heap-use-after-free after assigning a material #94362

New Issue

Closed

opened 2021-12-24 13:37:35 +01:00 by Sybren A. Stüvel · 4 comments

Sybren A. Stüvel commented 2021-12-24 13:37:35 +01:00

Member

Copy Link

System Information
Operating system: Linux-5.4.0-91-generic-x86_64-with-glibc2.31 64 Bits
Graphics card: GeForce RTX 2080/PCIe/SSE2 NVIDIA Corporation 4.5.0 NVIDIA 460.91.03

Blender Version
Broken: version: 3.1.0 Alpha, branch: master, commit date: today, hash: c0db8a9a3b
Worked: 3.0 release

It seems to be caused by 7e712b2d6a

Short description of error
When dragging a material from the asset browser onto an object, Blender (ASAN/debug build) crashes with a heap-use-after-free error.

I've had Blender crash also without ASAN on a release build, but then it was less predictable when the crash would happen.

Exact steps for others to reproduce the error

• Start an ASAN-enabled debug build of Blender.
• Download the Cube Diorama demo file and open it.
• Drag a material from the asset browser onto the floor.

ASAN stack traces:
P2680: (An Untitled Masterwork)

=================================================================
==168340==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190006f0362 at pc 0x000001c6a230 bp 0x7ffe649af2c0 sp 0x7ffe649af2b0
READ of size 2 at 0x6190006f0362 thread T0
    #0 0x1c6a22f in image_get_gpu_texture /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/image_gpu.cc:356
    #1 0x1c6bdce in BKE_image_get_gpu_texture /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/image_gpu.cc:494
    #2 0x46e46d5 in DRW_shgroup_add_material_resources /home/sybren/workspace/blender-git/blender/source/blender/draw/intern/draw_manager_data.c:1374
    #3 0x479c402 in material_opaque /home/sybren/workspace/blender-git/blender/source/blender/draw/engines/eevee/eevee_materials.c:634
    #4 0x479f335 in eevee_material_cache_get /home/sybren/workspace/blender-git/blender/source/blender/draw/engines/eevee/eevee_materials.c:752
    #5 0x479f335 in EEVEE_materials_cache_populate /home/sybren/workspace/blender-git/blender/source/blender/draw/engines/eevee/eevee_materials.c:825
    #6 0x4748748 in EEVEE_cache_populate /home/sybren/workspace/blender-git/blender/source/blender/draw/engines/eevee/eevee_engine.c:126
    #7 0x46bfbda in drw_engines_cache_populate /home/sybren/workspace/blender-git/blender/source/blender/draw/intern/draw_manager.c:1082
    #8 0x46c59e8 in DRW_draw_render_loop_ex /home/sybren/workspace/blender-git/blender/source/blender/draw/intern/draw_manager.c:1697
    #9 0x46c4ace in DRW_draw_view /home/sybren/workspace/blender-git/blender/source/blender/draw/intern/draw_manager.c:1609
    #10 0x915ec91 in view3d_draw_view /home/sybren/workspace/blender-git/blender/source/blender/editors/space_view3d/view3d_draw.c:1560
    #11 0x915ee1a in view3d_main_region_draw /home/sybren/workspace/blender-git/blender/source/blender/editors/space_view3d/view3d_draw.c:1582
    #12 0x640ad5e in ED_region_do_draw /home/sybren/workspace/blender-git/blender/source/blender/editors/screen/area.c:558
    #13 0x3a6ccca in wm_draw_window_offscreen /home/sybren/workspace/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:731
    #14 0x3a6defc in wm_draw_window /home/sybren/workspace/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:881
    #15 0x3a6f36c in wm_draw_update /home/sybren/workspace/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:1082
    #16 0x3a5bb31 in WM_main /home/sybren/workspace/blender-git/blender/source/blender/windowmanager/intern/wm.c:645
    #17 0x1a975ab in main /home/sybren/workspace/blender-git/blender/source/creator/creator.c:561
    #18 0x7fa4169090b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #19 0x1a9697d in _start (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x1a9697d)

