Crash when undoing deletion of last shape key. #44439

New Issue

Bastien Montagne · 2015-04-18T09:38:59+02:00

Bastien Montagne commented

2015-04-18 09:38:59 +02:00

System Information
NA

Blender Version
Broken: (example: current master
Worked: no idea (you need a debug build to reproduce the crash it seems)

Short description of error
Undoing deletion of the last shapekeys, asan breaks on freed memory access (from Outliner's tselem->id of the deleted shapekey).

I think what happens is the undo step gets saved after deletion of the skey ID, but before Outliner's get updated? Still investigating...

Exact steps for others to reproduce the error
Just add some shape keys to default cube, remove them, and undo, in debug build with asan crash is 100% reproducible, with following info:

P220: (An Untitled Masterwork)

=================================================================
==10753==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110007d9b68 at pc 0x48db60f bp 0x7ffc4d1b0360 sp 0x7ffc4d1b0358
READ of size 2 at 0x6110007d9b68 thread T0
    #0 0x48db60e in restore_pointer_by_name /home/i74700deb64/blender/__work__/src/source/blender/blenloader/intern/readfile.c:6148
    #1 0x48dd93a in blo_lib_link_screen_restore /home/i74700deb64/blender/__work__/src/source/blender/blenloader/intern/readfile.c:6392
    #2 0x3dd4962 in setup_app_data /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/blender.c:285
    #3 0x3dd628b in BKE_read_file_from_memfile /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/blender.c:574
    #4 0x3dd66d8 in read_undosave /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/blender.c:675
    #5 0x3dd6fd8 in BKE_undo_step /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/blender.c:807
    #6 0x26b1205 in ed_undo_step /home/i74700deb64/blender/__work__/src/source/blender/editors/util/undo.c:207
    #7 0x26b186a in ed_undo_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/util/undo.c:296
    #8 0x219c98d in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1048
    #9 0x219faac in wm_handler_operator_call /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1639
    #10 0x21a117a in wm_handlers_do_intern /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1904
    #11 0x21a19bd in wm_handlers_do /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2013
    #12 0x21a3a10 in wm_event_do_handlers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2385
    #13 0x2186613 in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:487
    #14 0x218435d in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:1864
    #15 0x7fd657cefb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #16 0x217ec7e (/home/i74700deb64/blender/__work__/build_cmake_dbg/bin/blender+0x217ec7e)

0x6110007d9b68 is located 40 bytes inside of 232-byte region [0x6110007d9b40,0x6110007d9c28)
freed by thread T0 here:
    #0 0x7fd65df1b527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x4ef9b35 in MEM_lockfree_freeN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:169
    #2 0x4028807 in BKE_libblock_free_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:1045
    #3 0x4028831 in BKE_libblock_free /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:1050
    #4 0x4028a1b in BKE_libblock_free_us /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:1066
    #5 0x2d1c7c7 in ED_object_shape_key_remove /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_shapekey.c:171
    #6 0x2d1de69 in shape_key_remove_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_shapekey.c:368
    #7 0x219c98d in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1048
    #8 0x219d69b in wm_operator_call_internal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1227
    #9 0x219d8fc in WM_operator_name_call_ptr /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1275
    #10 0x2968650 in ui_apply_but_funcs_after /home/i74700deb64/blender/__work__/src/source/blender/editors/interface/interface_handlers.c:674
    #11 0x29addc8 in ui_handler_region_menu /home/i74700deb64/blender/__work__/src/source/blender/editors/interface/interface_handlers.c:9309
    #12 0x21986c7 in wm_handler_ui_call /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:426
    #13 0x21a13a3 in wm_handlers_do_intern /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1929
    #14 0x21a19bd in wm_handlers_do /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2013
    #15 0x21a32e8 in wm_event_do_handlers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2296
    #16 0x2186613 in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:487
    #17 0x218435d in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:1864
    #18 0x7fd657cefb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

