Enabling Viewer Border in Compositor Crashes Blender #76277
Labels
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compatibility
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
EEVEE
Interest
EEVEE & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest
Import Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overlay
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest
Wayland
Interest
Workbench
Interest: X11
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
EEVEE & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
10 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: blender/blender#76277
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
System Information
Operating system: Windows-10 64 Bits
Graphics card: GeForce GTX 1070 442.74
Blender Version
Broken: version: 2.83 (sub 15), branch: master, commit date: 2020-04-26 22:51, hash:
d0d16eb7d3
Working: 2.82a at least. didn't test in between.
Short description of error
Enabling "Viewer Border" under Options>Performance in Compositor Editor type crashes Blender.
Exact steps for others to reproduce the error
1- Launch Blender.
2- Click Compositing workspace tab.
3- Enable Use Nodes.
4- Click Options at the side bar.
5- Enable "Viewer Border" and Blender will crash. (It crashes %90 of the time but not always)
Added subscriber: @filibis
Added subscriber: @ankitm
Changed status from 'Needs Triage' to: 'Confirmed'
Do you happen to have a working version too ?
I just tested an it doesn't crash in this version: 2.82 (sub 7), branch: master, commit date: 2020-02-12 16:20, hash:
77d23b0bd7
Added subscriber: @rjg
Replacing the
"rna_NodeTree_update"
withNULL
for theuse_viewer_border
in rna_nodetree.c property avoids the crash. I haven't found the source of the issue yet, that would explain whyntree->typeinfo
points to the wrong memory location though (use after free?).Added subscriber: @lichtwerk
checking...
For some reason I cannot get it to crash with a debugger attached (or with ASAN), needs more investigation...
Added subscriber: @Alaska
Just adding a comment to say that I've come across this same issue testing with new versions of Blender
Blender 2.83
71298a1da9
(2020-05-13 20:48), Blender 2.90c8060a78fd
(2020-05-13 22:51).Added subscriber: @EAW
Changing Priority to High as it is a crash that occurs in 2.83 but not 2.82.
Added subscriber: @Jeroen-Bakker
I am not able to reproduce this one on linux or windows. on b2.83 release branch. Can someone explain how to reproduce this.
I can still get it to crash in
236794d07a
linux (but only in a debug build without debugger -- with debugger doesnt crash, neither does with ASAN...)note it then cannot draw the panel anymore for some reason and spits out (if that helps)
Added subscriber: @dfelinto
@Jeroen-Bakker ASAN crash: P1393 (on master -
236794d07a
)I can also still reproduce this in 2.90
236794d07a
on Windows in debug build.@Jeroen-Bakker I can only reproduce it in master, not in 2.83
a260d1cd69
is not crashing for me, neither is throwing thoserna_uiItemR: property not found: NodeTree.use_opencl
in the console.Just previous build
236794d07a
crashes, which is already verified by Robert, Philipp & Dalai.Just confirming, using Blender 2.83 build
71298a1da9
(2020-05-13 20:48) it still crashes. I will need to test with a newer build. I just don't have time at the moment and the build bot hasn't created a new build.@Jeroen-Bakker The steps I used to reproduce the crash are as follows:
Note that creating a viewer border with Ctrl+B does not cause Blender to crash.
dc4983dfdd
(from 13 minutes ago) crashes again.Decided to learn how to build Blender (actually quite quick) and my build
dc4983dfdd
(the same @ankitm just tested) doesn't crash. It's odd.dc4983dfdddc
is master, not theblender-v2.83-release
branch.It seems that the data structure
PointerRNA *ptr
points to is ~~already broken when calling ~~ wrongly cast insiderna_NodeTree_update
.For instance the node retrieved throughptr->data
has the cutoffidname
"iting Nodetree" instead of "NTCompositing Nodetree" because the address the pointer points to is 0x08 higher than the start of the string.Edit: The pointer is definitely in the wrong place, since "NTCompositing Nodetree" is not for a node. It should either be "CompositorNodeComposite" or "CompositorNodeRLayers".
