blender
/
blender
134
398
Fork 580
Code Issues 6.3k Pull Requests 759 Projects 19 Wiki Activity

Crash when sculpting with a texture, deleting the image of the texture and exiting sculpt mode #106872

New Issue
Open
opened 2023-04-12 19:02:17 +02:00 by Robin Hohnsbeen · 6 comments
Robin Hohnsbeen commented 2023-04-12 19:02:17 +02:00
Contributor
Copy Link

System Information
Operating system: Windows 10
Graphics card: RTX 2070 Super

Blender Version
Broken: version: 3.4, 3.5, 3.6
Broken: version: 3.3.3, branch: master, commit date: 2023-01-17 08:40, hash: rB8d94aeb604fa
Broken: 3.1.0
Worked: 3.0.1
Worked: 2.93 LTS

Caused by 9111ea78ac

Short description of error
Blender crashes when a texture image is deleted and you exit sculpt mode.

Exact steps for others to reproduce the error
You can test it inside the attached blend file. I basically just attached an image to a sculpting brush.

  1. Open the blend file below
  2. draw on the surface of the sphere
  3. delete the image inside the outliner
  4. exit sculpt mode

Crash occurs because item->image->runtime.cache_mutex is null inside BKE_image_pool_free

Stack trace:
blender.exe         :0x00007FF713D04C10  pthread_mutex_lock
blender.exe         :0x00007FF70E6EE880  BKE_image_pool_free
blender.exe         :0x00007FF70E6B5CF0  BKE_sculptsession_free
blender.exe         :0x00007FF70F1B67A0  ED_object_sculptmode_exit_ex
blender.exe         :0x00007FF70F1B85F0  sculpt_mode_toggle_exec
blender.exe         :0x00007FF70E953220  wm_operator_invoke
blender.exe         :0x00007FF70E9528D0  wm_operator_call_internal
blender.exe         :0x00007FF70E955880  WM_operator_name_call_ptr
blender.exe         :0x00007FF70F171800  ED_object_mode_set_ex
blender.exe         :0x00007FF70F148710  object_mode_set_exec
blender.exe         :0x00007FF70E953220  wm_operator_invoke
**System Information** Operating system: Windows 10 Graphics card: RTX 2070 Super **Blender Version** Broken: version: 3.4, 3.5, 3.6 Broken: version: 3.3.3, branch: master, commit date: 2023-01-17 08:40, hash: `rB8d94aeb604fa` Broken: 3.1.0 Worked: 3.0.1 Worked: 2.93 LTS Caused by 9111ea78ac **Short description of error** Blender crashes when a texture image is deleted and you exit sculpt mode. **Exact steps for others to reproduce the error** You can test it inside the attached blend file. I basically just attached an image to a sculpting brush. 1. Open the blend file below 2. draw on the surface of the sphere 3. delete the image inside the outliner 4. exit sculpt mode Crash occurs because `item->image->runtime.cache_mutex` is null inside `BKE_image_pool_free` ``` Stack trace: blender.exe :0x00007FF713D04C10 pthread_mutex_lock blender.exe :0x00007FF70E6EE880 BKE_image_pool_free blender.exe :0x00007FF70E6B5CF0 BKE_sculptsession_free blender.exe :0x00007FF70F1B67A0 ED_object_sculptmode_exit_ex blender.exe :0x00007FF70F1B85F0 sculpt_mode_toggle_exec blender.exe :0x00007FF70E953220 wm_operator_invoke blender.exe :0x00007FF70E9528D0 wm_operator_call_internal blender.exe :0x00007FF70E955880 WM_operator_name_call_ptr blender.exe :0x00007FF70F171800 ED_object_mode_set_ex blender.exe :0x00007FF70F148710 object_mode_set_exec blender.exe :0x00007FF70E953220 wm_operator_invoke ```
SculptDeleteImageCrash.blend
2.8 MiB
Robin Hohnsbeen added the
Priority
Normal
Status
Needs Triage
Type
Report
 labels 2023-04-12 19:02:17 +02:00
Jesse Yurkovich commented 2023-04-13 01:09:27 +02:00
Member
Copy Link

Seems like a long standing issue and repros back to at least 3.3 LTS (2.93 LTS is fine).

Seems like a long standing issue and repros back to at least 3.3 LTS (2.93 LTS is fine).
Jesse Yurkovich added
Module
Sculpt, Paint & Texture
Status
Confirmed
 and removed
Status
Needs Triage
 labels 2023-04-13 01:09:55 +02:00
Philipp Oeser commented 2023-04-13 10:26:40 +02:00
Member
Copy Link

Caused by 9111ea78ac

Got a fix.

