crash with generating DataBlockPreviews #46626

New Issue

Philipp Oeser · 2015-10-28T15:46:41+01:00

Philipp Oeser commented

2015-10-28 15:46:41 +01:00

System Information
linux64, Titan

Blender Version
Broken: b0bce65d67
Worked: f375028a25

Short description of error
crash with generating DataBlockPreviews in the default scene

Exact steps for others to reproduce the error
in default startup file [might have to start blender with --factory], goto
File > Data Previews > Refresh DataBlock Previews
should crash

Caused by a broken(freed?) "toggle_brush" pointer on the "SculptDraw" brush.
So you will only get the crash if the "SculptDraw" brush is selected in sculptmode (which I think it is in the default startup scene)
If any other brush is selected, crash wont happen.

this will prevent the crash

diff --git a/source/blender/blenkernel/intern/library_query.c b/source/blender/blenkernel/intern/library_query.c
--- a/source/blender/blenkernel/intern/library_query.c
+++ b/source/blender/blenkernel/intern/library_query.c
@@ -533,7 +533,7 @@ void BKE_library_foreach_ID_link(ID *id, LibraryIDLinkCallback callback, void *u
 		case ID_BR:
 		{
 			Brush *brush = (Brush *) id;
-			CALLBACK_INVOKE(brush->toggle_brush, IDWALK_NOP);
+			//CALLBACK_INVOKE(brush->toggle_brush, IDWALK_NOP);
 			CALLBACK_INVOKE(brush->clone.image, IDWALK_NOP);
 			CALLBACK_INVOKE(brush->paint_curve, IDWALK_USER);
 			library_foreach_mtex(&data, &brush->mtex);

backtrace

Thread 1 (Thread 0x7fffeae25b00 (LWP 30940)):
#0  0x0000000001c9231a in previews_id_ensure_callback (todo_v=0x7fffffffdca0, idptr=0x6f0ef00, UNUSED_cd_flag=0) at /blender/source/blender/windowmanager/intern/wm_operators.c:5043
        todo = 0x7fffffffdca0
        id = 0x7f1eb19a5c08
#1  0x00000000029531ca in BKE_library_foreach_ID_link (id=0x6f0ebe8, callback=0x1c922e5 <previews_id_ensure_callback>, user_data=0x7fffffffdca0, flag=1) at /blender/source/blender/blenkernel/intern/library_query.c:538
        old_id = 0x7f1eb19a5c08
        keep_working = false
        brush = 0x6f0ebe8
        adt = 0x0
        data = {self_id = 0x6f0ebe8, flag = 1, callback = 0x1c922e5 <previews_id_ensure_callback>, user_data = 0x7fffffffdca0}
        i = 0
        __func__ = "BKE_library_foreach_ID_link"

valgrind

==31752== Invalid read of size 2
==31752==    at 0x1C9231A: previews_id_ensure_callback (wm_operators.c:5043)
==31752==    by 0x29531C9: BKE_library_foreach_ID_link (library_query.c:538)
==31752==    by 0x1C924D6: previews_ensure_exec (wm_operators.c:5076)
==31752==    by 0x1C75038: wm_operator_invoke (wm_event_system.c:1103)
==31752==    by 0x1C75603: wm_operator_call_internal (wm_event_system.c:1288)
==31752==    by 0x1C757F3: WM_operator_name_call_ptr (wm_event_system.c:1336)
==31752==    by 0x1FAA00E: ui_apply_but_funcs_after (interface_handlers.c:755)
==31752==    by 0x1FC33F1: ui_handler_region_menu (interface_handlers.c:9816)
==31752==    by 0x1C7365F: wm_handler_ui_call (wm_event_system.c:453)
==31752==    by 0x1C77159: wm_handlers_do_intern (wm_event_system.c:2022)
==31752==    by 0x1C773F5: wm_handlers_do (wm_event_system.c:2106)
==31752==    by 0x1C77F11: wm_event_do_handlers (wm_event_system.c:2389)
==31752==  Address 0x7f1eb19a5c6a is not stack'd, malloc'd or (recently) free'd

