blf_kerning/blf_unscaled_F26Dot6_to_pixels heap-use-after-free #100242
Reference: blender/blender#100242
System Information
Operating system: Ubuntu 22.04.1 LTS
Graphics card: GeForce RTX 2070 SUPER
Blender Version
Broken: master branch from github (8f915f0efb)
Worked: N/A
Seems to happen randomly. Sometimes a second after I start Blender, just moving the cursor around. Sometimes I get to work for a bit.
Blender gets killed as ASAN aborts when the error happens. Possibly this doesn't get noticed much without an ASAN build.
Added subscriber: @elmo
Changed status from 'Needs Triage' to: 'Confirmed'
Added subscriber: @Harley
I managed to get a crash with fast unwind disabled:
Looking at the stacktrace I can see ui_but_tooltip_init and that hinted at how to reliably reproduce the issue. On the splash screen I just move the cursor over one of the last open file names and wait. It seems that it crashes when it tries to show the tooltip.

I have tried some other tooltip areas and oddly some work, e.g. things in the properties panel seem to work. But hovering over the "eye" icon or "camera" icon causes an ASAN crash.
The following might have wrong assumptions, so feel free to chime in, help out, and correct.

Fairly certain that in blf_unscaled_F26Dot6_to_pixels the only thing that could be used after freeing is the "ft_size" member of the font. I'm guessing that this is just a normal result of the newly-added FreeType caching system that I am not dealing with correctly. I am adding an ft_size to the font when we size it, but the cache is removing sizes whenever it wants or needs to.

First, I really need to set that ft_size member of the font to NULL when the cache removes it. Then I think I need to add an "ensure_size" that can be called only when I need to get at that thing. That way the font can continue to work without face and without size unless absolutely needed.
Timing of a fix might be problematic. I think anyone that could/should review would be in Vancouver now for Siggraph. Will see what I can do.
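The two-part fix sketched in the comment above (clear the font's cached pointer from a callback when the cache frees the size, and re-acquire the size lazily through an "ensure" step) as an added, self-contained model. This is example code written for this page, not Blender's BLF code and not FreeType's cache API: the `Size`/`Font` structs, the two-entry FIFO cache, the `finalizer` hook, `font_ensure_size` and the pixel conversion formula are all hypothetical stand-ins for the real objects and callback the patch uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not Blender or FreeType code): a font keeps a pointer to
 * a size object owned by a cache that may evict and free it at any time.
 * Fix pattern: (1) a finalizer, run by the cache right before free(), clears
 * the owner's cached pointer; (2) ensure_size() re-acquires on demand instead
 * of trusting a possibly stale pointer. */

struct Font;

typedef struct Size {
  int pixels;                       /* pixel size this entry was created for */
  struct Font *owner;               /* font whose ft_size points at this entry */
  void (*finalizer)(struct Size *); /* invoked by the cache before free() */
} Size;

typedef struct Font {
  int size_px;   /* requested size */
  Size *ft_size; /* cached size object; may be invalidated by the cache */
} Font;

/* Tiny FIFO cache with room for two entries so evictions happen quickly. */
#define CACHE_CAP 2
static Size *cache[CACHE_CAP];
static int cache_len;
static int evictions;

static void cache_evict_oldest(void)
{
  Size *victim = cache[0];
  if (victim->finalizer) {
    victim->finalizer(victim); /* let the owner drop its pointer first */
  }
  memmove(&cache[0], &cache[1], sizeof(cache[0]) * (size_t)(cache_len - 1));
  cache_len--;
  free(victim);
  evictions++;
}

static void cache_reset(void)
{
  while (cache_len > 0) {
    cache_evict_oldest();
  }
  evictions = 0;
}

static Size *cache_lookup(Font *owner, int pixels, void (*finalizer)(Size *))
{
  if (cache_len == CACHE_CAP) {
    cache_evict_oldest();
  }
  Size *s = (Size *)calloc(1, sizeof(*s));
  s->pixels = pixels;
  s->owner = owner;
  s->finalizer = finalizer;
  cache[cache_len++] = s;
  return s;
}

/* Step 1 of the fix: the cache says the size is going away, so forget it. */
static void size_finalizer(Size *s)
{
  if (s->owner && s->owner->ft_size == s) {
    s->owner->ft_size = NULL;
  }
}

/* Step 2 of the fix: fetch the size only when it is actually needed. */
static Size *font_ensure_size(Font *f)
{
  if (f->ft_size == NULL) {
    f->ft_size = cache_lookup(f, f->size_px, size_finalizer);
  }
  return f->ft_size;
}

/* Stand-in for the conversion that crashed; hypothetical formula that
 * deliberately reads through the size object. */
static int font_units_to_pixels(Font *f, int units_26dot6)
{
  Size *s = font_ensure_size(f);
  return (units_26dot6 * s->pixels) >> 6;
}

typedef struct DemoResult {
  int a_cleared_after_evict; /* 1 if eviction nulled a.ft_size */
  int evictions_after_third; /* evictions once the third font was sized */
  int px;                    /* pixels after re-acquiring a's size */
  int b_cleared_after_reuse; /* 1 if re-acquiring a evicted and cleared b */
} DemoResult;

static DemoResult demo_scenario(void)
{
  DemoResult r;
  Font a = {12, NULL}, b = {16, NULL}, c = {20, NULL};

  cache_reset();
  font_ensure_size(&a);
  font_ensure_size(&b);
  font_ensure_size(&c); /* cache full: a's entry is evicted, finalizer clears a.ft_size */
  r.a_cleared_after_evict = (a.ft_size == NULL);
  r.evictions_after_third = evictions;

  /* Without ensure_size this would read freed memory (what ASAN flagged);
   * with it, a's size is re-created and b's entry is evicted in turn. */
  r.px = font_units_to_pixels(&a, 3 * 64);
  r.b_cleared_after_reuse = (b.ft_size == NULL);

  cache_reset(); /* frees remaining entries; finalizers null the owners' pointers */
  return r;
}

int main(void)
{
  DemoResult r = demo_scenario();
  printf("a cleared=%d evictions=%d px=%d b cleared=%d\n",
         r.a_cleared_after_evict, r.evictions_after_third, r.px, r.b_cleared_after_reuse);
  return 0;
}
```

Run it under ASAN as the reporter did; removing the `size_finalizer` registration and the NULL check in `font_ensure_size` turns the second `font_units_to_pixels` call into the heap-use-after-free the issue describes, which is the quickest way to confirm a sanitizer build catches this class of bug.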
Added subscriber: @LazyDodo
If landing a fix is problematic, reverting the caching commit that caused the issue should require much less approval?
@elmo - It would be great if I could get your assistance with this. I might submit a patch and initially add just you as reviewer so that you can compile and confirm that it fixes this issue. Then I'd remove you and add a technical code reviewer. Does that sound like something you could do?
I can definitely try to compile with patch and see if it helps.
As for helping with understanding an issue and/or reviewing I am not sure how much I can help as I have very little familiarity with Blender source code and I have never before today looked at FreeType library.
Your explanation as to what is going wrong is what I was guessing from what I could see in code. I am not sure how you'd discover that FT decided to free something from cache (again, I'm not familiar with that at all).
Actually that is all I'd need since you have been able to see/recreate this error it would be wonderful for you to confirm it fixes it (or does not).
FreeType has a callback for this. You'll see that in the patch when I submit it. But again, just compiling and seeing that it does not cause the error is a big help.
@elmo - I wasn't able to add your name as reviewer to my diff (this interface doesn't seem to like your nick or name).
So can you apply, compile and test the following?
https://developer.blender.org/D15639
There is BLI_assert_unreachable(); at the end of that function. Not sure how other places do not fail/warn on this.

All other places are followed by some kind of return, so I guess that answers that question. I think we want return false after the assert.

With your patch and the extra return false it no longer crashes and I get a tooltip to appear both on the splash/greeting window and when hovering over icons in the outliner.

@elmo - Yes, added a return false after that BLI_assert_unreachable; I forgot that compilers might complain about that. LOL

Thanks for testing!
I'll see what I can do with this weird timing. We might just revert the caching commit until Brecht is back, or wait for review of this fix, or (possibly) commit fix early and review again later.
This issue was referenced by 8b3e3c1810
Changed status from 'Confirmed' to: 'Resolved'