw directly re-use the content of the given AssetHandle, which is a pointer to a FileDirEntry, generated by filelist_file_ex.

Issue is, filelist_file_ex results are temporary and should never, ever be stored beyond a very limited scope, since they are stored as part of a cache, and old entries get freed once new ones are needed.

Afaik there are plans to replace the AssetHandle, but in the mean time, I think they should at least own their own copy of the FileDirEntry.

Exact steps for others to reproduce the error

Crash happen with test case of the Brush Assets project, when the code tries to draw or select some asset entries in the shelf which underlying FileDirEntry has been freed.

Should be easily reproducible with any All 'repository' listing over a few thousands of file dir entries...

Here is the ASAN report:

=================================================================
==2558554==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000df5b60 at pc 0x0000116c7293 bp 0x7ffe80d65520 sp 0x7ffe80d65518
READ of size 8 at 0x60e000df5b60 thread T0
    #0 0x116c7292 in CTX_wm_asset_handle /home/guest/blender/src/source/blender/blenkernel/intern/context.cc:1487
    #1 0x1aceae98 in brush_asset_select_exec /home/guest/blender/src/source/blender/editors/sculpt_paint/curves_sculpt_ops.cc:1206
    #2 0x14e82327 in wm_operator_invoke /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:1531
    #3 0x14e8c299 in wm_handler_operator_call /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:2553
    #4 0x14e908b8 in wm_handlers_do_keymap_with_keymap_handler /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:2948
    #5 0x14e94380 in wm_handlers_do_intern /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:3277
    #6 0x14e99913 in wm_handlers_do /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:3531
    #7 0x14e9cc60 in wm_event_do_region_handlers /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:3838
    #8 0x14e9d057 in wm_event_do_handlers_area_regions /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:3870
    #9 0x14e9fd32 in wm_event_do_handlers /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:4070
    #10 0x14e4e207 in WM_main /home/guest/blender/src/source/blender/windowmanager/intern/wm.c:641
    #11 0x112e6487 in main /home/guest/blender/src/source/creator/creator.c:585
    #12 0x7f6c53e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #13 0x7f6c53e46244 in __libc_start_main_impl ../csu/libc-start.c:381
    #14 0x112e55e0 in _start (/home/guest/blender/build_main_debug/bin/blender+0x112e55e0)

0x60e000df5b60 is located 128 bytes inside of 152-byte region [0x60e000df5ae0,0x60e000df5b78)
freed by thread T0 here:
    #0 0x7f6c638b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x2e4f19d2 in MEM_lockfree_freeN /home/guest/blender/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:102
    #2 0x1c57a11f in filelist_entry_free /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:1401
    #3 0x1c5833c0 in filelist_file_release_entry /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2096
    #4 0x1c583c5a in filelist_file_ex /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2132
    #5 0x1c584099 in filelist_file /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2151
    #6 0x1a145311 in blender::ed::asset::AssetList::iterate(blender::FunctionRef<bool (AssetHandle)>) const /home/guest/blender/src/source/blender/editors/asset/intern/asset_list.cc:200
    #7 0x1a1473d2 in ED_assetlist_iterate(AssetLibraryReference const&, blender::FunctionRef<bool (AssetHandle)>) /home/guest/blender/src/source/blender/editors/asset/intern/asset_list.cc:461
    #8 0x1b99df86 in uiTemplateAssetShelf /home/guest/blender/src/source/blender/editors/interface/interface_template_asset_shelf.cc:171
    #9 0x1a15ccd6 in asset_shelf_region_draw /home/guest/blender/src/source/blender/editors/asset/intern/asset_shelf.cc:109
    #10 0x17a37caf in ED_region_header_layout /home/guest/blender/src/source/blender/editors/screen/area.cc:3345
    #11 0x17a386a5 in ED_region_header /home/guest/blender/src/source/blender/editors/screen/area.cc:3412
    #12 0x1a15cb30 in ED_asset_shelf_region_draw /home/guest/blender/src/source/blender/editors/asset/intern/asset_shelf.cc:101
    #13 0x17a0bec2 in ED_region_do_draw /home/guest/blender/src/source/blender/editors/screen/area.cc:537
    #14 0x14e67ccb in wm_draw_window_offscreen /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:960
    #15 0x14e69380 in wm_draw_window /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:1125
    #16 0x14e6b08f in wm_draw_update /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:1385
    #17 0x14e4e21f in WM_main /home/guest/blender/src/source/blender/windowmanager/intern/wm.c:647
    #18 0x112e6487 in main /home/guest/blender/src/source/creator/creator.c:585
    #19 0x7f6c53e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f6c638b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    #1 0x2e4f2107 in MEM_lockfree_callocN /home/guest/blender/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:208
    #2 0x1c598c4b in FileDirEntry* MEM_cnew<FileDirEntry>(char const*) /home/guest/blender/src/intern/guardedalloc/MEM_guardedalloc.h:304
    #3 0x1c582292 in filelist_file_create_entry /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2056
    #4 0x1c583930 in filelist_file_ex /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2127
    #5 0x1c584099 in filelist_file /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2151
    #6 0x1a145311 in blender::ed::asset::AssetList::iterate(blender::FunctionRef<bool (AssetHandle)>) const /home/guest/blender/src/source/blender/editors/asset/intern/asset_list.cc:200
    #7 0x1a1473d2 in ED_assetlist_iterate(AssetLibraryReference const&, blender::FunctionRef<bool (AssetHandle)>) /home/guest/blender/src/source/blender/editors/asset/intern/asset_list.cc:461
    #8 0x1b99df86 in uiTemplateAssetShelf /home/guest/blender/src/source/blender/editors/interface/interface_template_asset_shelf.cc:171
    #9 0x1a15ccd6 in asset_shelf_region_draw /home/guest/blender/src/source/blender/editors/asset/intern/asset_shelf.cc:109
    #10 0x17a37caf in ED_region_header_layout /home/guest/blender/src/source/blender/editors/screen/area.cc:3345
    #11 0x17a386a5 in ED_region_header /home/guest/blender/src/source/blender/editors/screen/area.cc:3412
    #12 0x1a15cb30 in ED_asset_shelf_region_draw /home/guest/blender/src/source/blender/editors/asset/intern/asset_shelf.cc:101
    #13 0x17a0bec2 in ED_region_do_draw /home/guest/blender/src/source/blender/editors/screen/area.cc:537
    #14 0x14e67ccb in wm_draw_window_offscreen /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:960
    #15 0x14e69380 in wm_draw_window /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:1125
    #16 0x14e6b08f in wm_draw_update /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:1385
    #17 0x14e4e21f in WM_main /home/guest/blender/src/source/blender/windowmanager/intern/wm.c:647
    #18 0x112e6487 in main /home/guest/blender/src/source/creator/creator.c:585
    #19 0x7f6c53e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

