Multi-Objects: MESH_OT_select_similar_region
Needs Review, Public

Authored by Dalai Felinto (dfelinto) on Sep 3 2018, 5:52 PM.



It works in some cases, but in others it crashes.
I suspect it has to do with mixing regions from different objects.

More specifically in BM_mesh_region_match, where I'm passing bm_iter from one
object, and fg from a different one.

Diff Detail

rB Blender
temp-multi-similar-region (branched from blender2.8)
Build Status
Buildable 2133
Build 2133: arc lint + arc unit

Event Timeline

How to reproduce a crash:

  • [Select Similar] Shift + G > Face Regions

SUMMARY: AddressSanitizer: heap-use-after-free //bmesh/tools/bmesh_region_match.c:1342 in bm_vert_fasthash_edge_order

#0 0x5618ebe50252 in bm_vert_fasthash_edge_order /home/dfelinto/src/blender/blender/source/blender/bmesh/tools/bmesh_region_match.c:1342     
#1 0x5618ebe504da in bm_vert_fasthash_edge_is_match /home/dfelinto/src/blender/blender/source/blender/bmesh/tools/bmesh_region_match.c:1356
#2 0x5618ebe52a2e in BM_mesh_region_match /home/dfelinto/src/blender/blender/source/blender/bmesh/tools/bmesh_region_match.c:1467       
#3 0x5618ead4dae5 in edbm_select_similar_region_exec /home/dfelinto/src/blender/blender/source/blender/editors/mesh/editmesh_select.c:1465

I even tried to ensure more data was valid for all the bmeshes (P777).

valgrind gives the following:

==10406== Conditional jump or move depends on uninitialised value(s)
==10406==    at 0x178DCCE: bm_face_len_cmp (bmesh_region_match.c:586)
==10406==    by 0x6CC41F1: msort_with_tmp.part.0 (msort.c:83)
==10406==    by 0x6CC4595: msort_with_tmp (msort.c:45)
==10406==    by 0x6CC4595: qsort_r (msort.c:297)
==10406==    by 0x178DE79: bm_uuidwalk_init_from_edge (bmesh_region_match.c:608)
==10406==    by 0x178E48E: bm_mesh_region_match_pair (bmesh_region_match.c:774)
==10406==    by 0x17975D4: BM_mesh_region_match (bmesh_region_match.c:1476)
==10406==    by 0x10C2465: edbm_select_similar_region_exec (editmesh_select.c:1422)
==10406==    by 0xCCCA35: wm_operator_invoke (wm_event_system.c:1331)
==10406==    by 0xCCD0B9: wm_operator_call_internal (wm_event_system.c:1516)
==10406==    by 0xCCD2D7: WM_operator_name_call_ptr (wm_event_system.c:1564)
==10406==    by 0x102259D: ui_apply_but_funcs_after (interface_handlers.c:767)
==10406==    by 0x103B3FC: ui_popup_handler (interface_handlers.c:9860)
==10406==  Uninitialised value was created by a stack allocation
==10406==    at 0x178DD2E: bm_uuidwalk_init_from_edge (bmesh_region_match.c:595)

But it also produces no crash (unlike without valgrind).

Updating to latest blender2.8, same issues are still there.