Crash when Scaling (press S) in Graph Editor #56638

New Issue

Wayne Johnson · 2018-09-01T00:55:15+02:00

Wayne Johnson commented

2018-09-01 00:55:15 +02:00

System Information
Mac OS 10.13.6 (17G65)
4 GHz Intel Core i7
32 GB 1600 MHz DDR3
AMD Radeon R9 M295X 4096 MB

Blender Version
Broken: version: 2.80 (sub 21), branch: blender2.8, commit date: 2018-08-30 20:49, hash: f436e0acab, type: Release
build date: 2018-08-31, 01:29:41
platform: Darwin
Worked: (optional)

Short description of error
Crash when Scaling (press S) in Graph Editor
Exact steps for others to reproduce the errorEyes01_28_4k_01.blend
1.Open file
2. Select all
3. Press S in Graph Editor
4. Crash?

**System Information** Mac OS 10.13.6 (17G65) 4 GHz Intel Core i7 32 GB 1600 MHz DDR3 AMD Radeon R9 M295X 4096 MB **Blender Version** Broken: version: 2.80 (sub 21), branch: blender2.8, commit date: 2018-08-30 20:49, hash: f436e0acab6, type: Release build date: 2018-08-31, 01:29:41 platform: Darwin Worked: (optional) **Short description of error** Crash when Scaling (press S) in Graph Editor **Exact steps for others to reproduce the error**[Eyes01_28_4k_01.blend](https://archive.blender.org/developer/F4491013/Eyes01_28_4k_01.blend) 1.Open file 2. Select all 3. Press S in Graph Editor 4. Crash?

Wayne Johnson commented

2018-09-01 00:55:15 +02:00

Added subscriber: @slowboy

Bastien Montagne commented

2018-09-02 15:57:46 +02:00

Added subscriber: @mont29

Bastien Montagne commented

2018-09-02 15:57:46 +02:00

Crash confirmed :/

=================================================================
==9545==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00049e898 at pc 0x55df9c75daa7 bp 0x7f5340919210 sp 0x7f5340919208
READ of size 8 at 0x60c00049e898 thread T15
    - 0 0x55df9c75daa6 in animsys_evaluate_fcurves /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:1738
    - 1 0x55df9c75e7d3 in animsys_evaluate_action_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:1872
    - 2 0x55df9c763976 in BKE_animsys_evaluate_animdata /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:2785
    - 3 0x55df9c765fbd in BKE_animsys_eval_animdata /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:2968
    - 4 0x55df9d62e899 in void std::__invoke_impl<void, void (*&)(Depsgraph*, ID*), Depsgraph*, ID*&>(std::__invoke_other, void (*&)(Depsgraph*, ID*), Depsgraph*&&, ID*&) /usr/include/c++/8/bits/invoke.h:60
    - 5 0x55df9d62c6b2 in std::__invoke_result<void (*&)(Depsgraph*, ID*), Depsgraph*, ID*&>::type std::__invoke<void (*&)(Depsgraph*, ID*), Depsgraph*, ID*&>(void (*&)(Depsgraph*, ID*), Depsgraph*&&, ID*&) /usr/include/c++/8/bits/invoke.h:95
    - 6 0x55df9d629ef6 in void std::_Bind<void (*(std::_Placeholder<1>, ID*))(Depsgraph*, ID*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400
    - 7 0x55df9d625ee3 in void std::_Bind<void (*(std::_Placeholder<1>, ID*))(Depsgraph*, ID*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484
    - 8 0x55df9d620b9b in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, ID*))(Depsgraph*, ID*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297
    - 9 0x55df9d656d7b in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687
    - 10 0x55df9d6552fa in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94
    - 11 0x55df9d5c156f in handle_local_queue /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:419
    - 12 0x55df9d5c156f in task_scheduler_thread_run /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:448
    - 13 0x7f53751faf29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29)
    #14 0x7f536ef85ede in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xf7ede)

0x60c00049e898 is located 24 bytes inside of 128-byte region [0x60c00049e880,0x60c00049e900)
freed by thread T17 here:
    - 0 0x7f5377b99b50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50)
    - 1 0x55df9dbb81be in MEM_lockfree_freeN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164
    - 2 0x55df9c965834 in free_fcurve /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/fcurve.c:101
    - 3 0x55df9c9658b6 in free_fcurves /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/fcurve.c:119
    - 4 0x55df9c746cd7 in BKE_action_free /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/action.c:113
    - 5 0x55df9ca351ba in BKE_libblock_free_datablock /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library_remap.c:834
    - 6 0x55df9d65bb23 in DEG::deg_free_copy_on_write_datablock(ID*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1004
    - 7 0x55df9d65b38e in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:868
    - 8 0x55df9d65bc75 in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1021
    - 9 0x55df9d62de2f in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:60
    - 10 0x55df9d62b9bc in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:95
    - 11 0x55df9d628e60 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400
    - 12 0x55df9d624697 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484
    - 13 0x55df9d61e8ff in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297
    - 14 0x55df9d656d7b in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687
    - 15 0x55df9d6552fa in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94
    - 16 0x55df9d5c11ea in task_scheduler_thread_run /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:441
    - 17 0x7f53751faf29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29)

