Page MenuHome

Blender becomes unstable/crashes after using "Reload Scripts" if using any "ShaderNodeCustomGroup" nodes.
Confirmed, NormalPublicBUG

Description

System Information
Operating system: Windows 10
Graphics card: NVIDIA

Blender Version
Broken: 2.81

Short description of error
If you manipulate a "ShaderNodeCustomGroup" node after having used the "Reload Scripts" operator (F8) Blender will become unstable.

Exact steps for others to reproduce the error
Attached is a small addon that implements a minimal custom node group.

  1. Enable the addon and switch to the shader editor.
  2. Create the custom node (Add->Test Category->TestNodeCustomGroup)
  3. Trigger 'Reload Scripts' (F8 key).
  4. Adjust the color input of the custom node.
  5. Repeat steps 3/4 until you crash (usually crashes on first or second try for me)

Event Timeline

Jacques Lucke (JacquesLucke) changed the task status from Needs Triage to Confirmed.Tue, Jan 14, 12:42 PM

I can reproduce the issue.

ASAN provides some details. Looks like the bNodeType is freed when the class is unregistered, but there is a dangling pointer still.

==16115==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000113f28 at pc 0x556f191af17d bp 0x7ffc50013790 sp 0x7ffc50013780
READ of size 8 at 0x618000113f28 thread T0
    #0 0x556f191af17c in BKE_node_copy_ex /home/jacques/blender-git/blender/source/blender/blenkernel/intern/node.c:1143
    #1 0x556f191b4299 in BKE_node_tree_copy_data /home/jacques/blender-git/blender/source/blender/blenkernel/intern/node.c:1519
    #2 0x556f18fc1c79 in BKE_id_copy_ex /home/jacques/blender-git/blender/source/blender/blenkernel/intern/library.c:726
    #3 0x556f191be166 in ntreeLocalize /home/jacques/blender-git/blender/source/blender/blenkernel/intern/node.c:2333
    #4 0x556f2fd3b23a in GPU_material_from_nodetree /home/jacques/blender-git/blender/source/blender/gpu/intern/gpu_material.c:676
    #5 0x556f1aa233ad in DRW_shader_create_from_material /home/jacques/blender-git/blender/source/blender/draw/intern/draw_manager_shader.c:443
    #6 0x556f1a8138b6 in EEVEE_material_mesh_get /home/jacques/blender-git/blender/source/blender/draw/engines/eevee/eevee_materials.c:726
    #7 0x556f1a818920 in material_opaque /home/jacques/blender-git/blender/source/blender/draw/engines/eevee/eevee_materials.c:1165
    #8 0x556f1a81d6d7 in EEVEE_materials_cache_populate /home/jacques/blender-git/blender/source/blender/draw/engines/eevee/eevee_materials.c:1498
    #9 0x556f1a7c8f8a in EEVEE_cache_populate /home/jacques/blender-git/blender/source/blender/draw/engines/eevee/eevee_engine.c:127
    #10 0x556f1a75cefd in drw_engines_cache_populate /home/jacques/blender-git/blender/source/blender/draw/intern/draw_manager.c:1145
    #11 0x556f1a7613f7 in DRW_draw_render_loop_ex /home/jacques/blender-git/blender/source/blender/draw/intern/draw_manager.c:1569
    #12 0x556f1a7603bf in DRW_draw_view /home/jacques/blender-git/blender/source/blender/draw/intern/draw_manager.c:1485
    #13 0x556f1d658e9e in view3d_draw_view /home/jacques/blender-git/blender/source/blender/editors/space_view3d/view3d_draw.c:1532
    #14 0x556f1d659025 in view3d_main_region_draw /home/jacques/blender-git/blender/source/blender/editors/space_view3d/view3d_draw.c:1556
    #15 0x556f1b848937 in ED_region_do_draw /home/jacques/blender-git/blender/source/blender/editors/screen/area.c:534
    #16 0x556f19b613c3 in wm_draw_window_offscreen /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:627
    #17 0x556f19b62689 in wm_draw_window /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:763
    #18 0x556f19b63a5b in wm_draw_update /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:945
    #19 0x556f19b5483e in WM_main /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm.c:423
    #20 0x556f18dd84cd in main /home/jacques/blender-git/blender/source/creator/creator.c:518
    #21 0x7fbb497881e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
    #22 0x556f18dd780d in _start (/home/jacques/blender-git/build_linux/bin/blender+0x30cab80d)

0x618000113f28 is located 680 bytes inside of 816-byte region [0x618000113c80,0x618000113fb0)
freed by thread T0 here:
    #0 0x7fbb4a08a6ef in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d6ef)
    #1 0x556f306b606b in rem_memblock /home/jacques/blender-git/blender/intern/guardedalloc/intern/mallocn_guarded_impl.c:1097
    #2 0x556f306b4e5f in MEM_guarded_freeN /home/jacques/blender-git/blender/intern/guardedalloc/intern/mallocn_guarded_impl.c:983
    #3 0x556f191a9011 in node_free_type /home/jacques/blender-git/blender/source/blender/blenkernel/intern/node.c:416
    #4 0x556f303d3697 in ghash_remove_ex /home/jacques/blender-git/blender/source/blender/blenlib/intern/BLI_ghash.c:594
    #5 0x556f303d9644 in BLI_ghash_remove /home/jacques/blender-git/blender/source/blender/blenlib/intern/BLI_ghash.c:915
    #6 0x556f191a9397 in nodeUnregisterType /home/jacques/blender-git/blender/source/blender/blenkernel/intern/node.c:435
    #7 0x556f1b2208b7 in rna_Node_unregister /home/jacques/blender-git/blender/source/blender/makesrna/intern/rna_nodetree.c:1580
    #8 0x556f1b79629d in pyrna_unregister_class /home/jacques/blender-git/blender/source/blender/python/intern/bpy_rna.c:8846
    #9 0x556f31cba1b8 in _PyMethodDef_RawFastCallKeywords Objects/call.c:648

previously allocated by thread T0 here:
    #0 0x7fbb4a08ace6 in calloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dce6)
    #1 0x556f306b3032 in MEM_guarded_callocN /home/jacques/blender-git/blender/intern/guardedalloc/intern/mallocn_guarded_impl.c:613
    #2 0x556f1b220c58 in rna_Node_register_base /home/jacques/blender-git/blender/source/blender/makesrna/intern/rna_nodetree.c:1635
    #3 0x556f1b22e176 in rna_ShaderNodeCustomGroup_register /home/jacques/blender-git/blender/source/blender/makesrna/intern/rna_nodetree.c:2837
    #4 0x556f1b794cdc in pyrna_register_class /home/jacques/blender-git/blender/source/blender/python/intern/bpy_rna.c:8642
    #5 0x556f31cba1b8 in _PyMethodDef_RawFastCallKeywords Objects/call.c:648
Bastien Montagne (mont29) changed the subtype of this task from "Report" to "Bug".Wed, Jan 15, 10:53 AM