Crash wheh changing the mesh datablock used by one object to another mesh #55182

New Issue

Joshua Leung · 2018-05-24T14:53:36+02:00

Joshua Leung commented

2018-05-24 14:53:36 +02:00

Blender Version
Broken: c1361d2651 (2.8)
Worked: (optional)

Short description of error
Using the default file:

Add a Monkey mesh
Select the Cube
Go to Properties Editor -> Mesh Properties
Try to change the mesh datablock used by the Cube Object to the Monkey's Mesh
Crash

Backtrace

BLI_assert failed: /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/library.c:1444, BKE_libblock_copy_ex(), at 'new_id != ((void *)0)'

Thread 19 "blender" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffc973c700 (LWP 20625)]
0x0000555557d6de5d in BKE_libblock_copy_ex (bmain=0x0, id=0x7fffcbc32c08, r_newid=0x7fffc973b9c8, flag=259)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/library.c:1446
1446		const size_t id_len = BKE_libblock_get_alloc_info(GS(new_id->name), NULL);
(gdb) bt
#0  0x0000555557d6de5d in BKE_libblock_copy_ex (bmain=0x0, id=0x7fffcbc32c08, r_newid=0x7fffc973b9c8, flag=259)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/library.c:1446
#1  0x0000555557d67b5f in BKE_id_copy_ex (bmain=0x0, id=0x7fffcbc32c08, r_newid=0x7fffc973b9c8, flag=259, test=false)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/library.c:566
#2  0x0000555557c5dbd0 in mesh_calc_modifiers (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608, inputVertexCos=0x0, useDeform=1, need_mapping=false, dataMask=637747721, index=-1, useCache=true, build_shapekey_layers=false, allow_gpu=true, r_deform_mesh=0x7fffc973b9c8, r_final_mesh=0x7fffc973b9d0)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/DerivedMesh.c:2126
#3  0x0000555557c5ec6b in mesh_calc_modifiers_dm (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608, inputVertexCos=0x0, useDeform=1, need_mapping=false, dataMask=637747721, index=-1, useCache=true, build_shapekey_layers=false, allow_gpu=true, r_deformdm=0x7fffcbc32ac8, r_finaldm=0x7fffcbc32ad0)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/DerivedMesh.c:2523
#4  0x0000555557c60c4b in mesh_build_data (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608, dataMask=637747721, build_shapekey_layers=false, need_mapping=false)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/DerivedMesh.c:2934
#5  0x0000555557c61056 in makeDerivedMesh (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608, em=0x0, dataMask=637747721, build_shapekey_layers=false)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/DerivedMesh.c:3034
- 6  0x0000555557e05d05 in BKE_object_handle_data_update (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/object_update.c:196
- 7  0x0000555557e062cf in BKE_object_eval_uber_data (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/object_update.c:314
---Type <return> to continue, or q <return> to quit---
#8  0x0000555558200826 in std::__invoke_impl<void, void (*&)(Depsgraph*, Scene*, Object*), Depsgraph*, Scene*&, Object*&>(std::__invoke_other, void (*&)(Depsgraph*, Scene*, Object*), Depsgraph*&&, Scene*&, Object*&) (__f=
    @0x7fffbc746c00: 0x555557e06224 <BKE_object_eval_uber_data>, __args#0=@0x7fffc973bd20: 0x7fffcca7d6c8, __args#1=@0x7fffbc746c10: 0x7fffcc821008, __args#2=@0x7fffbc746c08: 0x7fffcbc32608) at /usr/include/c++/7/bits/invoke.h:60
#9  0x00005555581ff243 in std::__invoke<void (*&)(Depsgraph*, Scene*, Object*), Depsgraph*, Scene*&, Object*&>(void (*&)(Depsgraph*, Scene*, Object*), Depsgraph*&&, Scene*&, Object*&) (__fn=
    @0x7fffbc746c00: 0x555557e06224 <BKE_object_eval_uber_data>, __args#0=@0x7fffc973bd20: 0x7fffcca7d6c8, __args#1=@0x7fffbc746c10: 0x7fffcc821008, __args#2=@0x7fffbc746c08: 0x7fffcbc32608) at /usr/include/c++/7/bits/invoke.h:95
- 10 0x00005555581fdadf in std::_Bind<void (*(std::_Placeholder<1>, Scene*, Object*))(Depsgraph*, Scene*, Object*)>::__call<void, Depsgraph*&&, 0ul, 1ul, 2ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) (this=0x7fffbc746c00, __args=...) at /usr/include/c++/7/functional:467
- 11 0x00005555581fb942 in std::_Bind<void (*(std::_Placeholder<1>, Scene*, Object*))(Depsgraph*, Scene*, Object*)>::operator()<Depsgraph*, void>(Depsgraph*&&) (this=0x7fffbc746c00, __args#0=@0x7fffc973bd20: 0x7fffcca7d6c8)
    at /usr/include/c++/7/functional:551
- 12 0x00005555581f86b2 in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, Scene*, Object*))(Depsgraph*, Scene*, Object*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) (__functor=..., __args#0=@0x7fffc973bd20: 0x7fffcca7d6c8) at /usr/include/c++/7/bits/std_function.h:316
- 13 0x00005555582104f7 in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const (this=0x7fffb9fb99e8, __args#0=0x7fffcca7d6c8) at /usr/include/c++/7/bits/std_function.h:706
- 14 0x000055555820fc35 in DEG::deg_task_run_func(TaskPool*, void*, int) (pool=0x7fffba61e008, taskdata=0x7fffb9fb9988, thread_id=4) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:94
- 15 0x00005555581d4d64 in handle_local_queue (thread_id=4, tls=0x7fffccb470d8)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenlib/intern/task.c:419
#16 0x00005555581d4d64 in task_scheduler_thread_run (thread_p=0x7fffccb470c8)
    at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenlib/intern/task.c:448
- 17 0x00007ffff580e7fc in start_thread (arg=0x7fffc973c700) at pthread_create.c:465
- 18 0x00007ffff3918b5f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

