
Clearing followed by setting a listbox created by UILayout.prop_search while keeping the mouse on the listbox crashes Blender
Open, Confirmed, Medium, Public

Description

System Information
OS: Ubuntu 16.04 x86_64
Gfx: Intel HD Graphics 530 (Skylake GT2) (driver: GL 4.5 (Core Profile) Mesa 17.3.0-devel)

Blender Version
Broken:

  • 2.79-42a562496b5-linux-glibc219-x86_64 (latest build)
  • 2.79-5bd8ac9abfa-linux-glibc219-x86_64
  • 2.76b

Short description of error
Clearing followed by setting a listbox created by UILayout.prop_search while keeping the mouse on the listbox either crashes Blender or leads to unexpected behaviour.

Exact steps for others to reproduce the error
Consistently reproducible.

  1. Open the default startup blender file
  2. Open a textblock and paste and run the code provided in Appendix A
  3. In the 3D viewport, press SPACE and type "Crashable", then select "Crashable Operator" => at the right an operator panel will be drawn
  4. In the operator panel, click on the field next to "Obj:" and select e.g., "Camera" from the list
  5. Click the X sign to the right of "Camera" while keeping the mouse pointer pointed at the field
  6. Click again on the field

Expected behaviour of step 6.
Step 6 should be able to behave as step 4, i.e., one should be able to again select something from a non-empty list

Observed behaviour after step 6
One of the following, probably depending on how Blender's memory was allocated:

  • Crash
  • The list is empty

Appendix A

import bpy


class CrashableOperator(bpy.types.Operator):
    bl_idname = "object.crashable_operator"
    bl_label = "Crashable Operator"
    bl_options = {'REGISTER', 'UNDO'}

    obj = bpy.props.StringProperty(name="Obj")

    def draw(self, context):
        self.layout.prop_search(self, "obj", context.scene, "objects")

    def execute(self, context):
        return {'FINISHED'}


def register():
    bpy.utils.register_class(CrashableOperator)


def unregister():
    bpy.utils.unregister_class(CrashableOperator)


if __name__ == "__main__":
    register()

Terminal output upon crash

$ blender
Read new prefs: /home/elias/.config/blender/2.76/config/userpref.blend
Writing: /tmp/blender.crash.txt
Segmentation fault (core dumped)

Contents of "blender.crash.txt"

# Blender 2.76 (sub 0), Commit date: 1970-01-01 00:00, Hash unknown
bpy.context.area.type = 'TEXT_EDITOR'  # Property
bpy.ops.text.run_script()  # Operator
bpy.ops.object.crashable_operator()  # Operator
bpy.ops.object.crashable_operator(obj="Camera")  # Operator
bpy.ops.object.crashable_operator(obj="")  # Operator
bpy.ops.object.crashable_operator(obj="")  # Operator

# backtrace
blender(BLI_system_backtrace+0x30) [0x1361b10]
blender() [0x97a98e]
/lib/x86_64-linux-gnu/libc.so.6(+0x354b0) [0x7f242a7894b0]
blender(rna_ID_refine+0x4) [0x11bac84]
blender(rna_pointer_inherit_refine+0x66) [0x11a9af6]
blender() [0x1273ae2]
blender(RNA_property_collection_begin+0x15c) [0x11b161c]
blender() [0xb654ae]
blender(ui_searchbox_update+0x6a) [0xb7514a]
blender() [0xb57089]
blender() [0xb59f6d]
blender() [0xb5a027]
blender() [0xb5d7ad]
blender() [0xb5ebe6]
blender() [0xb5f433]
blender() [0x985e81]
blender() [0x986251]
blender(wm_event_do_handlers+0x5f6) [0x9868e6]
blender(WM_main+0x18) [0x97cfd8]
blender(main+0xef4) [0x95ce04]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0) [0x7f242a774830]
blender(_start+0x29) [0x97a2b9]
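
A triage helper for the crash file above, added here as an example and not part of the original report or of Blender's code: it separates the operator history from the backtrace and lists the named frames below the signal handler, innermost first. `parse_crash` and `faulting_chain` are hypothetical names, and treating the first non-blender frame as the signal return stub is an assumption.

```python
import re

# Sample input: an excerpt of the blender.crash.txt contents shown in the report.
CRASH_TXT = """\
bpy.ops.object.crashable_operator(obj="Camera")  # Operator
bpy.ops.object.crashable_operator(obj="")  # Operator

# backtrace
blender(BLI_system_backtrace+0x30) [0x1361b10]
blender() [0x97a98e]
/lib/x86_64-linux-gnu/libc.so.6(+0x354b0) [0x7f242a7894b0]
blender(rna_ID_refine+0x4) [0x11bac84]
blender(rna_pointer_inherit_refine+0x66) [0x11a9af6]
blender() [0x1273ae2]
blender(RNA_property_collection_begin+0x15c) [0x11b161c]
blender() [0xb654ae]
blender(ui_searchbox_update+0x6a) [0xb7514a]
"""

# Frame layout: module(symbol+offset) [address]; symbol is empty for stripped frames.
FRAME_RE = re.compile(
    r"^(?P<module>[^\s(]+)\((?P<symbol>[^+)]*)(?:\+(?P<offset>0x[0-9a-f]+))?\)"
    r"\s+\[(?P<addr>0x[0-9a-f]+)\]$")

def parse_crash(text):
    """Split a crash file into (operator history, backtrace frames)."""
    history, frames, in_trace = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "# backtrace":
            in_trace = True
        elif in_trace:
            m = FRAME_RE.match(line)
            if m:
                frames.append(m.groupdict())
        elif line.startswith("bpy."):
            history.append(line.split("  #")[0])  # drop the trailing "# Operator" tag
    return history, frames

def faulting_chain(frames):
    """Named frames below the crash handler, innermost (faulting) frame first."""
    # Assumption: the first frame outside the blender binary (libc here) is the
    # signal return stub, so everything up to it belongs to the crash handler.
    for i, frame in enumerate(frames):
        if not frame["module"].endswith("blender"):
            return [f["symbol"] for f in frames[i + 1:] if f["symbol"]]
    return []
```

On this excerpt the last recorded operator call is the one with `obj=""`, and the named frames run from `rna_ID_refine` back up to `ui_searchbox_update`.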

Details

Type
Bug

Event Timeline

Philipp Oeser (lichtwerk) lowered the priority of this task from Needs Triage by Developer to Confirmed, Medium. Jan 20 2018, 5:35 PM

can confirm list is empty in master (can't get it to crash here), sometimes there's an entry with a garbled name [accessing bad memory?]
2.79 and below crash. will have a closer look later.

@Philipp Oeser (lichtwerk) do you have address sanitizer set up? - it shows the cause of the error fairly clearly, though exactly how to fix it isn't obvious.

@Campbell Barton (campbellbarton) : thx for the tip, will do in 3hrs and check again

OK, that ASAN is really useful! (already have a couple of other reports in mind on where to use it...)
In this particular case/report I'm still examining those two codepaths (where allocated and where freed) in more depth. Lots of (new) stuff to read for me and wrap my head around, but I'm on it...