Crash on Boolean modifier when ob_src->totcol > ob_dst->totcol #91339

New Issue

Jacob Lewallen · 2021-09-11T21:31:38+02:00

Jacob Lewallen commented

2021-09-11 21:31:38 +02:00

System Information
Operating system: Linux-5.4.0-84-generic-x86_64-with-glibc2.31 64 Bits
Graphics card: GeForce GTX 1060 3GB/PCIe/SSE2 NVIDIA Corporation 4.5.0 NVIDIA 460.91.03

Blender Version
Broken: version: 3.0.0 Alpha, branch: Unknown, commit date: Unknown Unknown, hash: rBUnknown
Worked: Unknown
Also Broken: 2.93.2, 2.93.4
Worked: 2.92

Short description of error
In the attached blender file, if you add a Boolean modifier to the Bottom object and then use the object picker to subtract the Top object, Blender will crash.

Patch description
https://developer.blender.org/D12460

I'm very new here so please be kind :) I scanned the tickets and nothing jumped out and me, but that may be due to my inexperience searching here.

Seeing the bug was happening in BKE_object_material_remap_calc I looked there and saw that the comment on the function indicates that remap_src_to_dst should be at least ob_src->totcol entries long, the caller in the stacktrace, get_material_remap (MOD_boolean.c) is allocating an array of size dest_ob->totcol

After changing that call site to pass the larger array, in my case source totcol was 13 and destination totcol was 1, my particular crash goes away.

I've submitted the patch, in spite of its simplicity, absolutely happy to chase this further if necessary.

Test File:
crash-on-boolean-bottom-minus-top.blend

Stacktrace

Read blend: /home/jlewallen/sync/blender/crash-on-boolean-bottom-minus-top.blend
****
## 164015==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbe8835e0 at pc 0x000003561b37 bp 0x7fffbe883340 sp 0x7fffbe883330
WRITE of size 2 at 0x7fffbe8835e0 thread #13
    - 0 0x3561b36 in BKE_object_material_remap_calc /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/material.c:1112
    - 1 0x671d871 in get_material_remap /home/jlewallen/oss/blender-git/blender/source/blender/modifiers/intern/MOD_boolean.cc:394
    - 2 0x671e24f in exact_boolean_mesh /home/jlewallen/oss/blender-git/blender/source/blender/modifiers/intern/MOD_boolean.cc:425
    - 3 0x671f210 in modifyMesh /home/jlewallen/oss/blender-git/blender/source/blender/modifiers/intern/MOD_boolean.cc:473
    - 4 0x362dc79 in BKE_modifier_modify_mesh /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/modifier.c:1053
    - 5 0x48ac401 in modifier_modify_mesh_and_geometry_set /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:932
    - 6 0x48b003c in mesh_calc_modifiers /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:1291
    - 7 0x48b7288 in mesh_build_data /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:1914
    - 8 0x48b8ee1 in makeDerivedMesh /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:2061
    - 9 0x3777e54 in BKE_object_handle_data_update /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/object_update.c:202
    - 10 0x377a95a in BKE_object_eval_uber_data /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/object_update.c:395
    - 11 0x5c3c384 in operator() /home/jlewallen/oss/blender-git/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:1484
    - 12 0x5c5fa2e in _M_invoke /usr/include/c++/9/bits/std_function.h:300
    - 13 0x5b990b6 in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/9/bits/std_function.h:688
    - 14 0x5b9449f in evaluate_node /home/jlewallen/oss/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:118
    - 15 0x5b944ee in deg_task_run_func /home/jlewallen/oss/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:129
    - 16 0x1c073411 in Task::operator()() const /home/jlewallen/oss/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:178
    - 17 0x1c076b2b in tbb::internal::function_task<Task>::execute() /home/jlewallen/oss/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task.h:1059
    - 18 0x507bf54 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x507bf54)
    - 19 0x507c20a in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::local_wait_for_all(tbb::task&, tbb::task*) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x507c20a)
    - 20 0x506ae06 in tbb::internal::arena::process(tbb::internal::generic_scheduler&) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x506ae06)
    - 21 0x5075c3f in tbb::internal::market::process(rml::job&) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x5075c3f)
    - 22 0x5077c7b in tbb::internal::rml::private_worker::run() (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x5077c7b)
    - 23 0x5077e78 in tbb::internal::rml::private_worker::thread_routine(void*) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x5077e78)
    - 24 0x7ffff7549608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    - 25 0x7ffff6ed2292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Address 0x7fffbe8835e0 is located in stack of thread #13 at offset 336 in frame
    #0 0x671d8c2 in exact_boolean_mesh /home/jlewallen/oss/blender-git/blender/source/blender/modifiers/intern/MOD_boolean.cc:401

