Regression: BLI_findstring encountering segfault when script calls bpy.ops.wm.save_as_mainfile #97627

Closed
opened 2022-04-26 15:33:39 +02:00 by Jeducious · 20 comments

System Information
[system-info.txt](https://archive.blender.org/developer/F13028548/system-info.txt)

Blender Version
Broken: (Blender 3.2, 2882cbe685, Debug, 24th April 2022, built from source on macOS 10.15.7 using VSCode)
Worked: (Blender 2.93 LTS, 31712ce77a, master, 19 April 2022)

Caused by 7a9cfd08a8

Segmentation fault when saving a file using a script rather than the UI, also strange visual glitches; for a recording of the visual glitching, see [F13029978](https://archive.blender.org/developer/F13029978/Screen_Recording_2022-04-26_at_11.24.55_pm.mov)

Exact steps for others to reproduce the error
Note:
Crash occurs using any blend file, including the default scene.
Crash seems to be limited to macOS only.

To reproduce

  • Open Blender 3.1 or 3.2 with only the default scene loaded
  • Load and run this script: [minimal_test_case.py](https://archive.blender.org/developer/F13029943/minimal_test_case.py). This is a minimal test case that allows you to recreate the crash
  • A new panel with the title "Crash Test" should have appeared in the Render properties window, locate it and expand it
  • Ensure that the default cube is selected in the scene, then go to the "Crash Test" panel, and press the "Kill Switch" button
  • A props dialog should appear, press the OK button
  • Repeat the actions, press the Kill Switch button and then the OK button above until Blender crashes. This may take many, many attempts

Investigations done
I have looked into the problem. Since the integration of the Cycles X branch, or thereabouts, a new feature came to Blender that allowed the user to save a thumbnail of their Blender UI at the time of saving their blend file and associate it with that particular project. This allowed the thumbnail to be displayed by the OS so the user could search for a project visually. However, it also introduced a design flaw (in my opinion).

The problem is that the UI has to be re-drawn to close any open windows, most obviously the File menu, since the user would have had to open the File menu to reach the save file menu. Also, the save file dialog would need to be closed so that the thumbnail did not contain these elements, as they would overlap much of the UI, potentially obscuring the recognisable feature of the project and rendering the feature far less useful.

The real issue, however, stems from how the feature has been implemented. In order to call save from a script, external devs can use the bpy.ops.wm.save_xxxxxx operators. However, the save_as_mainfile and save_mainfile versions both trigger a redraw of the UI, even when called via a script which doesn't have any UI elements open. It is this calling of the redraw of the UI as a side effect of saving a copy of a blend file from a script that causes the crash. Avoiding the redraw avoids the crash.

This wouldn't be the first time this feature has caused similar issues; in [#92704](https://developer.blender.org/T92704) I had discovered this problem happens when attempting to use bpy.ops.wm.save_xxxxxxx from a thread that is not the main thread. The solution was [D13140](https://developer.blender.org/D13140), which was accepted and is now in master.

Can I say I think it was a mistake to accept that solution? Based on what I'm experiencing now, Blender is randomly crashing even when calling bpy.ops.wm.save_xxxxx from the main thread. I have tried to offer a solution in [D14160](https://developer.blender.org/D14160), however I've been asked for a backtrace. soooo

Crash dumps
This crash dump, generated by macOS after Blender crashed, is typical; it shows the code path from redrawing the UI right down to where the segfault happens: [Minimal_test_case_crashdump1.rtf](https://archive.blender.org/developer/F13029964/Minimal_test_case_crashdump1.rtf)
This crash dump is a stranger version; I don't recognise the code path at all, but it happened on one of many test runs: [Minimal_test_case_crashdump2.rtf](https://archive.blender.org/developer/F13029965/Minimal_test_case_crashdump2.rtf)

The vast majority of crashes are of the first type, where the problem is in BLI_findstring, which I have to say is a confusing method at first. There are no comments and one has to really strive to understand what is going on. It certainly doesn't return a string, but rather seems to use them to locate a struct/data block given the input. I've built Blender from source on macOS and the debugger has paused on the exception.

```c
/* Walks a ListBase and returns the first link whose C string stored `offset`
 * bytes into the link equals `id` (the caller normally passes offsetof()).
 * Returns the matching link, not a string; NULL when `id` is NULL or no
 * link matches. */
void *BLI_findstring(const ListBase *listbase, const char *id, const int offset)
{
  Link *link = NULL;
  const char *id_iter;

  if (id == NULL) {
    return NULL;
  }

  for (link = listbase->first; link; link = link->next) {
    /* The string lives inside the link struct at the given byte offset. */
    id_iter = ((const char *)link) + offset;

    /* Cheap first-byte check before the full string compare. */
    if (id[0] == id_iter[0] && STREQ(id, id_iter)) {
      return link;
    }
  }

  return NULL;
}
```

The problem appears to be the id_iter variable: its pointer is invalid, but not equal to NULL or nullptr. It has a non-zero value which, when dereferenced either using the * operator or by using indexing, causes a segmentation fault.

It is very hard for me to offer any explanation of why, though. I have looked at whether it is my implementation in Python of the UI list, since it is on the UI list where BLI_findstring crashes. But I am no expert and the code is quite opaque to me. I've also used the examples in the Blender Python API for UI lists to create the minimal test case, which reproduces the crash. I would be so happy if this were a known limitation (or an as yet unknown limitation that could be documented, pretty please with sugar on top for also providing a workaround?), but I doubt it; that's opinion though.

What to do about this?
My suggestion would be to ensure that it is possible to avoid unnecessary changes to the UI when saving a file from a script. The proper separation of concerns principle makes sense in this use case, where scripts want to save a copy of the blend file with no unintended side effects, including unnecessary redraws of the UI and especially avoiding associated instability. Though I do agree with Brecht that the underlying cause should be fixed, it would serve in the meantime to not force redraws unless the redraw is being done by the user, from the UI, and have a separate code path for scripts.

I've already provided one example of how we could change the call signature of the bpy.ops.wm.save_as_mainfile operator to allow a boolean flag that can be used to avoid redrawing the UI. I am open to other suggestions on how to ensure separation of concerns for this use case other than those in [D14160](https://developer.blender.org/D14160).

Added subscriber: @JamesCrowther

Added subscriber: @rjg

I can reliably reproduce this issue with an ASAN build:

```
==46131==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000060f60 at pc 0x00002062525e bp 0x7fffffff8ae0 sp 0x7fffffff8ad0
READ of size 8 at 0x614000060f60 thread T0
    #0 0x2062525d in BLI_findstring /home/dev/01-data/01-git/blender-git/blender/source/blender/blenlib/intern/listbase.c:570
    #1 0xcc3bfca in ui_list_ensure /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_template_list.cc:623
    #2 0xcc4295a in uiTemplateList_ex /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_template_list.cc:1200
    #3 0xcc43072 in uiTemplateList /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_template_list.cc:1249
    #4 0x932a3fa in rna_uiTemplateList /home/dev/01-data/01-git/blender-git/blender/source/blender/makesrna/intern/rna_ui_api.c:540
    #5 0x934208f in UILayout_template_list_call /home/dev/01-data/01-git/blender-git/build_linux_debug_full/source/blender/makesrna/intern/rna_ui_gen.c:3450
    #6 0x8a4b362 in RNA_function_call /home/dev/01-data/01-git/blender-git/blender/source/blender/makesrna/intern/rna_access.c:7357
    #7 0x95a9f49 in pyrna_func_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_rna.c:6319
    #8 0x1ec74327 in _PyObject_MakeTpCall Objects/call.c:215
    #9 0x411799d in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    #10 0x411799d in _PyObject_VectorcallTstate Include/cpython/abstract.h:99
    #11 0x411799d in PyObject_Vectorcall Include/cpython/abstract.h:123
    #12 0x411799d in call_function Python/ceval.c:5867
    #13 0x411799d in _PyEval_EvalFrameDefault Python/ceval.c:4231
    #14 0x1ed329b3 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    #15 0x1ed329b3 in _PyEval_Vector Python/ceval.c:5065
    #16 0x1ec73fae in PyVectorcall_Call Objects/call.c:255
    #17 0x95b39bb in bpy_class_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_rna.c:8607
    #18 0x931d43c in panel_draw /home/dev/01-data/01-git/blender-git/blender/source/blender/makesrna/intern/rna_ui.c:129
    #19 0x966ba97 in ed_panel_draw /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/screen/area.c:2784
    #20 0x966e145 in ED_region_panels_layout_ex /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/screen/area.c:2982
    #21 0x1b9b7ddc in buttons_main_region_layout_properties /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/space_buttons/space_buttons.c:303
    #22 0x1b9bb060 in buttons_main_region_layout /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/space_buttons/space_buttons.c:497
    #23 0x96483df in ED_region_do_layout /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/screen/area.c:507
    #24 0x700a40a in wm_draw_window_offscreen /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:678
    #25 0x700bd4e in wm_draw_window /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:881
    #26 0x700d1c8 in wm_draw_update /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:1086
    #27 0x700d526 in WM_redraw_windows /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:1134
    #28 0x705bc16 in wm_file_write /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_files.c:1766
    #29 0x7067330 in wm_save_as_mainfile_exec /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_files.c:3108
    #30 0x701c6a2 in wm_operator_invoke /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1400
    #31 0x701e1bb in wm_operator_call_internal /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1627
    #32 0x701e903 in WM_operator_call_py /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1704
    #33 0x95e3f88 in pyop_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_operator.c:303
    #34 0x1ecb9ec3 in cfunction_call Objects/methodobject.c:552
    #35 0x1ec74327 in _PyObject_MakeTpCall Objects/call.c:215
    #36 0x4117b0a in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    #37 0x4117b0a in _PyObject_VectorcallTstate Include/cpython/abstract.h:99
    #38 0x4117b0a in PyObject_Vectorcall Include/cpython/abstract.h:123
    #39 0x4117b0a in call_function Python/ceval.c:5867
    #40 0x4117b0a in _PyEval_EvalFrameDefault Python/ceval.c:4213
    #41 0x1ed329b3 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    #42 0x1ed329b3 in _PyEval_Vector Python/ceval.c:5065
    #43 0x1ec74509 in _PyObject_FastCallDictTstate Objects/call.c:153
    #44 0x1ec74753 in _PyObject_Call_Prepend Objects/call.c:431
    #45 0x1ecde5b8 in slot_tp_call Objects/typeobject.c:7486
    #46 0x1ec74327 in _PyObject_MakeTpCall Objects/call.c:215
    #47 0x411799d in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    #48 0x411799d in _PyObject_VectorcallTstate Include/cpython/abstract.h:99
    #49 0x411799d in PyObject_Vectorcall Include/cpython/abstract.h:123
    #50 0x411799d in call_function Python/ceval.c:5867
    #51 0x411799d in _PyEval_EvalFrameDefault Python/ceval.c:4231
    #52 0x1ed329b3 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    #53 0x1ed329b3 in _PyEval_Vector Python/ceval.c:5065
    #54 0x1ec73fae in PyVectorcall_Call Objects/call.c:255
    #55 0x95b39bb in bpy_class_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_rna.c:8607
    #56 0x9413427 in rna_operator_invoke_cb /home/dev/01-data/01-git/blender-git/blender/source/blender/makesrna/intern/rna_wm.c:1305
    #57 0x701c058 in wm_operator_invoke /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1386
    #58 0x701e1bb in wm_operator_call_internal /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1627
    #59 0x701e903 in WM_operator_call_py /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1704
    #60 0x95e3f88 in pyop_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_operator.c:303
    #61 0x1ecb9ec3 in cfunction_call Objects/methodobject.c:552
    #62 0x1ec74327 in _PyObject_MakeTpCall Objects/call.c:215
    #63 0x4117b0a in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    #64 0x4117b0a in _PyObject_VectorcallTstate Include/cpython/abstract.h:99
    #65 0x4117b0a in PyObject_Vectorcall Include/cpython/abstract.h:123
    #66 0x4117b0a in call_function Python/ceval.c:5867
    #67 0x4117b0a in _PyEval_EvalFrameDefault Python/ceval.c:4213
    #68 0x1ed329b3 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    #69 0x1ed329b3 in _PyEval_Vector Python/ceval.c:5065
    #70 0x1ec74492 in _PyObject_FastCallDictTstate Objects/call.c:142
    #71 0x1ec74753 in _PyObject_Call_Prepend Objects/call.c:431
    #72 0x1ecde5b8 in slot_tp_call Objects/typeobject.c:7486
    #73 0x1ec74327 in _PyObject_MakeTpCall Objects/call.c:215
    #74 0x4115bbe in _PyObject_VectorcallTstate Include/cpython/abstract.h:112
    #75 0x4115bbe in _PyObject_VectorcallTstate Include/cpython/abstract.h:99
    #76 0x4115bbe in PyObject_Vectorcall Include/cpython/abstract.h:123
    #77 0x4115bbe in call_function Python/ceval.c:5867
    #78 0x4115bbe in _PyEval_EvalFrameDefault Python/ceval.c:4181
    #79 0x1ed329b3 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46
    #80 0x1ed329b3 in _PyEval_Vector Python/ceval.c:5065
    #81 0x1ec73fae in PyVectorcall_Call Objects/call.c:255
    #82 0x95b39bb in bpy_class_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_rna.c:8607
    #83 0x9412ade in rna_operator_execute_cb /home/dev/01-data/01-git/blender-git/blender/source/blender/makesrna/intern/rna_wm.c:1253
    #84 0x7018716 in wm_operator_exec /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1102
    #85 0x7018ccf in WM_operator_call_ex /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1149
    #86 0x70ae688 in dialog_exec_cb /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_operators.c:1424
    #87 0xca9e410 in ui_apply_but_funcs_after /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:1026
    #88 0xcb2c113 in ui_popup_handler /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:11486
    #89 0x7015397 in wm_handler_ui_call /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:736
    #90 0x702d300 in wm_handlers_do_intern /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3116
    #91 0x702e39b in wm_handlers_do /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3235
    #92 0x703700b in wm_event_do_handlers /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3825
    #93 0x6ff92c9 in WM_main /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm.c:623
    #94 0x4118d29 in main /home/dev/01-data/01-git/blender-git/blender/source/creator/creator.c:547
    #95 0x7ffff6e460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #96 0x4117edd in _start (/home/dev/01-data/01-git/blender-git/build_linux_debug_full/bin/blender+0x4117edd)

0x614000060f60 is located 288 bytes inside of 432-byte region [0x614000060e40,0x614000060ff0)
freed by thread T0 here:
    #0 0x7ffff769040f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x20aab48e in MEM_lockfree_freeN /home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:116
    #2 0x2061db76 in BLI_freelinkN /home/dev/01-data/01-git/blender-git/blender/source/blender/blenlib/intern/listbase.c:238
    #3 0xcc29bcc in ui_region_temp_remove /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_regions.cc:49
    #4 0xcbff55c in ui_popup_block_remove /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_popup.cc:521
    #5 0xcc04174 in ui_popup_block_free /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_popup.cc:831
    #6 0xcbf20e5 in UI_popup_block_close /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_menu_popup.cc:652
    #7 0x70ae670 in dialog_exec_cb /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_operators.c:1422
    #8 0xca9e410 in ui_apply_but_funcs_after /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:1026
    #9 0xcb2c113 in ui_popup_handler /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:11486
    #10 0x7015397 in wm_handler_ui_call /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:736
    #11 0x702d300 in wm_handlers_do_intern /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3116
    #12 0x702e39b in wm_handlers_do /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3235
    #13 0x703700b in wm_event_do_handlers /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3825
    #14 0x6ff92c9 in WM_main /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm.c:623
    #15 0x4118d29 in main /home/dev/01-data/01-git/blender-git/blender/source/creator/creator.c:547
    #16 0x7ffff6e460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

previously allocated by thread T0 here:
    #0 0x7ffff7690a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x20aabb7d in MEM_lockfree_callocN /home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:222
    #2 0xcbe868a in ARegion* MEM_cnew<ARegion>(char const*) /home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/MEM_guardedalloc.h:278
    #3 0xcc29830 in ui_region_temp_add /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_regions.cc:28
    #4 0xcc03a59 in ui_popup_block_create /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_popup.cc:790
    #5 0xcbf1a73 in UI_popup_block_ex /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_menu_popup.cc:606
    #6 0x70b0048 in WM_operator_props_dialog_popup /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_operators.c:1603
    #7 0x9434ac9 in WindowManager_invoke_props_dialog_call /home/dev/01-data/01-git/blender-git/build_linux_debug_full/source/blender/makesrna/intern/rna_wm_gen.c:3469
    #8 0x8a4b362 in RNA_function_call /home/dev/01-data/01-git/blender-git/blender/source/blender/makesrna/intern/rna_access.c:7357
    #9 0x95a9f49 in pyrna_func_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_rna.c:6319
    #10 0x1ec74327 in _PyObject_MakeTpCall Objects/call.c:215

SUMMARY: AddressSanitizer: heap-use-after-free /home/dev/01-data/01-git/blender-git/blender/source/blender/blenlib/intern/listbase.c:570 in BLI_findstring
Shadow bytes around the buggy address:
  0x0c2880004190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800041a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800041b0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c28800041c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c28800041d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c28800041e0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c28800041f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c2880004200: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2880004210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2880004220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2880004230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
```
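The lookup that BLI_findstring performs (reporter's excerpt above) and the ordering the ASAN report exposes (the popup's ARegion is freed by UI_popup_block_close inside dialog_exec_cb, then read again when the operator's save triggers WM_redraw_windows and the panel's template_list runs ui_list_ensure), modelled in a small stand-alone C program. This is an added example, not Blender's code: the ListBase/Link/findstring idiom is re-created, Region and UiList are simplified stand-ins for ARegion and uiList, the "UL_example" list id is constructed, and the live-region registry is an assumed substitute for ASAN's shadow bytes so the dangling read can be reported rather than performed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed re-creation of Blender's ListBase/Link idiom (not Blender's code):
 * every node begins with next/prev, so any struct whose first member is a Link fits. */
typedef struct Link { struct Link *next, *prev; } Link;
typedef struct ListBase { void *first, *last; } ListBase;

/* Stand-in for the named uiList record that ui_list_ensure looks up. */
typedef struct UiList {
  Link link;          /* first member, so a UiList* is also a valid Link* */
  char list_id[64];   /* the C string findstring compares against */
  int active_index;
} UiList;

/* Stand-in for the temporary popup ARegion. The ListBase of UI lists is embedded
 * in it, consistent with the ASAN read landing inside the freed 432-byte region. */
typedef struct Region {
  Link link;
  ListBase ui_lists;
} Region;

static void listbase_append(ListBase *lb, void *vlink) {
  Link *link = vlink;
  link->next = NULL;
  link->prev = lb->last;
  if (lb->last) ((Link *)lb->last)->next = link;
  if (!lb->first) lb->first = link;
  lb->last = link;
}

/* Same algorithm as BLI_findstring: compare the C string stored `offset` bytes
 * into each node (normally offsetof()) and return the node, never a string. */
static void *listbase_findstring(const ListBase *lb, const char *id, int offset) {
  if (id == NULL) return NULL;
  for (Link *link = lb->first; link; link = link->next) {
    const char *id_iter = (const char *)link + offset;
    if (id[0] == id_iter[0] && strcmp(id, id_iter) == 0) return link;
  }
  return NULL;
}

/* Assumed liveness registry: a crude stand-in for ASAN's shadow bytes, so a use
 * of a freed region is reported instead of dereferenced. */
#define MAX_REGIONS 8
static Region *live_regions[MAX_REGIONS];

static Region *region_create(void) {
  Region *r = calloc(1, sizeof *r);
  for (int i = 0; i < MAX_REGIONS; i++) if (!live_regions[i]) { live_regions[i] = r; break; }
  return r;
}

static int region_is_live(const Region *r) {  /* compares addresses only */
  for (int i = 0; i < MAX_REGIONS; i++) if (live_regions[i] == r) return 1;
  return 0;
}

/* Frees the region and everything it owns (what ui_region_temp_remove does). */
static void region_free(Region *r) {
  for (Link *l = r->ui_lists.first; l;) { Link *next = l->next; free(l); l = next; }
  for (int i = 0; i < MAX_REGIONS; i++) if (live_regions[i] == r) live_regions[i] = NULL;
  free(r);
}

static UiList *region_add_uilist(Region *r, const char *list_id, int active_index) {
  UiList *ul = calloc(1, sizeof *ul);
  strncpy(ul->list_id, list_id, sizeof ul->list_id - 1);  /* calloc keeps it terminated */
  ul->active_index = active_index;
  listbase_append(&r->ui_lists, ul);
  return ul;
}

enum { RESULT_NOT_FOUND = -1, RESULT_DANGLING = -2 };

/* The redraw side: ui_list_ensure-style lookup of a list by id within a region. */
static int region_uilist_active(const Region *r, const char *list_id) {
  if (!region_is_live(r)) return RESULT_DANGLING;  /* the read ASAN flagged */
  UiList *ul = listbase_findstring(&r->ui_lists, list_id, offsetof(UiList, list_id));
  return ul ? ul->active_index : RESULT_NOT_FOUND;
}

/* Ordering from the ASAN trace: dialog_exec_cb closes the popup (freeing its
 * region), then runs the operator whose save redraws windows over that region. */
static int scenario_close_then_redraw(void) {
  Region *popup = region_create();
  region_add_uilist(popup, "UL_example", 3);         /* constructed list id */
  region_free(popup);                                 /* UI_popup_block_close */
  return region_uilist_active(popup, "UL_example");   /* save -> WM_redraw_windows */
}

/* Contrasting (assumed) ordering: redraw while the region is alive, then close. */
static int scenario_redraw_then_close(void) {
  Region *popup = region_create();
  region_add_uilist(popup, "UL_example", 3);
  int result = region_uilist_active(popup, "UL_example");
  region_free(popup);
  return result;
}
```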

wm_operator_call_internal /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1627 - 59 0x701e903 in WM_operator_call_py /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1704 - 60 0x95e3f88 in pyop_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_operator.c:303 - 61 0x1ecb9ec3 in cfunction_call Objects/methodobject.c:552 - 62 0x1ec74327 in _PyObject_MakeTpCall Objects/call.c:215 - 63 0x4117b0a in _PyObject_VectorcallTstate Include/cpython/abstract.h:112 - 64 0x4117b0a in _PyObject_VectorcallTstate Include/cpython/abstract.h:99 - 65 0x4117b0a in PyObject_Vectorcall Include/cpython/abstract.h:123 - 66 0x4117b0a in call_function Python/ceval.c:5867 - 67 0x4117b0a in _PyEval_EvalFrameDefault Python/ceval.c:4213 - 68 0x1ed329b3 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 - 69 0x1ed329b3 in _PyEval_Vector Python/ceval.c:5065 - 70 0x1ec74492 in _PyObject_FastCallDictTstate Objects/call.c:142 - 71 0x1ec74753 in _PyObject_Call_Prepend Objects/call.c:431 - 72 0x1ecde5b8 in slot_tp_call Objects/typeobject.c:7486 - 73 0x1ec74327 in _PyObject_MakeTpCall Objects/call.c:215 - 74 0x4115bbe in _PyObject_VectorcallTstate Include/cpython/abstract.h:112 - 75 0x4115bbe in _PyObject_VectorcallTstate Include/cpython/abstract.h:99 - 76 0x4115bbe in PyObject_Vectorcall Include/cpython/abstract.h:123 - 77 0x4115bbe in call_function Python/ceval.c:5867 - 78 0x4115bbe in _PyEval_EvalFrameDefault Python/ceval.c:4181 - 79 0x1ed329b3 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:46 - 80 0x1ed329b3 in _PyEval_Vector Python/ceval.c:5065 - 81 0x1ec73fae in PyVectorcall_Call Objects/call.c:255 - 82 0x95b39bb in bpy_class_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_rna.c:8607 - 83 0x9412ade in rna_operator_execute_cb /home/dev/01-data/01-git/blender-git/blender/source/blender/makesrna/intern/rna_wm.c:1253 - 84 
0x7018716 in wm_operator_exec /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1102 - 85 0x7018ccf in WM_operator_call_ex /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1149 - 86 0x70ae688 in dialog_exec_cb /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_operators.c:1424 - 87 0xca9e410 in ui_apply_but_funcs_after /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:1026 - 88 0xcb2c113 in ui_popup_handler /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:11486 - 89 0x7015397 in wm_handler_ui_call /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:736 - 90 0x702d300 in wm_handlers_do_intern /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3116 - 91 0x702e39b in wm_handlers_do /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3235 - 92 0x703700b in wm_event_do_handlers /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3825 - 93 0x6ff92c9 in WM_main /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm.c:623 - 94 0x4118d29 in main /home/dev/01-data/01-git/blender-git/blender/source/creator/creator.c:547 - 95 0x7ffff6e460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2) #96 0x4117edd in _start (/home/dev/01-data/01-git/blender-git/build_linux_debug_full/bin/blender+0x4117edd) 0x614000060f60 is located 288 bytes inside of 432-byte region [0x614000060e40,0x614000060ff0) freed by thread T0 here: - 0 0x7ffff769040f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 - 1 0x20aab48e in MEM_lockfree_freeN 
/home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:116 - 2 0x2061db76 in BLI_freelinkN /home/dev/01-data/01-git/blender-git/blender/source/blender/blenlib/intern/listbase.c:238 - 3 0xcc29bcc in ui_region_temp_remove /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_regions.cc:49 - 4 0xcbff55c in ui_popup_block_remove /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_popup.cc:521 - 5 0xcc04174 in ui_popup_block_free /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_popup.cc:831 - 6 0xcbf20e5 in UI_popup_block_close /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_menu_popup.cc:652 - 7 0x70ae670 in dialog_exec_cb /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_operators.c:1422 - 8 0xca9e410 in ui_apply_but_funcs_after /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:1026 - 9 0xcb2c113 in ui_popup_handler /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_handlers.c:11486 - 10 0x7015397 in wm_handler_ui_call /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:736 - 11 0x702d300 in wm_handlers_do_intern /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3116 - 12 0x702e39b in wm_handlers_do /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3235 - 13 0x703700b in wm_event_do_handlers /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:3825 - 14 0x6ff92c9 in WM_main /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm.c:623 - 15 0x4118d29 in main 
/home/dev/01-data/01-git/blender-git/blender/source/creator/creator.c:547 #16 0x7ffff6e460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2) previously allocated by thread T0 here: - 0 0x7ffff7690a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153 - 1 0x20aabb7d in MEM_lockfree_callocN /home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:222 - 2 0xcbe868a in ARegion* MEM_cnew<ARegion>(char const*) /home/dev/01-data/01-git/blender-git/blender/intern/guardedalloc/MEM_guardedalloc.h:278 - 3 0xcc29830 in ui_region_temp_add /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_regions.cc:28 - 4 0xcc03a59 in ui_popup_block_create /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_popup.cc:790 - 5 0xcbf1a73 in UI_popup_block_ex /home/dev/01-data/01-git/blender-git/blender/source/blender/editors/interface/interface_region_menu_popup.cc:606 - 6 0x70b0048 in WM_operator_props_dialog_popup /home/dev/01-data/01-git/blender-git/blender/source/blender/windowmanager/intern/wm_operators.c:1603 - 7 0x9434ac9 in WindowManager_invoke_props_dialog_call /home/dev/01-data/01-git/blender-git/build_linux_debug_full/source/blender/makesrna/intern/rna_wm_gen.c:3469 - 8 0x8a4b362 in RNA_function_call /home/dev/01-data/01-git/blender-git/blender/source/blender/makesrna/intern/rna_access.c:7357 - 9 0x95a9f49 in pyrna_func_call /home/dev/01-data/01-git/blender-git/blender/source/blender/python/intern/bpy_rna.c:6319 #10 0x1ec74327 in _PyObject_MakeTpCall Objects/call.c:215 SUMMARY: AddressSanitizer: heap-use-after-free /home/dev/01-data/01-git/blender-git/blender/source/blender/blenlib/intern/listbase.c:570 in BLI_findstring Shadow bytes around the buggy address: 0x0c2880004190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c28800041a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c28800041b0: fd fd fd fd fd fd fd fd 
fd fd fa fa fa fa fa fa 0x0c28800041c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c28800041d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd # >0x0c28800041e0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd 0x0c28800041f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa 0x0c2880004200: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c2880004210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2880004220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2880004230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa Shadow byte legend (one shadow byte represents 8 application bytes): ``` Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ```

Changed status from 'Needs Triage' to: 'Confirmed'

Eyad Ahmed self-assigned this 2022-04-26 22:19:12 +02:00

Edit: The `&region->ui_lists.first` and `&region->ui_lists.last` are `nullptr` in `ui_list_ensure()`.
Contributor

Indeed tracked it down to this 🙏

Contributor

it is null before the button is clicked indeed
but it is worse, it gets freed before usage

it seems that the region gets freed by `BKE_area_region_free` before `ui_list_ensure` gets called

these are the values of the `ui_lists` pointers when this happens in a debug build (the Kill Switch OK button is clicked, memory is freed by `BKE_area_region_free`, then accessed after free in `ui_list_ensure`)

discussing with Jamesy from Crowd Render on Discord

@rjg

![image.png](https://archive.blender.org/developer/F13030992/image.png)
Contributor

this is the call stack right after clicking the button, it calls free, then afterwards `ui_list_ensure` accesses that freed memory

it seems that closing the pop-up leads to free, but then the operator is executed, which leads to access after free

![image.png](https://archive.blender.org/developer/F13031077/image.png)
Author

> this is the call stack right after clicking the button, it calls free, then afterwards `ui_list_ensure` accesses that freed memory

Looks like the pop-up handler is incorrectly freeing the template list? The preceding stack frames show some operations related to a "popup" which I assume to be the props dialog that we use (both in our addon and I included it in the minimal test case script).

Willing to bet that if I remove the pop-up, the crash will disappear. Going to try that and report back. I'll modify the script so that we don't generate a props dialog and save the blend file directly from a button located in the render properties panel.
Author

Confirmed! If I modify the script to allow the `bpy.ops.wm.save_as_mainfile` operator to be called from a button located within a sub-panel in the render properties area of the Blender UI, I can't crash Blender no matter how hard I try. So it seems the popup handler is somehow freeing the UI list incorrectly?! The UI list is instantiated in the panel, not the popup, so could maybe @rjg let us know why this is happening? I would imagine it makes sense to free the popup, but not the UI_List from which the button was pressed to generate the popup! It's still supposed to be there after the popup is gone!
Member

Added subscriber: @lichtwerk

Member

Marking as High prio since it is a regression.

Philipp Oeser changed title from BLI_findstring encountering segfault when script calls bpy.ops.wm.save_as_mainfile to Regression: BLI_findstring encountering segfault when script calls bpy.ops.wm.save_as_mainfile 2022-04-27 09:27:23 +02:00

> In #97627#1347196, @IyadAhmed wrote:
> it is null before the button is clicked indeed
> but it is worse, it gets freed before usage

@IyadAhmed Yes. I thought that was obvious from the ASAN report, hence I didn't point that out specifically. The allocation is done by `ui_region_temp_add` and `ui_region_temp_remove` frees it, before the call to `ui_list_ensure` happens.

Added subscribers: @Harley, @ideasman42


Looked into this, it looks to be caused by 7a9cfd08a8 (CC'ing @Harley).

I think it's only practical to redraw when this operator is called in the main event loop.

Suggest to revert; longer term we could have a way for operators to detect if they're running in the main event loop.
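The sequence the ASAN report and the comments above establish (the popup's exec callback closes the popup, `ui_region_temp_remove` frees its `ARegion`, then the operator runs and its redraw reaches `ui_list_ensure` on that region) is the classic callback-frees-what-the-caller-still-holds use-after-free. As an added illustration, not Blender's code and not the fix that was committed (the offending commit was reverted), the C program below models one discipline that makes that sequence safe: a temporary region is unlinked immediately but its free is deferred until the outermost UI handler has unwound, with a handler depth counter that doubles as the "are we inside the event loop" signal mentioned above. `Link`, `ListBase`, `ARegion`, `uiList`, `Window` and every function name are hypothetical simplifications of the Blender ones; `findstring` keeps `BLI_findstring`'s offset-based contract, and the "panel_list" id and the flow in `dialog_exec_flow` are constructed to mirror the report.

```c
/* Added example, not Blender code: temporary UI regions are unlinked at once but freed
 * only after the outermost UI handler unwinds, so a callback that closes a popup and then
 * runs an operator cannot leave that operator's redraw holding a dangling ARegion.
 * All type and function names are hypothetical simplifications of the Blender ones. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Link { struct Link *next, *prev; } Link;
typedef struct ListBase { Link *first, *last; } ListBase;
typedef struct uiList { Link link; char list_id[64]; } uiList;
typedef struct ARegion { Link link; ListBase ui_lists; bool pending_free; } ARegion;
typedef struct Window {
  ListBase regions;       /* live regions, the only ones a redraw walks */
  ListBase pending_free;  /* unlinked while a handler ran; freed on unwind */
  int handler_depth;      /* >0 while a UI/event handler is on the stack */
} Window;

/* Intrusive doubly linked list, as in BLI_listbase. */
static void listbase_addtail(ListBase *lb, Link *l) {
  l->next = NULL; l->prev = lb->last;
  if (lb->last) lb->last->next = l; else lb->first = l;
  lb->last = l;
}
static void listbase_remlink(ListBase *lb, Link *l) {
  if (l->prev) l->prev->next = l->next; else lb->first = l->next;
  if (l->next) l->next->prev = l->prev; else lb->last = l->prev;
  l->next = l->prev = NULL;
}
/* Same contract as BLI_findstring(): compare the char array `offset` bytes into each link. */
static Link *findstring(const ListBase *lb, const char *id, size_t offset) {
  for (Link *l = lb->first; l; l = l->next)
    if (strcmp((const char *)l + offset, id) == 0) return l;
  return NULL;
}

static void region_free(ARegion *region) {
  for (Link *l = region->ui_lists.first, *next; l; l = next) { next = l->next; free(l); }
  free(region);
}
static ARegion *region_temp_add(Window *win) {
  ARegion *region = calloc(1, sizeof(*region));
  listbase_addtail(&win->regions, &region->link);
  return region;
}
/* Unlink now; free only when no handler can still be holding the pointer. */
static void region_temp_remove(Window *win, ARegion *region) {
  listbase_remlink(&win->regions, &region->link);
  if (win->handler_depth == 0) { region_free(region); return; }
  region->pending_free = true;
  listbase_addtail(&win->pending_free, &region->link);
}
static void handler_begin(Window *win) { win->handler_depth++; }
/* Drain the deferred frees only when the outermost handler returns. */
static void handler_end(Window *win) {
  if (--win->handler_depth > 0) return;
  for (Link *l = win->pending_free.first, *next; l; l = next) { next = l->next; region_free((ARegion *)l); }
  win->pending_free.first = win->pending_free.last = NULL;
}

/* Equivalent of ui_list_ensure(): find the list by id, create it on a miss. */
static uiList *ui_list_ensure(ARegion *region, const char *id) {
  uiList *ui_list = (uiList *)findstring(&region->ui_lists, id, offsetof(uiList, list_id));
  if (ui_list) return ui_list;
  ui_list = calloc(1, sizeof(*ui_list));
  snprintf(ui_list->list_id, sizeof(ui_list->list_id), "%s", id);
  listbase_addtail(&region->ui_lists, &ui_list->link);
  return ui_list;
}
/* WM_redraw_windows() stand-in: lays out every live region and returns how many. */
static int redraw_windows(Window *win) {
  int drawn = 0;
  for (Link *l = win->regions.first; l; l = l->next, drawn++) ui_list_ensure((ARegion *)l, "panel_list");
  return drawn;
}
typedef struct FlowResult {
  int regions_drawn;    /* regions the redraw inside the handler touched */
  bool popup_marked;    /* popup memory still addressable (and flagged) during the handler */
  bool pending_during;  /* something queued for free while the handler ran */
  bool pending_after;   /* anything still queued once the handler unwound */
} FlowResult;
/* The sequence from the report: OK button -> close popup -> run operator -> redraw. */
static FlowResult dialog_exec_flow(void) {
  Window win = {{NULL, NULL}, {NULL, NULL}, 0};
  FlowResult r = {0, false, false, false};
  ARegion *panel = region_temp_add(&win);  /* properties editor region with the template list */
  ui_list_ensure(panel, "panel_list");
  handler_begin(&win);                     /* ui_popup_handler */
  ARegion *popup = region_temp_add(&win);  /* invoke_props_dialog */
  region_temp_remove(&win, popup);         /* dialog_exec_cb: UI_popup_block_close */
  r.popup_marked = popup->pending_free;    /* would be a UAF read under immediate free */
  r.regions_drawn = redraw_windows(&win);  /* operator exec -> WM_redraw_windows */
  r.pending_during = win.pending_free.first != NULL;
  handler_end(&win);                       /* popup actually freed here */
  r.pending_after = win.pending_free.first != NULL;
  region_temp_remove(&win, panel);         /* depth 0: freed immediately */
  return r;
}
```

The redraw inside the handler sees only the panel region because the popup was unlinked from `regions` the moment it was closed, while the popup's memory stays valid until `handler_end` drains the queue; the same `handler_depth` value is what an operator would consult to decide whether it is running directly from the event loop or nested inside a callback.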
Eyad Ahmed was unassigned by Harley Acheson 2022-04-27 16:49:26 +02:00
Harley Acheson self-assigned this 2022-04-27 16:49:26 +02:00
Member

Added subscriber: @IyadAhmed

Member

> @ideasman42 - Looked into this it looks to be caused by 7a9cfd08a8 (CC'ing @Harley)...Suggest to revert...

Will do.
Contributor

> In #97627#1347406, @rjg wrote:
>> In #97627#1347196, @IyadAhmed wrote:
>> it is null before the button is clicked indeed
>> but it is worse, it gets freed before usage
>
> @IyadAhmed Yes. I thought that was obvious from the ASAN report, hence I didn't point that out specifically. The allocation is done by `ui_region_temp_add` and `ui_region_temp_remove` frees it, before the call to `ui_list_ensure` happens.

Ah ok

This issue was referenced by c6ce2be4962de62415fadd8f4f38e5a9e12b5f64
Member

Changed status from 'Confirmed' to: 'Resolved'

Reference: blender/blender#97627