**Blender Version** Broken: c1361d2651 (2.8) Worked: (optional) **Short description of error** Using the default file: 1) Add a Monkey mesh 2) Select the Cube 3) Go to Properties Editor -> Mesh Properties 4) Try to change the mesh datablock used by the Cube Object to the Monkey's Mesh 5) Crash **Backtrace** ``` BLI_assert failed: /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/library.c:1444, BKE_libblock_copy_ex(), at 'new_id != ((void *)0)' Thread 19 "blender" received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fffc973c700 (LWP 20625)] 0x0000555557d6de5d in BKE_libblock_copy_ex (bmain=0x0, id=0x7fffcbc32c08, r_newid=0x7fffc973b9c8, flag=259) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/library.c:1446 1446 const size_t id_len = BKE_libblock_get_alloc_info(GS(new_id->name), NULL); (gdb) bt #0 0x0000555557d6de5d in BKE_libblock_copy_ex (bmain=0x0, id=0x7fffcbc32c08, r_newid=0x7fffc973b9c8, flag=259) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/library.c:1446 #1 0x0000555557d67b5f in BKE_id_copy_ex (bmain=0x0, id=0x7fffcbc32c08, r_newid=0x7fffc973b9c8, flag=259, test=false) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/library.c:566 #2 0x0000555557c5dbd0 in mesh_calc_modifiers (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608, inputVertexCos=0x0, useDeform=1, need_mapping=false, dataMask=637747721, index=-1, useCache=true, build_shapekey_layers=false, allow_gpu=true, r_deform_mesh=0x7fffc973b9c8, r_final_mesh=0x7fffc973b9d0) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/DerivedMesh.c:2126 #3 0x0000555557c5ec6b in mesh_calc_modifiers_dm (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608, inputVertexCos=0x0, useDeform=1, need_mapping=false, dataMask=637747721, index=-1, useCache=true, build_shapekey_layers=false, allow_gpu=true, r_deformdm=0x7fffcbc32ac8, r_finaldm=0x7fffcbc32ad0) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/DerivedMesh.c:2523 #4 0x0000555557c60c4b in mesh_build_data (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608, dataMask=637747721, build_shapekey_layers=false, need_mapping=false) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/DerivedMesh.c:2934 #5 0x0000555557c61056 in makeDerivedMesh (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608, em=0x0, dataMask=637747721, build_shapekey_layers=false) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/DerivedMesh.c:3034 - 6 0x0000555557e05d05 in BKE_object_handle_data_update (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/object_update.c:196 - 7 0x0000555557e062cf in BKE_object_eval_uber_data (depsgraph=0x7fffcca7d6c8, scene=0x7fffcc821008, ob=0x7fffcbc32608) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenkernel/intern/object_update.c:314 ---Type <return> to continue, or q <return> to quit--- #8 0x0000555558200826 in std::__invoke_impl<void, void (*&)(Depsgraph*, Scene*, Object*), Depsgraph*, Scene*&, Object*&>(std::__invoke_other, void (*&)(Depsgraph*, Scene*, Object*), Depsgraph*&&, Scene*&, Object*&) (__f= @0x7fffbc746c00: 0x555557e06224 <BKE_object_eval_uber_data>, __args#0=@0x7fffc973bd20: 0x7fffcca7d6c8, __args#1=@0x7fffbc746c10: 0x7fffcc821008, __args#2=@0x7fffbc746c08: 0x7fffcbc32608) at /usr/include/c++/7/bits/invoke.h:60 #9 0x00005555581ff243 in std::__invoke<void (*&)(Depsgraph*, Scene*, Object*), Depsgraph*, Scene*&, Object*&>(void (*&)(Depsgraph*, Scene*, Object*), Depsgraph*&&, Scene*&, Object*&) (__fn= @0x7fffbc746c00: 0x555557e06224 <BKE_object_eval_uber_data>, __args#0=@0x7fffc973bd20: 0x7fffcca7d6c8, __args#1=@0x7fffbc746c10: 0x7fffcc821008, __args#2=@0x7fffbc746c08: 0x7fffcbc32608) at /usr/include/c++/7/bits/invoke.h:95 - 10 0x00005555581fdadf in std::_Bind<void (*(std::_Placeholder<1>, Scene*, Object*))(Depsgraph*, Scene*, Object*)>::__call<void, Depsgraph*&&, 0ul, 1ul, 2ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) (this=0x7fffbc746c00, __args=...) at /usr/include/c++/7/functional:467 - 11 0x00005555581fb942 in std::_Bind<void (*(std::_Placeholder<1>, Scene*, Object*))(Depsgraph*, Scene*, Object*)>::operator()<Depsgraph*, void>(Depsgraph*&&) (this=0x7fffbc746c00, __args#0=@0x7fffc973bd20: 0x7fffcca7d6c8) at /usr/include/c++/7/functional:551 - 12 0x00005555581f86b2 in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, Scene*, Object*))(Depsgraph*, Scene*, Object*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) (__functor=..., __args#0=@0x7fffc973bd20: 0x7fffcca7d6c8) at /usr/include/c++/7/bits/std_function.h:316 - 13 0x00005555582104f7 in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const (this=0x7fffb9fb99e8, __args#0=0x7fffcca7d6c8) at /usr/include/c++/7/bits/std_function.h:706 - 14 0x000055555820fc35 in DEG::deg_task_run_func(TaskPool*, void*, int) (pool=0x7fffba61e008, taskdata=0x7fffb9fb9988, thread_id=4) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:94 - 15 0x00005555581d4d64 in handle_local_queue (thread_id=4, tls=0x7fffccb470d8) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenlib/intern/task.c:419 #16 0x00005555581d4d64 in task_scheduler_thread_run (thread_p=0x7fffccb470c8) at /home/guest/aligorith/blenderdev/b28-anim/blender/source/blender/blenlib/intern/task.c:448 - 17 0x00007ffff580e7fc in start_thread (arg=0x7fffc973c700) at pthread_create.c:465 - 18 0x00007ffff3918b5f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 ```

