Use after free: Baking Rigid Body physics causes instant crash #88113

New Issue

Matthew Belinkie · 2021-05-07T20:01:03+02:00

Matthew Belinkie commented

2021-05-07 20:01:03 +02:00

System Information
Operating system: macOS 10.15.7
Graphics card: AMD Radeon Pro 5500M 4 GB / Intel UHD Graphics 630 1536 MB

Blender Version
Broken: 2.92.0, branch: master, commit date: 2021-02-24 16:25, 2.93.0 Beta, branch: master, commit date: 2021-04-28 22:25,
broken: f7b22fc3d2
Worked:

Baking the Rigid Body world physics causes Blender to crash either instantly, or after baking less than 100 frames (it varies). Interestingly, a friend with the PC version of 2.92 says the project works fine, no crashes whatsoever.

Exact steps for others to reproduce the error
Open the project. Make sure Allow Negative Frames is on under Preferences/Animation. Go to the Rigid Body World and hit bake.

physics test b.blend
Asan report: T88113_asan_report.txt

**System Information** Operating system: macOS 10.15.7 Graphics card: AMD Radeon Pro 5500M 4 GB / Intel UHD Graphics 630 1536 MB **Blender Version** Broken: 2.92.0, branch: master, commit date: 2021-02-24 16:25, 2.93.0 Beta, branch: master, commit date: 2021-04-28 22:25, broken: f7b22fc3d27113715e8726c69ab3264e1d487439 Worked: Baking the Rigid Body world physics causes Blender to crash either instantly, or after baking less than 100 frames (it varies). Interestingly, a friend with the PC version of 2.92 says the project works fine, no crashes whatsoever. **Exact steps for others to reproduce the error** Open the project. Make sure Allow Negative Frames is on under Preferences/Animation. Go to the Rigid Body World and hit bake. [physics test b.blend](https://archive.blender.org/developer/F10060792/physics_test_b.blend) Asan report: [T88113_asan_report.txt](https://archive.blender.org/developer/F10135770/T88113_asan_report.txt)

Matthew Belinkie commented

2021-05-07 20:01:03 +02:00

Added subscriber: @mbelinkie

Matthew Belinkie commented

2021-05-08 18:53:53 +02:00

Here's the log of the crashed thread:

Crashed Thread:        20

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
abort() called
Blender(617,0x700009548000) malloc: *** error for object 0x7fced1162e00: pointer being freed was not allocated

Thread 20 Crashed:
0   libsystem_kernel.dylib        	0x00007fff6c5cb33a __pthread_kill + 10
1   libsystem_pthread.dylib       	0x00007fff6c687e60 pthread_kill + 430
2   libsystem_c.dylib             	0x00007fff6c5528a2 __abort + 139
3   libsystem_c.dylib             	0x00007fff6c552817 abort + 135
4   libsystem_malloc.dylib        	0x00007fff6c64850b malloc_vreport + 548
5   libsystem_malloc.dylib        	0x00007fff6c64b40f malloc_report + 151
6   org.blenderfoundation.blender 	0x000000010e379ecf BKE_curve_bevelList_make + 6159
7   org.blenderfoundation.blender 	0x000000010e39a2bb do_makeDispListCurveTypes + 363
8   org.blenderfoundation.blender 	0x000000010e39a11c BKE_displist_make_curveTypes + 140
9   org.blenderfoundation.blender 	0x000000010e3ac77a add_effector_evaluation + 330
10  org.blenderfoundation.blender 	0x000000010e3ac515 BKE_effectors_create + 101
11  org.blenderfoundation.blender 	0x000000010e4c3cd2 rigidbody_update_simulation + 1522
12  org.blenderfoundation.blender 	0x000000010e4c418c BKE_rigidbody_do_simulation + 460
13  org.blenderfoundation.blender 	0x00000001149a4b06 blender::deg::(anonymous namespace)::deg_task_run_func(TaskPool*, void*) + 134
14  org.blenderfoundation.blender 	0x000000010e717c0b tbb::interface7::internal::isolate_within_arena(tbb::interface7::internal::delegate_base&, long) + 75
15  org.blenderfoundation.blender 	0x0000000116099da2 tbb::internal::function_task<Task>::execute() + 50
16  org.blenderfoundation.blender 	0x000000010e724249 tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) + 377
17  org.blenderfoundation.blender 	0x000000010e723931 tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::local_wait_for_all(tbb::task&, tbb::task*) + 257
18  org.blenderfoundation.blender 	0x000000010e714d85 tbb::internal::arena::process(tbb::internal::generic_scheduler&) + 533
19  org.blenderfoundation.blender 	0x000000010e71e0cb tbb::internal::market::process(rml::job&) + 43
20  org.blenderfoundation.blender 	0x000000010e71ef18 tbb::internal::rml::private_worker::run() + 184
21  org.blenderfoundation.blender 	0x000000010e71ee59 tbb::internal::rml::private_worker::thread_routine(void*) + 9
22  libsystem_pthread.dylib       	0x00007fff6c688109 _pthread_start + 148
23  libsystem_pthread.dylib       	0x00007fff6c683b8b thread_start + 15

