
Smoothing crash with multiple views
Closed, ResolvedPublic

Description

System Information
Operating system: Windows 10
Graphics card: NVIDIA GeForce RTX 2080 Ti

Blender Version
Broken: 2.8

Short description of error
When multiple views are open (e.g. front and side view) and I try to use the smooth tool on an edge loop, it lets me pull out and increase the smoothing, but once I let go of the mouse the programme instantly closes. No error message comes up.
When I went back to single view (front on), the smoothing worked fine and didn't crash.

Exact steps for others to reproduce the error
With the basic cube on startup, open a second view box, then select an edge loop in edit mode, select the 'smooth' tool, click and drag the tool out, then let go of the mouse; at this point the programme should close.

Event Timeline

Philipp Oeser (lichtwerk) triaged this task as Confirmed, Medium priority. Jan 3 2019, 1:39 PM
Philipp Oeser (lichtwerk) claimed this task.

Confirmed, checking...

This is true for Smooth and Randomize.
Seems like these are the only two tools that don't really have an "own" modal [most other editmode tools do, most of them are transform_modal].
And these were made interactive by introducing the WM_GGT_value_operator_redo widget (in rB1f1802307f9a), then put in use in rB9e5259b04345.

Thus gizmo_value_modal is called, but when using more than one 3D view the gizmo is freed on tool finish (but used again for the second view).
ASan output:

==10321==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140000cc860 at pc 0x000001b3ba54 bp 0x7ffd4b61e560 sp 0x7ffd4b61e550
READ of size 8 at 0x6140000cc860 thread T0
    #0 0x1b3ba53 in gizmo_tweak_modal /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo_group.c:521
    #1 0x1ac597e in wm_handler_operator_call /blender/source/blender/windowmanager/intern/wm_event_system.c:1962
    #2 0x1ac95af in wm_handlers_do_intern /blender/source/blender/windowmanager/intern/wm_event_system.c:2568
    #3 0x1ac97f5 in wm_handlers_do /blender/source/blender/windowmanager/intern/wm_event_system.c:2607
    #4 0x1acc645 in wm_event_do_handlers /blender/source/blender/windowmanager/intern/wm_event_system.c:2997
    #5 0x1ab1bab in WM_main /blender/source/blender/windowmanager/intern/wm.c:427
    #6 0x1aa7331 in main /blender/source/creator/creator.c:521
    #7 0x7f9bcbe95412 in __libc_start_main (/lib64/libc.so.6+0x24412)
    #8 0x1aa676d in _start (/build_28_ASAN/bin/blender+0x1aa676d)

0x6140000cc860 is located 32 bytes inside of 448-byte region [0x6140000cc840,0x6140000cca00)
freed by thread T0 here:
    #0 0x7f9bcf46c480 in free (/lib64/libasan.so.5+0xef480)
    #1 0x50ee246 in MEM_lockfree_freeN /blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:164
    #2 0x1b59a3d in WM_gizmo_free /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo.c:203
    #3 0x1b390e6 in wm_gizmogroup_free /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo_group.c:112
    #4 0x1b3d5c4 in WM_gizmomaptype_group_unlink /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo_group.c:841
    #5 0x1b44e29 in WM_gizmoconfig_update /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo_map.c:1206
    #6 0x1acbb83 in wm_event_do_handlers /blender/source/blender/windowmanager/intern/wm_event_system.c:2904
    #7 0x1ab1bab in WM_main /blender/source/blender/windowmanager/intern/wm.c:427
    #8 0x1aa7331 in main /blender/source/creator/creator.c:521
    #9 0x7f9bcbe95412 in __libc_start_main (/lib64/libc.so.6+0x24412)

previously allocated by thread T0 here:
    #0 0x7f9bcf46ca50 in __interceptor_calloc (/lib64/libasan.so.5+0xefa50)
    #1 0x50ee6cb in MEM_lockfree_callocN /blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:282
    #2 0x1b58dbf in wm_gizmo_create /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo.c:82
    #3 0x1b591eb in WM_gizmo_new_ptr /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo.c:112
    #4 0x1b592d5 in WM_gizmo_new /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo.c:133
    #5 0x24272e5 in WIDGETGROUP_value_operator_redo_setup /blender/source/blender/editors/gizmo_library/gizmo_group_types/value2d_gizmo_group.c:109
    #6 0x1b39cc1 in wm_gizmogroup_ensure_initialized /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo_group.c:204
    #7 0x1b40300 in gizmomap_prepare_drawing /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo_map.c:366
    #8 0x1b40943 in WM_gizmomap_draw /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo_map.c:452
    #9 0x395d652 in DRW_draw_gizmo_3d /blender/source/blender/draw/intern/draw_view.c:261
    #10 0x39390a6 in DRW_draw_render_loop_ex /blender/source/blender/draw/intern/draw_manager.c:1566
    #11 0x393830d in DRW_draw_view /blender/source/blender/draw/intern/draw_manager.c:1409
    #12 0x1dcc649 in view3d_draw_view /blender/source/blender/editors/space_view3d/view3d_draw.c:1333
    #13 0x1dcc741 in view3d_main_region_draw /blender/source/blender/editors/space_view3d/view3d_draw.c:1354
    #14 0x29d649d in ED_region_do_draw /blender/source/blender/editors/screen/area.c:567
    #15 0x1ab844a in wm_draw_window_offscreen /blender/source/blender/windowmanager/intern/wm_draw.c:580
    #16 0x1ab8f6d in wm_draw_window /blender/source/blender/windowmanager/intern/wm_draw.c:712
    #17 0x1ab99ae in wm_draw_update /blender/source/blender/windowmanager/intern/wm_draw.c:866
    #18 0x1ab1bc3 in WM_main /blender/source/blender/windowmanager/intern/wm.c:433
    #19 0x1aa7331 in main /blender/source/creator/creator.c:521
    #20 0x7f9bcbe95412 in __libc_start_main (/lib64/libc.so.6+0x24412)

SUMMARY: AddressSanitizer: heap-use-after-free /blender/source/blender/windowmanager/gizmo/intern/wm_gizmo_group.c:521 in gizmo_tweak_modal
Shadow bytes around the buggy address:
  0x0c28800118b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c28800118c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c28800118d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800118e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800118f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c2880011900: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
  0x0c2880011910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880011920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880011930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880011940: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2880011950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10321==ABORTING

Band-aid fix in D4161 (@Campbell Barton (campbellbarton): mind having a look?)

The issue is it's running a tool in each view, when it should run it in the region the tool is activated in. Quick workaround P892.

Looking into a better fix that explicitly links tool gizmos.
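The following is an added, stand-alone C model of the lifetime bug described in this task and of the "explicitly link the gizmo" direction mentioned above; it is not Blender code and none of its names (Gizmo, ModalHandler, gizmo_pool, simulate, etc.) exist in Blender. It uses a tiny pool with a per-slot liveness flag in place of the heap and ASan's shadow bytes, so the stale read that ASan reports as heap-use-after-free can be detected and returned as a value instead of crashing. The sequence in simulate() follows the report: a tool gizmo exists in two 3D view regions, finishing the tool frees both gizmos, and the other region's modal handler then fires once more.

```c
/* Illustrative model, not Blender's data structures or functions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define POOL_SIZE 4

typedef struct ModalHandler ModalHandler;

typedef struct Gizmo {
    int region_id;
    float value;            /* value the tool drags (e.g. smooth factor) */
    ModalHandler *handler;  /* explicit back-link to the handler using this gizmo */
} Gizmo;

struct ModalHandler {
    Gizmo *gizmo;           /* cleared to NULL when the linked gizmo is freed */
};

/* Pool standing in for the heap; pool_live[] plays the role of ASan's shadow
 * bytes (1 = addressable, 0 = freed, "fd"). Slots are never handed back to the
 * system, so a stale read stays well defined and can be reported. */
static Gizmo pool[POOL_SIZE];
static int pool_live[POOL_SIZE];

static Gizmo *gizmo_new(int region_id)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool_live[i]) {
            pool_live[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].region_id = region_id;
            return &pool[i];
        }
    }
    return NULL;
}

static int gizmo_is_live(const Gizmo *gz)
{
    if (gz == NULL) return 0;
    ptrdiff_t i = gz - pool;
    return i >= 0 && i < POOL_SIZE && pool_live[i];
}

/* Variant 1: free without telling whoever still points at the gizmo. */
static void gizmo_free_unlinked(Gizmo *gz)
{
    pool_live[gz - pool] = 0;
    memset(gz, 0xfd, sizeof *gz);   /* poison the slot like a freed region */
}

/* Variant 2: explicit link. The gizmo knows its handler and detaches it first. */
static void gizmo_free_linked(Gizmo *gz)
{
    if (gz->handler) {
        gz->handler->gizmo = NULL;
        gz->handler = NULL;
    }
    gizmo_free_unlinked(gz);
}

enum { MODAL_RUNNING = 0, MODAL_CANCELLED = 1, MODAL_USE_AFTER_FREE = -1 };

/* Modal callback run for every event while the tool is active. */
static int handler_modal(ModalHandler *h)
{
    if (h->gizmo == NULL)
        return MODAL_CANCELLED;         /* gizmo is gone: finish cleanly */
    if (!gizmo_is_live(h->gizmo))
        return MODAL_USE_AFTER_FREE;    /* the read ASan flags in gizmo_tweak_modal */
    h->gizmo->value += 0.1f;
    return MODAL_RUNNING;
}

/* Two regions, tool finished in one, next event still reaches the other. */
static int simulate(int use_explicit_link)
{
    Gizmo *gz_view0 = gizmo_new(0);
    Gizmo *gz_view1 = gizmo_new(1);
    ModalHandler h0 = { gz_view0 };
    ModalHandler h1 = { gz_view1 };
    gz_view0->handler = &h0;
    gz_view1->handler = &h1;

    handler_modal(&h1);                 /* drag in view 1 */

    /* tool finish: the gizmo config update frees every tool gizmo */
    if (use_explicit_link) { gizmo_free_linked(gz_view0); gizmo_free_linked(gz_view1); }
    else                   { gizmo_free_unlinked(gz_view0); gizmo_free_unlinked(gz_view1); }

    return handler_modal(&h0);          /* event delivered to view 0's handler */
}

int main(void)
{
    printf("unlinked free : %d (-1 = use-after-free)\n", simulate(0));
    printf("linked free   : %d ( 1 = cancelled cleanly)\n", simulate(1));
    return 0;
}
```

The unlinked variant reproduces the shape of the ASan report: the freeing side (the config update on tool finish) and the reading side (the modal handler of another region) know nothing about each other, so the handler's pointer dangles. Giving the gizmo a back-link to its handler turns the free into a detach plus free, and the modal callback sees a NULL it can check rather than freed memory it cannot.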