Maniphest T54019

Undefined behavior happen by copying objects with Ctrl+C with custom material nodes
Closed, ResolvedPublic
Actions

Description

System Information
Windows 10

Blender Version
Broken: 2.79 5bd8ac9

Short description of error
Copying objects by Ctrl+C with custom material nodes (created in python by class MyCustomSocket(bpy.types.NodeSocket) .... ) produced undefined behavior in Blender, after which Blender crashes.

Raw diff how to fix this bug
Did more deep investigation of this bug inside Blender's source code and found how this could be fixed. Here it is raw diff: https://pastebin.com/SzwwpCnn

Details

Commits
rBb65933e7b313: Fix T54019: copying and linking bugs with custom ID pointer properties.
Type
Bug
mathieu menuet (bliblubli) added a subscriber: mathieu menuet (bliblubli).Feb 23 2018, 1:03 PM

thanks for investigating. Can you please attach a file and the according steps to reproduce the crash?

Bogdan Nagirniak (bnagirniak) added a comment.Feb 26 2018, 12:22 PM

Well, I'm one of the developers of Radeon ProRender plugin for Blender https://pro.radeon.com/en/software/prorender/blender/ and there (inside plugin) we use our custom materials.

Here are the steps to reproduce bug:

  1. Install RadeonRpoRender plugin https://www2.ati.com/other/radeonprorenderforblender.1.5.0.msi
  2. Create new scene and select Radeon ProRender engine
  3. Select any object (box by default).
  4. Assign RPR Diffuse material to this object.
  5. Press Ctrl+C to copy object to buffer -> Blender crashes because of undefined behavior.

Anyway, currently in Blender when we press Ctrl+C in source code we have following:

  • readfile.c: line 9177: expand_doit(fd, mainvar, sock->prop); //where expand_doit is a pointer to function blendfile_write_partial_cb() and sock->prop has type IDProperty*
  • inside blendfile_write_partial_cb(): sock->prop is trying to be cast into ID* and be used as ID*. But IDProperty cannot be cast to ID and this produces undefined behavior.

I'm proposing to fix this bug by changing lines expand_doit(fd, mainvar, sock->prop); into expand_idprops(fd, mainvar, sock->prop); in the expand_nodetree() function where it has to be required in a raw diff link.

Thank you!

LazyDodo (LazyDodo) triaged this task as Incomplete priority.Mar 17 2018, 3:33 AM
LazyDodo (LazyDodo) added a subscriber: LazyDodo (LazyDodo).

i can't seem to reproduce this with the custom nodes template, there has to be an easier way to reproduce this beyond installing a 500mb+ addon.

Brecht Van Lommel (brecht) added a subscriber: Brecht Van Lommel (brecht).EditedMar 19 2018, 10:18 PM

The code here is clearly wrong, we should not be passing an ID property to a function that expects and ID. So I committed the patch.