Crash while interacting with Graph Editor
Status: Open, Confirmed (Public)

Description

Moving curve control points in the Graph Editor while auto key is on causes a crash.

How to reproduce:

  • open the simple file attached (a cube with one set of keys on a single frame, with auto key on)
  • move the cursor to the Graph Editor
  • press G
  • wiggle the keyframe for a few seconds, until Blender crashes

There are other ways to reproduce the issue. They involve adding some more keys, but require less wiggling (just one or two movements of the mouse). Not sure how this is related; I can provide instructions for that as well.

Details

Type: Bug
Bastien Montagne (mont29) triaged this task as Confirmed priority.

One has to wiggle a lot to make it crash indeed… Looks like yet another COW/threading issue (threaded code from deg evaluation using some COW data already freed from somewhere else)…

=================================================================
==16295==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300045ee70 at pc 0x55c90bb986b9 bp 0x7ff42e72ce00 sp 0x7ff42e72cdf8
READ of size 1 at 0x60300045ee70 thread T18
    #0 0x55c90bb986b8 in rna_path_parse /home/i74700deb64/blender/__work__/src/source/blender/makesrna/intern/rna_access.c:4670
    #1 0x55c90bb98efd in RNA_path_resolve_property /home/i74700deb64/blender/__work__/src/source/blender/makesrna/intern/rna_access.c:4832
    #2 0x55c90b3d89f8 in animsys_store_rna_setting /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:1500
    #3 0x55c90b3d9f07 in animsys_evaluate_fcurves /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:1746
    #4 0x55c90b3daac6 in animsys_evaluate_action_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:1872
    #5 0x55c90b3dfc69 in BKE_animsys_evaluate_animdata /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:2785
    #6 0x55c90b3e22b0 in BKE_animsys_eval_animdata /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/anim_sys.c:2968
    #7 0x55c90c2b61a9 in void std::__invoke_impl<void, void (*&)(Depsgraph*, ID*), Depsgraph*, ID*&>(std::__invoke_other, void (*&)(Depsgraph*, ID*), Depsgraph*&&, ID*&) /usr/include/c++/8/bits/invoke.h:60
    #8 0x55c90c2b3fc2 in std::__invoke_result<void (*&)(Depsgraph*, ID*), Depsgraph*, ID*&>::type std::__invoke<void (*&)(Depsgraph*, ID*), Depsgraph*, ID*&>(void (*&)(Depsgraph*, ID*), Depsgraph*&&, ID*&) /usr/include/c++/8/bits/invoke.h:95
    #9 0x55c90c2b1806 in void std::_Bind<void (*(std::_Placeholder<1>, ID*))(Depsgraph*, ID*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400
    #10 0x55c90c2ad7f3 in void std::_Bind<void (*(std::_Placeholder<1>, ID*))(Depsgraph*, ID*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484
    #11 0x55c90c2a84ab in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, ID*))(Depsgraph*, ID*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297
    #12 0x55c90c2de641 in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687
    #13 0x55c90c2dcc0a in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94
    #14 0x55c90c248c17 in handle_local_queue /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:419
    #15 0x55c90c248c17 in task_scheduler_thread_run /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:448
    #16 0x7ff467800f29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29)
    #17 0x7ff45d286ede in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xf7ede)

0x60300045ee70 is located 16 bytes inside of 20-byte region [0x60300045ee60,0x60300045ee74)
freed by thread T0 here:
    #0 0x7ff469e41b50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50)
    #1 0x55c90c83fbec in MEM_lockfree_freeN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164
    #2 0x55c90b5e1c66 in free_fcurve /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/fcurve.c:94
    #3 0x55c90b5e1d67 in free_fcurves /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/fcurve.c:119
    #4 0x55c90b3c2fca in BKE_action_free /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/action.c:113
    #5 0x55c90b6b1d20 in BKE_libblock_free_datablock /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library_remap.c:762
    #6 0x55c90c2e33e9 in DEG::deg_free_copy_on_write_datablock(ID*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1004
    #7 0x55c90c2e2c54 in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:868
    #8 0x55c90c2e353b in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1021
    #9 0x55c90c2b573f in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:60
    #10 0x55c90c2b32cc in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:95
    #11 0x55c90c2b0770 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400
    #12 0x55c90c2abfa7 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484
    #13 0x55c90c2a620f in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297
    #14 0x55c90c2de641 in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687
    #15 0x55c90c2dcc0a in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94
    #16 0x55c90c24c2cc in BLI_task_pool_work_and_wait /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:893
    #17 0x55c90c2de3f6 in DEG::deg_evaluate_on_refresh(DEG::Depsgraph*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:316
    #18 0x55c90c281bf6 in DEG_evaluate_on_refresh /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/depsgraph_eval.cc:66
    #19 0x55c90b9132aa in BKE_scene_graph_update_tagged /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/scene.c:1427
    #20 0x55c909065abb in wm_event_do_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:336
    #21 0x55c909065c8e in wm_event_do_refresh_wm_and_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:362
    #22 0x55c909066d28 in wm_event_do_notifiers /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:518
    #23 0x55c90905c4d2 in WM_main /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm.c:415
    #24 0x55c909051fdd in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:525
    #25 0x7ff45d1b1b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

previously allocated by thread T16 here:
    #0 0x7ff469e41ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x55c90c84037c in MEM_lockfree_mallocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:318
    #2 0x55c90c83fd2c in MEM_lockfree_dupallocN /home/i74700deb64/blender/__work__/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:186
    #3 0x55c90b5e204e in copy_fcurve /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/fcurve.c:148
    #4 0x55c90b3c30fe in BKE_action_copy_data /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/action.c:146
    #5 0x55c90b67664f in BKE_id_copy_ex /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/library.c:624
    #6 0x55c90c2e0260 in id_copy_inplace_no_main /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:280
    #7 0x55c90c2e19c2 in DEG::deg_expand_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*, DEG::DepsgraphNodeBuilder*, bool) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:660
    #8 0x55c90c2e2c74 in DEG::deg_update_copy_on_write_datablock(DEG::Depsgraph const*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:869
    #9 0x55c90c2e353b in DEG::deg_evaluate_copy_on_write(Depsgraph*, DEG::IDDepsNode const*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1021
    #10 0x55c90c2b573f in void std::__invoke_impl<void, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(std::__invoke_other, void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:60
    #11 0x55c90c2b32cc in std::__invoke_result<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>::type std::__invoke<void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*, DEG::IDDepsNode*&>(void (*&)(Depsgraph*, DEG::IDDepsNode const*), Depsgraph*&&, DEG::IDDepsNode*&) /usr/include/c++/8/bits/invoke.h:95
    #12 0x55c90c2b0770 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::__call<void, Depsgraph*&&, 0ul, 1ul>(std::tuple<Depsgraph*&&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/8/functional:400
    #13 0x55c90c2abfa7 in void std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)>::operator()<Depsgraph*, void>(Depsgraph*&&) /usr/include/c++/8/functional:484
    #14 0x55c90c2a620f in std::_Function_handler<void (Depsgraph*), std::_Bind<void (*(std::_Placeholder<1>, DEG::IDDepsNode*))(Depsgraph*, DEG::IDDepsNode const*)> >::_M_invoke(std::_Any_data const&, Depsgraph*&&) /usr/include/c++/8/bits/std_function.h:297
    #15 0x55c90c2de641 in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/8/bits/std_function.h:687
    #16 0x55c90c2dcc0a in deg_task_run_func /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval.cc:94
    #17 0x55c90c248892 in task_scheduler_thread_run /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:441
    #18 0x7ff467800f29 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7f29)

Thread T18 created by T0 here:
    #0 0x7ff469da2ef0 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x49ef0)
    #1 0x55c90c2491fa in BLI_task_scheduler_create /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:504
    #2 0x55c90c250532 in BLI_task_scheduler_get /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/threads.c:176
    #3 0x55c90c24ef54 in BLI_task_parallel_range /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:1099
    #4 0x55c90c2e4cb3 in flush_prepare /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:122
    #5 0x55c90c2e4cb3 in DEG::deg_graph_flush_updates(Main*, DEG::Depsgraph*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:359
    #6 0x55c90c291ba4 in DEG_graph_flush_update /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/depsgraph_tag.cc:656
    #7 0x55c90b91329e in BKE_scene_graph_update_tagged /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/scene.c:1423
    #8 0x55c909065abb in wm_event_do_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:336
    #9 0x55c909085bfa in wm_file_read_post /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:493
    #10 0x55c909087672 in wm_homefile_read /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:927
    #11 0x55c90909883e in WM_init /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_init_exit.c:253
    #12 0x55c909051cc4 in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:438
    #13 0x7ff45d1b1b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

Thread T16 created by T0 here:
    #0 0x7ff469da2ef0 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x49ef0)
    #1 0x55c90c2491fa in BLI_task_scheduler_create /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:504
    #2 0x55c90c250532 in BLI_task_scheduler_get /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/threads.c:176
    #3 0x55c90c24ef54 in BLI_task_parallel_range /home/i74700deb64/blender/__work__/src/source/blender/blenlib/intern/task.c:1099
    #4 0x55c90c2e4cb3 in flush_prepare /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:122
    #5 0x55c90c2e4cb3 in DEG::deg_graph_flush_updates(Main*, DEG::Depsgraph*) /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/eval/deg_eval_flush.cc:359
    #6 0x55c90c291ba4 in DEG_graph_flush_update /home/i74700deb64/blender/__work__/src/source/blender/depsgraph/intern/depsgraph_tag.cc:656
    #7 0x55c90b91329e in BKE_scene_graph_update_tagged /home/i74700deb64/blender/__work__/src/source/blender/blenkernel/intern/scene.c:1423
    #8 0x55c909065abb in wm_event_do_depsgraph /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_event_system.c:336
    #9 0x55c909085bfa in wm_file_read_post /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:493
    #10 0x55c909087672 in wm_homefile_read /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_files.c:927
    #11 0x55c90909883e in WM_init /home/i74700deb64/blender/__work__/src/source/blender/windowmanager/intern/wm_init_exit.c:253
    #12 0x55c909051cc4 in main /home/i74700deb64/blender/__work__/src/source/creator/creator.c:438
    #13 0x7ff45d1b1b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)

SUMMARY: AddressSanitizer: heap-use-after-free /home/i74700deb64/blender/__work__/src/source/blender/makesrna/intern/rna_access.c:4670 in rna_path_parse
Shadow bytes around the buggy address:
  0x0c0680083d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680083d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680083d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680083da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680083db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0680083dc0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd[fd]fa
  0x0c0680083dd0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c0680083de0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c0680083df0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c0680083e00: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c0680083e10: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16295==ABORTING
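As an added example (not part of this report and not Blender code), a small Python parser for AddressSanitizer reports like the one above: it pulls out the access, freed-by and allocated-by stacks and the first application frame of each, so a triager sees at a glance that a worker thread (T18) read an FCurve the main thread (T0) had already freed. The embedded sample is a constructed excerpt of the trace above with shortened paths; treating MEM_lockfree_* frames as allocator noise is an assumption for this example.

```python
import re
# Constructed excerpt modelled on the report above (frame names from the page, paths shortened).
SAMPLE = """\
==16295==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300045ee70 at pc 0x55c90bb986b9
READ of size 1 at 0x60300045ee70 thread T18
    #0 0x55c90bb986b8 in rna_path_parse /src/source/blender/makesrna/intern/rna_access.c:4670
freed by thread T0 here:
    #0 0x7ff469e41b50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50)
    #1 0x55c90c83fbec in MEM_lockfree_freeN /src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164
    #2 0x55c90b5e1c66 in free_fcurve /src/source/blender/blenkernel/intern/fcurve.c:94
previously allocated by thread T16 here:
    #0 0x7ff469e41ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x55c90b5e204e in copy_fcurve /src/source/blender/blenkernel/intern/fcurve.c:148
"""
HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
EVENT = re.compile(r"^(?P<what>freed|previously allocated) by thread (?P<thread>T\d+) here:")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)$")
# Allocator wrappers skipped when picking a blame frame; MEM_lockfree_* is Blender's guardedalloc (assumption).
NOISE_PREFIX = ("__interceptor_", "MEM_lockfree_")
NOISE_EXACT = {"malloc", "free", "calloc", "realloc"}

def parse_asan_report(text):
    """Return kind/address/op/size plus stacks: {"access"|"freed"|"allocated": (thread, [(func, loc), ...])}."""
    head = HEADER.search(text)
    if head is None:
        raise ValueError("not an AddressSanitizer error report")
    report = {"kind": head["kind"], "address": head["addr"], "stacks": {}}
    frames = None                       # frame list of the section currently being read
    for line in text.splitlines():
        if m := ACCESS.match(line):
            report["op"], report["size"] = m["op"], int(m["size"])
            frames = report["stacks"].setdefault("access", (m["thread"], []))[1]
        elif m := EVENT.match(line):
            label = "freed" if m["what"] == "freed" else "allocated"
            frames = report["stacks"].setdefault(label, (m["thread"], []))[1]
        elif (m := FRAME.match(line)) and frames is not None:
            frames.append((m["func"], m["loc"]))
    return report

def triage(text):
    """Condense a report to what a triager needs: kind, first application frame per stack, cross-thread flag."""
    rep = parse_asan_report(text)
    out = {"kind": rep["kind"], "op": rep.get("op")}
    for label, (thread, frames) in rep["stacks"].items():
        app = [(f, l) for f, l in frames if not (f.startswith(NOISE_PREFIX) or f in NOISE_EXACT)]
        out[label] = (thread, *(app[0] if app else ("?", "?")))
    if "access" in out and "freed" in out:
        out["cross_thread"] = out["access"][0] != out["freed"][0]   # here: T18 reads what T0 freed
    return out
```

`triage(SAMPLE)` reports the read in rna_path_parse on T18, the free in free_fcurve on T0 and the allocation in copy_fcurve on T16, with cross_thread set, which is the COW/threading pattern named in the triage comment.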