Use after free when using an addon deriving from ShaderNodeCustomGroup #87271

New Issue

Ray molenkamp · 2021-04-07T19:30:12+02:00

Ray molenkamp commented

2021-04-07 19:30:12 +02:00

System Information
Operating system: ALL
Graphics card: N/A

Blender Version (Bisected already)
Broken: fa566157a5
Worked: f40294b2d6

Short description of error

originally found in D10784: Fix: Misisng GeometryNodeCustomGroup but this appears to be a separate issue affecting all custom nodes.

When using an addon deriving from ShaderNodeCustomGroup there is a use after free during blender shutdown, @JacquesLucke has some preliminary findings here

Exact steps for others to reproduce the error
Based on the default startup or an attached .blend file (as simple as possible).

Use an asan build of blender
Install the following addon
BrickTricks-master.zip
Open up the following file
291.blend
Quit blender, use after free at

Stack trace:
blender.exe         :0x00007FF78D134C40  node_free_node k:\blendergit\blender\source\blender\blenkernel\intern\node.c:2667
blender.exe         :0x00007FF78D1305A0  ntree_free_data k:\blendergit\blender\source\blender\blenkernel\intern\node.c:236
blender.exe         :0x00007FF78DAA0490  blender::deg::deg_free_copy_on_write_datablock k:\blendergit\blender\source\blender\depsgraph\intern\eval\deg_eval_copy_on_write.cc:1074
blender.exe         :0x00007FF78DAA1860  blender::deg::IDNode::destroy k:\blendergit\blender\source\blender\depsgraph\intern\node\deg_node_id.cc:142
blender.exe         :0x00007FF78DA92320  blender::deg::Depsgraph::clear_id_nodes k:\blendergit\blender\source\blender\depsgraph\intern\depsgraph.cc:161
blender.exe         :0x00007FF78DA92950  DEG_graph_free k:\blendergit\blender\source\blender\depsgraph\intern\depsgraph.cc:312
blender.exe         :0x00007FF78DACFE00  ghash_free_cb k:\blendergit\blender\source\blender\blenlib\intern\bli_ghash.c:641
blender.exe         :0x00007FF78DACED10  BLI_ghash_free k:\blendergit\blender\source\blender\blenlib\intern\bli_ghash.c:1015
blender.exe         :0x00007FF78D14CF00  scene_free_data k:\blendergit\blender\source\blender\blenkernel\intern\scene.c:404
blender.exe         :0x00007FF78D152BE0  BKE_id_free_ex k:\blendergit\blender\source\blender\blenkernel\intern\lib_id_delete.c:162
blender.exe         :0x00007FF78D15CC90  BKE_main_free k:\blendergit\blender\source\blender\blenkernel\intern\main.c:74
blender.exe         :0x00007FF78D112890  BKE_blender_free k:\blendergit\blender\source\blender\blenkernel\intern\blender.c:84
blender.exe         :0x00007FF78D089E80  WM_exit_ex k:\blendergit\blender\source\blender\windowmanager\intern\wm_init_exit.c:590
blender.exe         :0x00007FF78D089E30  WM_exit k:\blendergit\blender\source\blender\windowmanager\intern\wm_init_exit.c:679
blender.exe         :0x00007FF78D08A6C0  wm_exit_handler k:\blendergit\blender\source\blender\windowmanager\intern\wm_init_exit.c:448
blender.exe         :0x00007FF78D0A0640  wm_handlers_do_intern k:\blendergit\blender\source\blender\windowmanager\intern\wm_event_system.c:2756
blender.exe         :0x00007FF78D09FC70  wm_handlers_do k:\blendergit\blender\source\blender\windowmanager\intern\wm_event_system.c:2870
blender.exe         :0x00007FF78D09D320  wm_event_do_handlers k:\blendergit\blender\source\blender\windowmanager\intern\wm_event_system.c:3294
blender.exe         :0x00007FF78D089400  WM_main k:\blendergit\blender\source\blender\windowmanager\intern\wm.c:484
blender.exe         :0x00007FF78D084E30  main k:\blendergit\blender\source\creator\creator.c:524
blender.exe         :0x00007FF78DBB5DB8  __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
KERNEL32.DLL        :0x00007FF894647020  BaseThreadInitThunk
ntdll.dll           :0x00007FF896402630  RtlUserThreadStart

