Setting endpoint_u property while creating spline in Python gives strange behavior #38985

Closed
opened 2014-03-06 07:17:04 +01:00 by Garrett · 10 comments

System Information
OS: Ubuntu 13.10
Linux kernel: 3.11.0-15-generic
Graphics:
VGA compatible controller: Intel Corporation 4th Gen Core Processor Integrated Graphics Controller (rev 06)
3D controller: NVIDIA Corporation GK107M [GeForce GT 750M] (rev a1)

Blender Version
Broken: blender-2.70-19f7f9a-linux-glibc211-x86_64 and blender-2.70-testbuild1-linux-glibc211-x86_64

Short description of error

While creating a spline in Python, if the property "endpoint_u" is set before control points are added, it leads to strange behavior.

Exact steps for others to reproduce the error

  1. Open Blender and delete the default cube
  2. Open the text editor and paste in the following script

```python
import bpy

# create a curve datablock, wrap it in an object and link it into the scene
curve_data = bpy.data.curves.new('myCurveData', type='CURVE')
curve = bpy.data.objects.new('myCurve', curve_data)
bpy.context.scene.objects.link(curve)
spline = curve_data.splines.new('NURBS')

# set the endpoint flag before any control points exist (this is what triggers the bug)
spline.use_endpoint_u = True

# the new spline already has one point; add two more and set all three
spline.points.add(2)
spline.points[0].co = (0, 0, 0, 1)
spline.points[1].co = (1, 0, 0, 1)
spline.points[2].co = (1, 1, 1, 1)
```

  3. Hit run script and a curve will appear.
  4. Select curve and hit TAB twice in 3DView (to go in and out of Edit Mode). No problem yet.
  5. In Properties Window, select the Object Data button (but don't change any settings)
  6. Go back to 3DView and hit TAB twice. The curve will disappear.

In this .blend file, I have completed steps 1-5: [bug_curve.py](https://archive.blender.org/developer/F80074/bug_curve.py)

Changed status to: 'Open'

Added subscriber: @Garrett-8

Added subscriber: @LukasTonne

At some point the curve data apparently gets corrupted during this process, I'm getting an error report and crash with address sanitizer.
This should never happen, the curve may not be what you expect, but it should not be possible to create corrupt data from bpy.

[P18: address sanitizer report from #38985](https://archive.blender.org/developer/P18.txt)

=================================================================
==13323==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030002c8d0b at pc 0x57d4a2b bp 0x7fffffff9110 sp 0x7fffffff9108
READ of size 20 at 0x6030002c8d0b thread T0
    #0 0x57d4a2a in BKE_nurb_duplicate /home/lukas/Development/Blender/bf-blender/blender/source/blender/blenkernel/intern/curve.c:566
    #1 0x24adfb2 in make_editNurb /home/lukas/Development/Blender/bf-blender/blender/source/blender/editors/curve/editcurve.c:1223
    #2 0x2eac7fb in ED_object_editmode_enter /home/lukas/Development/Blender/bf-blender/blender/source/blender/editors/object/object_edit.c:542
    #3 0x2eadb13 in editmode_toggle_exec /home/lukas/Development/Blender/bf-blender/blender/source/blender/editors/object/object_edit.c:574
    #4 0x120e948 in wm_operator_invoke /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1042
    #5 0x11d376a in wm_operator_call_internal /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1221
    #6 0x11db2f9 in WM_operator_name_call /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1270
    #7 0x2eb6e73 in object_mode_set_exec /home/lukas/Development/Blender/bf-blender/blender/source/blender/editors/object/object_edit.c:1627
    #8 0x120e948 in wm_operator_invoke /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1042
    #9 0x1208018 in wm_handler_operator_call /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1627
    #10 0x1201a46 in wm_handlers_do_intern /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1895
    #11 0x11e3b3b in wm_handlers_do /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2004
    #12 0x11e0ebd in wm_event_do_handlers /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2298
    #13 0x11a0e86 in WM_main /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm.c:492
    #14 0x1187b75 in main /home/lukas/Development/Blender/bf-blender/blender/source/creator/creator.c:1750
    #15 0x7ffff2c01bc4 in __libc_start_main ??:?
    #16 0x11860bc in _start ??:?
0x6030002c8d0b is located 3 bytes to the right of 24-byte region [0x6030002c8cf0,0x6030002c8d08)
allocated by thread T0 here:
    #0 0x1178004 in __interceptor_malloc ??:?
    #1 0x7a598b3 in MEM_lockfree_mallocN /home/lukas/Development/Blender/bf-blender/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:243
    #2 0x57d46cb in BKE_nurb_duplicate /home/lukas/Development/Blender/bf-blender/blender/source/blender/blenkernel/intern/curve.c:565
    #3 0x24a6b50 in load_editNurb /home/lukas/Development/Blender/bf-blender/blender/source/blender/editors/curve/editcurve.c:1177
    #4 0x2ea8fc6 in ED_object_editmode_load_ex /home/lukas/Development/Blender/bf-blender/blender/source/blender/editors/object/object_edit.c:351
    #5 0x2ea9a62 in ED_object_editmode_exit /home/lukas/Development/Blender/bf-blender/blender/source/blender/editors/object/object_edit.c:385
    #6 0x2eadb53 in editmode_toggle_exec /home/lukas/Development/Blender/bf-blender/blender/source/blender/editors/object/object_edit.c:576
    #7 0x120e948 in wm_operator_invoke /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1042
    #8 0x11d376a in wm_operator_call_internal /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1221
    #9 0x11db2f9 in WM_operator_name_call /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1270
    #10 0x2eb6e73 in object_mode_set_exec /home/lukas/Development/Blender/bf-blender/blender/source/blender/editors/object/object_edit.c:1627
    #11 0x120e948 in wm_operator_invoke /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1042
    #12 0x1208018 in wm_handler_operator_call /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1627
    #13 0x1201a46 in wm_handlers_do_intern /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1895
    #14 0x11e3b3b in wm_handlers_do /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2004
    #15 0x11e0ebd in wm_event_do_handlers /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2298
    #16 0x11a0e86 in WM_main /home/lukas/Development/Blender/bf-blender/blender/source/blender/windowmanager/intern/wm.c:492
    #17 0x1187b75 in main /home/lukas/Development/Blender/bf-blender/blender/source/creator/creator.c:1750
    #18 0x7ffff2c01bc4 in __libc_start_main ??:?
Shadow bytes around the buggy address:
  0x0c0680051150: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c0680051160: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c0680051170: fd fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c0680051180: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680051190: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
=>0x0c06800511a0: 00[fa]fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c06800511b0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06800511c0: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa fd fd
  0x0c06800511d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c06800511e0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06800511f0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==13323==ABORTING

Sergey Sharybin was assigned by Lukas Tönne 2014-03-06 18:04:14 +01:00
Added subscriber: @Sergey

This is *ancient* stuff:

Apparently the `Nurb->knotsu` array is allocated with different length in the basic `makeknots` function and in the `make_editNurb`/`BKE_nurb_duplicate` functions:

https://developer.blender.org/diffusion/B/browse/master/source/blender/blenkernel/intern/curve.c$964
vs.
https://developer.blender.org/diffusion/B/browse/master/source/blender/blenkernel/intern/curve.c$565

These arrays are memcpy'd into each other, which works fine as long as the source array is larger, but at some point the reverse case happens and leads to memory corruption. I have no idea if that "4 + " part is intentional, it seems plain wrong. Dates back to the very first SVN commit it seems (2002) ...

@Sergey: I have assigned it to you since iirc you (reluctantly) worked with curve code - feel free to unassign or poke me for discussing.

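As an added illustration of the failure mode Lukas describes (this is not Blender's code and not from this thread): a small C model in which two code paths size the same knot array with different formulas, a check that reports when a memcpy between them would overrun the destination, and a hardened version that derives every allocation and every copy from one length function and records the allocated length on the struct, so a stale or mis-sized array is refused instead of copied. The field names `pntsu`, `orderu` and `knotsu` mirror the names in the thread; the struct, the two size formulas (the `4 +` only stands in for the term Lukas questions) and all helper names are constructed assumptions, not the code in curve.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a NURBS spline's U-direction knot vector.
 * Constructed for this illustration; not Blender's Nurb struct. */
typedef struct Nurb {
    int pntsu;          /* control points along U */
    int orderu;         /* NURBS order along U */
    size_t knotsu_len;  /* number of floats actually allocated in knotsu */
    float *knotsu;
} Nurb;

/* Buggy pattern: two code paths each compute the size of the same array.
 * Both formulas are made up; they only reproduce the shape of the problem. */
size_t len_makeknots(int pntsu, int orderu)
{
    return (size_t)pntsu + (size_t)orderu;
}
size_t len_duplicate(int pntsu, int orderu)
{
    (void)orderu;
    return 4 + (size_t)pntsu;
}

/* A memcpy of src_len elements into dst_len elements overruns the
 * destination exactly when src is larger: the "reverse case" in the thread. */
int copy_would_overflow(size_t src_len, size_t dst_len)
{
    return src_len > dst_len;
}

/* Hardened pattern: one length function used by every allocation and copy.
 * Standard NURBS: number of knots = number of control points + order. */
size_t knots_len(const Nurb *nu)
{
    return (size_t)nu->pntsu + (size_t)nu->orderu;
}

/* (Re)allocate the knot vector to match the current point count and record
 * the length that was really allocated. Returns 0 on success, -1 on failure. */
int nurb_alloc_knots(Nurb *nu)
{
    size_t n = knots_len(nu);
    float *k = calloc(n, sizeof(float));
    if (k == NULL)
        return -1;
    free(nu->knotsu);
    nu->knotsu = k;
    nu->knotsu_len = n;
    return 0;
}

/* Changing the point count rebuilds the knots with it, so a flag set before
 * any points exist cannot leave a too-short knot array behind. */
int nurb_set_pntsu(Nurb *nu, int pntsu)
{
    nu->pntsu = pntsu;
    return nurb_alloc_knots(nu);
}

/* Duplicate src into dst. Refuses (returns -1) when src's recorded length
 * disagrees with the formula, i.e. the source is already inconsistent, and
 * sizes dst from the same formula so the memcpy cannot overrun it. */
int nurb_duplicate(const Nurb *src, Nurb *dst)
{
    if (src->knotsu == NULL || src->knotsu_len != knots_len(src))
        return -1;
    *dst = *src;
    dst->knotsu = NULL;
    dst->knotsu_len = 0;
    if (nurb_alloc_knots(dst) != 0)
        return -1;
    memcpy(dst->knotsu, src->knotsu, src->knotsu_len * sizeof(float));
    return 0;
}

void nurb_free_knots(Nurb *nu)
{
    free(nu->knotsu);
    nu->knotsu = NULL;
    nu->knotsu_len = 0;
}

int main(void)
{
    Nurb a = {0}, b = {0};
    a.orderu = 6;
    if (nurb_set_pntsu(&a, 3) != 0)
        return 1;
    /* with the mismatched formulas, order 6 makes the source the larger array */
    printf("mismatched formulas overrun at order 6: %d\n",
           copy_would_overflow(len_makeknots(3, 6), len_duplicate(3, 6)));
    printf("checked duplicate: %d (dst len %zu)\n",
           nurb_duplicate(&a, &b), b.knotsu_len);
    nurb_free_knots(&a);
    nurb_free_knots(&b);
    return 0;
}
```

The refusal in `nurb_duplicate` doubles as a cheap consistency assertion: AddressSanitizer, as in the report above, only flags the overrun in an instrumented build, whereas comparing the recorded length against the single formula catches a mis-sized array in a release build too, before any copy happens.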

This issue was referenced by blender/blender-addons-contrib@b839fb9bb7256ed8e2b519c6bdd725129cc26261

This issue was referenced by blender/blender@b839fb9bb7256ed8e2b519c6bdd725129cc26261

Changed status from 'Open' to: 'Resolved'

Closed by commit blender/blender@b839fb9bb7.