**System Information** linux64, Titan **Blender Version** Broken: b0bce65d67ac65bef114cdf22e66f997b4028269 Worked: f375028a2542981732aef6ce4700aa951325e63d **Short description of error** crash with generating DataBlockPreviews in the default scene **Exact steps for others to reproduce the error** in default startup file [might have to start blender with --factory], goto File > Data Previews > Refresh DataBlock Previews should crash Caused by a broken(freed?) "toggle_brush" pointer on the "SculptDraw" brush. So you will only get the crash if the "SculptDraw" brush is selected in sculptmode (which I think it is in the default startup scene) If any other brush is selected, crash wont happen. this will prevent the crash ``` diff --git a/source/blender/blenkernel/intern/library_query.c b/source/blender/blenkernel/intern/library_query.c --- a/source/blender/blenkernel/intern/library_query.c +++ b/source/blender/blenkernel/intern/library_query.c @@ -533,7 +533,7 @@ void BKE_library_foreach_ID_link(ID *id, LibraryIDLinkCallback callback, void *u case ID_BR: { Brush *brush = (Brush *) id; - CALLBACK_INVOKE(brush->toggle_brush, IDWALK_NOP); + //CALLBACK_INVOKE(brush->toggle_brush, IDWALK_NOP); CALLBACK_INVOKE(brush->clone.image, IDWALK_NOP); CALLBACK_INVOKE(brush->paint_curve, IDWALK_USER); library_foreach_mtex(&data, &brush->mtex); ``` backtrace ``` Thread 1 (Thread 0x7fffeae25b00 (LWP 30940)): #0 0x0000000001c9231a in previews_id_ensure_callback (todo_v=0x7fffffffdca0, idptr=0x6f0ef00, UNUSED_cd_flag=0) at /blender/source/blender/windowmanager/intern/wm_operators.c:5043 todo = 0x7fffffffdca0 id = 0x7f1eb19a5c08 #1 0x00000000029531ca in BKE_library_foreach_ID_link (id=0x6f0ebe8, callback=0x1c922e5 <previews_id_ensure_callback>, user_data=0x7fffffffdca0, flag=1) at /blender/source/blender/blenkernel/intern/library_query.c:538 old_id = 0x7f1eb19a5c08 keep_working = false brush = 0x6f0ebe8 adt = 0x0 data = {self_id = 0x6f0ebe8, flag = 1, callback = 0x1c922e5 <previews_id_ensure_callback>, user_data = 0x7fffffffdca0} i = 0 __func__ = "BKE_library_foreach_ID_link" ``` valgrind ``` ==31752== Invalid read of size 2 ==31752== at 0x1C9231A: previews_id_ensure_callback (wm_operators.c:5043) ==31752== by 0x29531C9: BKE_library_foreach_ID_link (library_query.c:538) ==31752== by 0x1C924D6: previews_ensure_exec (wm_operators.c:5076) ==31752== by 0x1C75038: wm_operator_invoke (wm_event_system.c:1103) ==31752== by 0x1C75603: wm_operator_call_internal (wm_event_system.c:1288) ==31752== by 0x1C757F3: WM_operator_name_call_ptr (wm_event_system.c:1336) ==31752== by 0x1FAA00E: ui_apply_but_funcs_after (interface_handlers.c:755) ==31752== by 0x1FC33F1: ui_handler_region_menu (interface_handlers.c:9816) ==31752== by 0x1C7365F: wm_handler_ui_call (wm_event_system.c:453) ==31752== by 0x1C77159: wm_handlers_do_intern (wm_event_system.c:2022) ==31752== by 0x1C773F5: wm_handlers_do (wm_event_system.c:2106) ==31752== by 0x1C77F11: wm_event_do_handlers (wm_event_system.c:2389) ==31752== Address 0x7f1eb19a5c6a is not stack'd, malloc'd or (recently) free'd ```

Philipp Oeser commented

2015-10-28 15:46:41 +01:00

Changed status to: 'Open'

Philipp Oeser commented

2015-10-28 15:46:41 +01:00

Added subscriber: @lichtwerk

Sergey Sharybin commented

2015-10-28 16:25:45 +01:00

Added subscribers: @mont29, @Sergey

Sergey Sharybin commented

2015-10-28 16:25:45 +01:00

@mont29, it is possible that brush->toggle_brush pointer is becoming invalid. For example, you toggle brush then you remove original one. Also, not really sure you really want to go into toggle brush itself in the walker, so leaving it up to you.

@mont29, it is possible that `brush->toggle_brush` pointer is becoming invalid. For example, you toggle brush then you remove original one. Also, not really sure you really want to go into toggle brush itself in the walker, so leaving it up to you.

Bastien Montagne was assigned by Sergey Sharybin

2015-10-28 16:25:54 +01:00

Bastien Montagne commented

2015-11-01 15:01:16 +01:00

Added subscriber: @afdave14

Bastien Montagne commented

2015-11-01 15:01:17 +01:00

I do not see how we can accept an invalid pointer here? It may crash in many other cases I guess? Even worse in default startup, this should be fixed in factory .blend…

And the walker shall return all ID pointers, with no exceptions - otherwise you'll end up with even more 'invalid pointers' like that in the future.

Think this is a good demo of how bad our 'remove ID' code is currently :|

That said, will have a look around to try to understand how toggle_brush can become invalid - and tease Campbell to fix startup file.

I do not see how we can accept an invalid pointer here? It may crash in many other cases I guess? Even worse in default startup, this should be fixed in factory .blend… And the walker shall return all ID pointers, with no exceptions - otherwise you'll end up with even more 'invalid pointers' like that in the future. Think this is a good demo of how bad our 'remove ID' code is currently :| That said, will have a look around to try to understand how toggle_brush can become invalid - and tease Campbell to fix startup file.

Bastien Montagne commented

2015-11-01 15:01:36 +01:00

Added subscriber: @ideasman42
Removed subscriber: @afdave14

Added subscriber: @ideasman42 Removed subscriber: @afdave14

blender-admin commented

2015-11-02 11:42:47 +01:00

This issue was referenced by 7b7aba31f2

This issue was referenced by 7b7aba31f24d51c904c76a17ee50608b770e1bc9

Campbell Barton commented

2015-11-02 11:49:07 +01:00

Changed status from 'Open' to: 'Resolved'

Campbell Barton closed this issue

2015-11-02 11:49:07 +01:00

Sign in to join this conversation.

No Label

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

crash with generating DataBlockPreviews #46626