GPencil: Blender crashes after Malloc returns null while drawing a line when use lot of points #71260

New Issue

Stefan Pasteiner · 2019-11-01T11:25:22+01:00

Stefan Pasteiner commented

2019-11-01 11:25:22 +01:00

System Information
Operating system: Debian GNU/Linux stable
Graphics card: Intel Corporation HD Graphics 5500

Blender Version
Broken: v 2.81 Beta Date: 2019-10-30 21:42 Hash: ed079850cb

Short description of error
Blender crashes after Malloc returns null while drawing a line in "Edit Mode" on a "Greace Pencil" object

Exact steps for others to reproduce the error
Open a new "2D Animation" file just draw a very long line.

After a while blender will crash. If you opened it in a terminal it states:
Malloc returns null: len=18446744073708109824 in recalloc, total 327907528

The crash report states the following:

Blender 2.81 (sub 16), Commit date: 2019-10-30 21:42, Hash `ed079850cb`

backtrace

./blender(BLI_system_backtrace+0x1d) [0x14ee30d]
./blender() [0x12cb7b9]
/lib/x86_64-linux-gnu/libc.so.6(+0x37840) [0x7fefa93bc840]
./blender() [0x2e7b430]
./blender() [0x2e7d036]
./blender() [0x2e7d79c]
./blender() [0x2e7eaf4]
./blender() [0x16a505c]
./blender() [0x16a6216]
./blender() [0x16a795c]
./blender(wm_event_do_handlers+0x312) [0x16a8032]
./blender(WM_main+0x20) [0x169d750]
./blender(main+0x2fe) [0x1237bbe]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fefa93a909b]
./blender() [0x12c80dc]

**System Information** Operating system: Debian GNU/Linux stable Graphics card: Intel Corporation HD Graphics 5500 **Blender Version** Broken: v 2.81 Beta Date: 2019-10-30 21:42 Hash: ed079850cb55 **Short description of error** Blender crashes after Malloc returns null while drawing a line in "Edit Mode" on a "Greace Pencil" object **Exact steps for others to reproduce the error** Open a new "2D Animation" file just draw a very long line. After a while blender will crash. If you opened it in a terminal it states: Malloc returns null: len=18446744073708109824 in recalloc, total 327907528 The crash report states the following: # Blender 2.81 (sub 16), Commit date: 2019-10-30 21:42, Hash ed079850cb55 # backtrace ./blender(BLI_system_backtrace+0x1d) [0x14ee30d] ./blender() [0x12cb7b9] /lib/x86_64-linux-gnu/libc.so.6(+0x37840) [0x7fefa93bc840] ./blender() [0x2e7b430] ./blender() [0x2e7d036] ./blender() [0x2e7d79c] ./blender() [0x2e7eaf4] ./blender() [0x16a505c] ./blender() [0x16a6216] ./blender() [0x16a795c] ./blender(wm_event_do_handlers+0x312) [0x16a8032] ./blender(WM_main+0x20) [0x169d750] ./blender(main+0x2fe) [0x1237bbe] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fefa93a909b] ./blender() [0x12c80dc]

Stefan Pasteiner commented

2019-11-01 11:25:22 +01:00

Added subscriber: @cybercow

Germano Cavalcante commented

2019-11-01 22:44:41 +01:00

Added subscribers: @antoniov, @mano-wii

Germano Cavalcante commented

2019-11-01 22:44:41 +01:00

@antoniov, do you know what might be happening?

Antonio Vazquez commented

2019-11-01 23:02:25 +01:00

It looks is not expading the buffer allocation, but I cannot reproduce it drawing a very long stroke...never had this issue.

Antonio Vazquez commented

2019-11-01 23:03:03 +01:00

And...how draw a line in Edit Mode?

And...how draw a line in `Edit Mode`?