**System Information** Operating system: ALL Graphics card: N/A **Blender Version** (Bisected already) Broken: fa566157a5 Worked: f40294b2d6 **Short description of error** originally found in [D10784: Fix: Misisng GeometryNodeCustomGroup](https://archive.blender.org/developer/D10784) but this appears to be a separate issue affecting all custom nodes. When using an addon deriving from ShaderNodeCustomGroup there is a use after free during blender shutdown, @JacquesLucke has some preliminary findings [here](https://developer.blender.org/D10784#278006) **Exact steps for others to reproduce the error** Based on the default startup or an attached .blend file (as simple as possible). 1) Use an asan build of blender 2) Install the following addon [BrickTricks-master.zip](https://archive.blender.org/developer/F9923124/BrickTricks-master.zip) 3) Open up the following file [291.blend](https://archive.blender.org/developer/F9923130/291.blend) 4) Quit blender, use after free at ``` Stack trace: blender.exe :0x00007FF78D134C40 node_free_node k:\blendergit\blender\source\blender\blenkernel\intern\node.c:2667 blender.exe :0x00007FF78D1305A0 ntree_free_data k:\blendergit\blender\source\blender\blenkernel\intern\node.c:236 blender.exe :0x00007FF78DAA0490 blender::deg::deg_free_copy_on_write_datablock k:\blendergit\blender\source\blender\depsgraph\intern\eval\deg_eval_copy_on_write.cc:1074 blender.exe :0x00007FF78DAA1860 blender::deg::IDNode::destroy k:\blendergit\blender\source\blender\depsgraph\intern\node\deg_node_id.cc:142 blender.exe :0x00007FF78DA92320 blender::deg::Depsgraph::clear_id_nodes k:\blendergit\blender\source\blender\depsgraph\intern\depsgraph.cc:161 blender.exe :0x00007FF78DA92950 DEG_graph_free k:\blendergit\blender\source\blender\depsgraph\intern\depsgraph.cc:312 blender.exe :0x00007FF78DACFE00 ghash_free_cb k:\blendergit\blender\source\blender\blenlib\intern\bli_ghash.c:641 blender.exe :0x00007FF78DACED10 BLI_ghash_free k:\blendergit\blender\source\blender\blenlib\intern\bli_ghash.c:1015 blender.exe :0x00007FF78D14CF00 scene_free_data k:\blendergit\blender\source\blender\blenkernel\intern\scene.c:404 blender.exe :0x00007FF78D152BE0 BKE_id_free_ex k:\blendergit\blender\source\blender\blenkernel\intern\lib_id_delete.c:162 blender.exe :0x00007FF78D15CC90 BKE_main_free k:\blendergit\blender\source\blender\blenkernel\intern\main.c:74 blender.exe :0x00007FF78D112890 BKE_blender_free k:\blendergit\blender\source\blender\blenkernel\intern\blender.c:84 blender.exe :0x00007FF78D089E80 WM_exit_ex k:\blendergit\blender\source\blender\windowmanager\intern\wm_init_exit.c:590 blender.exe :0x00007FF78D089E30 WM_exit k:\blendergit\blender\source\blender\windowmanager\intern\wm_init_exit.c:679 blender.exe :0x00007FF78D08A6C0 wm_exit_handler k:\blendergit\blender\source\blender\windowmanager\intern\wm_init_exit.c:448 blender.exe :0x00007FF78D0A0640 wm_handlers_do_intern k:\blendergit\blender\source\blender\windowmanager\intern\wm_event_system.c:2756 blender.exe :0x00007FF78D09FC70 wm_handlers_do k:\blendergit\blender\source\blender\windowmanager\intern\wm_event_system.c:2870 blender.exe :0x00007FF78D09D320 wm_event_do_handlers k:\blendergit\blender\source\blender\windowmanager\intern\wm_event_system.c:3294 blender.exe :0x00007FF78D089400 WM_main k:\blendergit\blender\source\blender\windowmanager\intern\wm.c:484 blender.exe :0x00007FF78D084E30 main k:\blendergit\blender\source\creator\creator.c:524 blender.exe :0x00007FF78DBB5DB8 __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 KERNEL32.DLL :0x00007FF894647020 BaseThreadInitThunk ntdll.dll :0x00007FF896402630 RtlUserThreadStart ````

Ray molenkamp commented

2021-04-07 19:30:12 +02:00

Added subscribers: @JacquesLucke, @LazyDodo

Germano Cavalcante commented

2021-04-08 16:46:09 +02:00

Changed status from 'Needs Triage' to: 'Confirmed'

Germano Cavalcante commented

2021-04-08 16:46:09 +02:00

Added subscriber: @mano-wii

Pedro A. commented

2021-07-06 00:05:01 +02:00

Added subscriber: @povmaniac

Pedro A. commented

2021-07-06 00:05:01 +02:00

Hi..
After review the addon code and fix an small error with the node inputs..