Joshua Leung commented

2018-05-24 14:53:36 +02:00

Added subscriber: @JoshuaLeung

Bastien Montagne self-assigned this 2018-05-24 16:03:27 +02:00

Bastien Montagne commented

2018-05-24 17:58:00 +02:00

Added subscriber: @Sergey

Bastien Montagne commented

2018-05-24 17:58:01 +02:00

That’s a nasty one… As far as I understand, ASAN claims that in deg_eval_copy_on_write.cc:770, mesh_evaluated->id.orig_id has been freed by depsgraph in main thread… Full backtrace below, but I would assume deg should never free any orig_id ??? Afraid we need Dr @Sergey here, am running into circles without getting anywhere :/

=================================================================
==23478==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b0000388b0 at pc 0x560bbbca7e8e bp 0x7ffefe1a8bd0 sp 0x7ffefe1a8bc8
READ of size 8 at 0x61b0000388b0 thread T0
    - 0 0x560bbbca7e8d in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:770
    - 1 0x560bbbca84fb in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:878
    - 2 0x560bbbc7e953 in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) (/home/guest/blender/build_2.8_debug/bin/blender+0x62f9953)
    - 3 0x560bbbc7c4ea in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) (/home/guest/blender/build_2.8_debug/bin/blender+0x62f74ea)
    - 4 0x560bbbc79a2c in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) (/home/guest/blender/build_2.8_debug/bin/blender+0x62f4a2c)
    - 5 0x560bbbc74e6f in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) (/home/guest/blender/build_2.8_debug/bin/blender+0x62efe6f)
    - 6 0x560bbbc6e8bb in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) (/home/guest/blender/build_2.8_debug/bin/blender+0x62e98bb)
    - 7 0x560bbbca4326 in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/7/bits/std_function.h:706
    - 8 0x560bbbca2a7f in deg_task_run_func /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:94
    - 9 0x560bbbc22b76 in handle_local_queue /home/guest/blender/blender/source/blender/blenlib/intern/task.c:419
    - 10 0x560bbbc22b76 in BLI_task_pool_work_and_wait /home/guest/blender/blender/source/blender/blenlib/intern/task.c:900
    - 11 0x560bbbca4179 in DEG::deg_evaluate_on_refresh(DEG::Depsgraph*) /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:279
    - 12 0x560bbbc534a7 in DEG_evaluate_on_refresh /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_eval.cc:66
    - 13 0x560bbb377eb9 in BKE_scene_graph_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/scene.c:1367
    - 14 0x560bbb4c73f6 in BKE_workspace_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/workspace.c:466
    - 15 0x560bb8cb9886 in wm_event_do_refresh_wm_and_depsgraph /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:343
    - 16 0x560bb8cba956 in wm_event_do_notifiers /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:501
    - 17 0x560bb8ca7aa1 in WM_main /home/guest/blender/blender/source/blender/windowmanager/intern/wm.c:548
    - 18 0x560bb8c9ccbb in main /home/guest/blender/blender/source/creator/creator.c:514
    - 19 0x7fa8dd249a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #20 0x560bb8c9c119 in _start (/home/guest/blender/build_2.8_debug/bin/blender+0x3317119)