0x6190006f0362 is located 994 bytes inside of 1032-byte region [0x6190006eff80,0x6190006f0388)
freed by thread #35 here:
    #0 0x7fa41719e7cf in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0xe6fa096 in MEM_lockfree_freeN /home/sybren/workspace/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:130
    #2 0x57d60ba in node_free_standard_storage /home/sybren/workspace/blender-git/blender/source/blender/nodes/intern/node_util.c:61
    #3 0x1eefc91 in node_free_node /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/node.cc:3101
    #4 0x1ece8fd in ntree_free_data /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/node.cc:287
    #5 0x1cedaef in BKE_libblock_free_datablock /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/lib_id_delete.c:85
    #6 0x45b3413 in blender::deg::deg_free_copy_on_write_datablock(ID*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1024
    #7 0x45b2b16 in blender::deg::deg_update_copy_on_write_datablock(blender::deg::Depsgraph const*, blender::deg::IDNode const*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:903
    #8 0x45b392a in blender::deg::deg_evaluate_copy_on_write(Depsgraph*, blender::deg::IDNode const*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1039
    #9 0x462ca68 in operator() /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:190
    #10 0x466d655 in _M_invoke /usr/include/c++/9/bits/std_function.h:300
    #11 0x45aa4dc in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/9/bits/std_function.h:688
    #12 0x45a58d5 in evaluate_node /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:118
    #13 0x45a5924 in deg_task_run_func /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:129
    #14 0xe6c108f in Task::operator()() const /home/sybren/workspace/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:178
    #15 0xe6c489b in tbb::internal::function_task<Task>::execute() /home/sybren/workspace/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task.h:1059
    #16 0x3a4fd54 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4fd54)

previously allocated by thread #34 here:
    #0 0x7fa41719ebc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0xe6faaf6 in MEM_lockfree_mallocN /home/sybren/workspace/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:277
    #2 0xe6fa200 in MEM_lockfree_dupallocN /home/sybren/workspace/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:146
    #3 0x57d628a in node_copy_standard_storage /home/sybren/workspace/blender-git/blender/source/blender/nodes/intern/node_util.c:74
    #4 0x1ee5058 in BKE_node_copy_ex /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/node.cc:2304
    #5 0x1ecc639 in ntree_copy_data /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/node.cc:159
    #6 0x1cdc059 in BKE_id_copy_ex /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/lib_id.c:630
    #7 0x45ae0e1 in id_copy_inplace_no_main /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:304
    #8 0x45b25ac in deg_expand_copy_on_write_datablock /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:861
    #9 0x45b2b2f in blender::deg::deg_update_copy_on_write_datablock(blender::deg::Depsgraph const*, blender::deg::IDNode const*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:904
    #10 0x45b392a in blender::deg::deg_evaluate_copy_on_write(Depsgraph*, blender::deg::IDNode const*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1039
    #11 0x462ca68 in operator() /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:190
    #12 0x466d655 in _M_invoke /usr/include/c++/9/bits/std_function.h:300
    #13 0x45aa4dc in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/9/bits/std_function.h:688
    #14 0x45a58d5 in evaluate_node /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:118
    #15 0x45a5924 in deg_task_run_func /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:129
    #16 0xe6c108f in Task::operator()() const /home/sybren/workspace/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:178
    #17 0xe6c489b in tbb::internal::function_task<Task>::execute() /home/sybren/workspace/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task.h:1059
    #18 0x3a4fd54 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4fd54)

Thread #35 created by #26 here:
    #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968)
    #2 0x62d00009de7f  (<unknown module>)

Thread #26 created by T22 here:
    #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968)
    #2 0x62d00009e27f  (<unknown module>)

Thread T22 created by T0 here:
    #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968)
    #2 0x60c00000213f  (<unknown module>)

Thread #34 created by #28 here:
    #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968)
    #2 0x7efff  (<unknown module>)

Thread #28 created by T23 here:
    #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968)
    #2 0x62d00009e17f  (<unknown module>)

Thread T23 created by T0 here:
    #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968)
    #2 0x62d00009e37f  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/image_gpu.cc:356 in image_get_gpu_texture
Shadow bytes around the buggy address:
  0x0c32800d6010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800d6020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800d6030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800d6040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800d6050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c32800d6060: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c32800d6070: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800d6080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800d6090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800d60a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800d60b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==168340==ABORTING

