blender
/
blender
134
398
Fork 579
Code Issues 6.3k Pull Requests 754 Projects 19 Wiki Activity

Make WM_report/WM_timer thread safe (or forbid their usage from non-main thread, and add dedicated API for such usages). #112537

New Issue
Closed
opened 2023-09-18 18:39:12 +02:00 by Bastien Montagne · 6 comments
Bastien Montagne commented 2023-09-18 18:39:12 +02:00
Owner
Copy Link

Essentially, addressing #105369 was only covering the tip of the iceberg - the whole iceberg being that the whole handling of WM_report (in therefore WM_timer) is totally not thread-safe.

This leads to invalid memory accesses (use after free and the like) when flooding reports from worker threads. Both issues described below have been encountered while trying to export a massive production file (040_0050.anim.blend from r3055) to USD, which generates a lot of reports.

use-after-free of wmTimer:

Lost the backtrace...
But what was happening was a use-after-free error in WM_event_timer_remove(), when calling WM_event_timer_free_data. The issue here was likely that that timer had been freed by the main thread after being tagged, but before the call to WM_event_timer_free_data?

Use-after-free when removing timers

9  __asan::__asan_report_store8                      asan_rtl.cpp                127  0x7fd8e6ce2d1f 
10 BLI_remlink                                       listbase.cc                 142  0x13527f0b     
11 wm_window_timers_delete_removed                   wm_window.cc                2016 0x13cf9229     
12 wm_window_timers_process                          wm_window.cc                1681 0x13cf6f27     
13 wm_window_events_process                          wm_window.cc                1700 0x13cf70f1     
14 WM_main                                           wm.cc                       606  0x13ba1c86     
15 main                                              creator.cc                  590  0xf3c332f

This is likely caused by another thread adding a report (and therefore a timer) while 'to-be-freed' timers are being deleted from main thread.

TL; DR:

We cannot keep allowing usage of WM_report API from non-main threads as-is. The code is simply not thread-safe.

Proposal

  1. Poison usage of WM_report and WM_timer from non-main thread (add asserts in main entry points).
  2. 'low-level' threaded code is responsible to use their own ReportList data, and ensure it's properly synced with the WM one from main thread only.
  3. Extend the wmJob API to provide easy-to-use handling of reports (each job would get their private reports list, and job update code would be responsible to ensure proper update with the WM one).

Note that the other 'obvious' solution would be to make the whole WM_report/WM_timer code thread-safe. While possible (probably even relatively easy) to do, think it's better to follow the good pattern of each thread working on its own data as much as possible. It makes code having to be aware of synchronization issues smaller (the sync code between worker and main thread, instead of a whole set of API functions). And although this is not a main concern here, it's also usually better for performances (much less locking needed).

