Page MenuHome

Crash - going from Edit mode to Particle mode with 'Tab' key
Closed, ResolvedPublic

Description

System Information

win 10 64bit
Intel HD Graphics 520

Blender Version

blender-2.80-bf2d0782bc4-win64

Short description of error

In Particle mode 'Tab' key moves to Edit mode 
(I think it's also a bug it should move to Object mode as everyone would expect)
Pressing it again moves to Particle mode. And thats when crash usually happen.

Crash doesn't occur in every case. Sometimes I need to press tab 2 times sometimes 12.

On default Cube with default Particle system crash doesn't happen, so I am attaching my blend file.

Exact steps for others to reproduce the error

  1. Open the attached blend file
  2. When in Particle mode press 'tab' key several times.

Event Timeline

I'm also attaching a video in case it's anyhow going to help

I can reproduce the crash in 1ee93dc6705 after hitting the Tab key a couple times at most with the above .blend file and:

  • Windows 10 Pro x64 (1803)
  • AMD Radeon RX580 4GB with Radeon Software 18.8.1

Attached console output and backtrace from a debug build.

Bastien Montagne (mont29) lowered the priority of this task from 90 to 50.

Confirmed on linux as well, see ASAN backtrace below, @Sergey Sharybin (sergey) think that one is for you. :)

=================================================================
==5120==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000ae2b8 at pc 0x55c5ea30f56d bp 0x7fff3bc5e320 sp 0x7fff3bc5e318
READ of size 8 at 0x60e0000ae2b8 thread T0
    #0 0x55c5ea30f56c in recalc_emitter_field /home/i74700deb64/blender/__work__/src/source/blender/editors/physics/particle_edit.c:1283
    #1 0x55c5ea3322e7 in particle_edit_toggle_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/physics/particle_edit.c:4801
    #2 0x55c5e94ba302 in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1331
    #3 0x55c5e94bb2ce in wm_operator_call_internal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1516
    #4 0x55c5e94bb551 in WM_operator_name_call_ptr /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1564
    #5 0x55c5e94bb5a1 in WM_operator_name_call /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1570
    #6 0x55c5ea1260c8 in ED_object_mode_toggle /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_modes.c:163
    #7 0x55c5ea123372 in object_mode_set_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/object/object_edit.c:1648
    #8 0x55c5e94ba302 in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1331
    #9 0x55c5e94be429 in wm_handler_operator_call /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2040
    #10 0x55c5e94bfe32 in wm_handlers_do_intern /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2325
    #11 0x55c5e94c1708 in wm_handlers_do /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2573
    #12 0x55c5e94c48a0 in wm_event_do_handlers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:3027
    #13 0x55c5e94aa04d in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:412
    #14 0x55c5e949fbed in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:525
    #15 0x7fd45ad0bb16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #16 0x55c5e949efc9 in _start (/home/i74700deb64/blender/__work__/build_blender28_debug/bin/blender+0x332ffc9)

0x60e0000ae2b8 is located 120 bytes inside of 152-byte region [0x60e0000ae240,0x60e0000ae2d8)
freed by thread T0 here:
    #0 0x7fd46419db50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50)
    #1 0x55c5ecbbff1e in MEM_lockfree_freeN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164
    #2 0x55c5ebb261ad in modifier_free_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/modifier.c:173
    #3 0x55c5ebb81e91 in BKE_object_free_modifiers /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/object.c:196
    #4 0x55c5ebb836e1 in BKE_object_free /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/object.c:471
    #5 0x55c5eba616da in BKE_libblock_free_datablock /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library_remap.c:771
    #6 0x55c5ec663a13 in DEG::deg_free_copy_on_write_datablock(ID*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1004
    #7 0x55c5ec66327e in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:868
    #8 0x55c5ec663b65 in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1021
    #9 0x55c5ec635fbd in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:60
    #10 0x55c5ec633b4a in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:95
    #11 0x55c5ec630fee in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400
    #12 0x55c5ec62c825 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484
    #13 0x55c5ec626a8d in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297
    #14 0x55c5ec65ec6b in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687
    #15 0x55c5ec65d336 in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94
    #16 0x55c5ec5d45c5 in handle_local_queue /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:419
    #17 0x55c5ec5d45c5 in BLI_task_pool_work_and_wait /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:900
    #18 0x55c5ec65ea20 in DEG::deg_evaluate_on_refresh(DEG::Depsgraph*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:276
    #19 0x55c5ec60927e in DEG_evaluate_on_refresh /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/depsgraph_eval.cc:66
    #20 0x55c5ebcbf000 in BKE_scene_graph_update_tagged /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/scene.c:1429
    #21 0x55c5e94b2fdd in wm_event_do_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:336
    #22 0x55c5e94b31b0 in wm_event_do_refresh_wm_and_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:362
    #23 0x55c5e94b424a in wm_event_do_notifiers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:518
    #24 0x55c5e94aa059 in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:415
    #25 0x55c5e949fbed in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:525
    #26 0x7fd45ad0bb16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

