Page MenuHome

crash with generating DataBlockPreviews
Closed, ResolvedPublic

Description

System Information
linux64, Titan

Blender Version
Broken: b0bce65d67ac65bef114cdf22e66f997b4028269
Worked: f375028a2542981732aef6ce4700aa951325e63d

Short description of error
crash with generating DataBlockPreviews in the default scene

Exact steps for others to reproduce the error
in default startup file [might have to start blender with --factory], goto
File > Data Previews > Refresh DataBlock Previews
should crash

Caused by a broken(freed?) "toggle_brush" pointer on the "SculptDraw" brush.
So you will only get the crash if the "SculptDraw" brush is selected in sculptmode (which I think it is in the default startup scene)
If any other brush is selected, crash wont happen.

this will prevent the crash

diff --git a/source/blender/blenkernel/intern/library_query.c b/source/blender/blenkernel/intern/library_query.c
--- a/source/blender/blenkernel/intern/library_query.c
+++ b/source/blender/blenkernel/intern/library_query.c
@@ -533,7 +533,7 @@ void BKE_library_foreach_ID_link(ID *id, LibraryIDLinkCallback callback, void *u
 		case ID_BR:
 		{
 			Brush *brush = (Brush *) id;
-			CALLBACK_INVOKE(brush->toggle_brush, IDWALK_NOP);
+			//CALLBACK_INVOKE(brush->toggle_brush, IDWALK_NOP);
 			CALLBACK_INVOKE(brush->clone.image, IDWALK_NOP);
 			CALLBACK_INVOKE(brush->paint_curve, IDWALK_USER);
 			library_foreach_mtex(&data, &brush->mtex);

backtrace

Thread 1 (Thread 0x7fffeae25b00 (LWP 30940)):
#0  0x0000000001c9231a in previews_id_ensure_callback (todo_v=0x7fffffffdca0, idptr=0x6f0ef00, UNUSED_cd_flag=0) at /blender/source/blender/windowmanager/intern/wm_operators.c:5043
        todo = 0x7fffffffdca0
        id = 0x7f1eb19a5c08
#1  0x00000000029531ca in BKE_library_foreach_ID_link (id=0x6f0ebe8, callback=0x1c922e5 <previews_id_ensure_callback>, user_data=0x7fffffffdca0, flag=1) at /blender/source/blender/blenkernel/intern/library_query.c:538
        old_id = 0x7f1eb19a5c08
        keep_working = false
        brush = 0x6f0ebe8
        adt = 0x0
        data = {self_id = 0x6f0ebe8, flag = 1, callback = 0x1c922e5 <previews_id_ensure_callback>, user_data = 0x7fffffffdca0}
        i = 0
        __func__ = "BKE_library_foreach_ID_link"

valgrind

==31752== Invalid read of size 2
==31752==    at 0x1C9231A: previews_id_ensure_callback (wm_operators.c:5043)
==31752==    by 0x29531C9: BKE_library_foreach_ID_link (library_query.c:538)
==31752==    by 0x1C924D6: previews_ensure_exec (wm_operators.c:5076)
==31752==    by 0x1C75038: wm_operator_invoke (wm_event_system.c:1103)
==31752==    by 0x1C75603: wm_operator_call_internal (wm_event_system.c:1288)
==31752==    by 0x1C757F3: WM_operator_name_call_ptr (wm_event_system.c:1336)
==31752==    by 0x1FAA00E: ui_apply_but_funcs_after (interface_handlers.c:755)
==31752==    by 0x1FC33F1: ui_handler_region_menu (interface_handlers.c:9816)
==31752==    by 0x1C7365F: wm_handler_ui_call (wm_event_system.c:453)
==31752==    by 0x1C77159: wm_handlers_do_intern (wm_event_system.c:2022)
==31752==    by 0x1C773F5: wm_handlers_do (wm_event_system.c:2106)
==31752==    by 0x1C77F11: wm_event_do_handlers (wm_event_system.c:2389)
==31752==  Address 0x7f1eb19a5c6a is not stack'd, malloc'd or (recently) free'd

Event Timeline

Philipp Oeser (lichtwerk) updated the task description. (Show Details)
Philipp Oeser (lichtwerk) raised the priority of this task from to Needs Triage by Developer.
Philipp Oeser (lichtwerk) set Type to Bug.
Sergey Sharybin (sergey) triaged this task as Confirmed, Medium priority.Oct 28 2015, 4:25 PM

@Bastien Montagne (mont29), it is possible that brush->toggle_brush pointer is becoming invalid. For example, you toggle brush then you remove original one. Also, not really sure you really want to go into toggle brush itself in the walker, so leaving it up to you.

I do not see how we can accept an invalid pointer here? It may crash in many other cases I guess? Even worse in default startup, this should be fixed in factory .blend…

And the walker shall return all ID pointers, with no exceptions - otherwise you'll end up with even more 'invalid pointers' like that in the future.

Think this is a good demo of how bad our 'remove ID' code is currently :|

That said, will have a look around to try to understand how toggle_brush can become invalid - and tease Campbell to fix startup file.