**System Information** Operating system: All Graphics card: N/A **Blender Version** Broken: Asset Shelf branch Worked: N/A **Short description of error** `uiTemplateAssetShelf`/`asset_tile_draw` directly re-use the content of the given `AssetHandle`, which is a pointer to a `FileDirEntry`, generated by `filelist_file_ex`. Issue is, `filelist_file_ex` results are temporary and should never, ever be stored beyond a very limited scope, since they are stored as part of a cache, and old entries get freed once new ones are needed. Afaik there are plans to replace the `AssetHandle`, but in the mean time, I think they should at least own their own copy of the `FileDirEntry`. **Exact steps for others to reproduce the error** Crash happen with test case of the Brush Assets project, when the code tries to draw or select some asset entries in the shelf which underlying `FileDirEntry` has been freed. Should be easily reproducible with any `All` 'repository' listing over a few thousands of file dir entries... Here is the ASAN report: ```lines=10 ================================================================= ==2558554==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000df5b60 at pc 0x0000116c7293 bp 0x7ffe80d65520 sp 0x7ffe80d65518 READ of size 8 at 0x60e000df5b60 thread T0 #0 0x116c7292 in CTX_wm_asset_handle /home/guest/blender/src/source/blender/blenkernel/intern/context.cc:1487 #1 0x1aceae98 in brush_asset_select_exec /home/guest/blender/src/source/blender/editors/sculpt_paint/curves_sculpt_ops.cc:1206 #2 0x14e82327 in wm_operator_invoke /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:1531 #3 0x14e8c299 in wm_handler_operator_call /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:2553 #4 0x14e908b8 in wm_handlers_do_keymap_with_keymap_handler /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:2948 #5 0x14e94380 in wm_handlers_do_intern /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:3277 #6 0x14e99913 in wm_handlers_do /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:3531 #7 0x14e9cc60 in wm_event_do_region_handlers /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:3838 #8 0x14e9d057 in wm_event_do_handlers_area_regions /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:3870 #9 0x14e9fd32 in wm_event_do_handlers /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.cc:4070 #10 0x14e4e207 in WM_main /home/guest/blender/src/source/blender/windowmanager/intern/wm.c:641 #11 0x112e6487 in main /home/guest/blender/src/source/creator/creator.c:585 #12 0x7f6c53e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #13 0x7f6c53e46244 in __libc_start_main_impl ../csu/libc-start.c:381 #14 0x112e55e0 in _start (/home/guest/blender/build_main_debug/bin/blender+0x112e55e0) 0x60e000df5b60 is located 128 bytes inside of 152-byte region [0x60e000df5ae0,0x60e000df5b78) freed by thread T0 here: #0 0x7f6c638b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 #1 0x2e4f19d2 in MEM_lockfree_freeN /home/guest/blender/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:102 #2 0x1c57a11f in filelist_entry_free /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:1401 #3 0x1c5833c0 in filelist_file_release_entry /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2096 #4 0x1c583c5a in filelist_file_ex /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2132 #5 0x1c584099 in filelist_file /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2151 #6 0x1a145311 in blender::ed::asset::AssetList::iterate(blender::FunctionRef<bool (AssetHandle)>) const /home/guest/blender/src/source/blender/editors/asset/intern/asset_list.cc:200 #7 0x1a1473d2 in ED_assetlist_iterate(AssetLibraryReference const&, blender::FunctionRef<bool (AssetHandle)>) /home/guest/blender/src/source/blender/editors/asset/intern/asset_list.cc:461 #8 0x1b99df86 in uiTemplateAssetShelf /home/guest/blender/src/source/blender/editors/interface/interface_template_asset_shelf.cc:171 #9 0x1a15ccd6 in asset_shelf_region_draw /home/guest/blender/src/source/blender/editors/asset/intern/asset_shelf.cc:109 #10 0x17a37caf in ED_region_header_layout /home/guest/blender/src/source/blender/editors/screen/area.cc:3345 #11 0x17a386a5 in ED_region_header /home/guest/blender/src/source/blender/editors/screen/area.cc:3412 #12 0x1a15cb30 in ED_asset_shelf_region_draw /home/guest/blender/src/source/blender/editors/asset/intern/asset_shelf.cc:101 #13 0x17a0bec2 in ED_region_do_draw /home/guest/blender/src/source/blender/editors/screen/area.cc:537 #14 0x14e67ccb in wm_draw_window_offscreen /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:960 #15 0x14e69380 in wm_draw_window /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:1125 #16 0x14e6b08f in wm_draw_update /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:1385 #17 0x14e4e21f in WM_main /home/guest/blender/src/source/blender/windowmanager/intern/wm.c:647 #18 0x112e6487 in main /home/guest/blender/src/source/creator/creator.c:585 #19 0x7f6c53e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 previously allocated by thread T0 here: #0 0x7f6c638b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77 #1 0x2e4f2107 in MEM_lockfree_callocN /home/guest/blender/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:208 #2 0x1c598c4b in FileDirEntry* MEM_cnew<FileDirEntry>(char const*) /home/guest/blender/src/intern/guardedalloc/MEM_guardedalloc.h:304 #3 0x1c582292 in filelist_file_create_entry /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2056 #4 0x1c583930 in filelist_file_ex /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2127 #5 0x1c584099 in filelist_file /home/guest/blender/src/source/blender/editors/space_file/filelist.cc:2151 #6 0x1a145311 in blender::ed::asset::AssetList::iterate(blender::FunctionRef<bool (AssetHandle)>) const /home/guest/blender/src/source/blender/editors/asset/intern/asset_list.cc:200 #7 0x1a1473d2 in ED_assetlist_iterate(AssetLibraryReference const&, blender::FunctionRef<bool (AssetHandle)>) /home/guest/blender/src/source/blender/editors/asset/intern/asset_list.cc:461 #8 0x1b99df86 in uiTemplateAssetShelf /home/guest/blender/src/source/blender/editors/interface/interface_template_asset_shelf.cc:171 #9 0x1a15ccd6 in asset_shelf_region_draw /home/guest/blender/src/source/blender/editors/asset/intern/asset_shelf.cc:109 #10 0x17a37caf in ED_region_header_layout /home/guest/blender/src/source/blender/editors/screen/area.cc:3345 #11 0x17a386a5 in ED_region_header /home/guest/blender/src/source/blender/editors/screen/area.cc:3412 #12 0x1a15cb30 in ED_asset_shelf_region_draw /home/guest/blender/src/source/blender/editors/asset/intern/asset_shelf.cc:101 #13 0x17a0bec2 in ED_region_do_draw /home/guest/blender/src/source/blender/editors/screen/area.cc:537 #14 0x14e67ccb in wm_draw_window_offscreen /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:960 #15 0x14e69380 in wm_draw_window /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:1125 #16 0x14e6b08f in wm_draw_update /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:1385 #17 0x14e4e21f in WM_main /home/guest/blender/src/source/blender/windowmanager/intern/wm.c:647 #18 0x112e6487 in main /home/guest/blender/src/source/creator/creator.c:585 #19 0x7f6c53e46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 ```

Bastien Montagne added the

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

New Asset Shelf steals temp data from file entry, leads to crash ultimately. #105535