
Crashes when extruding with snap setting turned on
Closed, Duplicate (Public)

Description

System Information
Windows 10 and Nvidia GeForce GTX 960, AMD FX 8300 3.30 GHz, 16 GB
Also checked on the same PC with Linux Ubuntu 18.04, and it has the same bug.
Blender Version
Broken: blender-2.80-5bd731b6730-win64 Aug 24 2018 02:35:49
also blender-2.80-0cf12dfc14f-linux-glibc219-x86_64 Aug 24 2018 01:28:24
Worked: (optional)

Crashes when extruding edges in edit mode with snap setting turned on

  1. Create a sphere, add a Subsurf modifier to it, and apply it.
  2. Add a new plane. Turn on edit mode.
  3. Select 2 vertices or 1 edge.
  4. Turn on snapping (to faces).
  5. Extrude the edge a few or more times on the sphere with snapping to the sphere. It will constantly crash.

On the sphere it does not crash so often (it may take around 20 extrudes to cause a crash). On a denser mesh (a complex dyntopo head of around 500 000 tris) the crash is more frequent (almost every extrude; 1 or 2 are enough to cause a crash).
If I turn off snapping, then all is fine, no crashes.
Thanks for your work, you are awesome =) Good luck.
Also here is a simple file with an explanation (just go into edit mode and extrude).

Details

Type
Bug

Event Timeline

Confirmed after a bit of trial and error, MSVS2017, Windows 10 debug build, this information might help.

Bastien Montagne (mont29) triaged this task as Needs Information from User priority.

Please follow our submission template and guidelines, also read these tips about bug reports, and make a complete, valid bug report, with required info, precise description of the issue (only ONE issue per report!), precise steps to reproduce it, small and simple .blend and/or other files to do so if needed, etc.

Hi, I have changed the description a little bit and added a small and simple .blend file.
There are also notes (grease pencil) in the blend file; I hope they will help to reproduce this bug. I do not know what else I need to add to the description to help you find the error. I hope you now have enough information. Thanks and good luck.

Bastien Montagne (mont29) claimed this task.
Bastien Montagne (mont29) raised the priority of this task from Needs Information from User to Confirmed, Medium.

(painfully) managed to reproduce the crash once, but must admit I’m a bit puzzled by the ASAN backtrace…

=================================================================
==28350==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0008b7488 at pc 0x555d1da4f094 bp 0x7ffc77d5e990 sp 0x7ffc77d5e988
READ of size 8 at 0x61d0008b7488 thread T0
    #0 0x555d1da4f093 in bvhtree_from_editmesh_looptri_create_tree /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/bvhutils.c:876
    #1 0x555d1da4ff35 in bvhtree_from_editmesh_looptri_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/bvhutils.c:988
    #2 0x555d1bc0c46d in raycastEditMesh /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_snap_object.c:595
    #3 0x555d1bc0d494 in raycastObj /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_snap_object.c:741
    #4 0x555d1bc0d7e8 in raycast_obj_cb /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_snap_object.c:792
    #5 0x555d1bc0989e in iter_snap_objects /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_snap_object.c:229
    #6 0x555d1bc0dbc7 in raycastObjects /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_snap_object.c:857
    #7 0x555d1bc1b687 in transform_snap_context_project_view3d_mixed_impl /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_snap_object.c:2619
    #8 0x555d1bc1c1fe in ED_transform_snap_object_project_view3d_ex /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_snap_object.c:2726
    #9 0x555d1bc1c25b in ED_transform_snap_object_project_view3d /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_snap_object.c:2752
    #10 0x555d1bbfac9e in applyProject /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_snap.c:301
    #11 0x555d1bbb992a in recalcData_objects /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_generics.c:813
    #12 0x555d1bbbc536 in recalcData /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_generics.c:1110
    #13 0x555d1baf3fee in applyTranslation /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform.c:4909
    #14 0x555d1badfecd in transformApply /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform.c:2612
    #15 0x555d1bbe40e5 in transform_modal /home/i74700deb64/blender/__work__/src/source/blender/editors/transform/transform_ops.c:415
    #16 0x555d1b6d8cf5 in wm_macro_modal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_operator_type.c:397
    #17 0x555d1b69eebe in wm_handler_operator_call /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1960
    #18 0x555d1b6a292e in wm_handlers_do_intern /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2546
    #19 0x555d1b6a2b74 in wm_handlers_do /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2585
    #20 0x555d1b6a560e in wm_event_do_handlers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:2954
    #21 0x555d1b68ab88 in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:412
    #22 0x555d1b68061d in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:525
    #23 0x7f7397d08b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #24 0x555d1b67f9f9 in _start (/home/i74700deb64/blender/__work__/build_blender28_debug/bin/blender+0x33519f9)

0x61d0008b7488 is located 8 bytes inside of 1976-byte region [0x61d0008b7480,0x61d0008b7c38)
freed by thread T0 here:
    #0 0x7f73a09f1b50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50)
    #1 0x555d1ee4dd7e in MEM_lockfree_freeN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164
    #2 0x555d1dbe2f4a in editmesh_tessface_calc_intern /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/editmesh.c:138
    #3 0x555d1dbe302d in BKE_editmesh_tessface_calc /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/editmesh.c:153
    #4 0x555d1c12d1be in EDBM_update_generic /home/i74700deb64/blender/__work__/src/source/blender/editors/mesh/editmesh_utils.c:1340
    #5 0x555d1c1750d8 in edbm_extrude_region_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/mesh/editmesh_extrude.c:753
    #6 0x555d1b6d87fc in wm_macro_invoke_internal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_operator_type.c:364
    #7 0x555d1b6d8a3f in wm_macro_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_operator_type.c:385
    #8 0x555d1b69b17a in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1321
    #9 0x555d1b69c483 in wm_operator_call_internal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1516
    #10 0x555d1b69c9a8 in WM_operator_call_py /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1630
    #11 0x555d1c8b6134 in pyop_call /home/i74700deb64/blender/__work__/src/source/blender/python/intern/bpy_operator.c:245
    #12 0x7f739ff6875a in _PyCFunction_FastCallDict (/usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0+0x21375a)

previously allocated by thread T0 here:
    #0 0x7f73a09f1ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x555d1ee4e50e in MEM_lockfree_mallocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:318
    #2 0x555d1dbe2f97 in editmesh_tessface_calc_intern /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/editmesh.c:139
    #3 0x555d1dbe302d in BKE_editmesh_tessface_calc /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/editmesh.c:153
    #4 0x555d1c12d1be in EDBM_update_generic /home/i74700deb64/blender/__work__/src/source/blender/editors/mesh/editmesh_utils.c:1340
    #5 0x555d1c1750d8 in edbm_extrude_region_exec /home/i74700deb64/blender/__work__/src/source/blender/editors/mesh/editmesh_extrude.c:753
    #6 0x555d1b6d87fc in wm_macro_invoke_internal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_operator_type.c:364
    #7 0x555d1b6d8a3f in wm_macro_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_operator_type.c:385
    #8 0x555d1b69b17a in wm_operator_invoke /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1321
    #9 0x555d1b69c483 in wm_operator_call_internal /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1516
    #10 0x555d1b69c9a8 in WM_operator_call_py /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:1630
    #11 0x555d1c8b6134 in pyop_call /home/i74700deb64/blender/__work__/src/source/blender/python/intern/bpy_operator.c:245
    #12 0x7f739ff6875a in _PyCFunction_FastCallDict (/usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0+0x21375a)

SUMMARY: AddressSanitizer: heap-use-after-free /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/bvhutils.c:876 in bvhtree_from_editmesh_looptri_create_tree
Shadow bytes around the buggy address:
  0x0c3a8010ee40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8010ee50: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8010ee60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8010ee70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a8010ee80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3a8010ee90: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8010eea0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8010eeb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8010eec0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8010eed0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a8010eee0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28350==ABORTING

Smelling some COW issue again, as if BMEditMesh used in raycasting code was not the same as the one used to generate the looptris, but rather shallow COW-py of it... Still investigating.

Uh, this is actually same as T56167
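
The pattern suspected in the comments above (a shallow copy still holding a looptris pointer that the original has since freed and reallocated) can be reduced to the following added example, which is not Blender code. `EditMesh`, `tessface_recalc`, `shallow_copy`, `copy_is_stale` and `snap_read_tottri` are hypothetical stand-ins, and the generation counter is one possible guard, not the fix tracked in T56167.

```c
#include <stdlib.h>

/* Hypothetical model of an edit-mesh owning a looptri cache. */
typedef struct EditMesh {
    int (*looptris)[3]; /* heap array, replaced wholesale on recalc */
    int tottri;
    unsigned gen;       /* bumped each time looptris is replaced */
} EditMesh;

/* Free-then-malloc: every pointer saved before this call dangles after it. */
static int tessface_recalc(EditMesh *em, int tottri)
{
    free(em->looptris);
    em->looptris = malloc(sizeof(*em->looptris) * (size_t)tottri);
    em->tottri = em->looptris ? tottri : 0;
    for (int i = 0; i < em->tottri; i++)
        em->looptris[i][0] = em->looptris[i][1] = em->looptris[i][2] = i;
    em->gen++;
    return em->looptris ? 0 : -1;
}

/* Risky pattern: a by-value copy duplicates the raw pointer, not ownership. */
static EditMesh shallow_copy(const EditMesh *orig) { return *orig; }

/* Guard: compares counters only, never touches the possibly freed pointer. */
static int copy_is_stale(const EditMesh *c, const EditMesh *o) { return c->gen != o->gen; }

/* Hardened reader: re-sync a stale copy before use, return a safe count. */
static int snap_read_tottri(EditMesh *copy, const EditMesh *orig)
{
    if (copy_is_stale(copy, orig))
        *copy = *orig; /* pointer, count and generation move together */
    return copy->looptris ? copy->tottri : 0;
}

/* Constructed scenario: copy taken, then an extrude-like recalc runs. */
static int demo(void)
{
    EditMesh em = {0};
    if (tessface_recalc(&em, 4) != 0) return 0;
    EditMesh cow = shallow_copy(&em);
    if (tessface_recalc(&em, 8) != 0) return 0; /* cow.looptris dangles */
    int stale = copy_is_stale(&cow, &em);
    int n = snap_read_tottri(&cow, &em);
    int last = n > 0 ? cow.looptris[n - 1][0] : -1; /* reads the new array */
    free(em.looptris);
    return stale && n == 8 && last == 7;
}
int main(void) { return demo() ? 0 : 1; }
```

Building this with `-fsanitize=address` and reading `cow.looptris` before the re-sync produces the same report shape as above: a READ frame in the consumer, with the "freed by" and "previously allocated by" stacks both inside the recalc function.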