previously allocated by thread T15 here:
    - 0 0x7f5377b99ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    - 1 0x55df9dbb894e in MEM_lockfree_mallocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:318
    - 2 0x55df9dbb82fe in MEM_lockfree_dupallocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:186
    - 3 0x55df9c965987 in copy_fcurve /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/fcurve.c:138
    - 4 0x55df9c746e0b in BKE_action_copy_data /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/action.c:146
    - 5 0x55df9c9f929d in BKE_id_copy_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:624
    - 6 0x55df9d65899a in id_copy_inplace_no_main /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:280
    - 7 0x55df9d65a0fc in DEG::deg_expand_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*, DEG::DepsgraphNodeBuilder*, bool) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:660
    - 8 0x55df9d65b3ae in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:869
    - 9 0x55df9d65bc75 in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1021
    - 10 0x55df9d62de2f in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:60
    - 11 0x55df9d62b9bc in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:95
    - 12 0x55df9d628e60 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400
    - 13 0x55df9d624697 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484
    - 14 0x55df9d61e8ff in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297
    - 15 0x55df9d656d7b in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687
    - 16 0x55df9d6552fa in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94
    - 17 0x55df9d5c11ea in task_scheduler_thread_run /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:441
    #18 0x7f53751faf29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29)

Thread T15 created by T0 here:
    - 0 0x7f5377afaef0 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x49ef0)
    - 1 0x55df9d5c1b52 in BLI_task_scheduler_create /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:504
    - 2 0x55df9d5c8e8a in BLI_task_scheduler_get /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/threads.c:176
    - 3 0x55df9d5c78ac in BLI_task_parallel_range /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:1099
    - 4 0x55df9d65d3ed in flush_prepare /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:122
    - 5 0x55df9d65d3ed in DEG::deg_graph_flush_updates(Main*, DEG::Depsgraph*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:359
    - 6 0x55df9d60a56e in DEG_graph_flush_update /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/depsgraph_tag.cc:639
    - 7 0x55df9cc9718b in BKE_scene_graph_update_tagged /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/scene.c:1425
    - 8 0x55df9a3ffc9d in wm_event_do_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:336
    - 9 0x55df9a41fddc in wm_file_read_post /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:493
    - 10 0x55df9a421854 in wm_homefile_read /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:927
    - 11 0x55df9a432a20 in WM_init /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_init_exit.c:253
    - 12 0x55df9a3ebe24 in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:438
    - 13 0x7f536eeb0b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

Thread T17 created by T0 here:
    - 0 0x7f5377afaef0 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x49ef0)
    - 1 0x55df9d5c1b52 in BLI_task_scheduler_create /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:504
    - 2 0x55df9d5c8e8a in BLI_task_scheduler_get /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/threads.c:176
    - 3 0x55df9d5c78ac in BLI_task_parallel_range /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:1099
    - 4 0x55df9d65d3ed in flush_prepare /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:122
    - 5 0x55df9d65d3ed in DEG::deg_graph_flush_updates(Main*, DEG::Depsgraph*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:359
    - 6 0x55df9d60a56e in DEG_graph_flush_update /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/depsgraph_tag.cc:639
    - 7 0x55df9cc9718b in BKE_scene_graph_update_tagged /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/scene.c:1425
    - 8 0x55df9a3ffc9d in wm_event_do_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:336
    - 9 0x55df9a41fddc in wm_file_read_post /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:493
    - 10 0x55df9a421854 in wm_homefile_read /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:927
    - 11 0x55df9a432a20 in WM_init /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_init_exit.c:253
    - 12 0x55df9a3ebe24 in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:438
    - 13 0x7f536eeb0b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

SUMMARY: AddressSanitizer: heap-use-after-free /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:1738 in animsys_evaluate_fcurves
Shadow bytes around the buggy address:
  0x0c188008bcc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c188008bcd0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c188008bce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c188008bcf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c188008bd00: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c188008bd10: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c188008bd20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c188008bd30: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c188008bd40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c188008bd50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c188008bd60: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9545==ABORTING