**System Information** Operating system: Linux-5.4.0-91-generic-x86_64-with-glibc2.31 64 Bits Graphics card: GeForce RTX 2080/PCIe/SSE2 NVIDIA Corporation 4.5.0 NVIDIA 460.91.03 **Blender Version** Broken: version: 3.1.0 Alpha, branch: master, commit date: today, hash: `c0db8a9a3b` Worked: 3.0 release It seems to be caused by 7e712b2d6a **Short description of error** When dragging a material from the asset browser onto an object, Blender (ASAN/debug build) crashes with a heap-use-after-free error. I've had Blender crash also without ASAN on a release build, but then it was less predictable when the crash would happen. **Exact steps for others to reproduce the error** - Start an ASAN-enabled debug build of Blender. - Download [the Cube Diorama demo file](https://www.blender.org/download/demo/bundles/bundles-3.0/asset-demo-bundle-3.0-cube-diorama.zip?x18321) and open it. - Drag a material from the asset browser onto the floor. ASAN stack traces: [P2680: (An Untitled Masterwork)](https://archive.blender.org/developer/P2680.txt) ``` ================================================================= ==168340==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190006f0362 at pc 0x000001c6a230 bp 0x7ffe649af2c0 sp 0x7ffe649af2b0 READ of size 2 at 0x6190006f0362 thread T0 #0 0x1c6a22f in image_get_gpu_texture /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/image_gpu.cc:356 #1 0x1c6bdce in BKE_image_get_gpu_texture /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/image_gpu.cc:494 #2 0x46e46d5 in DRW_shgroup_add_material_resources /home/sybren/workspace/blender-git/blender/source/blender/draw/intern/draw_manager_data.c:1374 #3 0x479c402 in material_opaque /home/sybren/workspace/blender-git/blender/source/blender/draw/engines/eevee/eevee_materials.c:634 #4 0x479f335 in eevee_material_cache_get /home/sybren/workspace/blender-git/blender/source/blender/draw/engines/eevee/eevee_materials.c:752 #5 0x479f335 in EEVEE_materials_cache_populate /home/sybren/workspace/blender-git/blender/source/blender/draw/engines/eevee/eevee_materials.c:825 #6 0x4748748 in EEVEE_cache_populate /home/sybren/workspace/blender-git/blender/source/blender/draw/engines/eevee/eevee_engine.c:126 #7 0x46bfbda in drw_engines_cache_populate /home/sybren/workspace/blender-git/blender/source/blender/draw/intern/draw_manager.c:1082 #8 0x46c59e8 in DRW_draw_render_loop_ex /home/sybren/workspace/blender-git/blender/source/blender/draw/intern/draw_manager.c:1697 #9 0x46c4ace in DRW_draw_view /home/sybren/workspace/blender-git/blender/source/blender/draw/intern/draw_manager.c:1609 #10 0x915ec91 in view3d_draw_view /home/sybren/workspace/blender-git/blender/source/blender/editors/space_view3d/view3d_draw.c:1560 #11 0x915ee1a in view3d_main_region_draw /home/sybren/workspace/blender-git/blender/source/blender/editors/space_view3d/view3d_draw.c:1582 #12 0x640ad5e in ED_region_do_draw /home/sybren/workspace/blender-git/blender/source/blender/editors/screen/area.c:558 #13 0x3a6ccca in wm_draw_window_offscreen /home/sybren/workspace/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:731 #14 0x3a6defc in wm_draw_window /home/sybren/workspace/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:881 #15 0x3a6f36c in wm_draw_update /home/sybren/workspace/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:1082 #16 0x3a5bb31 in WM_main /home/sybren/workspace/blender-git/blender/source/blender/windowmanager/intern/wm.c:645 #17 0x1a975ab in main /home/sybren/workspace/blender-git/blender/source/creator/creator.c:561 #18 0x7fa4169090b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #19 0x1a9697d in _start (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x1a9697d) 0x6190006f0362 is located 994 bytes inside of 1032-byte region [0x6190006eff80,0x6190006f0388) freed by thread #35 here: #0 0x7fa41719e7cf in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf) #1 0xe6fa096 in MEM_lockfree_freeN /home/sybren/workspace/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:130 #2 0x57d60ba in node_free_standard_storage /home/sybren/workspace/blender-git/blender/source/blender/nodes/intern/node_util.c:61 #3 0x1eefc91 in node_free_node /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/node.cc:3101 #4 0x1ece8fd in ntree_free_data /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/node.cc:287 #5 0x1cedaef in BKE_libblock_free_datablock /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/lib_id_delete.c:85 #6 0x45b3413 in blender::deg::deg_free_copy_on_write_datablock(ID*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1024 #7 0x45b2b16 in blender::deg::deg_update_copy_on_write_datablock(blender::deg::Depsgraph const*, blender::deg::IDNode const*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:903 #8 0x45b392a in blender::deg::deg_evaluate_copy_on_write(Depsgraph*, blender::deg::IDNode