Caused by 9111ea78acf457c27655dbdd7e7fd9d221db67e0 Got a fix.
Philipp Oeser self-assigned this 2023-04-13 10:26:54 +02:00
Philipp Oeser commented 2023-04-13 11:28:48 +02:00
Member
Copy Link

Since 9111ea78ac, BKE_image_pool_free would access ImagePoolItem image->runtime.cache_mutex [which could be NULL after deleting the Image ID from the Outliner]

It would appear that the following diff fixes it in release builds, but still getting heap-use-after-free in a debug build:

diff --git a/source/blender/blenkernel/intern/image.cc b/source/blender/blenkernel/intern/image.cc
index 205b08deeb7..46150cf448c 100644
--- a/source/blender/blenkernel/intern/image.cc
+++ b/source/blender/blenkernel/intern/image.cc
@@ -4838,7 +4838,7 @@ void BKE_image_pool_free(ImagePool *pool)
   for (ImagePoolItem *item = static_cast<ImagePoolItem *>(pool->image_buffers.first);
        item != nullptr;
        item = item->next) {
-    if (item->ibuf != nullptr) {
+    if (item->image->runtime.cache_mutex != nullptr && item->ibuf != nullptr) {
       BLI_mutex_lock(static_cast<ThreadMutex *>(item->image->runtime.cache_mutex));
       IMB_freeImBuf(item->ibuf);
       BLI_mutex_unlock(static_cast<ThreadMutex *>(item->image->runtime.cache_mutex));

==1360026==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000194a88 at pc 0x000000cc1775 bp 0x7ffd5a284180 sp 0x7ffd5a284178
READ of size 8 at 0x61b000194a88 thread T0
    #0 0xcc1774 in BKE_image_pool_free /blender/source/blender/blenkernel/intern/image.cc:4841
    #1 0x13c153a in BKE_sculptsession_free /blender/source/blender/blenkernel/intern/paint.cc:1513
    #2 0x9a32852 in ED_object_sculptmode_exit_ex /blender/source/blender/editors/sculpt_paint/sculpt_ops.cc:464
    #3 0x9a32c74 in sculpt_mode_toggle_exec /blender/source/blender/editors/sculpt_paint/sculpt_ops.cc:505
    #4 0x3c63d70 in wm_operator_invoke /blender/source/blender/windowmanager/intern/wm_event_system.cc:1539
    #5 0x3c65465 in wm_operator_call_internal /blender/source/blender/windowmanager/intern/wm_event_system.cc:1727
    #6 0x3c656ca in WM_operator_name_call_ptr /blender/source/blender/windowmanager/intern/wm_event_system.cc:1775
    #7 0x9286744 in ED_object_mode_set_ex /blender/source/blender/editors/object/object_modes.cc:215
    #8 0x9263999 in object_mode_set_exec /blender/source/blender/editors/object/object_edit.cc:1774
    #9 0x3c63d70 in wm_operator_invoke /blender/source/blender/windowmanager/intern/wm_event_system.cc:1539
    #10 0x3c65465 in wm_operator_call_internal /blender/source/blender/windowmanager/intern/wm_event_system.cc:1727
    #11 0x3c656ca in WM_operator_name_call_ptr /blender/source/blender/windowmanager/intern/wm_event_system.cc:1775
    #12 0x3c66bdd in WM_operator_name_call_ptr_with_depends_on_cursor /blender/source/blender/windowmanager/intern/wm_event_system.cc:1968
    #13 0x9ff4ecd in ui_apply_but_funcs_after /blender/source/blender/editors/interface/interface_handlers.cc:1021
    #14 0xa087089 in ui_handler_region_menu /blender/source/blender/editors/interface/interface_handlers.cc:11449
    #15 0x3c5c512 in wm_handler_ui_call /blender/source/blender/windowmanager/intern/wm_event_system.cc:814
    #16 0x3c7620e in wm_handlers_do_intern /blender/source/blender/windowmanager/intern/wm_event_system.cc:3305
    #17 0x3c775c5 in wm_handlers_do /blender/source/blender/windowmanager/intern/wm_event_system.cc:3422
    #18 0x3c81afb in wm_event_do_handlers /blender/source/blender/windowmanager/intern/wm_event_system.cc:4044
    #19 0x3c3a2d6 in WM_main /blender/source/blender/windowmanager/intern/wm.c:646
    #20 0x93fff1 in main /blender/source/creator/creator.c:594
    #21 0x7f9655e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
    #22 0x7f9655e4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
    #23 0x93eee4 in _start (/build_linux_debug/bin/blender+0x93eee4)