The
ptr->owner_id
andptr->data
are pointing to the same memory address, hence the correct type would bebNodeTree
for the cast.@Jeroen-Bakker I can confirm that using @Alaska's steps above, that I can crash blender-v2.83-release
71298a1da9
. However, it doesn't happen every time. For me it crashed on the first, third, and fourth attempt, but not the second. Previously, I had an additional step of rendering.About 30 to 60 minutes ago, I couldn't get
71298a1da9
to crash with the rendering step included. I estimate that I tried 4 or 5 times. However,ce76e17584
(May 9th) crashed 4 out of 5 tries. Until I saw @Alaska's post above, I thought maybe I was mistaken, and had tested with the May 9 build on accident, before raising the priority to High and tagging 2.83 earlier. Retesting71298a1da9
just now with the rendering step, it crashed on the second attempt. I am not sure if rendering makes it less likely to crash, or if I was just being a superstitious pigeon.Note: I am on Windows, so I am starting blender with: blender_factory_startup.cmd
2.83_5.13.2020_71298a1da971_third_try_blender_debug_output.txt
2.83_5.13.2020_71298a1da971_first_try_blender_debug_output.txt
blender_system_info.txt
@EAW When I discovered the issue I tested with a few tests:
In all three cases, it was consistent in that it would crash the first time everytime.
Note: I may step out of this conversation. It's getting quite late where I am and I don't know enough technical information about Blender to offer anything of use. So my messages will probably just clutter things up.
Here is the Windows MSVC debug build call stack when using 2.83 (sub 16), branch: master, commit date: 2020-05-14 14:47, hash:
78e3b7c28d
2.83_May14_2020_78e3b7c28d85_MSVC_Debug_call_stack.txt
Since
ptr->owner_id
andptr->data
are pointing to the same memory address, it makes no sense to interpret this as a node, since it's the address of the node tree. Unless there is a need to include a node in the update, this could work as a fix:This of course assumes that
ptr->owner_id
andptr->data
are allowed to be equal. If that's not the case, the actual bug is in the assignment of these pointers.Thank you all for your input but I was able to reproduce it (but only on master on linux). I tried multiple machines, os, compilers. I will try to find a fix for master and backport it to blender-v2.83-release. branch.
Something that is curious is that the tree type is set to an unallocated memory with faulty memory pointers. This happens during the first and second compositor job.
fails for me in master, but is successful in blender-v2.83-release. but it is successful in master when not built with ASAN.
@Jeroen-Bakker Thank you for looking into this. When the patch becomes available, I will happily test the 2.83 branch to see if the issue persists.
Bisecting showed my this commit that made ASAN compiles fail on the assert above.
e7acf17b74
@JacquesLucke Mind joining the discussion? I don't see anything wrong with the commit.
Added subscriber: @JacquesLucke
Added subscriber: @Sergey
@jbackker, the bisect and different branch is a red herring here. Is just memory allocations, memory placement and things like that are different, and hence memory corruption is less of more likely to happen.
Long story short: the conclusion and patch from @rjg are correct here.
More detailed explanation:
PointerRNA::owner_id
points to an ID which owns changed property, so this is node tree in this case. ThePointerRNA::data
points to a structure which property did change. For example, if you click on node setting it will point to node, if you click on tree setting it will point to tree. So far so good.The
rna_NodeTree_update
is used byuse_viewer_border
, which is a property of node tree, so thePointerRNA::data
will be the tree and can not be cast to node (well, it can, as the code shows, but that doesn't make it correct :).But why the crash happens? Well, this is because the node passed to
ED_node_tag_update_nodetree
is being checked for connection to output. This involves setting node's flag, so when one passes node tree as a node it will become corrupted.This callback RNA function is used in a single place, and we do want re-composite in the property change anyway. So to me it seems totally safe for 2.83.
@rjg, please go ahead and commit your patch (the one from #76277#931809)
P.S. This is a mistake in
83824947ba
, which makes it 4 years old.This issue was referenced by
001d70eb2b
Changed status from 'Confirmed' to: 'Resolved'
@rjg Testing with the latest 2.83 nightly build and can confirm your fix has worked.