const*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1039 #9 0x462ca68 in operator() /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:190 #10 0x466d655 in _M_invoke /usr/include/c++/9/bits/std_function.h:300 #11 0x45aa4dc in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/9/bits/std_function.h:688 #12 0x45a58d5 in evaluate_node /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:118 #13 0x45a5924 in deg_task_run_func /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:129 #14 0xe6c108f in Task::operator()() const /home/sybren/workspace/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:178 #15 0xe6c489b in tbb::internal::function_task<Task>::execute() /home/sybren/workspace/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task.h:1059 #16 0x3a4fd54 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4fd54) previously allocated by thread #34 here: #0 0x7fa41719ebc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8) #1 0xe6faaf6 in MEM_lockfree_mallocN /home/sybren/workspace/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:277 #2 0xe6fa200 in MEM_lockfree_dupallocN /home/sybren/workspace/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:146 #3 0x57d628a in node_copy_standard_storage /home/sybren/workspace/blender-git/blender/source/blender/nodes/intern/node_util.c:74 #4 0x1ee5058 in BKE_node_copy_ex /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/node.cc:2304 #5 0x1ecc639 in ntree_copy_data /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/node.cc:159 #6 0x1cdc059 in BKE_id_copy_ex /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/lib_id.c:630 #7 0x45ae0e1 in id_copy_inplace_no_main /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:304 #8 0x45b25ac in deg_expand_copy_on_write_datablock /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:861 #9 0x45b2b2f in blender::deg::deg_update_copy_on_write_datablock(blender::deg::Depsgraph const*, blender::deg::IDNode const*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:904 #10 0x45b392a in blender::deg::deg_evaluate_copy_on_write(Depsgraph*, blender::deg::IDNode const*) /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval_copy_on_write.cc:1039 #11 0x462ca68 in operator() /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:190 #12 0x466d655 in _M_invoke /usr/include/c++/9/bits/std_function.h:300 #13 0x45aa4dc in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/9/bits/std_function.h:688 #14 0x45a58d5 in evaluate_node /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:118 #15 0x45a5924 in deg_task_run_func /home/sybren/workspace/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:129 #16 0xe6c108f in Task::operator()() const /home/sybren/workspace/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:178 #17 0xe6c489b in tbb::internal::function_task<Task>::execute() /home/sybren/workspace/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task.h:1059 #18 0x3a4fd54 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4fd54) Thread #35 created by #26 here: #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968) #2 0x62d00009de7f (<unknown module>) Thread #26 created by T22 here: #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968) #2 0x62d00009e27f (<unknown module>) Thread T22 created by T0 here: #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968) #2 0x60c00000213f (<unknown module>) Thread #34 created by #28 here: #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968) #2 0x7efff (<unknown module>) Thread #28 created by T23 here: #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968) #2 0x62d00009e17f (<unknown module>) Thread T23 created by T0 here: #0 0x7fa4170cb805 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x3a805) #1 0x3a4b968 in tbb::internal::rml::private_server::wake_some(int) (/home/sybren/workspace/blender-git/build_debug/bin/blender+0x3a4b968) #2 0x62d00009e37f (<unknown module>) SUMMARY: AddressSanitizer: heap-use-after-free /home/sybren/workspace/blender-git/blender/source/blender/blenkernel/intern/image_gpu.cc:356 in image_get_gpu_texture Shadow bytes around the buggy address: 0x0c32800d6010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32800d6020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32800d6030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32800d6040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32800d6050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c32800d6060: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd 0x0c32800d6070: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c32800d6080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c32800d6090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32800d60a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32800d60b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==168340==ABORTING ```