0x61b000194a88 is located 1544 bytes inside of 1568-byte region [0x61b000194480,0x61b000194aa0)
freed by thread T0 here:
    #0 0x7f965dab9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
    #1 0x1fd0bc54 in MEM_lockfree_freeN /blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:102
    #2 0xe69ee8 in BKE_id_free_ex /blender/source/blender/blenkernel/intern/lib_id_delete.c:168
    #3 0xe6bcd1 in id_delete /blender/source/blender/blenkernel/intern/lib_id_delete.c:363
    #4 0xe6c044 in BKE_id_multi_tagged_delete /blender/source/blender/blenkernel/intern/lib_id_delete.c:386
    #5 0xb3d1e66 in outliner_id_operation_exec /blender/source/blender/editors/space_outliner/outliner_tools.cc:2799
    #6 0x3cfe026 in WM_menu_invoke_ex /blender/source/blender/windowmanager/intern/wm_operators.c:1043
    #7 0x3cfe3d8 in WM_menu_invoke /blender/source/blender/windowmanager/intern/wm_operators.c:1063
    #8 0x3c6370b in wm_operator_invoke /blender/source/blender/windowmanager/intern/wm_event_system.cc:1527
    #9 0x3c65465 in wm_operator_call_internal /blender/source/blender/windowmanager/intern/wm_event_system.cc:1727
    #10 0x3c656ca in WM_operator_name_call_ptr /blender/source/blender/windowmanager/intern/wm_event_system.cc:1775
    #11 0x3c66bdd in WM_operator_name_call_ptr_with_depends_on_cursor /blender/source/blender/windowmanager/intern/wm_event_system.cc:1968
    #12 0x9ff4ecd in ui_apply_but_funcs_after /blender/source/blender/editors/interface/interface_handlers.cc:1021
    #13 0xa087cd1 in ui_popup_handler /blender/source/blender/editors/interface/interface_handlers.cc:11539
    #14 0x3c5c512 in wm_handler_ui_call /blender/source/blender/windowmanager/intern/wm_event_system.cc:814
    #15 0x3c7620e in wm_handlers_do_intern /blender/source/blender/windowmanager/intern/wm_event_system.cc:3305
    #16 0x3c775c5 in wm_handlers_do /blender/source/blender/windowmanager/intern/wm_event_system.cc:3422
    #17 0x3c81afb in wm_event_do_handlers /blender/source/blender/windowmanager/intern/wm_event_system.cc:4044
    #18 0x3c3a2d6 in WM_main /blender/source/blender/windowmanager/intern/wm.c:646
    #19 0x93fff1 in main /blender/source/creator/creator.c:594
    #20 0x7f9655e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)

previously allocated by thread T0 here:
    #0 0x7f965daba097 in calloc (/lib64/libasan.so.8+0xba097)
    #1 0x1fd0c389 in MEM_lockfree_callocN /blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:208
    #2 0x10934617 in DNA_struct_reconstruct /blender/source/blender/makesdna/intern/dna_genfile.c:1233
    #3 0x3e7f2eb in read_struct /blender/source/blender/blenloader/intern/readfile.cc:1744
    #4 0x3e901db in read_libblock /blender/source/blender/blenloader/intern/readfile.cc:3274
    #5 0x3e98f62 in blo_read_file_internal /blender/source/blender/blenloader/intern/readfile.cc:3885
    #6 0x3e6b37d in BLO_read_from_file /blender/source/blender/blenloader/intern/readblenentry.cc:407
    #7 0x95eabb in BKE_blendfile_read /blender/source/blender/blenkernel/intern/blendfile.cc:588
    #8 0x3ca4fe1 in WM_file_read /blender/source/blender/windowmanager/intern/wm_files.cc:977
    #9 0x3cb1b63 in wm_file_read_opwrap /blender/source/blender/windowmanager/intern/wm_files.cc:2646
    #10 0x3cb2b84 in wm_open_mainfile__open /blender/source/blender/windowmanager/intern/wm_files.cc:2768
    #11 0x3cb1ef5 in operator_state_dispatch /blender/source/blender/windowmanager/intern/wm_files.cc:2682
    #12 0x3cb2de2 in wm_open_mainfile_dispatch /blender/source/blender/windowmanager/intern/wm_files.cc:2792
    #13 0x3cb21b5 in wm_open_mainfile__discard_changes /blender/source/blender/windowmanager/intern/wm_files.cc:2721
    #14 0x3cb1ef5 in operator_state_dispatch /blender/source/blender/windowmanager/intern/wm_files.cc:2682
    #15 0x3cb2de2 in wm_open_mainfile_dispatch /blender/source/blender/windowmanager/intern/wm_files.cc:2792
    #16 0x3cb2e0b in wm_open_mainfile_invoke /blender/source/blender/windowmanager/intern/wm_files.cc:2797
    #17 0x3c6370b in wm_operator_invoke /blender/source/blender/windowmanager/intern/wm_event_system.cc:1527
    #18 0x3c655c5 in wm_operator_call_internal /blender/source/blender/windowmanager/intern/wm_event_system.cc:1761
    #19 0x3c656ca in WM_operator_name_call_ptr /blender/source/blender/windowmanager/intern/wm_event_system.cc:1775
    #20 0x3c66bdd in WM_operator_name_call_ptr_with_depends_on_cursor /blender/source/blender/windowmanager/intern/wm_event_system.cc:1968
    #21 0x9ff4ecd in ui_apply_but_funcs_after /blender/source/blender/editors/interface/interface_handlers.cc:1021
    #22 0xa087cd1 in ui_popup_handler /blender/source/blender/editors/interface/interface_handlers.cc:11539
    #23 0x3c5c512 in wm_handler_ui_call /blender/source/blender/windowmanager/intern/wm_event_system.cc:814
    #24 0x3c7620e in wm_handlers_do_intern /blender/source/blender/windowmanager/intern/wm_event_system.cc:3305
    #25 0x3c775c5 in wm_handlers_do /blender/source/blender/windowmanager/intern/wm_event_system.cc:3422
    #26 0x3c81afb in wm_event_do_handlers /blender/source/blender/windowmanager/intern/wm_event_system.cc:4044
    #27 0x3c3a2d6 in WM_main /blender/source/blender/windowmanager/intern/wm.c:646
    #28 0x93fff1 in main /blender/source/creator/creator.c:594
    #29 0x7f9655e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)