This frame has 12 object(s):
[48, 56) ''
[80, 88) ''
[112, 120) ''
[144, 152) ''
[176, 184) ''
[208, 216) ''
[240, 272) ''
[304, 336) '' <== Memory access at offset 336 overflows this variable
[368, 400) ''
[432, 504) 'meshes' (line 402)
[544, 616) 'obmats' (line 403)
[656, 824) 'material_remaps' (line 404)

HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork

(longjmp and C++ exceptions *are* supported)

Thread #13 created by T0 here:
    - 0 0x7ffff75a2815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    - 1 0x5077b68 in tbb::internal::rml::private_server::wake_some(int) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x5077b68)
    #2 0x62d00009e37f  (<unknown module>)

SUMMARY: AddressSanitizer: stack-buffer-overflow /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/material.c:1112 in BKE_object_material_remap_calc
Shadow bytes around the buggy address:
  0x100077d08660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d08670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d08680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d08690: 00 00 f1 f1 f1 f1 00 00 f8 f2 00 00 f8 f2 00 00
  0x100077d086a0: f8 f2 00 00 f8 f2 00 00 00 f2 00 00 00 f2 f2 f2
# >0x100077d086b0: f8 f8 f8 f8 f2 f2 f2 f2 00 00 00 00[f2]f2 f2 f2
  0x100077d086c0: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x100077d086d0: 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2
  0x100077d086e0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077d086f0: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3
  0x100077d08700: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00