previously allocated by thread T0 here:
    #0 0x7fd65df1b885 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54885)
    #1 0x4efa546 in MEM_lockfree_callocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:286
    #2 0x40271c6 in alloc_libblock_notest /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:688
    #3 0x402772c in BKE_libblock_alloc /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:765
    #4 0x4002f0c in BKE_key_add /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/key.c:105
    #5 0x414b90e in insert_meshkey /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/object.c:3408
    #6 0x414c5a3 in BKE_object_insert_shape_key /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/object.c:3514
    #7 0x2d1bd20 in ED_object_shape_key_add /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_shapekey.c:81
    #8 0x2d1dc0c in shape_key_add_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_shapekey.c:333
    #9 0x219c98d in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1048
    #10 0x219d69b in wm_operator_call_internal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1227
    #11 0x219d8fc in WM_operator_name_call_ptr /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1275
    #12 0x2968650 in ui_apply_but_funcs_after /home/i74700deb64/blender/__work__/src/source/blender/editors/interface/interface_handlers.c:674
    #13 0x29addc8 in ui_handler_region_menu /home/i74700deb64/blender/__work__/src/source/blender/editors/interface/interface_handlers.c:9309
    #14 0x21986c7 in wm_handler_ui_call /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:426
    #15 0x21a13a3 in wm_handlers_do_intern /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1929
    #16 0x21a19bd in wm_handlers_do /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2013
    #17 0x21a32e8 in wm_event_do_handlers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2296
    #18 0x2186613 in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:487
    #19 0x218435d in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:1864
    #20 0x7fd657cefb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-use-after-free /home/i74700deb64/blender/__work__/src/source/blender/blenloader/intern/readfile.c:6148 restore_pointer_by_name
Shadow bytes around the buggy address:
  0x0c22800f3310: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c22800f3320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800f3330: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22800f3340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800f3350: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c22800f3360: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
  0x0c22800f3370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800f3380: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x0c22800f3390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22800f33a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22800f33b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==10753==ABORTING