Sybren A. Stüvel commented 2021-12-24 13:37:35 +01:00

Author

Member

Copy Link

Added subscriber: @dr.sybren

Added subscriber: @dr.sybren

Jesse Yurkovich commented 2021-12-24 22:22:59 +01:00

Member

Copy Link

Changed status from 'Needs Triage' to: 'Confirmed'

Changed status from 'Needs Triage' to: 'Confirmed'

blender-admin commented 2021-12-25 11:14:02 +01:00

Copy Link

This issue was referenced by 28df0107d4

This issue was referenced by 28df0107d4a83dd7ce62781bef821092db1e0835

Jacques Lucke commented 2021-12-25 11:15:46 +01:00

Member

Copy Link

Changed status from 'Confirmed' to: 'Resolved'

Changed status from 'Confirmed' to: 'Resolved'

Jacques Lucke closed this issue 2021-12-25 11:15:46 +01:00

Jacques Lucke self-assigned this 2021-12-25 11:15:46 +01:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

blender-v4.4-release

manifold

npr-prototype

blender-v4.2-release

blender-v3.6-release

remote-asset-library-monolithic

blender-v4.3-release

temp-sculpt-dyntopo

blender-v3.3-release

brush-assets-project

pr-extensions-tidy-space

blender-v4.0-release

universal-scene-description

blender-v4.1-release

blender-v3.6-temp_wmoss_animrig_public

gpencil-next

blender-projects-basics

sculpt-blender

asset-browser-frontend-split

asset-shelf

blender-v3.5-release

blender-v2.93-release

sculpt-dev

bevelv2

xr-dev

v4.4.1

v4.2.9

v3.6.22

v4.4.0

v4.2.8

v4.2.7

v3.6.21

v4.2.6

v3.6.20

v4.2.5

v3.6.19

v4.3.2

v4.3.1

v4.3.0

v4.2.4

v3.6.18

v4.2.3

v3.6.17

v4.2.2

v3.6.16

v4.2.1

v3.6.15

v4.2.0

v3.6.14

v3.3.21

v3.6.13

v3.3.20

v3.6.12

v3.3.19

v4.1.1

v3.6.11

v3.3.18

v4.1.0

v3.3.17

v3.6.10

v3.6.9

v3.3.16

v3.6.8

v3.6.7

v3.3.14

v4.0.2

v4.0.1

v4.0.0

v3.6.5

v3.3.12

v3.6.4

v3.6.3

v3.3.11

v3.6.2

v3.3.10

v3.6.1

v3.3.9

v3.6.0

v3.3.8

v3.3.7

v2.93.18

v3.5.1

v3.3.6

v2.93.17

v3.5.0

v2.93.16

v3.3.5

v3.3.4

v2.93.15

v2.93.14

v3.3.3

v2.93.13

v2.93.12

v3.4.1

v3.3.2

v3.4.0

v3.3.1

v2.93.11

v3.3.0

v3.2.2

v2.93.10

v3.2.1

v3.2.0

v2.83.20

v2.93.9

v3.1.2

v3.1.1

v3.1.0

v2.83.19

v2.93.8

v3.0.1

v2.93.7

v3.0.0

v2.93.6

v2.93.5

v2.83.18

v2.93.4

v2.93.3

v2.83.17

v2.93.2

v2.93.1

v2.83.16

v2.93.0

v2.83.15

v2.83.14

v2.83.13

v2.92.0

v2.83.12

v2.91.2

v2.83.10

v2.91.0

v2.83.9

v2.83.8

v2.83.7

v2.90.1

v2.83.6.1

v2.83.6

v2.90.0

v2.83.5

v2.83.4

v2.83.3

v2.83.2

v2.83.1

v2.83

v2.82a

v2.82

v2.81a

v2.81

v2.80

v2.80-rc3

v2.80-rc2

v2.80-rc1

v2.79b

v2.79a

v2.79

v2.79-rc2

v2.79-rc1

v2.78c

v2.78b

v2.78a

v2.78

v2.78-rc2

v2.78-rc1

v2.77a

v2.77

v2.77-rc2

v2.77-rc1

v2.76b

v2.76a

v2.76

v2.76-rc3

v2.76-rc2

v2.76-rc1

v2.75a

v2.75

v2.75-rc2

v2.75-rc1

v2.74

v2.74-rc4

v2.74-rc3

v2.74-rc2

v2.74-rc1

v2.73a

v2.73

v2.73-rc1

v2.72b

2.72b

v2.72a

v2.72

v2.72-rc1

v2.71

v2.71-rc2

v2.71-rc1

v2.70a

v2.70

v2.70-rc2

v2.70-rc

v2.69

v2.68a