SUMMARY: AddressSanitizer: heap-use-after-free /blender/source/blender/blenkernel/intern/image.cc:4841 in BKE_image_pool_free
Shadow bytes around the buggy address:
  0x0c368002a900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c368002a910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c368002a920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c368002a930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c368002a940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c368002a950: fd[fd]fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c368002a960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c368002a970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c368002a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c368002a990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c368002a9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1360026==ABORTING

@Sergey would probably know better

Since 9111ea78acf457c27655dbdd7e7fd9d221db67e0, `BKE_image_pool_free` would access `ImagePoolItem` `image->runtime.cache_mutex` [which could be NULL after deleting the Image ID from the Outliner] It would appear that the following diff fixes it in release builds, but still getting `heap-use-after-free` in a debug build: ```diff diff --git a/source/blender/blenkernel/intern/image.cc b/source/blender/blenkernel/intern/image.cc index 205b08deeb7..46150cf448c 100644 --- a/source/blender/blenkernel/intern/image.cc +++ b/source/blender/blenkernel/intern/image.cc @@ -4838,7 +4838,7 @@ void BKE_image_pool_free(ImagePool *pool) for (ImagePoolItem *item = static_cast<ImagePoolItem *>(pool->image_buffers.first); item != nullptr; item = item->next) { - if (item->ibuf != nullptr) { + if (item->image->runtime.cache_mutex != nullptr && item->ibuf != nullptr) { BLI_mutex_lock(static_cast<ThreadMutex *>(item->image->runtime.cache_mutex)); IMB_freeImBuf(item->ibuf); BLI_mutex_unlock(static_cast<ThreadMutex *>(item->image->runtime.cache_mutex)); ``` ``` ==1360026==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000194a88 at pc 0x000000cc1775 bp 0x7ffd5a284180 sp 0x7ffd5a284178 READ of size 8 at 0x61b000194a88 thread T0 #0 0xcc1774 in BKE_image_pool_free /blender/source/blender/blenkernel/intern/image.cc:4841 #1 0x13c153a in BKE_sculptsession_free /blender/source/blender/blenkernel/intern/paint.cc:1513 #2 0x9a32852 in ED_object_sculptmode_exit_ex /blender/source/blender/editors/sculpt_paint/sculpt_ops.cc:464 #3 0x9a32c74 in sculpt_mode_toggle_exec /blender/source/blender/editors/sculpt_paint/sculpt_ops.cc:505 #4 0x3c63d70 in wm_operator_invoke /blender/source/blender/windowmanager/intern/wm_event_system.cc:1539 #5 0x3c65465 in wm_operator_call_internal /blender/source/blender/windowmanager/intern/wm_event_system.cc:1727 #6 0x3c656ca in WM_operator_name_call_ptr /blender/source/blender/windowmanager/intern/wm_event_system.cc:1775 #7 0x9286744 in ED_object_mode_set_ex /blender/source/blender/editors/object/object_modes.cc:215 #8 0x9263999 in object_mode_set_exec /blender/source/blender/editors/object/object_edit.cc:1774 #9 0x3c63d70 in wm_operator_invoke /blender/source/blender/windowmanager/intern/wm_event_system.cc:1539 #10 0x3c65465 in wm_operator_call_internal /blender/source/blender/windowmanager/intern/wm_event_system.cc:1727 #11 0x3c656ca in WM_operator_name_call_ptr /blender/source/blender/windowmanager/intern/wm_event_system.cc:1775 #12 0x3c66bdd in WM_operator_name_call_ptr_with_depends_on_cursor /blender/source/blender/windowmanager/intern/wm_event_system.cc:1968 #13 0x9ff4ecd in ui_apply_but_funcs_after /blender/source/blender/editors/interface/interface_handlers.cc:1021 #14 0xa087089 in ui_handler_region_menu /blender/source/blender/editors/interface/interface_handlers.cc:11449 #15 0x3c5c512 in wm_handler_ui_call /blender/source/blender/windowmanager/intern/wm_event_system.cc:814 #16 0x3c7620e in wm_handlers_do_intern /blender/source/blender/windowmanager/intern/wm_event_system.cc:3305 #17 0x3c775c5 in wm_handlers_do /blender/source/blender/windowmanager/intern/wm_event_system.cc:3422 #18 0x3c81afb in wm_event_do_handlers /blender/source/blender/windowmanager/intern/wm_event_system.cc:4044 #19 0x3c3a2d6 in WM_main /blender/source/blender/windowmanager/intern/wm.c:646 #20 0x93fff1 in main /blender/source/creator/creator.c:594 #21 0x7f9655e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #22 0x7f9655e4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #23 0x93eee4 in _start (/build_linux_debug/bin/blender+0x93eee4) 0x61b000194a88 is located 1544 bytes inside of 1568-byte region [0x61b000194480,0x61b000194aa0) freed by thread T0 here: #0 0x7f965dab9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388) #1 0x1fd0bc54 in MEM_lockfree_freeN /blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:102 #2 0xe69ee8 in BKE_id_free_ex /blender/source/blender/blenkernel/intern/lib_id_delete.c:168 #3 0xe6bcd1 in id_delete /blender/source/blender/blenkernel/intern/lib_id_delete.c:363 #4 0xe6c044 in BKE_id_multi_tagged_delete /blender/source/blender/blenkernel/intern/lib_id_delete.c:386 #5 0xb3d1e66 in outliner_id_operation_exec /blender/source/blender/editors/space_outliner/outliner_tools.cc:2799 #6 0x3cfe026 in WM_menu_invoke_ex /blender/source/blender/windowmanager/intern/wm_operators.c:1043 #7 0x3cfe3d8 in WM_menu_invoke /blender/source/blender/windowmanager/intern/wm_operators.c:1063 #8 0x3c6370b in wm_operator_invoke /blender/source/blender/windowmanager/intern/wm_event_system.cc:1527 #9 0x3c65465 in wm_operator_call_internal /blender/source/blender/windowmanager/intern/wm_event_system.cc:1727 #10 0x3c656ca in WM_operator_name_call_ptr /blender/source/blender/windowmanager/intern/wm_event_system.cc:1775 #11 0x3c66bdd in WM_operator_name_call_ptr_with_depends_on_cursor /blender/source/blender/windowmanager/intern/wm_event_system.cc:1968 #12 0x9ff4ecd in ui_apply_but_funcs_after /blender/source/blender/editors/interface/interface_handlers.cc:1021 #13 0xa087cd1 in ui_popup_handler /blender/source/blender/editors/interface/interface_handlers.cc:11539 #14 0x3c5c512 in wm_handler_ui_call /blender/source/blender/windowmanager/intern/wm_event_system.cc:814 #15 0x3c7620e in wm_handlers_do_intern /blender/source/blender/windowmanager/intern/wm_event_system.cc:3305 #16 0x3c775c5 in wm_handlers_do /blender/source/blender/windowmanager/intern/wm_event_system.cc:3422 #17 0x3c81afb in wm_event_do_handlers /blender/source/blender/windowmanager/intern/wm_event_system.cc:4044 #18 0x3c3a2d6 in WM_main /blender/source/blender/windowmanager/intern/wm.c:646 #19 0x93fff1 in main /blender/source/creator/creator.c:594 #20 0x7f9655e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) previously allocated by thread T0 here: #0 0x7f965daba097 in calloc (/lib64/libasan.so.8+0xba097) #1 0x1fd0c389 in MEM_lockfree_callocN /blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:208 #2 0x10934617 in DNA_struct_reconstruct /blender/source/blender/makesdna/intern/dna_genfile.c:1233 #3 0x3e7f2eb in read_struct /blender/source/blender/blenloader/intern/readfile.cc:1744 #4 0x3e901db in read_libblock /blender/source/blender/blenloader/intern/readfile.cc:3274 #5 0x3e98f62 in blo_read_file_internal /blender/source/blender/blenloader/intern/readfile.cc:3885 #6 0x3e6b37d in BLO_read_from_file /blender/source/blender/blenloader/intern/readblenentry.cc:407 #7 0x95eabb in BKE_blendfile_read /blender/source/blender/blenkernel/intern/blendfile.cc:588 #8 0x3ca4fe1 in WM_file_read /blender/source/blender/windowmanager/intern/wm_files.cc:977 #9 0x3cb1b63 in wm_file_read_opwrap /blender/source/blender/windowmanager/intern/wm_files.cc:2646 #10 0x3cb2b84 in wm_open_mainfile__open /blender/source/blender/windowmanager/intern/wm_files.cc:2768 #11 0x3cb1ef5 in operator_state_dispatch /blender/source/blender/windowmanager/intern/wm_files.cc:2682 #12 0x3cb2de2 in wm_open_mainfile_dispatch /blender/source/blender/windowmanager/intern/wm_files.cc:2792 #13 0x3cb21b5 in wm_open_mainfile__discard_changes /blender/source/blender/windowmanager/intern/wm_files.cc:2721 #14 0x3cb1ef5 in operator_state_dispatch /blender/source/blender/windowmanager/intern/wm_files.cc:2682 #15 0x3cb2de2 in wm_open_mainfile_dispatch /blender/source/blender/windowmanager/intern/wm_files.cc:2792 #16 0x3cb2e0b in wm_open_mainfile_invoke /blender/source/blender/windowmanager/intern/wm_files.cc:2797 #17 0x3c6370b in wm_operator_invoke /blender/source/blender/windowmanager/intern/wm_event_system.cc:1527 #18 0x3c655c5 in wm_operator_call_internal /blender/source/blender/windowmanager/intern/wm_event_system.cc:1761 #19 0x3c656ca in WM_operator_name_call_ptr /blender/source/blender/windowmanager/intern/wm_event_system.cc:1775 #20 0x3c66bdd in WM_operator_name_call_ptr_with_depends_on_cursor /blender/source/blender/windowmanager/intern/wm_event_system.cc:1968 #21 0x9ff4ecd in ui_apply_but_funcs_after /blender/source/blender/editors/interface/interface_handlers.cc:1021 #22 0xa087cd1 in ui_popup_handler /blender/source/blender/editors/interface/interface_handlers.cc:11539 #23 0x3c5c512 in wm_handler_ui_call /blender/source/blender/windowmanager/intern/wm_event_system.cc:814 #24 0x3c7620e in wm_handlers_do_intern /blender/source/blender/windowmanager/intern/wm_event_system.cc:3305 #25 0x3c775c5 in wm_handlers_do /blender/source/blender/windowmanager/intern/wm_event_system.cc:3422 #26 0x3c81afb in wm_event_do_handlers /blender/source/blender/windowmanager/intern/wm_event_system.cc:4044 #27 0x3c3a2d6 in WM_main /blender/source/blender/windowmanager/intern/wm.c:646 #28 0x93fff1 in main /blender/source/creator/creator.c:594 #29 0x7f9655e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: heap-use-after-free /blender/source/blender/blenkernel/intern/image.cc:4841 in BKE_image_pool_free Shadow bytes around the buggy address: 0x0c368002a900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368002a910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368002a920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368002a930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368002a940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c368002a950: fd[fd]fd fd fa fa fa fa fa fa fa fa fa fa fa fa 0x0c368002a960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c368002a970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c368002a980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c368002a990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c368002a9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1360026==ABORTING ``` @Sergey would probably know better
Philipp Oeser removed their assignment 2023-04-13 11:28:58 +02:00
Sergey Sharybin commented 2023-04-13 12:58:03 +02:00
Owner
Copy Link