Here's the log of the crashed thread: ``` Crashed Thread: 20 Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Application Specific Information: abort() called Blender(617,0x700009548000) malloc: *** error for object 0x7fced1162e00: pointer being freed was not allocated Thread 20 Crashed: 0 libsystem_kernel.dylib 0x00007fff6c5cb33a __pthread_kill + 10 1 libsystem_pthread.dylib 0x00007fff6c687e60 pthread_kill + 430 2 libsystem_c.dylib 0x00007fff6c5528a2 __abort + 139 3 libsystem_c.dylib 0x00007fff6c552817 abort + 135 4 libsystem_malloc.dylib 0x00007fff6c64850b malloc_vreport + 548 5 libsystem_malloc.dylib 0x00007fff6c64b40f malloc_report + 151 6 org.blenderfoundation.blender 0x000000010e379ecf BKE_curve_bevelList_make + 6159 7 org.blenderfoundation.blender 0x000000010e39a2bb do_makeDispListCurveTypes + 363 8 org.blenderfoundation.blender 0x000000010e39a11c BKE_displist_make_curveTypes + 140 9 org.blenderfoundation.blender 0x000000010e3ac77a add_effector_evaluation + 330 10 org.blenderfoundation.blender 0x000000010e3ac515 BKE_effectors_create + 101 11 org.blenderfoundation.blender 0x000000010e4c3cd2 rigidbody_update_simulation + 1522 12 org.blenderfoundation.blender 0x000000010e4c418c BKE_rigidbody_do_simulation + 460 13 org.blenderfoundation.blender 0x00000001149a4b06 blender::deg::(anonymous namespace)::deg_task_run_func(TaskPool*, void*) + 134 14 org.blenderfoundation.blender 0x000000010e717c0b tbb::interface7::internal::isolate_within_arena(tbb::interface7::internal::delegate_base&, long) + 75 15 org.blenderfoundation.blender 0x0000000116099da2 tbb::internal::function_task<Task>::execute() + 50 16 org.blenderfoundation.blender 0x000000010e724249 tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) + 377 17 org.blenderfoundation.blender 0x000000010e723931 tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::local_wait_for_all(tbb::task&, tbb::task*) + 257 18 org.blenderfoundation.blender 0x000000010e714d85 tbb::internal::arena::process(tbb::internal::generic_scheduler&) + 533 19 org.blenderfoundation.blender 0x000000010e71e0cb tbb::internal::market::process(rml::job&) + 43 20 org.blenderfoundation.blender 0x000000010e71ef18 tbb::internal::rml::private_worker::run() + 184 21 org.blenderfoundation.blender 0x000000010e71ee59 tbb::internal::rml::private_worker::thread_routine(void*) + 9 22 libsystem_pthread.dylib 0x00007fff6c688109 _pthread_start + 148 23 libsystem_pthread.dylib 0x00007fff6c683b8b thread_start + 15 ```

Matthew Belinkie commented

2021-05-08 20:59:53 +02:00

After restarting and trying again, the simplified project file linked to in the ticket now works, but my main project file still insta-crashes. Subsequent attempts to bake give me a different crash message. See below.

