bpy.ops.fluid.free_all() can cause a crash #89063

Open
opened 2021-06-11 18:34:23 +02:00 by James Tomkinson · 14 comments

System Information
Operating system: Windows-10-10.0.19041-SP0 64 Bits
Graphics card: NVIDIA GeForce GTX 1050/PCIe/SSE2 NVIDIA Corporation 4.5.0 NVIDIA 466.77

Blender Version
Broken: version: 2.93.0, branch: master, commit date: 2021-06-02 11:21, hash: 84da05a8b8
Worked: (newest version of Blender that worked as expected)

Short description of error
Python script to free and re-bake smoke can cause a crash in 2.9x

Exact steps for others to reproduce the error
The description of this bug is clearly documented along with the example blend file in [this blender stackexchange question](https://blender.stackexchange.com/questions/226897/python-script-to-bake-two-fluid-domains-aborting-cmd-line).
If I comment out the lines that contain:

```
bpy.ops.fluid.free_all()
```

in the following script, and instead manually free the bakes, all is fine. Otherwise the application crashes with console messages like:

```
Unable to remove directory
or
Unable to delete file
```

even if run from cmd line as Administrator

```python
import bpy

domain = bpy.data.objects['Smoke Domain Purple']
domain.select_set(True)
print("free Purple")
bpy.ops.fluid.free_all()
print("bake Purple")
bpy.ops.fluid.bake_data()
domain.select_set(False)
domain = bpy.data.objects['Smoke Domain Blue']
domain.select_set(True)
print("free Blue")
bpy.ops.fluid.free_all()
print("bake Blue")
bpy.ops.fluid.bake_data()
domain.select_set(False)
```

[dual smoke.blend](https://archive.blender.org/developer/F10167127/dual_smoke.blend)


Added subscriber: @jamestomk

Added subscriber: @rjg

Added subscriber: @PratikPB2123

Changed status from 'Needs Triage' to: 'Confirmed'

@rjg can you reproduce the crash?

I can replicate this.

```
blender.exe         :0x00007FF702D38930  wm_window_timer
blender.exe         :0x00007FF702D38810  wm_window_process_events
blender.exe         :0x00007FF702D2E6A0  WM_main
blender.exe         :0x00007FF7029F1C90  main
blender.exe         :0x00007FF7077D2788  __scrt_common_main_seh
KERNEL32.DLL        :0x00007FFDAC467020  BaseThreadInitThunk
ntdll.dll           :0x00007FFDADFC2630  RtlUserThreadStart
```

I can also reproduce this in master. There appears to be a use-after-free according to ASAN in 3.0. I haven't had the time to check with a 2.93 LTS + ASAN build yet.

```
==7122==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0006afce8 at pc 0x00000569e801 bp 0x7fffffffd810 sp 0x7fffffffd800
READ of size 8 at 0x60b0006afce8 thread T0
    - 0 0x569e800 in wm_window_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1512
    - 1 0x569e93e in wm_window_process_events /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1562
    - 2 0x559842b in WM_main /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm.c:644
    - 3 0x37bf99a in main /home/dev/01-data/01-git/blender-git/blender/source/creator/creator.c:558
    - 4 0x7ffff6e490b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    - 5 0x37beb4d in _start (/home/dev/01-data/01-git/blender-git/build_linux_debug_full/bin/blender+0x37beb4d)

0x60b0006afce8 is located 8 bytes inside of 104-byte region [0x60b0006afce0,0x60b0006afd48)
freed by thread T0 here:
    - 0 0x7ffff76907cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    - 1 0x1c00e13a in MEM_lockfree_freeN /home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:130
    - 2 0x569fa5b in WM_event_remove_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1696
    - 3 0x55b0c16 in WM_report_banner_show /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:767
    - 4 0x55b119c in wm_add_reports /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:802
    - 5 0x55b1296 in WM_report /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:812
    - 6 0x55b14c8 in WM_reportf /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:827
    - 7 0x94a3a60 in fluid_free_endjob /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/physics/physics_fluid.c:467
    - 8 0x562384c in wm_jobs_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_jobs.c:646
    - 9 0x569e336 in wm_window_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1526
    - 10 0x569e93e in wm_window_process_events /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1562
    - 11 0x559842b in WM_main /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm.c:644
    - 12 0x37bf99a in main /home/dev/01-data/01-git/blender-git/blender/source/creator/creator.c:558
    - 13 0x7ffff6e490b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    - 0 0x7ffff7690dc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    - 1 0x1c00e829 in MEM_lockfree_callocN /home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:236
    - 2 0x569edd0 in WM_event_add_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1640
    - 3 0x55b0ca6 in WM_report_banner_show /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:770
    - 4 0x55b119c in wm_add_reports /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:802
    - 5 0x55b1296 in WM_report /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:812
    - 6 0x55b14c8 in WM_reportf /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:827
    - 7 0x94a19d1 in fluid_bake_endjob /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/physics/physics_fluid.c:355
    - 8 0x94a483f in fluid_bake_exec /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/physics/physics_fluid.c:549
    - 9 0x55b7219 in wm_operator_invoke /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1362
    - 10 0x55b8ce5 in wm_operator_call_internal /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1591
    - 11 0x55b93cc in WM_operator_call_py /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1663
    - 12 0x81f63b1 in pyop_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_operator.c:285
    - 13 0x19a3dc73 in cfunction_call Objects/methodobject.c:548

SUMMARY: AddressSanitizer: heap-use-after-free /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1512 in wm_window_timer
Shadow bytes around the buggy address:
  0x0c16800cdf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800cdf50: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c16800cdf60: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c16800cdf70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c16800cdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c16800cdf90: fa fa fa fa fa fa fa fa fa fa fa fa fd[fd]fd fd
  0x0c16800cdfa0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c16800cdfb0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c16800cdfc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c16800cdfd0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800cdfe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
```

Issue appears to be the same for 2.93.

Edit: Since I currently don't have time to investigate this further and I'm not sure if the `physics_fluid.c` or WindowManager code is at fault here, I'm tagging both the Physics and UI module.

```
==43033==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000471668 at pc 0x0000053809c8 bp 0x7fffffffd810 sp 0x7fffffffd800
READ of size 8 at 0x60b000471668 thread T0
    - 0 0x53809c7 in wm_window_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1509
    - 1 0x5380b04 in wm_window_process_events /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1559
    - 2 0x527a77b in WM_main /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm.c:644
    - 3 0x369864a in main /home/dev/01-data/01-git/blender-git/blender/source/creator/creator.c:520
    - 4 0x7ffff6e490b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    - 5 0x36977fd in _start (/home/dev/01-data/01-git/blender-git/build_linux_debug_full/bin/blender+0x36977fd)

0x60b000471668 is located 8 bytes inside of 104-byte region [0x60b000471660,0x60b0004716c8)
freed by thread T0 here:
    - 0 0x7ffff76907cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    - 1 0x1b8daea0 in MEM_lockfree_freeN /home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:130
    - 2 0x5381b7d in WM_event_remove_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1690
    - 3 0x5292d3f in WM_report_banner_show /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:767
    - 4 0x52932c5 in wm_add_reports /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:802
    - 5 0x52933bf in WM_report /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:812
    - 6 0x52935f1 in WM_reportf /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:827
    - 7 0x8ef2567 in fluid_free_endjob /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/physics/physics_fluid.c:467
    - 8 0x5305979 in wm_jobs_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_jobs.c:646
    - 9 0x53804fa in wm_window_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1523
    - 10 0x5380b04 in wm_window_process_events /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1559
    - 11 0x527a77b in WM_main /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm.c:644
    - 12 0x369864a in main /home/dev/01-data/01-git/blender-git/blender/source/creator/creator.c:520
    - 13 0x7ffff6e490b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    - 0 0x7ffff7690dc6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    - 1 0x1b8db58f in MEM_lockfree_callocN /home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:236
    - 2 0x5380ef2 in WM_event_add_timer /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1634
    - 3 0x5292dcf in WM_report_banner_show /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:770
    - 4 0x52932c5 in wm_add_reports /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:802
    - 5 0x5294ac1 in wm_operator_reports /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:958
    - 6 0x529982e in wm_operator_invoke /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1378
    - 7 0x529acb2 in wm_operator_call_internal /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1557
    - 8 0x529af11 in WM_operator_name_call_ptr /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1605
    - 9 0x9651540 in ui_apply_but_funcs_after /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:937
    - 10 0x96db78e in ui_handler_region_menu /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:10863
    - 11 0x52924ff in wm_handler_ui_call /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:693
    - 12 0x52a8b0d in wm_handlers_do_intern /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:2842
    - 13 0x52a9df6 in wm_handlers_do /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:2958
    - 14 0x52aee9a in wm_event_do_handlers /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3378
    - 15 0x527a787 in WM_main /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm.c:647
    - 16 0x369864a in main /home/dev/01-data/01-git/blender-git/blender/source/creator/creator.c:520
    - 17 0x7ffff6e490b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_window.c:1509 in wm_window_timer
Shadow bytes around the buggy address:
  0x0c1680086270: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1680086280: 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1680086290: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c16800862a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c16800862b0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x0c16800862c0: fd fd fd fd fa fa fa fa fa fa fa fa fd[fd]fd fd
  0x0c16800862d0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c16800862e0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c16800862f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1680086300: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
  0x0c1680086310: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
```
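
Added example, not part of the thread or of Blender's code: a small Python triage helper that splits an ASan heap-use-after-free report like the two above into its access, free and allocation stacks, then checks whether the function that touched the freed block is also on the free stack. The sample is the first report abridged; the helper names (`parse_stacks`, `triage`) are this example's own, and matching by function name is a heuristic.

```python
import re

# Constructed sample: the first report in this thread, abridged (paths shortened,
# libc frames and the shadow-byte dump dropped). Frames are marked "- N" as on this
# page; native ASan output uses "#N" and the parser accepts both.
SAMPLE = """\
==7122==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0006afce8
READ of size 8 at 0x60b0006afce8 thread T0
    - 0 0x569e800 in wm_window_timer wm_window.c:1512
    - 1 0x569e93e in wm_window_process_events wm_window.c:1562
    - 2 0x559842b in WM_main wm.c:644
    - 3 0x37bf99a in main creator.c:558

0x60b0006afce8 is located 8 bytes inside of 104-byte region [0x60b0006afce0,0x60b0006afd48)
freed by thread T0 here:
    - 0 0x7ffff76907cf in __interceptor_free (libasan.so.5+0x10d7cf)
    - 1 0x1c00e13a in MEM_lockfree_freeN mallocn_lockfree_impl.c:130
    - 2 0x569fa5b in WM_event_remove_timer wm_window.c:1696
    - 3 0x55b0c16 in WM_report_banner_show wm_event_system.c:767
    - 4 0x55b119c in wm_add_reports wm_event_system.c:802
    - 5 0x55b1296 in WM_report wm_event_system.c:812
    - 6 0x55b14c8 in WM_reportf wm_event_system.c:827
    - 7 0x94a3a60 in fluid_free_endjob physics_fluid.c:467
    - 8 0x562384c in wm_jobs_timer wm_jobs.c:646
    - 9 0x569e336 in wm_window_timer wm_window.c:1526
    - 10 0x569e93e in wm_window_process_events wm_window.c:1562
    - 11 0x559842b in WM_main wm.c:644
    - 12 0x37bf99a in main creator.c:558

previously allocated by thread T0 here:
    - 0 0x7ffff7690dc6 in calloc (libasan.so.5+0x10ddc6)
    - 1 0x1c00e829 in MEM_lockfree_callocN mallocn_lockfree_impl.c:236
    - 2 0x569edd0 in WM_event_add_timer wm_window.c:1640
    - 3 0x55b0ca6 in WM_report_banner_show wm_event_system.c:770
    - 4 0x55b119c in wm_add_reports wm_event_system.c:802
    - 5 0x55b1296 in WM_report wm_event_system.c:812
    - 6 0x55b14c8 in WM_reportf wm_event_system.c:827
    - 7 0x94a19d1 in fluid_bake_endjob physics_fluid.c:355
    - 8 0x94a483f in fluid_bake_exec physics_fluid.c:549

SUMMARY: AddressSanitizer: heap-use-after-free wm_window.c:1512 in wm_window_timer
"""

FRAME = re.compile(r"^\s*(?:#|-\s*)(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")
HEADERS = (
    (re.compile(r"^(READ|WRITE) of size \d+ at "), "access"),
    (re.compile(r"^freed by thread "), "free"),
    (re.compile(r"^previously allocated by thread "), "alloc"),
)
LIBC_ALLOC = {"malloc", "calloc", "realloc", "free"}


def is_allocator(func):
    """True for libc/ASan allocator entry points and Blender's MEM_* wrappers."""
    return func in LIBC_ALLOC or func.startswith(("__interceptor_", "MEM_"))


def parse_stacks(report):
    """Split a heap-use-after-free report into access/free/alloc frame lists."""
    stacks = {"access": [], "free": [], "alloc": []}
    current = None
    for line in report.splitlines():
        stripped = line.strip()
        if stripped.startswith("SUMMARY:"):
            break
        for pattern, name in HEADERS:
            if pattern.match(stripped):
                current = name
                break
        else:
            match = FRAME.match(line)
            if match and current:
                stacks[current].append((match.group(2), match.group(3)))
    return stacks


def first_project_frame(stack):
    """First function in a stack that is not an allocator wrapper."""
    return next((f for f, _loc in stack if not is_allocator(f)), None)


def triage(report):
    stacks = parse_stacks(report)
    access = [f for f, _ in stacks["access"]]
    free = [f for f, _ in stacks["free"]]
    # Innermost access-stack function that is also on the free stack: the free
    # ran in one of its callees before it read the block again.
    shared = next((f for f in access if f in free), None)
    below = free[: free.index(shared)] if shared else free
    return {
        "access_site": access[0] if access else None,
        "freed_by": first_project_frame(stacks["free"]),
        "allocated_by": first_project_frame(stacks["alloc"]),
        "shared_caller": shared,
        "free_reached_via": [f for f in reversed(below) if not is_allocator(f)],
        "freed_by_own_callee": bool(access) and shared == access[0],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
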

Added subscriber: @hal9000

Added subscriber: @Tiok

Added subscriber: @dfelinto

Thanks for the report. Marking this as known issue since it depends on the [old particle settings which is end of life](https://developer.blender.org/tag/nodes_physics/).
Thomas Dinges added this to the 2.93 LTS milestone 2023-02-07 18:40:56 +01:00
Philipp Oeser removed the Interest Nodes & Physics label 2023-02-10 08:44:48 +01:00
Pratik Borhade removed this from the 2.93 LTS milestone 2023-07-31 11:38:30 +02:00

Just noting this still crashes in current main (maybe for other reasons because I had a different stacktrace), but it still crashes.

`bpy.ops.fluid.bake_data()` from the Interface locks the UI, doing this from a script [the operator I mean] should probably poll if jobs are running.

> Just noting this still crashes in current main (maybe for other reasons because I had a different stacktrace), but it still crashes.
>
> `bpy.ops.fluid.bake_data()` from the Interface locks the UI, doing this from a script [the operator I mean] should probably poll if jobs are running.

eureka -- gracias Philipp! sure enough, and oddly the following code `is_job_running('COMPOSITE')` works, even though "job is running" isn't printed (`is_job_running` returns False):

```
import bpy

#if bpy.app.is_job_running('OBJECT_BAKE'):
#    print('job is running')

#elif bpy.app.is_job_running('RENDER'):
#    print('job is running')

#elif bpy.app.is_job_running('RENDER_PREVIEW'):
#    print('job is running')

if bpy.app.is_job_running('COMPOSITE'):
    print('job is running')

#elif bpy.app.is_job_running('SHADER_COMPILATION'):
#    print('job is running')

else:
    domain = bpy.data.objects['Smoke Domain Purple']
    domain.select_set(True)
    bpy.context.view_layer.objects.active = domain
    print("free Purple")
    bpy.ops.fluid.free_all()
    print("bake Purple")
    bpy.ops.fluid.bake_data()
    bpy.ops.fluid.bake_noise()
    domain.select_set(False)
    domain = bpy.data.objects['Smoke Domain Blue']
    bpy.context.view_layer.objects.active = domain
    domain.select_set(True)
    print("free Blue")
    bpy.ops.fluid.free_all()
    print("bake Blue")
    bpy.ops.fluid.bake_data()
    bpy.ops.fluid.bake_noise()
    domain.select_set(False)
```

UPDATE: Stranger still, if I just use the code:

```
import bpy

bpy.app.is_job_running('COMPOSITE')
#
#
#
bpy.ops.fluid.free_all()
```

which is what the previous effectively does, the program again crashes.

and in fact what works is actually all in how fast this script calls free(), by a delay before calling free_all():

```
import time

import bpy

print('about to bake')
time.sleep(10)
domain = bpy.data.objects['Smoke Domain Purple']
domain.select_set(True)
bpy.context.view_layer.objects.active = domain
print("free Purple")
bpy.ops.fluid.free_all()
print("bake Purple")
bpy.ops.fluid.bake_data()
bpy.ops.fluid.bake_noise()
```
Reference: blender/blender#89063