previously allocated by thread T17 here:
    #0 0x7fd46419e0b8 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe90b8)
    #1 0x55c5ecbc03a3 in MEM_lockfree_callocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:282
    #2 0x55c5ebb25da6 in modifier_new /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/modifier.c:132
    #3 0x55c5ebb888f0 in BKE_object_copy_data /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/object.c:1257
    #4 0x55c5eba2567e in BKE_id_copy_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:573
    #5 0x55c5ec66088a in id_copy_inplace_no_main /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:280
    #6 0x55c5ec661fec in DEG::deg_expand_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*, DEG::DepsgraphNodeBuilder*, bool) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:660
    #7 0x55c5ec66329e in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:869
    #8 0x55c5ec663b65 in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1021
    #9 0x55c5ec635fbd in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:60
    #10 0x55c5ec633b4a in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:95
    #11 0x55c5ec630fee in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400
    #12 0x55c5ec62c825 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484
    #13 0x55c5ec626a8d in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297
    #14 0x55c5ec65ec6b in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687
    #15 0x55c5ec65d336 in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94
    #16 0x55c5ec5d0b5f in handle_local_queue /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:419
    #17 0x55c5ec5d0b5f in task_scheduler_thread_run /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:448
    #18 0x7fd4626ccf29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29)

Thread T17 created by T0 here:
    #0 0x7fd4640feef0 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x49ef0)
    #1 0x55c5ec5d1142 in BLI_task_scheduler_create /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:504
    #2 0x55c5ec5d847a in BLI_task_scheduler_get /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/threads.c:176
    #3 0x55c5ec5d6e9c in BLI_task_parallel_range /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:1099
    #4 0x55c5ec6652dd in flush_prepare /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:122
    #5 0x55c5ec6652dd in DEG::deg_graph_flush_updates(Main*, DEG::Depsgraph*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:359
    #6 0x55c5ec613bf8 in DEG_graph_flush_update /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/depsgraph_tag.cc:635
    #7 0x55c5ebcbeff4 in BKE_scene_graph_update_tagged /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/scene.c:1425
    #8 0x55c5e94b2fdd in wm_event_do_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:336
    #9 0x55c5e94d2d86 in wm_file_read_post /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:493
    #10 0x55c5e94d4757 in wm_homefile_read /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:897
    #11 0x55c5e94e5a57 in WM_init /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_init_exit.c:253
    #12 0x55c5e949f8d4 in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:438
    #13 0x7fd45ad0bb16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

SUMMARY: AddressSanitizer: heap-use-after-free /home/i74700deb64/blender/__work__/src/source/blender/editors/physics/particle_edit.c:1283 in recalc_emitter_field
Shadow bytes around the buggy address:
  0x0c1c8000dc00: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1c8000dc10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c8000dc20: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1c8000dc30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1c8000dc40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c1c8000dc50: fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa
  0x0c1c8000dc60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c8000dc70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c8000dc80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c8000dc90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c8000dca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5120==ABORTING

I realised this crash happens only if the particle system was modified before with the Particle edit mode.
You can reproduce this crash on the startup scene by doing the following:

  1. add particle system to the default cube.
  2. switch particle type to hair.
  3. go to Particle Edit Mode.
  4. anyhow modify the hair (comb, add, cut, anything really)
  5. hit Tab key several times
Sergey Sharybin (sergey) changed the task status from Unknown Status to Resolved.Nov 16 2018, 4:52 PM

This is the same as T57566, and is fixed in rBbe405495a9c. Thanks for the report, closing it now.