Essentially, addressing #105369 was only covering the tip of the iceberg - the whole iceberg being that the whole handling of WM_report (in therefore WM_timer) is totally not thread-safe. This leads to invalid memory accesses (use after free and the like) when flooding reports from worker threads. Both issues described below have been encountered while trying to export a massive production file (`040_0050.anim.blend` from `r3055`) to USD, which generates _a lot_ of reports. ### use-after-free of wmTimer: *Lost the backtrace...* But what was happening was a use-after-free error in `WM_event_timer_remove()`, when calling `WM_event_timer_free_data`. The issue here was likely that that timer had been freed by the main thread after being tagged, but before the call to `WM_event_timer_free_data`? ### Use-after-free when removing timers ``` 9 __asan::__asan_report_store8 asan_rtl.cpp 127 0x7fd8e6ce2d1f 10 BLI_remlink listbase.cc 142 0x13527f0b 11 wm_window_timers_delete_removed wm_window.cc 2016 0x13cf9229 12 wm_window_timers_process wm_window.cc 1681 0x13cf6f27 13 wm_window_events_process wm_window.cc 1700 0x13cf70f1 14 WM_main wm.cc 606 0x13ba1c86 15 main creator.cc 590 0xf3c332f ``` This is likely caused by another thread adding a report (and therefore a timer) while 'to-be-freed' timers are being deleted from main thread. # TL; DR: We cannot keep allowing usage of `WM_report` API from non-main threads as-is. The code is simply _not_ thread-safe. # Proposal 1. Poison usage of `WM_report` and `WM_timer` from non-main thread (add asserts in main entry points). 2. 'low-level' threaded code is responsible to use their own ReportList data, and ensure it's properly synced with the WM one from main thread only. 3. Extend the wmJob API to provide easy-to-use handling of reports (each job would get their private reports list, and job update code would be responsible to ensure proper update with the WM one). Note that the other 'obvious' solution would be to make the whole WM_report/WM_timer code thread-safe. While possible (probably even relatively easy) to do, think it's better to follow the good pattern of each thread working on its own data as much as possible. It makes code having to be aware of synchronization issues smaller (the sync code between worker and main thread, instead of a whole set of API functions). And although this is not a main concern here, it's also usually better for performances (much less locking needed).
Bastien Montagne added the
Type
Design
Module
Core
Interest
User Interface
 labels 2023-09-18 18:39:12 +02:00
Bastien Montagne commented 2023-09-18 18:43:49 +02:00
Author
Owner
Copy Link

@ideasman42 @brecht @Sergey you guys may be interested/have other ideas?

@ideasman42 @brecht @Sergey you guys may be interested/have other ideas?
Sergey Sharybin commented 2023-09-18 21:17:01 +02:00
Owner
Copy Link

I didn't really dig into the roots of the code yet, but feeling is: having two ways to report warnings from operations sounds error-prone. If some operation is refactored and moved to a thread it adds an extra point of failure. In reality I do not really see that all cases of reporting will be tested during development/review.

For being a good API you need to have a single point of entry for it, and require passing something that is intrinsicly local to the thread (to the main thread included).

What I am not sure about is that it feels that the WM_report should be less coupled to the timer reset. That'd need to be done anyway for the codepath which allows to report from threads anyway though.

I didn't really dig into the roots of the code yet, but feeling is: having two ways to report warnings from operations sounds error-prone. If some operation is refactored and moved to a thread it adds an extra point of failure. In reality I do not really see that all cases of reporting will be tested during development/review. For being a good API you need to have a single point of entry for it, and require passing something that is intrinsicly local to the thread (to the main thread included). What I am not sure about is that it feels that the `WM_report` should be less coupled to the timer reset. That'd need to be done anyway for the codepath which allows to report from threads anyway though.
Bastien Montagne commented 2023-09-25 16:30:34 +02:00
Author
Owner
Copy Link

I do not really see the issue with multiple API entry points here? We already have dedicated report API for generic, low-level BKE, WM, operators, modifiers... Don't really see why Jobs could not have their own report system as well.

And wmTimer is not the only issue here, nothing is threadsafe in WM_report or BKE_report either. I don't think having UI/WM-related API threadsafe should even be a goal at all tbh.

I do not really see the issue with multiple API entry points here? We already have dedicated report API for generic, low-level BKE, WM, operators, modifiers... Don't really see why Jobs could not have their own report system as well. And `wmTimer` is not the only issue here, nothing is threadsafe in `WM_report` or `BKE_report` either. I don't think having UI/WM-related API threadsafe should even be a goal at all tbh.
Sergey Sharybin commented 2023-10-02 12:20:16 +02:00
Owner
Copy Link

The operators don't really have own way of reporting things: they use BKE_report(), it is just the reports which comes from the op. If the job has its own job->report and BKE_report(job->reports, ...) is used then things are rather clear.

The operators don't really have own way of reporting things: they use `BKE_report()`, it is just the `reports` which comes from the `op`. If the job has its own `job->report` and `BKE_report(job->reports, ...)` is used then things are rather clear.
Bastien Montagne commented 2023-10-07 16:17:30 +02:00
Author
Owner
Copy Link

@Sergey that's exactly what I want to do - although it will require some 'smartness' to be thread-safe (enough) while not requiring any locking...