**System Information** Operating system: Linux-5.4.0-84-generic-x86_64-with-glibc2.31 64 Bits Graphics card: GeForce GTX 1060 3GB/PCIe/SSE2 NVIDIA Corporation 4.5.0 NVIDIA 460.91.03 **Blender Version** Broken: version: 3.0.0 Alpha, branch: Unknown, commit date: Unknown Unknown, hash: `rBUnknown` Worked: Unknown Also Broken: 2.93.2, 2.93.4 Worked: 2.92 **Short description of error** In the attached blender file, if you add a Boolean modifier to the Bottom object and then use the object picker to subtract the Top object, Blender will crash. **Patch description** https://developer.blender.org/D12460 I'm very new here so please be kind :) I scanned the tickets and nothing jumped out and me, but that may be due to my inexperience searching here. Seeing the bug was happening in BKE_object_material_remap_calc I looked there and saw that the comment on the function indicates that remap_src_to_dst should be at least ob_src->totcol entries long, the caller in the stacktrace, get_material_remap (MOD_boolean.c) is allocating an array of size dest_ob->totcol After changing that call site to pass the larger array, in my case source totcol was 13 and destination totcol was 1, my particular crash goes away. I've submitted the patch, in spite of its simplicity, absolutely happy to chase this further if necessary. Test File: [crash-on-boolean-bottom-minus-top.blend](https://archive.blender.org/developer/F10399153/crash-on-boolean-bottom-minus-top.blend) --- **Stacktrace** ```lines Read blend: /home/jlewallen/sync/blender/crash-on-boolean-bottom-minus-top.blend **** ## 164015==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbe8835e0 at pc 0x000003561b37 bp 0x7fffbe883340 sp 0x7fffbe883330 WRITE of size 2 at 0x7fffbe8835e0 thread #13 - 0 0x3561b36 in BKE_object_material_remap_calc /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/material.c:1112 - 1 0x671d871 in get_material_remap /home/jlewallen/oss/blender-git/blender/source/blender/modifiers/intern/MOD_boolean.cc:394 - 2 0x671e24f in exact_boolean_mesh /home/jlewallen/oss/blender-git/blender/source/blender/modifiers/intern/MOD_boolean.cc:425 - 3 0x671f210 in modifyMesh /home/jlewallen/oss/blender-git/blender/source/blender/modifiers/intern/MOD_boolean.cc:473 - 4 0x362dc79 in BKE_modifier_modify_mesh /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/modifier.c:1053 - 5 0x48ac401 in modifier_modify_mesh_and_geometry_set /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:932 - 6 0x48b003c in mesh_calc_modifiers /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:1291 - 7 0x48b7288 in mesh_build_data /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:1914 - 8 0x48b8ee1 in makeDerivedMesh /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:2061 - 9 0x3777e54 in BKE_object_handle_data_update /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/object_update.c:202 - 10 0x377a95a in BKE_object_eval_uber_data /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/object_update.c:395 - 11 0x5c3c384 in operator() /home/jlewallen/oss/blender-git/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:1484 - 12 0x5c5fa2e in _M_invoke /usr/include/c++/9/bits/std_function.h:300 - 13 0x5b990b6 in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/9/bits/std_function.h:688 - 14 0x5b9449f in evaluate_node /home/jlewallen/oss/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:118 - 15 0x5b944ee in deg_task_run_func /home/jlewallen/oss/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:129 - 16 0x1c073411 in Task::operator()() const /home/jlewallen/oss/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:178 - 17 0x1c076b2b in tbb::internal::function_task<Task>::execute() /home/jlewallen/oss/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task.h:1059 - 18 0x507bf54 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x507bf54) - 19 0x507c20a in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::local_wait_for_all(tbb::task&, tbb::task*) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x507c20a) - 20 0x506ae06 in tbb::internal::arena::process(tbb::internal::generic_scheduler&) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x506ae06) - 21 0x5075c3f in tbb::internal::market::process(rml::job&) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x5075c3f) - 22 0x5077c7b in tbb::internal::rml::private_worker::run() (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x5077c7b) - 23 0x5077e78 in tbb::internal::rml::private_worker::thread_routine(void*) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x5077e78) - 24 0x7ffff7549608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 - 25 0x7ffff6ed2292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292) Address 0x7fffbe8835e0 is located in stack of thread #13 at offset 336 in frame #0 0x671d8c2 in exact_boolean_mesh /home/jlewallen/oss/blender-git/blender/source/blender/modifiers/intern/MOD_boolean.cc:401 ``` This frame has 12 object(s): [48, 56) '<unknown>' [80, 88) '<unknown>' [112, 120) '<unknown>' [144, 152) '<unknown>' [176, 184) '<unknown>' [208, 216) '<unknown>' [240, 272) '<unknown>' [304, 336) '<unknown>' <== Memory access at offset 336 overflows this variable [368, 400) '<unknown>' [432, 504) 'meshes' (line 402) [544, 616) 'obmats' (line 403) [656, 824) 'material_remaps' (line 404) ``` HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork ``` (longjmp and C++ exceptions *are* supported) ``` Thread #13 created by T0 here: - 0 0x7ffff75a2815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208 - 1 0x5077b68 in tbb::internal::rml::private_server::wake_some(int) (/home/jlewallen/oss/blender-git/build_linux_debug/bin/blender+0x5077b68) #2 0x62d00009e37f (<unknown module>) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/jlewallen/oss/blender-git/blender/source/blender/blenkernel/intern/material.c:1112 in BKE_object_material_remap_calc Shadow bytes around the buggy address: 0x100077d08660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100077d08670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100077d08680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100077d08690: 00 00 f1 f1 f1 f1 00 00 f8 f2 00 00 f8 f2 00 00 0x100077d086a0: f8 f2 00 00 f8 f2 00 00 00 f2 00 00 00 f2 f2 f2 # >0x100077d086b0: f8 f8 f8 f8 f2 f2 f2 f2 00 00 00 00[f2]f2 f2 f2 0x100077d086c0: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 0x100077d086d0: 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 0x100077d086e0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 0x100077d086f0: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 0x100077d08700: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ```

Jacob Lewallen commented

2021-09-11 21:31:38 +02:00

Added subscriber: @Jacob-Lewallen

Jacob Lewallen commented

2021-09-11 21:35:51 +02:00

Attaching Blender file.

crash-on-boolean-bottom-minus-top.blend

Attaching Blender file. [crash-on-boolean-bottom-minus-top.blend](https://archive.blender.org/developer/F10399153/crash-on-boolean-bottom-minus-top.blend)

Pratik Borhade commented

2021-09-12 14:56:29 +02:00

Added subscriber: @PratikPB2123