0x61b0000388b0 is located 304 bytes inside of 1536-byte region [0x61b000038780,0x61b000038d80)
freed by thread T0 here:
    - 0 0x7fa8e4faa8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
    - 1 0x560bbc1e5515 in MEM_lockfree_freeN /home/guest/blender/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164
    - 2 0x560bbbc5f3bc in free_copy_on_write_datablock /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:125
    - 3 0x560bbbae314b in ghash_free_cb /home/guest/blender/blender/source/blender/blenlib/intern/BLI_ghash.c:650
    - 4 0x560bbbae68b0 in BLI_ghash_free /home/guest/blender/blender/source/blender/blenlib/intern/BLI_ghash.c:1016
    - 5 0x560bbbc5f565 in DEG::DepsgraphNodeBuilder::~DepsgraphNodeBuilder() /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:147
    - 6 0x560bbbc4f91d in DEG_graph_build_from_view_layer /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_build.cc:221
    - 7 0x560bbbc4fbcc in DEG_graph_relations_update /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_build.cc:308
    - 8 0x560bbb377e87 in BKE_scene_graph_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/scene.c:1357
    - 9 0x560bbb4c73f6 in BKE_workspace_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/workspace.c:466
    - 10 0x560bb8cb9886 in wm_event_do_refresh_wm_and_depsgraph /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:343
    - 11 0x560bb8cba956 in wm_event_do_notifiers /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:501
    - 12 0x560bb8ca7aa1 in WM_main /home/guest/blender/blender/source/blender/windowmanager/intern/wm.c:548
    - 13 0x560bb8c9ccbb in main /home/guest/blender/blender/source/creator/creator.c:514
    #14 0x7fa8dd249a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)

previously allocated by thread T0 here:
    - 0 0x7fa8e4faadf8 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9df8)
    - 1 0x560bbc1e599a in MEM_lockfree_callocN /home/guest/blender/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:282
    - 2 0x560bbb0f02a4 in BKE_libblock_alloc_notest /home/guest/blender/blender/source/blender/blenkernel/intern/library.c:1197
    - 3 0x560bbbcb7097 in DEG::IDDepsNode::init_copy_on_write(ID*) /home/guest/blender/blender/source/blender/depsgraph/intern/nodes/deg_node_id.cc:137
    - 4 0x560bbbc45e41 in DEG::Depsgraph::add_id_node(ID*, ID*) /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph.cc:328
    - 5 0x560bbbc5f7d4 in DEG::DepsgraphNodeBuilder::add_id_node(ID*) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:164
    - 6 0x560bbbc662b4 in DEG::DepsgraphNodeBuilder::build_obdata_geom(Object*) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:1039
    - 7 0x560bbbc6230e in DEG::DepsgraphNodeBuilder::build_object_data(Object*) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:550
    - 8 0x560bbbc61b0d in DEG::DepsgraphNodeBuilder::build_object(int, Object*, DEG::eDepsNode_LinkedState_Type) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:481
    - 9 0x560bbbc866e9 in DEG::DepsgraphNodeBuilder::build_view_layer(Scene*, ViewLayer*, DEG::eDepsNode_LinkedState_Type) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes_view_layer.cc:107
    - 10 0x560bbbc4f6bd in DEG_graph_build_from_view_layer /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_build.cc:223
    - 11 0x560bbbc4fbcc in DEG_graph_relations_update /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_build.cc:308
    - 12 0x560bbb377e87 in BKE_scene_graph_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/scene.c:1357
    - 13 0x560bbb4c73f6 in BKE_workspace_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/workspace.c:466
    - 14 0x560bb8cb9886 in wm_event_do_refresh_wm_and_depsgraph /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:343
    - 15 0x560bb8ca7a7d in WM_main /home/guest/blender/blender/source/blender/windowmanager/intern/wm.c:537
    - 16 0x560bb8c9ccbb in main /home/guest/blender/blender/source/creator/creator.c:514
    - 17 0x7fa8dd249a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)

SUMMARY: AddressSanitizer: heap-use-after-free /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:770 in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*)
Shadow bytes around the buggy address:
  0x0c367ffff0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367ffff0d0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c367ffff0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367ffff0f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367ffff100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c367ffff110: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c367ffff120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367ffff130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367ffff140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367ffff150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367ffff160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23478==ABORTING