Crash confirmed :/ ```lines=20 ================================================================= ==9545==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00049e898 at pc 0x55df9c75daa7 bp 0x7f5340919210 sp 0x7f5340919208 READ of size 8 at 0x60c00049e898 thread T15 - 0 0x55df9c75daa6 in animsys_evaluate_fcurves /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:1738 - 1 0x55df9c75e7d3 in animsys_evaluate_action_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:1872 - 2 0x55df9c763976 in BKE_animsys_evaluate_animdata /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:2785 - 3 0x55df9c765fbd in BKE_animsys_eval_animdata /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:2968 - 4 0x55df9d62e899 in void std::__invoke_impl<void, void (*&)(Depsgraph*, ID*), Depsgraph*, ID*&>(std::__invoke_other, void (*&)(Depsgraph*, ID*), Depsgraph*&&, ID*&) /usr/include/c++/8/bits/invoke.h:60 - 5 0x55df9d62c6b2 in std::__invoke_result<void (*&)(Depsgraph*, ID*), Depsgraph*, ID*&>::type std::__invoke<void (*&)(Depsgraph*, ID*), Depsgraph*, ID*&>(void (*&)(Depsgraph*, ID*), Depsgraph*&&, ID*&) /usr/include/c++/8/bits/invoke.h:95 - 6 0x55df9d629ef6 in void std::_Bind<void (*(std::_Placeholder<1>, ID*))(Depsgraph*, ID*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400 - 7 0x55df9d625ee3 in void std::_Bind<void (*(std::_Placeholder<1>, ID*))(Depsgraph*, ID*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484 - 8 0x55df9d620b9b in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, ID*))(Depsgraph*, ID*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297 - 9 0x55df9d656d7b in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687 - 10 0x55df9d6552fa in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94 - 11 0x55df9d5c156f in handle_local_queue /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:419 - 12 0x55df9d5c156f in task_scheduler_thread_run /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:448 - 13 0x7f53751faf29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29) #14 0x7f536ef85ede in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xf7ede) 0x60c00049e898 is located 24 bytes inside of 128-byte region [0x60c00049e880,0x60c00049e900) freed by thread T17 here: - 0 0x7f5377b99b50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50) - 1 0x55df9dbb81be in MEM_lockfree_freeN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164 - 2 0x55df9c965834 in free_fcurve /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/fcurve.c:101 - 3 0x55df9c9658b6 in free_fcurves /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/fcurve.c:119 - 4 0x55df9c746cd7 in BKE_action_free /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/action.c:113 - 5 0x55df9ca351ba in BKE_libblock_free_datablock /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library_remap.c:834 - 6 0x55df9d65bb23 in DEG::deg_free_copy_on_write_datablock(ID*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1004 - 7 0x55df9d65b38e in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:868 - 8 0x55df9d65bc75 in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1021 - 9 0x55df9d62de2f in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:60 - 10 0x55df9d62b9bc in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:95 - 11 0x55df9d628e60 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400 - 12 0x55df9d624697 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484 - 13 0x55df9d61e8ff in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297 - 14 0x55df9d656d7b in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687 - 15 0x55df9d6552fa in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94 - 16 0x55df9d5c11ea in task_scheduler_thread_run /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:441 - 17 0x7f53751faf29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29) previously allocated by thread T15 here: - 0 0x7f5377b99ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0) - 1 0x55df9dbb894e in MEM_lockfree_mallocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:318 - 2 0x55df9dbb82fe in MEM_lockfree_dupallocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:186 - 3 0x55df9c965987 in copy_fcurve /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/fcurve.c:138 - 4 0x55df9c746e0b in BKE_action_copy_data /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/action.c:146 - 5 0x55df9c9f929d in BKE_id_copy_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:624 - 6 0x55df9d65899a in id_copy_inplace_no_main /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:280 - 7 0x55df9d65a0fc in DEG::deg_expand_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*, DEG::DepsgraphNodeBuilder*, bool) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:660 - 8 0x55df9d65b3ae in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:869 - 9 0x55df9d65bc75 in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1021 - 10 0x55df9d62de2f in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:60 - 11 0x55df9d62b9bc in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:95 - 12 0x55df9d628e60 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400 - 13 0x55df9d624697 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484 - 14 0x55df9d61e8ff in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297 - 15 0x55df9d656d7b in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687 - 16 0x55df9d6552fa in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94 - 17 0x55df9d5c11ea in task_scheduler_thread_run /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:441 #18 0x7f53751faf29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29) Thread T15 created by T0 here: - 0 0x7f5377afaef0 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x49ef0) - 1 0x55df9d5c1b52 in BLI_task_scheduler_create /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:504 - 2 0x55df9d5c8e8a in BLI_task_scheduler_get /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/threads.c:176 - 3 0x55df9d5c78ac in BLI_task_parallel_range /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:1099 - 4 0x55df9d65d3ed in flush_prepare /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:122 - 5 0x55df9d65d3ed in DEG::deg_graph_flush_updates(Main*, DEG::Depsgraph*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:359 - 6 0x55df9d60a56e in DEG_graph_flush_update /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/depsgraph_tag.cc:639 - 7 0x55df9cc9718b in BKE_scene_graph_update_tagged /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/scene.c:1425 - 8 0x55df9a3ffc9d in wm_event_do_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:336 - 9 0x55df9a41fddc in wm_file_read_post /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:493 - 10 0x55df9a421854 in wm_homefile_read /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:927 - 11 0x55df9a432a20 in WM_init /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_init_exit.c:253 - 12 0x55df9a3ebe24 in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:438 - 13 0x7f536eeb0b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16) Thread T17 created by T0 here: - 0 0x7f5377afaef0 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x49ef0) - 1 0x55df9d5c1b52 in BLI_task_scheduler_create /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:504 - 2 0x55df9d5c8e8a in BLI_task_scheduler_get /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/threads.c:176 - 3 0x55df9d5c78ac in BLI_task_parallel_range /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:1099 - 4 0x55df9d65d3ed in flush_prepare /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:122 - 5 0x55df9d65d3ed in DEG::deg_graph_flush_updates(Main*, DEG::Depsgraph*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:359 - 6 0x55df9d60a56e in DEG_graph_flush_update /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/depsgraph_tag.cc:639 - 7 0x55df9cc9718b in BKE_scene_graph_update_tagged /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/scene.c:1425 - 8 0x55df9a3ffc9d in wm_event_do_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:336 - 9 0x55df9a41fddc in wm_file_read_post /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:493 - 10 0x55df9a421854 in wm_homefile_read /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:927 - 11 0x55df9a432a20 in WM_init /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_init_exit.c:253 - 12 0x55df9a3ebe24 in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:438 - 13 0x7f536eeb0b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16) SUMMARY: AddressSanitizer: heap-use-after-free /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:1738 in animsys_evaluate_fcurves Shadow bytes around the buggy address: 0x0c188008bcc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c188008bcd0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c188008bce0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c188008bcf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c188008bd00: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa =>0x0c188008bd10: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd 0x0c188008bd20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c188008bd30: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c188008bd40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c188008bd50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c188008bd60: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==9545==ABORTING ```