**System Information** NA **Blender Version** Broken: (example: current master Worked: no idea (you need a debug build to reproduce the crash it seems) **Short description of error** Undoing deletion of the last shapekeys, asan breaks on freed memory access (from Outliner's tselem->id of the deleted shapekey). I think what happens is the undo step gets saved after deletion of the skey ID, but before Outliner's get updated? Still investigating... **Exact steps for others to reproduce the error** Just add some shape keys to default cube, remove them, and undo, in debug build with asan crash is 100% reproducible, with following info: [P220: (An Untitled Masterwork)](https://archive.blender.org/developer/P220.txt) ``` ================================================================= ==10753==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110007d9b68 at pc 0x48db60f bp 0x7ffc4d1b0360 sp 0x7ffc4d1b0358 READ of size 2 at 0x6110007d9b68 thread T0 #0 0x48db60e in restore_pointer_by_name /home/i74700deb64/blender/__work__/src/source/blender/blenloader/intern/readfile.c:6148 #1 0x48dd93a in blo_lib_link_screen_restore /home/i74700deb64/blender/__work__/src/source/blender/blenloader/intern/readfile.c:6392 #2 0x3dd4962 in setup_app_data /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/blender.c:285 #3 0x3dd628b in BKE_read_file_from_memfile /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/blender.c:574 #4 0x3dd66d8 in read_undosave /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/blender.c:675 #5 0x3dd6fd8 in BKE_undo_step /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/blender.c:807 #6 0x26b1205 in ed_undo_step /home/i74700deb64/blender/__work__/src/source/blender/editors/util/undo.c:207 #7 0x26b186a in ed_undo_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/util/undo.c:296 #8 0x219c98d in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1048 #9 0x219faac in wm_handler_operator_call /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1639 #10 0x21a117a in wm_handlers_do_intern /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1904 #11 0x21a19bd in wm_handlers_do /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2013 #12 0x21a3a10 in wm_event_do_handlers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2385 #13 0x2186613 in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:487 #14 0x218435d in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:1864 #15 0x7fd657cefb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44) #16 0x217ec7e (/home/i74700deb64/blender/__work__/build_cmake_dbg/bin/blender+0x217ec7e) 0x6110007d9b68 is located 40 bytes inside of 232-byte region [0x6110007d9b40,0x6110007d9c28) freed by thread T0 here: #0 0x7fd65df1b527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527) #1 0x4ef9b35 in MEM_lockfree_freeN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:169 #2 0x4028807 in BKE_libblock_free_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:1045 #3 0x4028831 in BKE_libblock_free /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:1050 #4 0x4028a1b in BKE_libblock_free_us /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:1066 #5 0x2d1c7c7 in ED_object_shape_key_remove /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_shapekey.c:171 #6 0x2d1de69 in shape_key_remove_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_shapekey.c:368 #7 0x219c98d in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1048 #8 0x219d69b in wm_operator_call_internal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1227 #9 0x219d8fc in WM_operator_name_call_ptr /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1275 #10 0x2968650 in ui_apply_but_funcs_after /home/i74700deb64/blender/__work__/src/source/blender/editors/interface/interface_handlers.c:674 #11 0x29addc8 in ui_handler_region_menu /home/i74700deb64/blender/__work__/src/source/blender/editors/interface/interface_handlers.c:9309 #12 0x21986c7 in wm_handler_ui_call /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:426 #13 0x21a13a3 in wm_handlers_do_intern /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1929 #14 0x21a19bd in wm_handlers_do /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2013 #15 0x21a32e8 in wm_event_do_handlers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2296 #16 0x2186613 in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:487 #17 0x218435d in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:1864 #18 0x7fd657cefb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44) previously allocated by thread T0 here: #0 0x7fd65df1b885 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54885) #1 0x4efa546 in MEM_lockfree_callocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:286 #2 0x40271c6 in alloc_libblock_notest /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:688 #3 0x402772c in BKE_libblock_alloc /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:765 #4 0x4002f0c in BKE_key_add /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/key.c:105 #5 0x414b90e in insert_meshkey /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/object.c:3408 #6 0x414c5a3 in BKE_object_insert_shape_key /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/object.c:3514 #7 0x2d1bd20 in ED_object_shape_key_add /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_shapekey.c:81 #8 0x2d1dc0c in shape_key_add_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_shapekey.c:333 #9 0x219c98d in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1048 #10 0x219d69b in wm_operator_call_internal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1227 #11 0x219d8fc in WM_operator_name_call_ptr /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1275 #12 0x2968650 in ui_apply_but_funcs_after /home/i74700deb64/blender/__work__/src/source/blender/editors/interface/interface_handlers.c:674 #13 0x29addc8 in ui_handler_region_menu /home/i74700deb64/blender/__work__/src/source/blender/editors/interface/interface_handlers.c:9309 #14 0x21986c7 in wm_handler_ui_call /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:426 #15 0x21a13a3 in wm_handlers_do_intern /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1929 #16 0x21a19bd in wm_handlers_do /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2013 #17 0x21a32e8 in wm_event_do_handlers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2296 #18 0x2186613 in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:487 #19 0x218435d in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:1864 #20 0x7fd657cefb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44) SUMMARY: AddressSanitizer: heap-use-after-free /home/i74700deb64/blender/__work__/src/source/blender/blenloader/intern/readfile.c:6148 restore_pointer_by_name Shadow bytes around the buggy address: 0x0c22800f3310: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c22800f3320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c22800f3330: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa 0x0c22800f3340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c22800f3350: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa =>0x0c22800f3360: fa fa fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd 0x0c22800f3370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c22800f3380: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa 0x0c22800f3390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c22800f33a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c22800f33b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==10753==ABORTING ```

Bastien Montagne commented

2015-04-18 09:38:59 +02:00

Changed status to: 'Open'

Bastien Montagne self-assigned this 2015-04-18 09:38:59 +02:00

Bastien Montagne commented

2015-04-18 09:38:59 +02:00

Added subscriber: @mont29

Bastien Montagne commented

2015-04-18 09:39:56 +02:00

Added subscribers: @Sergey, @ideasman42

Bastien Montagne commented

2015-04-18 09:39:56 +02:00

Sergey, Campbell, working on this one, but if you have some quick and obvious idea about what happens exactly and how to fix it… ;)

