
Blender 2.8 crashes when painting with "face selection masking" enabled
Closed, Resolved (Public)

Description

System Information
Operating system and graphics card
Windows 10 / GTX 1080ti

Blender Version
Broken: 27cccaeccd2
Worked: (optional)

Short description of error
Blender crashes when painting with "face selection masking" enabled

Exact steps for others to reproduce the error
  • add an image texture as Base Color for the default cube (it also crashes with any other mesh)
  • create a new texture
  • go to the "Texture Paint" workspace
  • choose the Rendered display method
  • enable "Face selection masking"
  • go to edit mode, select some faces
  • go back to texture paint mode and paint a few strokes
  • go back to edit mode, select some faces
  • go back to texture paint mode and paint a few strokes
  • crash

It always crashes on the second time.

Details

Type
Bug

Event Timeline

Bastien Montagne (mont29) triaged this task as Incomplete priority. Thu, Nov 29, 2:51 PM

Please follow our submission template and guidelines, also read these tips about bug reports, and make a complete, valid bug report, with required info, precise description of the issue (only ONE issue per report!), precise steps to reproduce it, small and simple .blend and/or other files to do so if needed, etc.

Also, I committed some fixes in that area this morning, which may also fix this one; please re-check with tomorrow's build from buildbot.

Issue was resolved with the latest build. Thanks!

Sorry, but I spoke too soon. It still crashes with other objects (maybe the default cube is not complex enough). It still crashes with my own project, or with the monkey head mesh.


I have attached a .blend file for reference.
Steps:

  • with "Face selection masking" enabled, go to edit mode and select a few faces
  • go back to paint mode and do a couple of strokes
  • go back to edit mode and select a few other faces
  • go back to paint mode, do a couple of strokes, and it will crash

It always crashes on the second time.

Bastien Montagne (mont29) raised the priority of this task from Incomplete to Confirmed.

@Sergey Sharybin (sergey) Am gonna need your lights here… The backtrace from ASAN clearly shows that the second 'stroke start' call gets the same evaluated mesh (from the object) as the first one, even though we went through EditMode in between, which invalidated/replaced all data inside of the orig mesh (the ob->data one).

==25005==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f7a6db24808 at pc 0x5558c0cc1dee bp 0x7ffc1d7f2ab0 sp 0x7ffc1d7f2aa8
READ of size 4 at 0x7f7a6db24808 thread T0
    #0 0x5558c0cc1ded in copy_v3_v3 /home/i74700deb64/blender/__work__/2.8/source/blender/blenlib/intern/math_vector_inline.c:66
    #1 0x5558c0ce26ca in proj_paint_state_screen_coords_init /home/i74700deb64/blender/__work__/2.8/source/blender/editors/sculpt_paint/paint_image_proj.c:3212
    #2 0x5558c0ce8eeb in project_paint_begin /home/i74700deb64/blender/__work__/2.8/source/blender/editors/sculpt_paint/paint_image_proj.c:3859
    #3 0x5558c0cf6fe2 in paint_proj_new_stroke /home/i74700deb64/blender/__work__/2.8/source/blender/editors/sculpt_paint/paint_image_proj.c:5223
    #4 0x5558c0ca22de in texture_paint_init /home/i74700deb64/blender/__work__/2.8/source/blender/editors/sculpt_paint/paint_image.c:475
    #5 0x5558c0ca3606 in paint_stroke_test_start /home/i74700deb64/blender/__work__/2.8/source/blender/editors/sculpt_paint/paint_image.c:636
    #6 0x5558c0d160c1 in paint_stroke_modal /home/i74700deb64/blender/__work__/2.8/source/blender/editors/sculpt_paint/paint_stroke.c:1213
    #7 0x5558c0ca3777 in paint_invoke /home/i74700deb64/blender/__work__/2.8/source/blender/editors/sculpt_paint/paint_image.c:656
    #8 0x5558bfd57106 in wm_operator_invoke /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:1327
    #9 0x5558bfd5b2d1 in wm_handler_operator_call /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:2045
    #10 0x5558bfd5ce7c in wm_handlers_do_intern /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:2347
    #11 0x5558bfd5e95e in wm_handlers_do /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:2607
    #12 0x5558bfd61e8e in wm_event_do_handlers /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:3082
    #13 0x5558bfd46510 in WM_main /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm.c:427
    #14 0x5558bfd3bce0 in main /home/i74700deb64/blender/__work__/2.8/source/creator/creator.c:521
    #15 0x7f7aa2d46b16 in __libc_start_main ../csu/libc-start.c:310
    #16 0x5558bfd3b119 in _start (/home/i74700deb64/blender/__work__/build_blender28_debug/bin/blender+0x349b119)

0x7f7a6db24808 is located 8 bytes inside of 159168-byte region [0x7f7a6db24800,0x7f7a6db4b5c0)
freed by thread T0 here:
    #0 0x7f7aaf34ab50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50)
    #1 0x5558c35d33fc in MEM_lockfree_freeN /home/i74700deb64/blender/__work__/2.8/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164
    #2 0x5558c17ac04b in BM_mesh_bm_to_me /home/i74700deb64/blender/__work__/2.8/source/blender/bmesh/intern/bmesh_mesh_conv.c:943
    #3 0x5558c07a4ffa in EDBM_mesh_load /home/i74700deb64/blender/__work__/2.8/source/blender/editors/mesh/editmesh_utils.c:345
    #4 0x5558c09cb3a7 in ED_object_editmode_load_ex /home/i74700deb64/blender/__work__/2.8/source/blender/editors/object/object_edit.c:436
    #5 0x5558c09cbade in ED_object_editmode_exit_ex /home/i74700deb64/blender/__work__/2.8/source/blender/editors/object/object_edit.c:523
    #6 0x5558c09cbfdb in ED_object_editmode_exit /home/i74700deb64/blender/__work__/2.8/source/blender/editors/object/object_edit.c:570
    #7 0x5558c09cccd0 in editmode_toggle_exec /home/i74700deb64/blender/__work__/2.8/source/blender/editors/object/object_edit.c:711
    #8 0x5558bfd57438 in wm_operator_invoke /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:1337
    #9 0x5558bfd58421 in wm_operator_call_internal /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:1534
    #10 0x5558bfd586b0 in WM_operator_name_call_ptr /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:1582
    #11 0x5558c09d7ba0 in ED_object_mode_toggle /home/i74700deb64/blender/__work__/2.8/source/blender/editors/object/object_modes.c:177
    #12 0x5558c09d4bdd in object_mode_set_exec /home/i74700deb64/blender/__work__/2.8/source/blender/editors/object/object_edit.c:1695
    #13 0x5558bfd57438 in wm_operator_invoke /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:1337
    #14 0x5558bfd5b2d1 in wm_handler_operator_call /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:2045
    #15 0x5558bfd5ce7c in wm_handlers_do_intern /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:2347
    #16 0x5558bfd5e95e in wm_handlers_do /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:2607
    #17 0x5558bfd61e8e in wm_event_do_handlers /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:3082
    #18 0x5558bfd46510 in WM_main /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm.c:427
    #19 0x5558bfd3bce0 in main /home/i74700deb64/blender/__work__/2.8/source/creator/creator.c:521
    #20 0x7f7aa2d46b16 in __libc_start_main ../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x7f7aaf34aed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0)
    #1 0x5558c35d3b8c in MEM_lockfree_mallocN /home/i74700deb64/blender/__work__/2.8/intern/guardedalloc/intern/mallocn_lockfree_impl.c:318
    #2 0x5558c1e3b74d in read_struct /home/i74700deb64/blender/__work__/2.8/source/blender/blenloader/intern/readfile.c:1983
    #3 0x5558c1e72a80 in read_data_into_oldnewmap /home/i74700deb64/blender/__work__/2.8/source/blender/blenloader/intern/readfile.c:8480
    #4 0x5558c1e736ea in read_libblock /home/i74700deb64/blender/__work__/2.8/source/blender/blenloader/intern/readfile.c:8598
    #5 0x5558c1e76c33 in blo_read_file_internal /home/i74700deb64/blender/__work__/2.8/source/blender/blenloader/intern/readfile.c:9085
    #6 0x5558c1e2eea7 in BLO_read_from_file /home/i74700deb64/blender/__work__/2.8/source/blender/blenloader/intern/readblenentry.c:332
    #7 0x5558c213291e in BKE_blendfile_read /home/i74700deb64/blender/__work__/2.8/source/blender/blenkernel/intern/blendfile.c:391
    #8 0x5558bfd71054 in WM_file_read /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_files.c:601
    #9 0x5558bfd77447 in wm_file_read_opwrap /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_files.c:1864
    #10 0x5558bfd779c1 in wm_open_mainfile_exec /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_files.c:1924
    #11 0x5558bfd57438 in wm_operator_invoke /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:1337
    #12 0x5558bfd58587 in wm_operator_call_internal /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:1570
    #13 0x5558bfd586b0 in WM_operator_name_call_ptr /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:1582
    #14 0x5558c0564da4 in ui_apply_but_funcs_after /home/i74700deb64/blender/__work__/2.8/source/blender/editors/interface/interface_handlers.c:767
    #15 0x5558c05aee88 in ui_popup_handler /home/i74700deb64/blender/__work__/2.8/source/blender/editors/interface/interface_handlers.c:9910
    #16 0x5558bfd51854 in wm_handler_ui_call /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:573
    #17 0x5558bfd5d5c2 in wm_handlers_do_intern /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:2374
    #18 0x5558bfd5e95e in wm_handlers_do /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:2607
    #19 0x5558bfd61790 in wm_event_do_handlers /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm_event_system.c:2997
    #20 0x5558bfd46510 in WM_main /home/i74700deb64/blender/__work__/2.8/source/blender/windowmanager/intern/wm.c:427
    #21 0x5558bfd3bce0 in main /home/i74700deb64/blender/__work__/2.8/source/creator/creator.c:521
    #22 0x7f7aa2d46b16 in __libc_start_main ../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /home/i74700deb64/blender/__work__/2.8/source/blender/blenlib/intern/math_vector_inline.c:66 in copy_v3_v3
Shadow bytes around the buggy address:
  0x0fefcdb5c8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fefcdb5c8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fefcdb5c8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fefcdb5c8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fefcdb5c8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fefcdb5c900: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefcdb5c910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefcdb5c920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefcdb5c930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefcdb5c940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0fefcdb5c950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25005==ABORTING

I tried adding some obdata DEG tagging in ED_object_editmode_exit_ex(), in addition to the one already done on object, but that did not change anything. ob.runtime.me_eval remains the same (which might be OK, I don't remember how depsgraph handles its memory for evaluated datablocks), but its content also remains unchanged... This could be related to the fact that we pass along data from origmesh to evaluated one, when it's totally unmodified, iirc? Or maybe a missing flush of the caches?

proj_paint_state_mesh_eval_init: Got me_eval 0x61b0000c4e88 for new paint stroke

<paint, then switch to editmode, then back to paint mode>

ED_object_editmode_exit_ex: Tagging MESuzanne as needing COW flushing (current me_eval for OBSuzanne: 0x61b0000c4e88)

ED_object_mode_toggle: Updating depsgraph before calling PAINT_OT_texture_paint_toggle (current me_eval for OBSuzanne: 0x61b0000c4e88)
ED_object_mode_toggle: DONE Updating depsgraph before calling PAINT_OT_texture_paint_toggle (current me_eval for OBSuzanne: 0x61b0000c4e88)

proj_paint_state_mesh_eval_init: Got me_eval 0x61b0000c4e88 for new paint stroke

It was getting the evaluated mesh from the original instance, which isn't really supposed to happen.
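The three stacks in the ASAN report above have the classic shape of a stale-cache use-after-free: the block was allocated when the .blend was read (read_struct), it was freed when edit mode was left (BM_mesh_bm_to_me under ED_object_editmode_exit), and it was read again when the next stroke started (proj_paint_state_screen_coords_init), through an evaluated mesh that still held the original's pointer. The following is an added illustration written for this page, not Blender code: a minimal C model of an evaluated copy that borrows the original's vertex array, the edit-mode round trip that frees and replaces that array, and a generation-counter check that forces a rebuild before the next stroke touches it. All type and function names (OrigMesh, EvalMesh, editmode_exit, stroke_begin_checked) are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an original datablock (Blender's ob->data Mesh):
 * it owns its vertex array and replaces the whole array when edit mode exits. */
typedef struct OrigMesh {
    float (*verts)[3];
    int totvert;
    uint64_t generation;   /* bumped every time verts is freed and reallocated */
} OrigMesh;

/* Hypothetical stand-in for the evaluated copy (ob->runtime.mesh_eval). For an
 * unmodified mesh it does not copy the array, it borrows the original's pointer. */
typedef struct EvalMesh {
    float (*verts)[3];     /* borrowed from OrigMesh, never freed here */
    int totvert;
    uint64_t built_from;   /* OrigMesh.generation at the time this copy was built */
} EvalMesh;

static OrigMesh *orig_new(int totvert) {
    OrigMesh *me = calloc(1, sizeof *me);
    me->verts = calloc((size_t)totvert, sizeof *me->verts);
    me->totvert = totvert;
    me->generation = 1;
    return me;
}

static EvalMesh *eval_build(const OrigMesh *me) {
    EvalMesh *ev = calloc(1, sizeof *ev);
    ev->verts = me->verts;          /* borrow, the bug's precondition */
    ev->totvert = me->totvert;
    ev->built_from = me->generation;
    return ev;
}

/* Models EDBM_mesh_load -> BM_mesh_bm_to_me: the old array is freed and a new
 * one written. Anything still holding the old pointer is now dangling. */
static void editmode_exit(OrigMesh *me, int new_totvert) {
    free(me->verts);
    me->verts = calloc((size_t)new_totvert, sizeof *me->verts);
    me->totvert = new_totvert;
    me->generation++;
}

/* Stale-cache predicate. The generation compare is the reliable part: the
 * allocator may hand back the very same address, so pointer identity alone
 * can say "unchanged" for an array that was freed and reallocated. */
static int eval_is_stale(const EvalMesh *ev, const OrigMesh *me) {
    return ev == NULL || ev->built_from != me->generation || ev->verts != me->verts;
}

/* Buggy stroke start: trusts whatever eval mesh is cached. After editmode_exit()
 * this reads freed memory; ASan reports heap-use-after-free in the copy. */
void stroke_begin_buggy(const EvalMesh *ev, float out[3]) {
    memcpy(out, ev->verts[0], sizeof(float[3]));
}

/* Fixed stroke start: re-validate the cache against the original first. */
static EvalMesh *stroke_begin_checked(EvalMesh **cache, const OrigMesh *me, float out[3]) {
    if (eval_is_stale(*cache, me)) {
        free(*cache);
        *cache = eval_build(me);
    }
    memcpy(out, (*cache)->verts[0], sizeof(float[3]));
    return *cache;
}

/* Drives the reporter's sequence: stroke, edit-mode round trip, stroke.
 * Returns 1 if the cache was detected as stale and rebuilt against the new array. */
int run_scenario(void) {
    OrigMesh *me = orig_new(8);
    EvalMesh *cache = eval_build(me);
    float v[3];
    stroke_begin_checked(&cache, me, v);    /* first stroke: cache is fresh */
    editmode_exit(me, 12);                  /* select faces in edit mode, go back */
    int stale = eval_is_stale(cache, me);   /* the condition the ASAN trace shows */
    EvalMesh *ev = stroke_begin_checked(&cache, me, v); /* second stroke: rebuilt */
    int ok = stale && ev->verts == me->verts && ev->totvert == 12;
    free(cache);
    free(me->verts);
    free(me);
    return ok;
}

int main(void) {
    printf("stale cache detected and rebuilt: %s\n", run_scenario() ? "yes" : "no");
#ifdef DEMO_UAF
    /* Build with -DDEMO_UAF -fsanitize=address -g to see the report itself. */
    OrigMesh *me = orig_new(8);
    EvalMesh *ev = eval_build(me);
    float v[3];
    editmode_exit(me, 12);
    stroke_begin_buggy(ev, v);   /* heap-use-after-free, caught by ASan */
    free(ev); free(me->verts); free(me);
#endif
    return 0;
}
```

Compiled plainly the program only exercises the checked path; compiled with `-DDEMO_UAF -fsanitize=address -g` it also runs the buggy path, and ASan prints a report whose "freed by" stack ends in editmode_exit and whose "READ" stack ends in stroke_begin_buggy, the same two-stack shape as the Blender trace. The caveat worth keeping from this model is the one the debug log above demonstrates: the me_eval address staying identical across the edit-mode round trip proves nothing about freshness, so invalidation has to be driven by an explicit change signal rather than by pointer comparison.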