Jacques Lucke commented

2018-09-20 12:57:30 +02:00

Added subscriber: @JacquesLucke

Jacques Lucke commented

2018-09-20 12:57:30 +02:00

Can't reproduce it for some reason. No even when using f436e0acab.
I'm using Ubuntu 18.04.

Can't reproduce it for some reason. No even when using f436e0acab. I'm using Ubuntu 18.04. ![Peek 2018-09-20 12-54.gif](https://archive.blender.org/developer/F4763933/Peek_2018-09-20_12-54.gif)

Bastien Montagne commented

2018-09-20 14:23:08 +02:00

Crash is still present, just "insist" a bit more, does not always happen in the first second (and ensure you have enough threads, you can use -t 8 or -t 16 to force more threads in case your CPU only has 2 or 4…). ;)

Crash is still present, just "insist" a bit more, does not always happen in the first second (and ensure you have enough threads, you can use `-t 8` or `-t 16` to force more threads in case your CPU only has 2 or 4…). ;)

Brecht Van Lommel commented

2018-09-20 17:31:14 +02:00

Added subscriber: @brecht

Brecht Van Lommel commented

2018-09-20 17:31:14 +02:00

@JacquesLucke, you can enable WITH_COMPILER_ASAN in CMake, to gets use-after-free detection as in the log above. Even if it doesn't always crash, those ASAN warnings will often show up reliably.

This file is using NLA tracks. Looking at the BKE_animdata_free and BKE_animdata_copy, it's not using do_id_users for the NLA tracks. Not sure if that's related to this crash, but should be fixed anyway.

@JacquesLucke, you can enable `WITH_COMPILER_ASAN` in CMake, to gets use-after-free detection as in the log above. Even if it doesn't always crash, those ASAN warnings will often show up reliably. This file is using NLA tracks. Looking at the `BKE_animdata_free` and `BKE_animdata_copy`, it's not using `do_id_users` for the NLA tracks. Not sure if that's related to this crash, but should be fixed anyway.

Brecht Van Lommel commented

2019-03-14 19:34:15 +01:00

Changed status from 'Open' to: 'Resolved'

Brecht Van Lommel closed this issue

2019-03-14 19:34:15 +01:00

Brecht Van Lommel self-assigned this 2019-03-14 19:34:15 +01:00

Brecht Van Lommel commented

2019-03-14 19:34:15 +01:00

We fixed a similar bug at some point after this report, appears to be fixed now.

Sign in to join this conversation.

No Label

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

Crash when Scaling (press S) in Graph Editor #56638