Bastien Montagne commented

2015-04-28 22:46:44 +02:00

So so far, here is the issue as I understand it:

outliner keeps 'persistent' data for its treeelements, which includes ID pointer.
outliner does not systematically clear those persistent data, it can just mark them as 'unused' but keep them in its mempool/ghash.
During undo, UI is kept, which means any data pointers in UI data needs to be remapped to new data 'generated' from undo.
When deleting last shapekey, relevant ID is freed, tselem pointing to it is no more used, but remains in outliner.
So on next undo, blender tries to restore that no-more valid pointer and… crash.

I tried not restoring pointers of 'unused' tselem, it seems to work, but not quite sure it's desired… this means all 'stored' unused tselem become useless then. Still trying to understand what goes on here and how to fix it properly.

So so far, here is the issue as I understand it: * outliner keeps 'persistent' data for its treeelements, which includes ID pointer. * outliner does not systematically clear those persistent data, it can just mark them as 'unused' but keep them in its mempool/ghash. * During undo, UI is kept, which means any data pointers in UI data needs to be remapped to new data 'generated' from undo. * When deleting last shapekey, relevant ID is freed, tselem pointing to it is no more used, but remains in outliner. * So on next undo, blender tries to restore that no-more valid pointer and… crash. I tried not restoring pointers of 'unused' tselem, it seems to work, but not quite sure it's desired… this means all 'stored' unused tselem become useless then. Still trying to understand what goes on here and how to fix it properly.

Bastien Montagne commented

2015-04-29 12:16:20 +02:00

OK, so learning further, seems that tselem->used is not to be used at all here - unused (free) tselem shall have a NULL id value (used seems to be used just to tag newly created tselem or something like that :/ ).

Now, as far as I follow outliner code, tselems do not seem to be ever actually released (except by big nuke BLI_mempool_destroy)? And only object seem to care to set tselem->id to NULL (in BKE_object_unlink)… Soooo… do we end up having tons of invalid pointers dangling like that in unused tselems? and if so, why does it not crash more often? Because we rather seldomly actually free IDs?

OK, so learning further, seems that tselem->used is not to be used at all here - unused (free) tselem shall have a NULL id value (used seems to be used just to tag newly created tselem or something like that :/ ). Now, as far as I follow outliner code, tselems do not seem to be ever actually released (except by big nuke BLI_mempool_destroy)? And only object seem to care to set tselem->id to NULL (in BKE_object_unlink)… Soooo… do we end up having tons of invalid pointers dangling like that in unused tselems? and if so, why does it not crash more often? Because we rather seldomly actually free IDs?

Bastien Montagne commented

2015-04-29 16:17:33 +02:00

Actually, found we could get same crash in other cases (e.g. shift-click on a material ID selector of a matslot, delete material from py console (bpy.data.materials.remove(bpy.data.materials['my_mat'])), and undo -> crash).

Proposed patch: D1272

Actually, found we could get same crash in other cases (e.g. shift-click on a material ID selector of a matslot, delete material from py console (`bpy.data.materials.remove(bpy.data.materials['my_mat'])`), and undo -> crash). Proposed patch: [D1272](https://archive.blender.org/developer/D1272)

blender-admin commented

2015-04-30 14:28:22 +02:00

This issue was referenced by f271d85b86

This issue was referenced by f271d85b865cb5e82b50a29f91d2cabbbede6a9a

Bastien Montagne commented

2015-04-30 14:29:08 +02:00

Changed status from 'Open' to: 'Resolved'

Bastien Montagne closed this issue

2015-04-30 14:29:08 +02:00

Bastien Montagne commented

2015-04-30 14:29:08 +02:00

Closed by commit f271d85b86.

Closed by commit f271d85b86.

Sign in to join this conversation.

No Label

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

Crash when undoing deletion of last shape key. #44439