@Sergey that's exactly what I want to do - although it will require some 'smartness' to be thread-safe (enough) while not requiring any locking...
👍 1
Bastien Montagne commented 2023-10-18 13:12:46 +02:00
Author
Owner
Copy Link

Committed core parts of the change as 9727373821 and c5a408f5a1. USD part is being reviewed in !113883.

Committed core parts of the change as 9727373821 and c5a408f5a1. USD part is being reviewed in !113883.
Blender Bot added the
Status
Archived
 label 2023-10-18 13:12:51 +02:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
brush-assets-project
universal-scene-description
fix-121021
blender-v4.1-release
blender-v3.3-release
blender-v3.6-release
blender-v3.6-temp_wmoss_animrig_public
temp-sculpt-dyntopo
gpencil-next
anim/animation-id-113594
blender-v4.0-release
blender-projects-basics
bridge-curves
sculpt-blender
asset-browser-frontend-split
asset-shelf
tmp-usd-python-mtl
tmp-usd-3.6
blender-v3.5-release
blender-v2.93-release
realtime-clock
sculpt-dev
bevelv2
xr-dev
v4.1.1
v3.6.11
v3.3.18
v4.1.0
v3.3.17
v3.6.10
v3.6.9
v3.3.16
v3.6.8
v3.6.7
v3.3.14
v4.0.2
v4.0.1
v4.0.0
v3.6.5
v3.3.12
v3.6.4
v3.6.3
v3.3.11
v3.6.2
v3.3.10
v3.6.1
v3.3.9
v3.6.0
v3.3.8
v3.3.7
v2.93.18
v3.5.1
v3.3.6
v2.93.17
v3.5.0
v2.93.16
v3.3.5
v3.3.4
v2.93.15
v2.93.14
v3.3.3
v2.93.13
v2.93.12
v3.4.1
v3.3.2
v3.4.0
v3.3.1
v2.93.11
v3.3.0
v3.2.2
v2.93.10
v3.2.1
v3.2.0
v2.83.20
v2.93.9
v3.1.2
v3.1.1
v3.1.0
v2.83.19
v2.93.8
v3.0.1
v2.93.7
v3.0.0
v2.93.6
v2.93.5
v2.83.18
v2.93.4
v2.93.3
v2.83.17
v2.93.2
v2.93.1
v2.83.16
v2.93.0
v2.83.15
v2.83.14
v2.83.13
v2.92.0
v2.83.12
v2.91.2
v2.83.10
v2.91.0
v2.83.9
v2.83.8
v2.83.7
v2.90.1
v2.83.6.1
v2.83.6
v2.90.0
v2.83.5
v2.83.4
v2.83.3
v2.83.2
v2.83.1
v2.83
v2.82a
v2.82
v2.81a
v2.81
v2.80
v2.80-rc3
v2.80-rc2
v2.80-rc1
v2.79b
v2.79a
v2.79
v2.79-rc2
v2.79-rc1
v2.78c
v2.78b
v2.78a
v2.78
v2.78-rc2
v2.78-rc1
v2.77a
v2.77
v2.77-rc2
v2.77-rc1
v2.76b
v2.76a
v2.76
v2.76-rc3
v2.76-rc2
v2.76-rc1
v2.75a
v2.75
v2.75-rc2
v2.75-rc1
v2.74
v2.74-rc4
v2.74-rc3
v2.74-rc2
v2.74-rc1
v2.73a
v2.73
v2.73-rc1
v2.72b
2.72b
v2.72a
v2.72
v2.72-rc1
v2.71
v2.71-rc2
v2.71-rc1
v2.70a
v2.70
v2.70-rc2
v2.70-rc
v2.69
v2.68a
v2.68
v2.67b
v2.67a
v2.67
v2.66a
v2.66
v2.65a
v2.65
v2.64a
v2.64
v2.63a
v2.63
v2.61
v2.60a
v2.60
v2.59
v2.58a
v2.58
v2.57b
v2.57a
v2.57
v2.56a
v2.56
v2.55
v2.54
v2.53
v2.52
v2.51
v2.50
v2.49b
v2.49a
v2.49
v2.48a
v2.48
v2.47
v2.46
v2.45
v2.44
v2.43
v2.42a
v2.42
v2.41
v2.40
v2.37a
v2.37
v2.36
v2.35a
v2.35
v2.34
v2.33a
v2.33
v2.32
v2.31a
v2.31
v2.30
v2.28c
v2.28a
v2.28
v2.27
v2.26
v2.25
Labels
Clear labels   
Interest
Alembic