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGSEGV)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   Blender [1052]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00007fff6c5c7756 __semwait_signal + 10
1   libsystem_c.dylib               0x00007fff6c54aeea nanosleep + 196
2   libsystem_c.dylib               0x00007fff6c54ade4 usleep + 53
3   org.blenderfoundation.blender   0x000000010a926358 WM_main + 24
4   org.blenderfoundation.blender   0x000000010a504b8b main + 907
5   libdyld.dylib                   0x00007fff6c483cc9 start + 1

Here's another confusing experiment. I deleted the physics objects from my main project file completely until there was nothing in the rigid body world, then deleted and created a new rigid body world. Then I imported the collection of physics object from another project and tried to bake those. Instant crash. SO it seems like there's something in the project file that is not a physics object but still causes rigid body world to crash. I feel like I need to know how to interpret the error messages to say more.

After restarting and trying again, the simplified project file linked to in the ticket now works, but my main project file still insta-crashes. Subsequent attempts to bake give me a different crash message. See below. ``` Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_CRASH (SIGSEGV) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: Blender [1052] Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_kernel.dylib 0x00007fff6c5c7756 __semwait_signal + 10 1 libsystem_c.dylib 0x00007fff6c54aeea nanosleep + 196 2 libsystem_c.dylib 0x00007fff6c54ade4 usleep + 53 3 org.blenderfoundation.blender 0x000000010a926358 WM_main + 24 4 org.blenderfoundation.blender 0x000000010a504b8b main + 907 5 libdyld.dylib 0x00007fff6c483cc9 start + 1 ``` Here's another confusing experiment. I deleted the physics objects from my main project file completely until there was nothing in the rigid body world, then deleted and created a new rigid body world. Then I imported the collection of physics object from another project and tried to bake those. Instant crash. SO it seems like there's something in the project file that is not a physics object but still causes rigid body world to crash. I feel like I need to know how to interpret the error messages to say more.

Matthew Belinkie commented

2021-05-08 21:06:45 +02:00

And here's another error from a rigid body baking insta-crash, a little different this time:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGSEGV)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   Blender [1466]

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_platform.dylib      	0x00007fff6c679dc9 _platform_bzero$VARIANT$Haswell + 41
1   com.apple.CoreGraphics        	0x00007fff3280e471 CGBlt_fillBytes + 301
2   com.apple.CoreGraphics        	0x00007fff328b9a17 RGBAf16_mark_inner(BltDepth* const*, BltOp const*) + 35522
3   com.apple.CoreGraphics        	0x00007fff32809824 RIPLayerBltShape + 1349
4   com.apple.CoreGraphics        	0x00007fff32807895 ripc_Render + 328
5   com.apple.CoreGraphics        	0x00007fff32804624 ripc_DrawRects + 462
6   com.apple.CoreGraphics        	0x00007fff328043c2 CGContextFillRects + 96
7   com.apple.CoreGraphics        	0x00007fff3280435b CGContextFillRect + 105
8   com.apple.CoreGraphics        	0x00007fff32803ed2 CGContextClearRect + 48
9   com.apple.AppKit              	0x00007fff2f7d5800 +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 932
10  com.apple.AppKit              	0x00007fff2f7d51a6 -[NSImage _lockFocusOnRepresentation:rect:context:hints:flipped:] + 485
11  com.apple.AppKit              	0x00007fff2f7d4fab __51-[NSImage lockFocusWithRect:context:hints:flipped:]_block_invoke + 66
12  com.apple.AppKit              	0x00007fff2f7b14d5 -[NSImage _usingBestRepresentationForRect:context:hints:body:] + 145
13  com.apple.AppKit              	0x00007fff2f7d4f5f -[NSImage lockFocusWithRect:context:hints:flipped:] + 141
14  com.apple.AppKit              	0x00007fff2f863c63 -[NSImage lockFocusFlipped:] + 111
15  org.blenderfoundation.blender 	0x0000000103b57b75 GHOST_WindowCocoa::setProgressBar(float) + 165
16  org.blenderfoundation.blender 	0x000000010306e318 wm_jobs_timer + 648
17  org.blenderfoundation.blender 	0x0000000103086edd wm_window_timer + 221
18  org.blenderfoundation.blender 	0x0000000103086de2 wm_window_process_events + 50
19  org.blenderfoundation.blender 	0x0000000103055358 WM_main + 24
20  org.blenderfoundation.blender 	0x0000000102c33b8b main + 907
21  libdyld.dylib                 	0x00007fff6c483cc9 start + 1