v2.68

v2.67b

v2.67a

v2.67

v2.66a

v2.66

v2.65a

v2.65

v2.64a

v2.64

v2.63a

v2.63

v2.61

v2.60a

v2.60

v2.59

v2.58a

v2.58

v2.57b

v2.57a

v2.57

v2.56a

v2.56

v2.55

v2.54

v2.53

v2.52

v2.51

v2.50

v2.49b

v2.49a

v2.49

v2.48a

v2.48

v2.47

v2.46

v2.45

v2.44

v2.43

v2.42a

v2.42

v2.41

v2.40

v2.37a

v2.37

v2.36

v2.35a

v2.35

v2.34

v2.33a

v2.33

v2.32

v2.31a

v2.31

v2.30

v2.28c

v2.28a

v2.28

v2.27

v2.26

v2.25

Labels

Clear labels

Interest

Alembic

Interest

Animation & Rigging

Interest

Asset System

Asset datablocks, libraries, browser and shelf

Interest

Audio

Interest

Automated Testing

Interest

BlendFile

Interest

Blender Asset Bundle

Interest

Code Documentation

Code comments, Python/RNA API descriptions

Interest

Collada

Interest

Compatibility

Backward and forward compatibility

Interest

Compositing

Interest

Core

Interest

Cycles

Interest

Dependency Graph

Interest

Development Management

Interest

EEVEE

Interest

FBX

FBX I/O related topics

Interest

Freestyle

Interest

Geometry Nodes

Interest

Grease Pencil

Interest

ID Management

Interest

Images & Movies

Interest

Import Export

Interest

Line Art

Interest

Masking

Interest

Metal

Interest

Modeling

Interest

Modifiers

Interest

Motion Tracking

Interest

Nodes & Physics

Interest

OpenGL

Interest

Overlay

Interest

Overrides

Interest

Performance

Interest

Physics

Interest

Pipeline & IO

Interest

Platforms & Builds

Interest

Python API

Interest

Render & Cycles

Interest

Render Pipeline

Interest

Sculpt, Paint & Texture

Interest

Text Editor

Interest

Translations

Interest

Triaging

Interest

USD

Interest

UV Editing

Interest

Undo

Interest

User Interface

Interest

VFX & Video

Interest

Video Sequencer

Interest

Viewport & EEVEE

Interest

Virtual Reality

Interest

Vulkan

Interest

Wayland

Wayland windowing on Unix

Interest

Workbench

Interest

glTF

glTF format I/O topics

Interest: X11

Xorg/X11 windowing

Legacy

Asset Browser Project

Archived

Legacy

Blender 2.8 Project

Archived

Legacy

Milestone 1: Basic, Local Asset Browser

Archived

Legacy

OpenGL Error

Archived

Meta

Good First Issue

Meta

Papercut

Meta

Retrospective

Meta

Security

Related to security, see policy: https://developer.blender.org/docs/handbook/bug_reports/vulnerability_reports/

Module

Animation & Rigging

Module

Asset System

Module

Core

Module

Development Management

Module

Grease Pencil

Module

Modeling

Module

Nodes & Physics

Module

Pipeline & IO

Module

Platforms & Builds

Module

Python API

Module

Render & Cycles

Module

Sculpt, Paint & Texture

Module

Triaging

Module

User Interface

Module

VFX & Video

Module

Viewport & EEVEE

Platform

FreeBSD

Platform

Linux

Platform

Windows

Platform

macOS

Severity

High

Severity

Low

Severity

Normal

Severity

Unbreak Now!