Python: Traceback (most recent call last):
  File "D:\BLENDER\2.93\scripts\addons\BrickTricks\uv_map_tile_pattern_1_addin.py", line 18, in update
    self.inputs['HAS_Vector'].default_value=0
KeyError: 'bpy_prop_collection[key]: key "HAS_Vector" not found'

This are the fix ( I think that we can remove the 'pass' sentence too..).

    def update(self):
        if self.inputs['Vector'].is_linked:
            self.inputs['HAS_Vector'].default_value=1
        else:    
            if 'HAS_Vector' in self.inputs.keys(): # add check..
                self.inputs['HAS_Vector'].default_value=0
            pass

Now, the crash seems gone or, at least, I can't reproduce here under 2.93.1 official release. I added the fix code for the addon and maybe is a good idea if anyone can make a more test to confirm.
The steps are:
1: open Blender with the addon enabled. ( I used 2.93.1 here)
2: using the default startup scene, add a material with one of the Bricks pattern nodes
3: launch a render
4: close Blender after render finish to check for the crash
5: repeat the steps from 1 to 4 for each of the Bricks pattern. Confirm if the Blender crash happen or not.

This are the fixed code for the addon:
BrickTricks.7z

I think the explanation for why this crash occurred could be that errors in the addon code prevented it from unregistering correctly.
Cheers..

Hi.. After review the addon code and fix an small error with the node inputs.. ``` Python: Traceback (most recent call last): File "D:\BLENDER\2.93\scripts\addons\BrickTricks\uv_map_tile_pattern_1_addin.py", line 18, in update self.inputs['HAS_Vector'].default_value=0 KeyError: 'bpy_prop_collection[key]: key "HAS_Vector" not found' ``` This are the fix ( I think that we can remove the 'pass' sentence too..). ``` def update(self): if self.inputs['Vector'].is_linked: self.inputs['HAS_Vector'].default_value=1 else: if 'HAS_Vector' in self.inputs.keys(): # add check.. self.inputs['HAS_Vector'].default_value=0 pass ``` Now, the crash seems gone or, at least, I can't reproduce here under 2.93.1 official release. I added the fix code for the addon and maybe is a good idea if anyone can make a more test to confirm. The steps are: 1: open Blender with the addon enabled. ( I used 2.93.1 here) 2: using the default startup scene, add a material with one of the Bricks pattern nodes 3: launch a render 4: close Blender after render finish to check for the crash 5: repeat the steps from 1 to 4 for each of the Bricks pattern. Confirm if the Blender crash happen or not. This are the fixed code for the addon: [BrickTricks.7z](https://archive.blender.org/developer/F10212683/BrickTricks.7z) I think the explanation for why this crash occurred could be that errors in the addon code prevented it from unregistering correctly. Cheers..

Pedro A. commented

2021-07-06 00:37:01 +02:00

Checked also under Blender 3.0.0 master branch build from yesterday ( not asan build..): no crash.

Ray molenkamp commented

2021-07-20 16:40:19 +02:00

Changed status from 'Confirmed' to: 'Resolved'

Ray molenkamp closed this issue

2021-07-20 16:40:19 +02:00

Ray molenkamp self-assigned this 2021-07-20 16:40:19 +02:00

Ray molenkamp commented

2021-07-20 16:40:19 +02:00

the "fixed" script above, still crashes the version this bug was reported on, however recent versions test ok even with the original scripts. so someone fixed it, but i don't have to time to bisect and see who it was, thank you @povmaniac for looking into it and Stanger for fixing it somewhere along the way! :)

Sign in to join this conversation.

No Label

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

Use after free when using an addon deriving from ShaderNodeCustomGroup #87271