The image itself is removed, so the item->image can not be de-referenced.

One of the options is to limit the image pool to only be available during a stroke, and dispose it at the end of the stroke. It will solve those dangling pointers problem. The downside is that technically it causes extra lookup at the first pixel of the step of a stroke. I am not sure artists will notice a difference, but it needs to be tested. The testing can be done by clearing the tex_pool in the sculpt_stroke_done().

Alternatively maybe it is possible to forbid deletion of ID when in painting mode.

Or somehow maintain a list of pools and remove entries from them when image datablock is removed. But such complex solution is something I'd try to avoid.

The image itself is removed, so the `item->image` can not be de-referenced. One of the options is to limit the image pool to only be available during a stroke, and dispose it at the end of the stroke. It will solve those dangling pointers problem. The downside is that technically it causes extra lookup at the first pixel of the step of a stroke. I am not sure artists will notice a difference, but it needs to be tested. The testing can be done by clearing the `tex_pool` in the `sculpt_stroke_done()`. Alternatively maybe it is possible to forbid deletion of ID when in painting mode. Or somehow maintain a list of pools and remove entries from them when image datablock is removed. But such complex solution is something I'd try to avoid.
Bastien Montagne commented 2023-04-18 14:46:14 +02:00
Owner
Copy Link

Shouldn't SculptSession data be handled as part of object_foreach_id anyway? This struct stores other ID pointers too, like the scene one...

Shouldn't `SculptSession` data be handled as part of `object_foreach_id` anyway? This struct stores other ID pointers too, like the `scene` one...
Bastien Montagne added
Type
Bug
 and removed
Type
Report
 labels 2023-04-18 15:19:42 +02:00
Sergey Sharybin commented 2023-04-18 15:28:27 +02:00
Owner
Copy Link

The SculptSession perhaps. It is a bit confusing how bad things are w.r.t removed IDs as many of them are re-assigned at the beginning of a stroke.

That being said, I don't think ImagePool should be covered by any of foreach-id.

The `SculptSession` perhaps. It is a bit confusing how bad things are w.r.t removed IDs as many of them are re-assigned at the beginning of a stroke. That being said, I don't think `ImagePool` should be covered by any of foreach-id.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
blender-v3.3-release
partial-write-refactor
brush-assets-project
universal-scene-description
fix-121021
blender-v4.1-release
blender-v3.6-release
blender-v3.6-temp_wmoss_animrig_public
temp-sculpt-dyntopo
gpencil-next
anim/animation-id-113594
blender-v4.0-release
blender-projects-basics
bridge-curves
sculpt-blender
asset-browser-frontend-split
asset-shelf
tmp-usd-python-mtl
tmp-usd-3.6
blender-v3.5-release
blender-v2.93-release
realtime-clock
sculpt-dev
bevelv2
xr-dev
v4.1.1
v3.6.11
v3.3.18
v4.1.0
v3.3.17
v3.6.10
v3.6.9
v3.3.16
v3.6.8
v3.6.7
v3.3.14
v4.0.2
v4.0.1
v4.0.0
v3.6.5
v3.3.12
v3.6.4
v3.6.3
v3.3.11
v3.6.2
v3.3.10
v3.6.1
v3.3.9
v3.6.0
v3.3.8
v3.3.7
v2.93.18
v3.5.1
v3.3.6
v2.93.17
v3.5.0
v2.93.16
v3.3.5
v3.3.4
v2.93.15
v2.93.14
v3.3.3
v2.93.13
v2.93.12
v3.4.1
v3.3.2
v3.4.0
v3.3.1
v2.93.11
v3.3.0
v3.2.2
v2.93.10
v3.2.1
v3.2.0
v2.83.20
v2.93.9
v3.1.2
v3.1.1
v3.1.0
v2.83.19
v2.93.8
v3.0.1
v2.93.7
v3.0.0
v2.93.6
v2.93.5
v2.83.18
v2.93.4
v2.93.3
v2.83.17
v2.93.2
v2.93.1
v2.83.16
v2.93.0
v2.83.15
v2.83.14
v2.83.13
v2.92.0
v2.83.12
v2.91.2
v2.83.10
v2.91.0
v2.83.9
v2.83.8
v2.83.7
v2.90.1
v2.83.6.1
v2.83.6
v2.90.0
v2.83.5
v2.83.4
v2.83.3
v2.83.2
v2.83.1
v2.83
v2.82a
v2.82
v2.81a
v2.81
v2.80
v2.80-rc3
v2.80-rc2
v2.80-rc1
v2.79b
v2.79a
v2.79
v2.79-rc2
v2.79-rc1
v2.78c
v2.78b
v2.78a
v2.78
v2.78-rc2
v2.78-rc1
v2.77a
v2.77
v2.77-rc2
v2.77-rc1
v2.76b
v2.76a
v2.76
v2.76-rc3
v2.76-rc2
v2.76-rc1
v2.75a
v2.75
v2.75-rc2
v2.75-rc1
v2.74
v2.74-rc4
v2.74-rc3
v2.74-rc2
v2.74-rc1
v2.73a
v2.73
v2.73-rc1
v2.72b
2.72b
v2.72a
v2.72
v2.72-rc1
v2.71
v2.71-rc2
v2.71-rc1
v2.70a
v2.70
v2.70-rc2
v2.70-rc
v2.69
v2.68a
v2.68
v2.67b
v2.67a
v2.67
v2.66a
v2.66
v2.65a
v2.65
v2.64a
v2.64
v2.63a
v2.63
v2.61
v2.60a
v2.60
v2.59
v2.58a
v2.58
v2.57b
v2.57a
v2.57
v2.56a
v2.56
v2.55
v2.54
v2.53
v2.52
v2.51
v2.50
v2.49b
v2.49a
v2.49
v2.48a
v2.48
v2.47
v2.46
v2.45
v2.44
v2.43
v2.42a
v2.42
v2.41
v2.40
v2.37a
v2.37
v2.36
v2.35a
v2.35
v2.34
v2.33a
v2.33
v2.32
v2.31a
v2.31
v2.30
v2.28c
v2.28a
v2.28
v2.27
v2.26
v2.25
Labels
Clear labels   
Interest
Alembic