That’s a nasty one… As far as I understand, ASAN claims that in `deg_eval_copy_on_write.cc:770`, `mesh_evaluated->id.orig_id` has been freed by depsgraph in main thread… Full backtrace below, but I would assume deg should never free any `orig_id` ??? Afraid we need Dr @Sergey here, am running into circles without getting anywhere :/ ``` ================================================================= ==23478==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b0000388b0 at pc 0x560bbbca7e8e bp 0x7ffefe1a8bd0 sp 0x7ffefe1a8bc8 READ of size 8 at 0x61b0000388b0 thread T0 - 0 0x560bbbca7e8d in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:770 - 1 0x560bbbca84fb in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:878 - 2 0x560bbbc7e953 in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) (/home/guest/blender/build_2.8_debug/bin/blender+0x62f9953) - 3 0x560bbbc7c4ea in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) (/home/guest/blender/build_2.8_debug/bin/blender+0x62f74ea) - 4 0x560bbbc79a2c in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) (/home/guest/blender/build_2.8_debug/bin/blender+0x62f4a2c) - 5 0x560bbbc74e6f in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) (/home/guest/blender/build_2.8_debug/bin/blender+0x62efe6f) - 6 0x560bbbc6e8bb in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) (/home/guest/blender/build_2.8_debug/bin/blender+0x62e98bb) - 7 0x560bbbca4326 in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/7/bits/std_function.h:706 - 8 0x560bbbca2a7f in deg_task_run_func /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:94 - 9 0x560bbbc22b76 in handle_local_queue /home/guest/blender/blender/source/blender/blenlib/intern/task.c:419 - 10 0x560bbbc22b76 in BLI_task_pool_work_and_wait /home/guest/blender/blender/source/blender/blenlib/intern/task.c:900 - 11 0x560bbbca4179 in DEG::deg_evaluate_on_refresh(DEG::Depsgraph*) /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:279 - 12 0x560bbbc534a7 in DEG_evaluate_on_refresh /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_eval.cc:66 - 13 0x560bbb377eb9 in BKE_scene_graph_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/scene.c:1367 - 14 0x560bbb4c73f6 in BKE_workspace_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/workspace.c:466 - 15 0x560bb8cb9886 in wm_event_do_refresh_wm_and_depsgraph /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:343 - 16 0x560bb8cba956 in wm_event_do_notifiers /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:501 - 17 0x560bb8ca7aa1 in WM_main /home/guest/blender/blender/source/blender/windowmanager/intern/wm.c:548 - 18 0x560bb8c9ccbb in main /home/guest/blender/blender/source/creator/creator.c:514 - 19 0x7fa8dd249a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86) #20 0x560bb8c9c119 in _start (/home/guest/blender/build_2.8_debug/bin/blender+0x3317119) 0x61b0000388b0 is located 304 bytes inside of 1536-byte region [0x61b000038780,0x61b000038d80) freed by thread T0 here: - 0 0x7fa8e4faa8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8) - 1 0x560bbc1e5515 in MEM_lockfree_freeN /home/guest/blender/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164 - 2 0x560bbbc5f3bc in free_copy_on_write_datablock /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:125 - 3 0x560bbbae314b in ghash_free_cb /home/guest/blender/blender/source/blender/blenlib/intern/BLI_ghash.c:650 - 4 0x560bbbae68b0 in BLI_ghash_free /home/guest/blender/blender/source/blender/blenlib/intern/BLI_ghash.c:1016 - 5 0x560bbbc5f565 in DEG::DepsgraphNodeBuilder::~DepsgraphNodeBuilder() /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:147 - 6 0x560bbbc4f91d in DEG_graph_build_from_view_layer /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_build.cc:221 - 7 0x560bbbc4fbcc in DEG_graph_relations_update /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_build.cc:308 - 8 0x560bbb377e87 in BKE_scene_graph_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/scene.c:1357 - 9 0x560bbb4c73f6 in BKE_workspace_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/workspace.c:466 - 10 0x560bb8cb9886 in wm_event_do_refresh_wm_and_depsgraph /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:343 - 11 0x560bb8cba956 in wm_event_do_notifiers /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:501 - 12 0x560bb8ca7aa1 in WM_main /home/guest/blender/blender/source/blender/windowmanager/intern/wm.c:548 - 13 0x560bb8c9ccbb in main /home/guest/blender/blender/source/creator/creator.c:514 #14 0x7fa8dd249a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86) previously allocated by thread T0 here: - 0 0x7fa8e4faadf8 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9df8) - 1 0x560bbc1e599a in MEM_lockfree_callocN /home/guest/blender/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:282 - 2 0x560bbb0f02a4 in BKE_libblock_alloc_notest /home/guest/blender/blender/source/blender/blenkernel/intern/library.c:1197 - 3 0x560bbbcb7097 in DEG::IDDepsNode::init_copy_on_write(ID*) /home/guest/blender/blender/source/blender/depsgraph/intern/nodes/deg_node_id.cc:137 - 4 0x560bbbc45e41 in DEG::Depsgraph::add_id_node(ID*, ID*) /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph.cc:328 - 5 0x560bbbc5f7d4 in DEG::DepsgraphNodeBuilder::add_id_node(ID*) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:164 - 6 0x560bbbc662b4 in DEG::DepsgraphNodeBuilder::build_obdata_geom(Object*) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:1039 - 7 0x560bbbc6230e in DEG::DepsgraphNodeBuilder::build_object_data(Object*) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:550 - 8 0x560bbbc61b0d in DEG::DepsgraphNodeBuilder::build_object(int, Object*, DEG::eDepsNode_LinkedState_Type) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:481 - 9 0x560bbbc866e9 in DEG::DepsgraphNodeBuilder::build_view_layer(Scene*, ViewLayer*, DEG::eDepsNode_LinkedState_Type) /home/guest/blender/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes_view_layer.cc:107 - 10 0x560bbbc4f6bd in DEG_graph_build_from_view_layer /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_build.cc:223 - 11 0x560bbbc4fbcc in DEG_graph_relations_update /home/guest/blender/blender/source/blender/depsgraph/intern/depsgraph_build.cc:308 - 12 0x560bbb377e87 in BKE_scene_graph_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/scene.c:1357 - 13 0x560bbb4c73f6 in BKE_workspace_update_tagged /home/guest/blender/blender/source/blender/blenkernel/intern/workspace.c:466 - 14 0x560bb8cb9886 in wm_event_do_refresh_wm_and_depsgraph /home/guest/blender/blender/source/blender/windowmanager/intern/wm_event_system.c:343 - 15 0x560bb8ca7a7d in WM_main /home/guest/blender/blender/source/blender/windowmanager/intern/wm.c:537 - 16 0x560bb8c9ccbb in main /home/guest/blender/blender/source/creator/creator.c:514 - 17 0x7fa8dd249a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86) SUMMARY: AddressSanitizer: heap-use-after-free /home/guest/blender/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:770 in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) Shadow bytes around the buggy address: 0x0c367ffff0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367ffff0d0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa 0x0c367ffff0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c367ffff0f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367ffff100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c367ffff110: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd 0x0c367ffff120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367ffff130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367ffff140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367ffff150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c367ffff160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==23478==ABORTING ```

Bastien Montagne removed their assignment 2018-05-24 17:58:18 +02:00

Sergey Sharybin was assigned by Bastien Montagne

2018-05-24 17:58:18 +02:00

Bastien Montagne commented

2018-05-24 17:58:18 +02:00

Added subscriber: @mont29

Sergey Sharybin commented

2018-06-05 11:00:34 +02:00

Changed status from 'Open' to: 'Resolved'

Sergey Sharybin closed this issue

2018-06-05 11:00:34 +02:00

Sergey Sharybin commented

2018-06-05 11:00:34 +02:00

I believe it is fixed in latest blender2.8 branch.

Sign in to join this conversation.

No Label

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

Crash wheh changing the mesh datablock used by one object to another mesh #55182