Status

Archived

Status

Confirmed

Status

Duplicate

Status

Needs Info from Developers

Status

Needs Information from User

Status

Needs Triage

Status

Resolved

Type

Bug

Type

Design

Type

Known Issue

Type

Patch

Archived

Type

Report

Archived

Type

To Do

No Label

Interest

Nodes & Physics

Module

Nodes & Physics

Severity

Normal

Status

Resolved

Type

Report

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Hoshinova James-McCarthy-4 Sebastian-Herholz casey-bianco-davis gandalf3 Blendify Aaron Carlisle quantimoney Aditya Y Jeppu Alaska Alaska angavrilov Alexander Gavrilov frogstomp Aleš Jelovčan amelief Amélie Fondevilla elubie Andrea Weikert Andy_Goralczyk Andy Goralczyk ankitm Ankit Meel Anthony-Roberts Anthony Roberts antoniov Antonio Vazquez aras_p Aras Pranckevicius Arnd Arnd Marijnissen bartvdbraak Bart van der Braak mont29 Bastien Montagne blender-bot Blender Bot bnagirniak Bogdan Nagirniak BClark Brad Clark brecht Brecht Van Lommel BrianSavery Brian Savery (AMD) ideasman42 Campbell Barton CharlesWardlaw Charles Wardlaw CharlieJolly Charlie Jolly Chris_Blackbourn Chris Blackbourn lateasusual Chris Clyne (Lateasusual) ChrisLend Christoph Lendenfeld HobbesOS Cian Jinks fclem Clément Foucault cmbasnett Colin Basnett Kdaf Colin Marmond dfelinto Dalai Felinto pioverfour Damien Picard DanielBystedt Daniel Bystedt pepe-school-land Daniel Martinez Lara zanqdo Daniel Salazar Mets Demeter Dzadik erik85 Erik Abrahamsson EAW Evan Wilson filedescriptor Falk David fsiddi Francesco Siddi GaiaClary Gaia Clary DagerD Georgiy Markelov mano-wii Germano Cavalcante zazizizou Habib Gahbiche HooglyBoogly Hans Goudey Harley Harley Acheson weasel Henrik D. Hjalti Hjalti Hjálmarsson howardt Howard Trickey nirved-1 Hristo Gueorguiev mod_moder Iliya Katushenock brita Inês Almeida JacquesLucke Jacques Lucke Jason-Fielder Jason Fielder JasonSchleifer Jason schleifer Jebbly Jeffrey Liu Jeroen-Bakker Jeroen Bakker deadpin Jesse Yurkovich neXyon Joerg Mueller eliphaz John Kiril Swenson guitargeek Johnny Matthews Brainzman Jonas Holzman JoniMercado Jonatan Mercado JorgeBernalMartinez Jorge Bernal JosephEagar Joseph Eagar JoshuaLeung Joshua Leung Bone-Studio Juan Gea jpbouza-4 Juan Pablo Bouza JulianEisel Julian Eisel JulienDuroure Julien Duroure JulienKaspar Julien Kaspar kevindietrich Kévin Dietrich lone_noel Leon Schittek LucianoMunoz Luciano Muñoz Sessarego LukasStockner Lukas Stockner LukasTonne Lukas Tönne LunaRood Luna Rood MaiLavelle Mai Lavelle EosFoxx Marion Stalke Baardaap Martijn Versteegh scorpion81 Martin Felke mendio Matias Mendiola Matt-McLin Matt McLin MetinSeven Metin Seven wave Michael B Johnson Michael-Jones Michael Jones (Apple) makowalski Michael Kowalski pragma37 Miguel Pozo nrupsis Nate Rupsis jesterking Nathan Letwory nathanvegdahl Nathan Vegdahl PrototypeNM1 Nicholas Rishel nickberckley Nika Kutsniashvili Sirgienko Nikita Sirgienko OmarEmaraDev Omar Emara pablovazquez Pablo Vazquez PaoloAcampora Paolo Acampora PascalSchon Pascal Schön pmoursnv Patrick Mours muxed-reality Peter Kim lichtwerk Philipp Oeser P2design Pierrick PICAUT PratikPB2123 Pratik Borhade Limarest Ramil Roosileht farsthary Raul Fernandez Hernandez LazyDodo Ray molenkamp iss Richard Antalik rjg Robert Guetzkow salipour Sahar A. Kashi Sayak-Biswas Sayak Biswas Sean-Kim Sean Kim sherholz Sebastian Herholz sebastian_k Sebastian Koenig ZedDB Sebastian Parborg sebbas Sebastián Barschkis Sergey Sergey Sharybin IRIEShinsuke Shinsuke Irie sidd017 Siddhartha Jejurkar SietseB Sietse Brouwer SimonThommes Simon Thommes SonnyCampbell_Unity Sonny Campbell Stefan_Werner Stefan Werner Lockal Sv. Lockal dr.sybren Sybren A. Stüvel ThomasDinges Thomas Dinges Ton Ton Roosendaal BassamKurdali Ursula kurdali Vasyl-Pidhirskyi Vasyl Pidhirskyi WannesMalfait Wannes Malfait wbmoss_dev Wayde Moss weizhen Weizhen Huang leesonw William Leeson xavierh Xavier Hallade jenkm Yevgeny Makarov ChengduLittleA YimingWu gfxcoder jon denning

No Assignees Jacques Lucke

4 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: blender/blender#94362

No description provided.