  
Interest
Animation & Rigging

  
Interest
Asset Browser

  
Interest
Asset Browser Project Overview

  
Interest
Audio

  
Interest
Automated Testing

  
Interest
Blender Asset Bundle

  
Interest
BlendFile

  
Interest
Collada

  
Interest
Compatibility
This issue affects/is about backward or forward compatibility

  
Interest
Compositing

  
Interest
Core

  
Interest
Cycles

  
Interest
Dependency Graph

  
Interest
Development Management

  
Interest
EEVEE

  
Interest
EEVEE & Viewport

  
Interest
Freestyle

  
Interest
Geometry Nodes

  
Interest
Grease Pencil

  
Interest
ID Management

  
Interest
Images & Movies

  
Interest
Import Export

  
Interest
Line Art

  
Interest
Masking

  
Interest
Metal

  
Interest
Modeling

  
Interest
Modifiers

  
Interest
Motion Tracking

  
Interest
Nodes & Physics

  
Interest
OpenGL

  
Interest
Overlay

  
Interest
Overrides

  
Interest
Performance

  
Interest
Physics

  
Interest
Pipeline, Assets & IO

  
Interest
Platforms, Builds & Tests

  
Interest
Python API

  
Interest
Render & Cycles

  
Interest
Render Pipeline

  
Interest
Sculpt, Paint & Texture

  
Interest
Text Editor

  
Interest
Translations

  
Interest
Triaging

  
Interest
Undo

  
Interest
USD

  
Interest
User Interface

  
Interest
UV Editing

  
Interest
VFX & Video

  
Interest
Video Sequencer

  
Interest
Virtual Reality

  
Interest
Vulkan

  
Interest
Wayland
Issues relating to Wayland windowing support.

  
Interest
Workbench

  
Interest: X11

Issues relating to Xorg/X11 support.

  
Legacy
Blender 2.8 Project

  
Legacy
Milestone 1: Basic, Local Asset Browser

  
Legacy
OpenGL Error

  
Meta
Good First Issue

  
Meta
Papercut

  
Meta
Retrospective

  
Meta
Security
Issues relating to security: https://wiki.blender.org/wiki/Process/Vulnerability_Reports

  
Module
Animation & Rigging

  
Module
Core

  
Module
Development Management

  
Module
EEVEE & Viewport

  
Module
Grease Pencil

  
Module
Modeling

  
Module
Nodes & Physics

  
Module
Pipeline, Assets & IO

  
Module
Platforms, Builds & Tests

  
Module
Python API

  
Module
Render & Cycles

  
Module
Sculpt, Paint & Texture

  
Module
Triaging

  
Module
User Interface

  
Module
VFX & Video

  
Platform
FreeBSD

  
Platform
Linux

  
Platform
macOS

  
Platform
Windows

  
Priority
High

  
Priority
Low

  
Priority
Normal

  
Priority
Unbreak Now!

  
Status
Archived

  
Status
Confirmed

  
Status
Duplicate

  
Status
Needs Info from Developers

  
Status
Needs Information from User

  
Status
Needs Triage

  
Status
Resolved

  
Type
Bug

  
Type
Design

  
Type
Known Issue

  
Type
Patch

  
Type
Report

  
Type
To Do

No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
5 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: blender/blender#106872
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?