  
Interest
Animation & Rigging

  
Interest
Asset Browser

  
Interest
Asset Browser Project Overview

  
Interest
Audio

  
Interest
Automated Testing

  
Interest
Blender Asset Bundle

  
Interest
BlendFile

  
Interest
Collada

  
Interest
Compatibility
This issue affects/is about backward or forward compatibility

  
Interest
Compositing

  
Interest
Core

  
Interest
Cycles

  
Interest
Dependency Graph

  
Interest
Development Management

  
Interest
EEVEE

  
Interest
EEVEE & Viewport

  
Interest
Freestyle

  
Interest
Geometry Nodes

  
Interest
Grease Pencil

  
Interest
ID Management

  
Interest
Images & Movies

  
Interest
Import Export

  
Interest
Line Art

  
Interest
Masking

  
Interest
Metal

  
Interest
Modeling

  
Interest
Modifiers

  
Interest
Motion Tracking

  
Interest
Nodes & Physics

  
Interest
OpenGL

  
Interest
Overlay

  
Interest
Overrides

  
Interest
Performance

  
Interest
Physics

  
Interest
Pipeline, Assets & IO

  
Interest
Platforms, Builds & Tests

  
Interest
Python API

  
Interest
Render & Cycles

  
Interest
Render Pipeline

  
Interest
Sculpt, Paint & Texture

  
Interest
Text Editor

  
Interest
Translations

  
Interest
Triaging

  
Interest
Undo

  
Interest
USD

  
Interest
User Interface

  
Interest
UV Editing

  
Interest
VFX & Video

  
Interest
Video Sequencer

  
Interest
Virtual Reality

  
Interest
Vulkan

  
Interest
Wayland
Issues relating to Wayland windowing support.

  
Interest
Workbench

  
Interest: X11

Issues relating to Xorg/X11 support.

  
Legacy
Blender 2.8 Project

  
Legacy
Milestone 1: Basic, Local Asset Browser

  
Legacy
OpenGL Error

  
Meta
Good First Issue

  
Meta
Papercut

  
Meta
Retrospective

  
Meta
Security
Issues relating to security: https://wiki.blender.org/wiki/Process/Vulnerability_Reports

  
Module
Animation & Rigging

  
Module
Core

  
Module
Development Management

  
Module
EEVEE & Viewport

  
Module
Grease Pencil

  
Module
Modeling

  
Module
Nodes & Physics

  
Module
Pipeline, Assets & IO

  
Module
Platforms, Builds & Tests

  
Module
Python API

  
Module
Render & Cycles

  
Module
Sculpt, Paint & Texture

  
Module
Triaging

  
Module
User Interface

  
Module
VFX & Video

  
Platform
FreeBSD

  
Platform
Linux

  
Platform
macOS

  
Platform
Windows

  
Priority
High

  
Priority
Low

  
Priority
Normal

  
Priority
Unbreak Now!

  
Status
Archived

  
Status
Confirmed

  
Status
Duplicate

  
Status
Needs Info from Developers

  
Status
Needs Information from User

  
Status
Needs Triage

  
Status
Resolved

  
Type
Bug

  
Type
Design

  
Type
Known Issue

  
Type
Patch

  
Type
Report

  
Type
To Do

No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: blender/blender#112537
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?