
Crash when copying object with PointerProperty pointing to custom node tree
Closed, Resolved | Public

Description

Blender Version
Broken: 2.79b

Short description of error

In our addon, materials have a PointerProperty that points to a custom node tree.
When this node tree contains nodes with custom sockets and a property of the socket was changed, Blender crashes when Ctrl+C is used to copy an object using the material in the 3D view.
It does not matter if the socket property was changed via script or manually.

Exact steps for others to reproduce the error

  • Load factory settings
  • Open user preferences, install and enable the attached addon:
  • Open a node editor
  • Switch to the "Custom Nodes" tree type that was added by the addon
  • Create a new node tree
  • Create a new node
  • In the properties area, open the material properties and scroll down to the "Datablock ID Props Test" panel
  • Select the created custom node tree
  • In the 3D view, press Ctrl+C to copy the default cube. Blender crashes.

GDB session with Blender debug build:

Program received signal SIGSEGV, Segmentation fault.
0x0000000002b694d3 in blendfile_write_partial_cb (UNUSED_handle=0x0, UNUSED_bmain=0x7fffdebed608, vid=0x7fffd8b06a68) at /home/simon/programs/blender-git/blender/source/blender/blenkernel/intern/blendfile.c:569
569			if (id->lib && (id->lib->id.tag & LIB_TAG_DOIT) == 0)
(gdb) backtrace
#0  0x0000000002b694d3 in blendfile_write_partial_cb (UNUSED_handle=0x0, UNUSED_bmain=0x7fffdebed608, vid=0x7fffd8b06a68) at /home/simon/programs/blender-git/blender/source/blender/blenkernel/intern/blendfile.c:569
#1  0x0000000002a5b062 in expand_nodetree (fd=0x0, mainvar=0x7fffdebed608, ntree=0x7fffd8a27208) at /home/simon/programs/blender-git/blender/source/blender/blenloader/intern/readfile.c:9210
#2  0x0000000002a5d7c5 in BLO_expand_main (fdhandle=0x0, mainvar=0x7fffdebed608) at /home/simon/programs/blender-git/blender/source/blender/blenloader/intern/readfile.c:9908
#3  0x0000000002b695cb in BKE_blendfile_write_partial (bmain_src=0x7fffdebed608, filepath=0x7fffffffd840 "/tmp/copybuffer.blend", write_flags=16777216, reports=0x7fffc7701408)
    at /home/simon/programs/blender-git/blender/source/blender/blenkernel/intern/blendfile.c:596
#4  0x0000000002b6768d in BKE_copybuffer_save (bmain_src=0x7fffdebed608, filename=0x7fffffffd840 "/tmp/copybuffer.blend", reports=0x7fffc7701408)
    at /home/simon/programs/blender-git/blender/source/blender/blenkernel/intern/blender_copybuffer.c:81
#5  0x0000000001f96775 in view3d_copybuffer_exec (C=0x7fffe0087d38, op=0x7fffc7811e48) at /home/simon/programs/blender-git/blender/source/blender/editors/space_view3d/view3d_ops.c:95
#6  0x0000000001e4f71e in wm_operator_invoke (C=0x7fffe0087d38, ot=0x7fffd9db9488, event=0x7fffc7890288, properties=0x7fffcdac8f28, reports=0x0, poll_only=false)
    at /home/simon/programs/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1140
#7  0x0000000001e50e25 in wm_handler_operator_call (C=0x7fffe0087d38, handlers=0x7fffd89dea10, handler=0x7fffd8f64748, event=0x7fffc7890288, properties=0x7fffcdac8f28)
    at /home/simon/programs/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1782
#8  0x0000000001e5177c in wm_handlers_do_intern (C=0x7fffe0087d38, event=0x7fffc7890288, handlers=0x7fffd89dea10) at /home/simon/programs/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:2062
#9  0x0000000001e51b3a in wm_handlers_do (C=0x7fffe0087d38, event=0x7fffc7890288, handlers=0x7fffd89dea10) at /home/simon/programs/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:2173
#10 0x0000000001e5297c in wm_event_do_handlers (C=0x7fffe0087d38) at /home/simon/programs/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:2508
#11 0x0000000001e462c7 in WM_main (C=0x7fffe0087d38) at /home/simon/programs/blender-git/blender/source/blender/windowmanager/intern/wm.c:504
#12 0x0000000001e41295 in main (argc=1, argv=0x7fffffffe0a8) at /home/simon/programs/blender-git/blender/source/creator/creator.c:527
(gdb) print id
$1 = (ID *) 0x7fffd8b06a68
(gdb) print vid
$2 = (void *) 0x7fffd8b06a68
(gdb) print id->tag
$3 = 32767
(gdb) print id->lib
$4 = (struct Library *) 0x6b636f5365646f4e
(gdb) print id->lib->id
Cannot access memory at address 0x6b636f5365646f4e
(gdb) print id->lib->id.tag
Cannot access memory at address 0x6b636f5365646fb2

The code where it crashes:
blender/source/blender/blenkernel/intern/blendfile.c:569

static void blendfile_write_partial_cb(void *UNUSED(handle), Main *UNUSED(bmain), void *vid)
{
	if (vid) {
		ID *id = vid;
		/* only tag for need-expand if not done, prevents eternal loops */
		if ((id->tag & LIB_TAG_DOIT) == 0)
			id->tag |= LIB_TAG_NEED_EXPAND | LIB_TAG_DOIT;

		if (id->lib && (id->lib->id.tag & LIB_TAG_DOIT) == 0)  // <- the crashing line
			id->lib->id.tag |= LIB_TAG_DOIT;
	}
}

I suspect that id->lib is freed or not initialized, but not set to NULL.
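
A triage aid for the pointer values in the GDB session above (an added example, not part of the original report or of Blender's code): it classifies a pointer and, when the value is not a valid address, shows its bytes in memory order. It assumes a little-endian x86-64 build with 48-bit virtual addresses; the function and enum names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classification of a pointer value read from a debugger. */
enum ptr_kind { PTR_NULL, PTR_CANONICAL, PTR_ASCII_TEXT, PTR_NONCANONICAL };

/* Copy the pointer's bytes in little-endian (in-memory) order into out[9]. */
static void ptr_bytes_le(uint64_t p, char out[9])
{
	for (int i = 0; i < 8; i++)
		out[i] = (char)((p >> (8 * i)) & 0xff);
	out[8] = '\0';
}

/* Assumption: x86-64, 48-bit addresses, so bits 63..47 must all be equal. */
static int is_canonical(uint64_t p)
{
	uint64_t top = p >> 47;
	return top == 0 || top == 0x1ffff;
}

/* Classify p; text always receives its eight bytes in memory order. */
static enum ptr_kind classify_ptr(uint64_t p, char text[9])
{
	ptr_bytes_le(p, text);
	if (p == 0)
		return PTR_NULL;
	if (is_canonical(p))
		return PTR_CANONICAL;
	for (int i = 0; i < 8; i++)
		if (text[i] < 0x20 || text[i] > 0x7e)
			return PTR_NONCANONICAL;   /* garbage, but not text */
	return PTR_ASCII_TEXT;                     /* string data read as a pointer */
}

int main(void)
{
	/* Values copied from the GDB session above. */
	const uint64_t vals[] = { 0x7fffd8b06a68ULL, 0x6b636f5365646f4eULL };
	const char *names[] = { "vid", "id->lib" };
	char text[9];

	for (int i = 0; i < 2; i++) {
		enum ptr_kind k = classify_ptr(vals[i], text);
		printf("%-8s 0x%016llx kind=%d", names[i], (unsigned long long)vals[i], (int)k);
		if (k == PTR_ASCII_TEXT)
			printf(" text=\"%s\"", text);
		printf("\n");
	}
	return 0;
}
```

The bytes of id->lib decode to the text "NodeSock", and id->tag prints as 32767 (0x7fff). Both are consistent with vid pointing at memory that is not an ID struct, rather than with a lib pointer that was simply freed.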

Event Timeline

Philipp Oeser (lichtwerk) lowered the priority of this task from 90 to 30. May 2 2018, 1:30 PM

Thx for the report.

Could you try a new master build from buildbot?

I haven't checked code, but could confirm this issue in 2.79b. However in current master this seems to be resolved already?

Marking as incomplete for now...

> Could you try a new master build from buildbot?
> I haven't checked code, but could confirm this issue in 2.79b. However in current master this seems to be resolved already?

I can confirm this, it is fixed in latest master.
I apologize for not checking earlier.

Will there be a 2.79c where fixes like this are backported?

Philipp Oeser (lichtwerk) changed the task status from Unknown Status to Resolved. Jun 20 2018, 3:19 PM
Philipp Oeser (lichtwerk) claimed this task.

Not sure if 2.79c will see the light, but closing this as it seems resolved.