And here's another error from a rigid body baking insta-crash, a little different this time: ``` Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_CRASH (SIGSEGV) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: Blender [1466] Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_platform.dylib 0x00007fff6c679dc9 _platform_bzero$VARIANT$Haswell + 41 1 com.apple.CoreGraphics 0x00007fff3280e471 CGBlt_fillBytes + 301 2 com.apple.CoreGraphics 0x00007fff328b9a17 RGBAf16_mark_inner(BltDepth* const*, BltOp const*) + 35522 3 com.apple.CoreGraphics 0x00007fff32809824 RIPLayerBltShape + 1349 4 com.apple.CoreGraphics 0x00007fff32807895 ripc_Render + 328 5 com.apple.CoreGraphics 0x00007fff32804624 ripc_DrawRects + 462 6 com.apple.CoreGraphics 0x00007fff328043c2 CGContextFillRects + 96 7 com.apple.CoreGraphics 0x00007fff3280435b CGContextFillRect + 105 8 com.apple.CoreGraphics 0x00007fff32803ed2 CGContextClearRect + 48 9 com.apple.AppKit 0x00007fff2f7d5800 +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 932 10 com.apple.AppKit 0x00007fff2f7d51a6 -[NSImage _lockFocusOnRepresentation:rect:context:hints:flipped:] + 485 11 com.apple.AppKit 0x00007fff2f7d4fab __51-[NSImage lockFocusWithRect:context:hints:flipped:]_block_invoke + 66 12 com.apple.AppKit 0x00007fff2f7b14d5 -[NSImage _usingBestRepresentationForRect:context:hints:body:] + 145 13 com.apple.AppKit 0x00007fff2f7d4f5f -[NSImage lockFocusWithRect:context:hints:flipped:] + 141 14 com.apple.AppKit 0x00007fff2f863c63 -[NSImage lockFocusFlipped:] + 111 15 org.blenderfoundation.blender 0x0000000103b57b75 GHOST_WindowCocoa::setProgressBar(float) + 165 16 org.blenderfoundation.blender 0x000000010306e318 wm_jobs_timer + 648 17 org.blenderfoundation.blender 0x0000000103086edd wm_window_timer + 221 18 org.blenderfoundation.blender 0x0000000103086de2 wm_window_process_events + 50 19 org.blenderfoundation.blender 0x0000000103055358 WM_main + 24 20 org.blenderfoundation.blender 0x0000000102c33b8b main + 907 21 libdyld.dylib 0x00007fff6c483cc9 start + 1 ```

Matthew Belinkie commented

2021-05-08 21:59:57 +02:00

One more update, then I'll stop for a while. I tried to import all the collections into a new project and set up new physics. And now that new project won't even open. It crashes instantly on 2.92 and 2.93 beta.

I am putting this new, cursed file here.
01_SJP_5-8c.blend

Here is the error log of this new crash on opening the file.