Germano Cavalcante commented

2019-11-02 00:02:33 +01:00

I can reproduce the problem by quickly scribbling until the value of bufer_size in the ED_gpencil_sbuffer_ensure reaches 26624.
This problem is easily solved by changing the position of this line:

diff --git a/source/blender/editors/gpencil/gpencil_paint.c b/source/blender/editors/gpencil/gpencil_paint.c
index f29e782c618..bebdcb34326 100644
--- a/source/blender/editors/gpencil/gpencil_paint.c
+++ b/source/blender/editors/gpencil/gpencil_paint.c
@@ -3660,7 +3660,6 @@ static int gpencil_draw_modal(bContext *C, wmOperator *op, const wmEvent *event)
   tGPsdata *p = op->customdata;
   ToolSettings *ts = CTX_data_tool_settings(C);
   GP_Sculpt_Guide *guide = &p->scene->toolsettings->gp_sculpt.guide;
-  tGPspoint *points = (tGPspoint *)p->gpd->runtime.sbuffer;
 
   /* default exit state - pass through to support MMB view nav, etc. */
   int estate = OPERATOR_PASS_THROUGH;
@@ -3969,6 +3968,7 @@ static int gpencil_draw_modal(bContext *C, wmOperator *op, const wmEvent *event)
       int size_after = p->gpd->runtime.sbuffer_used;
 
       /* Last point of the event is always real (not fake). */
+      tGPspoint *points = (tGPspoint *)p->gpd->runtime.sbuffer;
       tGPspoint *pt = &points[size_after - 1];
       pt->tflag &= ~GP_TPOINT_FAKE;

But as I continue I run into another problem. gpd->runtime.sbuffer_size is a short and soon the value will be clamped turning negative.
Negative buff_size is problematic.
I recommend using unsigned and preferably int.

I can reproduce the problem by quickly scribbling until the value of `bufer_size` in the `ED_gpencil_sbuffer_ensure` reaches `26624`. This problem is easily solved by changing the position of this line: ``` diff --git a/source/blender/editors/gpencil/gpencil_paint.c b/source/blender/editors/gpencil/gpencil_paint.c index f29e782c618..bebdcb34326 100644 --- a/source/blender/editors/gpencil/gpencil_paint.c +++ b/source/blender/editors/gpencil/gpencil_paint.c @@ -3660,7 +3660,6 @@ static int gpencil_draw_modal(bContext *C, wmOperator *op, const wmEvent *event) tGPsdata *p = op->customdata; ToolSettings *ts = CTX_data_tool_settings(C); GP_Sculpt_Guide *guide = &p->scene->toolsettings->gp_sculpt.guide; - tGPspoint *points = (tGPspoint *)p->gpd->runtime.sbuffer; /* default exit state - pass through to support MMB view nav, etc. */ int estate = OPERATOR_PASS_THROUGH; @@ -3969,6 +3968,7 @@ static int gpencil_draw_modal(bContext *C, wmOperator *op, const wmEvent *event) int size_after = p->gpd->runtime.sbuffer_used; /* Last point of the event is always real (not fake). */ + tGPspoint *points = (tGPspoint *)p->gpd->runtime.sbuffer; tGPspoint *pt = &points[size_after - 1]; pt->tflag &= ~GP_TPOINT_FAKE; ``` But as I continue I run into another problem. `gpd->runtime.sbuffer_size` is a `short` and soon the value will be clamped turning negative. Negative `buff_size` is problematic. I recommend using `unsigned` and preferably `int`.

Antonio Vazquez commented

2019-11-02 10:07:45 +01:00

This comment was removed by @antoniov

*This comment was removed by @antoniov*

Antonio Vazquez self-assigned this 2019-11-02 10:19:59 +01:00

Antonio Vazquez changed title from ~~Blender crashes after Malloc returns null while drawing a line in "Edit Mode" on a "Greace Pencil" object~~ to GPencil: Blender crashes after Malloc returns null while drawing a line when use lot of points

2019-11-02 10:24:51 +01:00

blender-admin commented

2019-11-02 10:28:08 +01:00

This issue was referenced by 782f36d6a8

This issue was referenced by 782f36d6a87eb622f6052be8ce49c380a6c78e84

Antonio Vazquez commented

2019-11-02 10:29:17 +01:00

Changed status from 'Open' to: 'Resolved'

Antonio Vazquez closed this issue

2019-11-02 10:29:17 +01:00

Sign in to join this conversation.

No Label

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

GPencil: Blender crashes after Malloc returns null while drawing a line when use lot of points #71260

Blender 2.81 (sub 16), Commit date: 2019-10-30 21:42, Hash ed079850cb

backtrace

Blender 2.81 (sub 16), Commit date: 2019-10-30 21:42, Hash `ed079850cb`