Collection Instance Crash when instancing collections with disabled subcollections
Confirmed, High | Public | BUG

Description

System Information
Operating system: Linux-5.8.0-2-amd64-x86_64-with-glibc2.31 64 Bits
Graphics card: GeForce GTX 1070/PCIe/SSE2 NVIDIA Corporation 4.5.0 NVIDIA 450.66

Blender Version
Broken: version: 2.93.0 Alpha, branch: master, commit date: 2021-02-17 19:34, hash: rBeeeb85baf8ab
Worked: never (tested 2.80)

Short description of error
Blender (sometimes (see below)) crashes when trying to create a collection instance of a collection that contains a disabled collection

Exact steps for others to reproduce the error
Based on default startup:

  1. create a subcollection to Collection
  2. disable it with "Exclude from View Layer" (the checkmark)
  3. (you can also enable it again here! Very unexpected!)
  4. create a new Collection Instance of "Collection"
  5. crash

Now vary the procedure and get no crash:

  1. create a subcollection to Collection
  2. create a new Collection Instance of "Collection"
  3. no crash
  4. disable it with "Exclude from View Layer"
  5. (you can also enable it again here! Very unexpected!)
  6. create a new Collection Instance of "Collection"
  7. still no crash

Event Timeline

Philipp Oeser (lichtwerk) changed the task status from Needs Triage to Confirmed. Fri, Feb 19, 11:26 AM
Philipp Oeser (lichtwerk) changed the subtype of this task from "Report" to "Bug".

Makes me wonder why this has not been reported before, but yes, can confirm, will check on this.

Philipp Oeser (lichtwerk) triaged this task as High priority. Fri, Feb 19, 12:08 PM

Not sure if we should enter collection_object_cache_fill a second time at all?
After all the LayerCollection is excluded, but not familiar enough with the mechanisms that sync flags between Collections and LayerCollections (or whether they should be checked here)
If we enter a second time, child collection related memory is garbled

1  collection_object_cache_fill                     collection.c            780  0x3903be7 
2  collection_object_cache_fill                     collection.c            780  0x3903bfd 
3  BKE_collection_object_cache_get                  collection.c            791  0x3903c70 
4  make_duplis_collection                           object_dupli.c          379  0x3532bdb 
5  object_duplilist                                 object_dupli.c          1601 0x3536f66 
6  (anonymous namespace)::deg_iterator_duplis_init  depsgraph_query_iter.cc 231  0xcbc08a1 
7  (anonymous namespace)::deg_iterator_objects_step depsgraph_query_iter.cc 355  0xcbc0e2f 
8  DEG_iterator_objects_next                        depsgraph_query_iter.cc 407  0xcbc0fec 
9  DRW_draw_render_loop_ex                          draw_manager.c          1594 0x3cce6ca 
10 DRW_draw_view                                    draw_manager.c          1511 0x3cce272 
11 view3d_draw_view                                 view3d_draw.c           1606 0x4a2f868 
12 view3d_main_region_draw                          view3d_draw.c           1628 0x4a2f90f 
13 ED_region_do_draw                                area.c                  558  0x434b8e7 
14 wm_draw_window_offscreen                         wm_draw.c               731  0x39f5ac2 
15 wm_draw_window                                   wm_draw.c               872  0x39f607b 
16 wm_draw_update                                   wm_draw.c               1073 0x39f66b3 
17 WM_main                                          wm.c                    643  0x39f2db1 
18 main                                             creator.c               522  0x34342f2

This sounds like something users would run into often? (even though it has not been reported often).
Will set to High prio for the time being.

you can also enable it again here! Very unexpected!

Why is this so unexpected?

Since disabling it caused the crash after adding the instance and not touching it didn't crash when adding the instance, I thought disabling then enabling would be as if it was never disabled (expected). But instead if that thing is touched once, no matter in what state it is when adding the collection instance, it still causes the crash.
Usually when things go wrong it is caused by an unexpected state of the file that didn't get handled correctly, but here the visible state didn't seem to matter.
(Talking about how things are expected to go wrong is weird, sorry.. ;D )

Also I might say, I found this bug in a more complicated file, so yes you can encounter it in real-life scenarios when using the collection instance.

Another interesting ASAN crash report:

==110720==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000235930 at pc 0x000010a07b10 bp 0x7ffd87418ca0 sp 0x7ffd87418c98
READ of size 2 at 0x612000235930 thread T0
    #0 0x10a07b0f in collection_object_cache_fill /home/guest/blender/src/source/blender/blenkernel/intern/collection.c:757
    #1 0x10a08047 in collection_object_cache_fill /home/guest/blender/src/source/blender/blenkernel/intern/collection.c:780
    #2 0x10a08228 in BKE_collection_object_cache_get /home/guest/blender/src/source/blender/blenkernel/intern/collection.c:791
    #3 0x10ef90a3 in make_duplis_collection /home/guest/blender/src/source/blender/blenkernel/intern/object_dupli.c:379
    #4 0x10f0ba06 in object_duplilist /home/guest/blender/src/source/blender/blenkernel/intern/object_dupli.c:1601
    #5 0x296d3a7a in deg_iterator_duplis_init /home/guest/blender/src/source/blender/depsgraph/intern/depsgraph_query_iter.cc:231
    #6 0x296d5e18 in deg_iterator_objects_step /home/guest/blender/src/source/blender/depsgraph/intern/depsgraph_query_iter.cc:355
    #7 0x296d66e1 in DEG_iterator_objects_next /home/guest/blender/src/source/blender/depsgraph/intern/depsgraph_query_iter.cc:407
    #8 0x1293277b in DRW_draw_render_loop_ex /home/guest/blender/src/source/blender/draw/intern/draw_manager.c:1596
    #9 0x12931844 in DRW_draw_view /home/guest/blender/src/source/blender/draw/intern/draw_manager.c:1513
    #10 0x16e4bb3b in view3d_draw_view /home/guest/blender/src/source/blender/editors/space_view3d/view3d_draw.c:1606
    #11 0x16e4bcbc in view3d_main_region_draw /home/guest/blender/src/source/blender/editors/space_view3d/view3d_draw.c:1628
    #12 0x14c7209e in ED_region_do_draw /home/guest/blender/src/source/blender/editors/screen/area.c:558
    #13 0x11f55af9 in wm_draw_window_offscreen /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:731
    #14 0x11f56d11 in wm_draw_window /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:872
    #15 0x11f5816c in wm_draw_update /home/guest/blender/src/source/blender/windowmanager/intern/wm_draw.c:1073
    #16 0x11f3fd14 in WM_main /home/guest/blender/src/source/blender/windowmanager/intern/wm.c:643
    #17 0x104e4ba3 in main /home/guest/blender/src/source/creator/creator.c:522
    #18 0x7f3715ac4d09 in __libc_start_main ../csu/libc-start.c:308
    #19 0x104e3db9 in _start (/home/guest/blender/build_master_debug/bin/blender+0x104e3db9)

0x612000235930 is located 240 bytes inside of 296-byte region [0x612000235840,0x612000235968)
freed by thread T0 here:
    #0 0x7f371f896b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x29e593d2 in MEM_lockfree_freeN /home/guest/blender/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:129
    #2 0x29547d52 in blender::deg::DepsgraphNodeBuilder::~DepsgraphNodeBuilder() /home/guest/blender/src/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:148
    #3 0x295480c1 in blender::deg::DepsgraphNodeBuilder::~DepsgraphNodeBuilder() /home/guest/blender/src/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:152
    #4 0x29691ce6 in std::default_delete<blender::deg::DepsgraphNodeBuilder>::operator()(blender::deg::DepsgraphNodeBuilder*) const /usr/include/c++/10/bits/unique_ptr.h:85
    #5 0x2969140e in std::unique_ptr<blender::deg::DepsgraphNodeBuilder, std::default_delete<blender::deg::DepsgraphNodeBuilder> >::~unique_ptr() /usr/include/c++/10/bits/unique_ptr.h:361
    #6 0x2968f945 in blender::deg::AbstractBuilderPipeline::build_step_nodes() /home/guest/blender/src/source/blender/depsgraph/intern/builder/pipeline.cc:74
    #7 0x2968e8ad in blender::deg::AbstractBuilderPipeline::build() /home/guest/blender/src/source/blender/depsgraph/intern/builder/pipeline.cc:55
    #8 0x295f0fb6 in DEG_graph_build_from_view_layer /home/guest/blender/src/source/blender/depsgraph/intern/depsgraph_build.cc:228
    #9 0x295f2507 in DEG_graph_relations_update /home/guest/blender/src/source/blender/depsgraph/intern/depsgraph_build.cc:281
    #10 0x111bed97 in scene_graph_update_tagged /home/guest/blender/src/source/blender/blenkernel/intern/scene.c:2633
    #11 0x111beeb5 in BKE_scene_graph_update_tagged /home/guest/blender/src/source/blender/blenkernel/intern/scene.c:2679
    #12 0x11f5b6f9 in wm_event_do_depsgraph /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.c:364
    #13 0x11f5ba4f in wm_event_do_refresh_wm_and_depsgraph /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.c:389
    #14 0x11f5df65 in wm_event_do_notifiers /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.c:591
    #15 0x11f3fd08 in WM_main /home/guest/blender/src/source/blender/windowmanager/intern/wm.c:640
    #16 0x104e4ba3 in main /home/guest/blender/src/source/creator/creator.c:522
    #17 0x7f3715ac4d09 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f371f897037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x29e59ab0 in MEM_lockfree_callocN /home/guest/blender/src/intern/guardedalloc/intern/mallocn_lockfree_impl.c:235
    #2 0x10afb23b in BKE_libblock_alloc_notest /home/guest/blender/src/source/blender/blenkernel/intern/lib_id.c:1044
    #3 0x2951a573 in blender::deg::IDNode::init_copy_on_write(ID*) /home/guest/blender/src/source/blender/depsgraph/intern/node/deg_node_id.cc:113
    #4 0x295e01b0 in blender::deg::Depsgraph::add_id_node(ID*, ID*) /home/guest/blender/src/source/blender/depsgraph/intern/depsgraph.cc:123
    #5 0x29548951 in blender::deg::DepsgraphNodeBuilder::add_id_node(ID*) /home/guest/blender/src/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:173
    #6 0x29551dd0 in blender::deg::DepsgraphNodeBuilder::build_collection(LayerCollection*, Collection*) /home/guest/blender/src/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:553
    #7 0x295a71aa in blender::deg::DepsgraphNodeBuilder::build_layer_collections(ListBase*) /home/guest/blender/src/source/blender/depsgraph/intern/builder/deg_builder_nodes_view_layer.cc:71
    #8 0x295a736b in blender::deg::DepsgraphNodeBuilder::build_layer_collections(ListBase*) /home/guest/blender/src/source/blender/depsgraph/intern/builder/deg_builder_nodes_view_layer.cc:73
    #9 0x295a736b in blender::deg::DepsgraphNodeBuilder::build_layer_collections(ListBase*) /home/guest/blender/src/source/blender/depsgraph/intern/builder/deg_builder_nodes_view_layer.cc:73
    #10 0x295a88af in blender::deg::DepsgraphNodeBuilder::build_view_layer(Scene*, ViewLayer*, blender::deg::eDepsNode_LinkedState_Type) /home/guest/blender/src/source/blender/depsgraph/intern/builder/deg_builder_nodes_view_layer.cc:121
    #11 0x2969940a in blender::deg::ViewLayerBuilderPipeline::build_nodes(blender::deg::DepsgraphNodeBuilder&) /home/guest/blender/src/source/blender/depsgraph/intern/builder/pipeline_view_layer.cc:35
    #12 0x2968f7c2 in blender::deg::AbstractBuilderPipeline::build_step_nodes() /home/guest/blender/src/source/blender/depsgraph/intern/builder/pipeline.cc:76
    #13 0x2968e8ad in blender::deg::AbstractBuilderPipeline::build() /home/guest/blender/src/source/blender/depsgraph/intern/builder/pipeline.cc:55
    #14 0x295f0fb6 in DEG_graph_build_from_view_layer /home/guest/blender/src/source/blender/depsgraph/intern/depsgraph_build.cc:228
    #15 0x295f2507 in DEG_graph_relations_update /home/guest/blender/src/source/blender/depsgraph/intern/depsgraph_build.cc:281
    #16 0x111bed97 in scene_graph_update_tagged /home/guest/blender/src/source/blender/blenkernel/intern/scene.c:2633
    #17 0x111beeb5 in BKE_scene_graph_update_tagged /home/guest/blender/src/source/blender/blenkernel/intern/scene.c:2679
    #18 0x11f5b6f9 in wm_event_do_depsgraph /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.c:364
    #19 0x11f5ba4f in wm_event_do_refresh_wm_and_depsgraph /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.c:389
    #20 0x11f5df65 in wm_event_do_notifiers /home/guest/blender/src/source/blender/windowmanager/intern/wm_event_system.c:591
    #21 0x11f3fd08 in WM_main /home/guest/blender/src/source/blender/windowmanager/intern/wm.c:640
    #22 0x104e4ba3 in main /home/guest/blender/src/source/creator/creator.c:522
    #23 0x7f3715ac4d09 in __libc_start_main ../csu/libc-start.c:308

@Sergey Sharybin (sergey) or @Sybren A. Stüvel (sybren) may have an insight here? Looks like `DEG_graph_relations_update` builds then frees some data that is later being accessed by draw code?

@Bastien Montagne (mont29), the builder frees IDs which are no longer in the depsgraph, so this is kind of expected I think.

I guess the issue is caused by SOME of the collections in the depsgraph still pointing to a collection which is removed from depsgraph. This shouldn't really happen. We do have some special magic in scene_remove_unused_view_layers and view_layer_remove_disabled_bases, so perhaps need to do a special treatment of collections as well (since they can be ignored by the builder).
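
A simplified model of the failure discussed in the comments above, added here as an illustration and not taken from Blender's source or its eventual fix: a rebuild frees collections the builder skipped while a surviving parent still lists them as children, and pruning those links before the free removes the dangling pointer. The `Coll` type and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

#define MAX_CHILDREN 4

/* Hypothetical stand-in for a collection copy owned by the graph. */
typedef struct Coll {
    bool in_graph; /* true if the builder visited this ID */
    int n_children;
    struct Coll *children[MAX_CHILDREN];
} Coll;

/* Drop child links that point at collections the builder skipped. */
static void prune_skipped_children(Coll *c) {
    int kept = 0;
    for (int i = 0; i < c->n_children; i++)
        if (c->children[i]->in_graph) c->children[kept++] = c->children[i];
    c->n_children = kept;
}

/* Free every collection the builder skipped; returns how many were freed. */
static int free_skipped(Coll **all, int n, bool prune_first) {
    int freed = 0;
    for (int i = 0; prune_first && i < n; i++)
        if (all[i]->in_graph) prune_skipped_children(all[i]);
    for (int i = 0; i < n; i++)
        if (!all[i]->in_graph) { free(all[i]); all[i] = NULL; freed++; }
    return freed;
}

/* Recursive walk over children, the access pattern of a cache fill. */
static int count_reachable(const Coll *c) {
    int total = 1;
    for (int i = 0; i < c->n_children; i++) total += count_reachable(c->children[i]);
    return total;
}

/* Constructed scenario: parent with one excluded child. Returns the number of
 * child links left on the parent after the rebuild; each one is dangling. */
static int dangling_links_after_rebuild(bool prune_first) {
    Coll *parent = calloc(1, sizeof(Coll)), *child = calloc(1, sizeof(Coll));
    Coll *all[2] = {parent, child};
    parent->in_graph = true;
    parent->children[parent->n_children++] = child;
    free_skipped(all, 2, prune_first);
    /* Only walk the tree when it is known to be free of stale pointers. */
    int links = parent->n_children;
    if (links == 0 && count_reachable(parent) != 1) links = -1;
    free(parent);
    return links;
}
```

Without the prune step the parent keeps one link to freed memory, which is the read AddressSanitizer flags in the report; with it, the recursive walk only touches live collections.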