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000030
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [712]

VM Regions Near 0x30:
--> 
    __TEXT                 000000010cf36000-0000000118d4e000 [190.1M] r-x/r-x SM=COW  /Users/USER/Downloads/Blender 2.93.app/Contents/MacOS/Blender

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   org.blenderfoundation.blender 	0x000000010d72fbca OVERLAY_extra_cache_populate + 1274
1   org.blenderfoundation.blender 	0x000000010d72c1cf OVERLAY_cache_populate + 1503
2   org.blenderfoundation.blender 	0x000000010d6dc3cd drw_engines_cache_populate + 173
3   org.blenderfoundation.blender 	0x000000010d6dae73 DRW_draw_render_loop_ex + 1123
4   org.blenderfoundation.blender 	0x000000010e010ed8 view3d_main_region_draw + 136
5   org.blenderfoundation.blender 	0x000000010db828f1 ED_region_do_draw + 337
6   org.blenderfoundation.blender 	0x000000010d5b2bdd wm_draw_update + 1757
7   org.blenderfoundation.blender 	0x000000010d5b0160 WM_main + 48
8   org.blenderfoundation.blender 	0x000000010d09ef1b main + 907
9   libdyld.dylib                 	0x00007fff677fecc9 start + 1

One more update, then I'll stop for a while. I tried to import all the collections into a new project and set up new physics. And now that new project won't even open. It crashes instantly on 2.92 and 2.93 beta. I am putting this new, cursed file here. [01_SJP_5-8c.blend](https://archive.blender.org/developer/F10066440/01_SJP_5-8c.blend) Here is the error log of this new crash on opening the file. ``` Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000030 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [712] VM Regions Near 0x30: --> __TEXT 000000010cf36000-0000000118d4e000 [190.1M] r-x/r-x SM=COW /Users/USER/Downloads/Blender 2.93.app/Contents/MacOS/Blender Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 org.blenderfoundation.blender 0x000000010d72fbca OVERLAY_extra_cache_populate + 1274 1 org.blenderfoundation.blender 0x000000010d72c1cf OVERLAY_cache_populate + 1503 2 org.blenderfoundation.blender 0x000000010d6dc3cd drw_engines_cache_populate + 173 3 org.blenderfoundation.blender 0x000000010d6dae73 DRW_draw_render_loop_ex + 1123 4 org.blenderfoundation.blender 0x000000010e010ed8 view3d_main_region_draw + 136 5 org.blenderfoundation.blender 0x000000010db828f1 ED_region_do_draw + 337 6 org.blenderfoundation.blender 0x000000010d5b2bdd wm_draw_update + 1757 7 org.blenderfoundation.blender 0x000000010d5b0160 WM_main + 48 8 org.blenderfoundation.blender 0x000000010d09ef1b main + 907 9 libdyld.dylib 0x00007fff677fecc9 start + 1 ```

Ankit Meel changed title from ~~Baking Rigid Body physics causes instant crash, but only on the Mac version~~ to Use after free: Baking Rigid Body physics causes instant crash

2021-05-22 10:50:15 +02:00

Ankit Meel commented

2021-05-22 10:50:15 +02:00

Changed status from 'Needs Triage' to: 'Confirmed'

Ankit Meel commented

2021-05-22 10:50:58 +02:00

Added subscriber: @ankitm

Ankit Meel commented

2021-05-22 10:50:58 +02:00

I'm confirming the description as of now: allowing negative frames, and hitting bake. Added the asan report too. macOS 10.14, f7b22fc3d2
following crashes like in appending etc look like symptoms and might be investigated after the use after free is fixed.

I'm confirming the description as of now: allowing negative frames, and hitting bake. Added the asan report too. macOS 10.14, f7b22fc3d27113715e8726c69ab3264e1d487439 following crashes like in appending etc look like symptoms and might be investigated after the use after free is fixed.

Dalai Felinto commented

2022-05-09 15:28:32 +02:00

Added subscribers: @sreich, @dfelinto

Dalai Felinto commented

2022-05-09 15:28:32 +02:00

Thanks for the report. Marking this as known issue since it depends on the rigid body system which at the moment has no active developer. I'm tagging Sergej here anyways in case he wants to tackle any of those. Anyone wlse interested on that can also join the geometry nodes meetings to get onboarded.

Philipp Oeser removed the

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

Use after free: Baking Rigid Body physics causes instant crash #88113