Maniphest T66991

Crash when deleting edit bones when pchan is referenced by bendybone
Closed, Resolved (Bug)

Assigned To
Clément Foucault (fclem)
Authored By
Clément Foucault (fclem)
Jul 15 2019, 2:26 PM
Tags
  • BF Blender
Subscribers
Clément Foucault (fclem)

Description

To reproduce:

Trace from ASAN:

==23269==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190028db6e0 at pc 0x5576bf071c63 bp 0x7fff843ac020 sp 0x7fff843ac010
READ of size 1 at 0x6190028db6e0 thread T0
    #0 0x5576bf071c62 in BLI_findstring /home/clement/Blender/blender/source/blender/blenlib/intern/listbase.c:649
    #1 0x5576c04bc7f1 in ED_armature_ebone_find_name /home/clement/Blender/blender/source/blender/editors/armature/armature_utils.c:270
    #2 0x5576c049d047 in armature_delete_ebone_cb /home/clement/Blender/blender/source/blender/editors/armature/armature_edit.c:1417
    #3 0x5576be8dd96b in BKE_pose_channels_remove /home/clement/Blender/blender/source/blender/blenkernel/intern/action.c:785
    #4 0x5576c049d44f in armature_delete_selected_exec /home/clement/Blender/blender/source/blender/editors/armature/armature_edit.c:1444
    #5 0x5576bf8eb1a5 in wm_operator_invoke /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1450
    #6 0x5576bf8ec1d3 in wm_operator_call_internal /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1664
    #7 0x5576bf8ec3fa in WM_operator_name_call_ptr /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1699
    #8 0x5576c032a5fd in ui_apply_but_funcs_after /home/clement/Blender/blender/source/blender/editors/interface/interface_handlers.c:827
    #9 0x5576c0372123 in ui_popup_handler /home/clement/Blender/blender/source/blender/editors/interface/interface_handlers.c:10264
    #10 0x5576bf8e51fe in wm_handler_ui_call /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:623
    #11 0x5576bf8f1fae in wm_handlers_do_intern /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2699
    #12 0x5576bf8f3e05 in wm_handlers_do /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2945
    #13 0x5576bf8f677e in wm_event_do_handlers /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:3319
    #14 0x5576bf8d7185 in WM_main /home/clement/Blender/blender/source/blender/windowmanager/intern/wm.c:417
    #15 0x5576be7f78db in main /home/clement/Blender/blender/source/creator/creator.c:500
    #16 0x7f62dab0cee2 in __libc_start_main (/usr/lib/libc.so.6+0x26ee2)
    #17 0x5576be7f6e2d in _start (/home/clement/Blender/build_linux/bin/blender+0x2392e2d)

0x6190028db6e0 is located 96 bytes inside of 960-byte region [0x6190028db680,0x6190028dba40)
freed by thread T0 here:
    #0 0x7f62dd75c6c0 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x5576bf2b39df in rem_memblock /home/clement/Blender/blender/intern/guardedalloc/intern/mallocn_guarded_impl.c:1094
    #2 0x5576bf2b30c3 in MEM_guarded_freeN /home/clement/Blender/blender/intern/guardedalloc/intern/mallocn_guarded_impl.c:980
    #3 0x5576bf06d299 in BLI_freelinkN /home/clement/Blender/blender/source/blender/blenlib/intern/listbase.c:291
    #4 0x5576be8dd569 in BKE_pose_channels_remove /home/clement/Blender/blender/source/blender/blenkernel/intern/action.c:755
    #5 0x5576c049d44f in armature_delete_selected_exec /home/clement/Blender/blender/source/blender/editors/armature/armature_edit.c:1444
    #6 0x5576bf8eb1a5 in wm_operator_invoke /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1450
    #7 0x5576bf8ec1d3 in wm_operator_call_internal /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1664
    #8 0x5576bf8ec3fa in WM_operator_name_call_ptr /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:1699
    #9 0x5576c032a5fd in ui_apply_but_funcs_after /home/clement/Blender/blender/source/blender/editors/interface/interface_handlers.c:827
    #10 0x5576c0372123 in ui_popup_handler /home/clement/Blender/blender/source/blender/editors/interface/interface_handlers.c:10264
    #11 0x5576bf8e51fe in wm_handler_ui_call /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:623
    #12 0x5576bf8f1fae in wm_handlers_do_intern /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2699
    #13 0x5576bf8f3e05 in wm_handlers_do /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:2945
    #14 0x5576bf8f677e in wm_event_do_handlers /home/clement/Blender/blender/source/blender/windowmanager/intern/wm_event_system.c:3319
    #15 0x5576bf8d7185 in WM_main /home/clement/Blender/blender/source/blender/windowmanager/intern/wm.c:417
    #16 0x5576be7f78db in main /home/clement/Blender/blender/source/creator/creator.c:500
    #17 0x7f62dab0cee2 in __libc_start_main (/usr/lib/libc.so.6+0x26ee2)

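The trace pins the bug down to an ordering problem inside one function: BKE_pose_channels_remove frees a pose channel through BLI_freelinkN (action.c:755), and a later iteration of the same loop hands the filter callback (action.c:785) a name that lives in that freed block, because another channel still references the freed one. The C program below is an added illustration written for this page, not Blender's code and not the change in D5258; it models that shape with a small channel list. The field names bbone_prev/bbone_next, the poisoning quarantine that stands in for a debug allocator, and the two-pass removal are assumptions made for the example, and the two-pass form is one way to remove the dangling read, not necessarily what the commit does.

```c
/* Added example for this report: a constructed model of the use-after-free the
 * ASAN trace shows, not Blender's own code.  Channels in a list cross-reference
 * each other (assumed fields bbone_prev/bbone_next); a single-pass removal
 * frees a channel and then reads it through a survivor's reference. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 32
#define POISON 0xDD /* fill byte for released channels (assumed debug-allocator behaviour) */

typedef struct Chan {
    struct Chan *next;       /* list link; reused as the quarantine link once released */
    char name[NAME_LEN];
    struct Chan *bbone_prev; /* sibling references a bendy bone keeps (assumed names) */
    struct Chan *bbone_next;
} Chan;

typedef struct {
    const char *doomed;  /* name of the channel selected for deletion */
    int dangling_reads;  /* lookups whose name came from a released channel */
} Filter;

typedef struct { int dangling_reads, survivors, ref_cleared; } Result;

/* Released channels are poisoned and parked instead of freed, so a dangling
 * read is observable deterministically rather than undefined behaviour. */
static Chan *quarantine;

static void chan_release(Chan *c) {
    memset(c->name, POISON, NAME_LEN);
    c->next = quarantine;
    quarantine = c;
}

static Chan *chan_add(Chan **head, const char *name) {
    Chan *c = calloc(1, sizeof *c), **pp = head;
    if (!c) abort();
    snprintf(c->name, NAME_LEN, "%s", name);
    while (*pp) pp = &(*pp)->next; /* append, keeping insertion order */
    *pp = c;
    return c;
}

/* Callback in the style of BKE_pose_channels_remove's filter: nonzero means
 * "remove the channel with this name".  A name starting with the poison byte
 * means the caller followed a pointer into a released channel. */
static int filter_fn(const char *bone_name, void *user_data) {
    Filter *f = user_data;
    if ((unsigned char)bone_name[0] == POISON) { f->dangling_reads++; return 0; }
    return strcmp(bone_name, f->doomed) == 0;
}

/* Buggy shape: release doomed channels and clear survivors' references in the
 * same pass.  If the doomed channel precedes the survivor in the list, the
 * survivor's bbone_prev already points at released memory when it is read. */
static void remove_single_pass(Chan **head, Filter *f) {
    for (Chan **pp = head; *pp;) {
        Chan *c = *pp;
        if (filter_fn(c->name, f)) { *pp = c->next; chan_release(c); continue; }
        if (c->bbone_prev && filter_fn(c->bbone_prev->name, f)) c->bbone_prev = NULL;
        if (c->bbone_next && filter_fn(c->bbone_next->name, f)) c->bbone_next = NULL;
        pp = &c->next;
    }
}

/* Hardened shape (one way to fix it; the actual commit may differ): clear
 * every reference to a doomed channel while all channels are still alive,
 * then release.  No pointer to released memory survives into pass two. */
static void remove_two_pass(Chan **head, Filter *f) {
    for (Chan *c = *head; c; c = c->next) {
        if (c->bbone_prev && filter_fn(c->bbone_prev->name, f)) c->bbone_prev = NULL;
        if (c->bbone_next && filter_fn(c->bbone_next->name, f)) c->bbone_next = NULL;
    }
    for (Chan **pp = head; *pp;) {
        Chan *c = *pp;
        if (filter_fn(c->name, f)) { *pp = c->next; chan_release(c); }
        else pp = &c->next;
    }
}

/* Scenario from the report: "BendyBone" references "Bone", and "Bone" is the
 * channel being deleted.  Constructed data; returns what the filter observed. */
static Result run_scenario(void (*remove_fn)(Chan **, Filter *)) {
    Chan *head = NULL, *n;
    Chan *bone = chan_add(&head, "Bone");
    Chan *bendy = chan_add(&head, "BendyBone");
    chan_add(&head, "Tail");
    bendy->bbone_prev = bone;
    Filter f = { "Bone", 0 };
    Result r = { 0, 0, 0 };
    remove_fn(&head, &f);
    r.dangling_reads = f.dangling_reads;
    r.ref_cleared = (bendy->bbone_prev == NULL);
    for (Chan *c = head; c; c = c->next) r.survivors++;
    while (head) { n = head->next; free(head); head = n; }
    while (quarantine) { n = quarantine->next; free(quarantine); quarantine = n; }
    return r;
}

int main(void) {
    Result a = run_scenario(remove_single_pass), b = run_scenario(remove_two_pass);
    printf("single pass: dangling reads=%d, ref cleared=%d\n", a.dangling_reads, a.ref_cleared);
    printf("two pass:    dangling reads=%d, ref cleared=%d\n", b.dangling_reads, b.ref_cleared);
    return 0;
}
```

With a real allocator the single-pass variant is exactly what ASAN reports above: the read of size 1 in BLI_findstring is the first byte of a name inside a block that BLI_freelinkN already returned. The quarantine makes the same read show up as a counted event instead of a crash, and also shows the second consequence of the bug: because the lookup through freed memory does not match, the stale bbone_prev pointer is never cleared and survives past the operator.
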
Revisions and Commits

rB Blender
D5258

Event Timeline

Clément Foucault (fclem) lowered the priority of this task from 90 to High. Jul 15 2019, 2:26 PM
Clément Foucault (fclem) created this task.

I already have a fix, uploading the diff

Brecht Van Lommel (brecht) added a project: BF Blender. Jul 15 2019, 2:45 PM
Clément Foucault (fclem) changed the task status from Unknown Status to Resolved by committing rB9db772fe9afe: Fix T66991 Crash when deleting edit bones when pchan is referenced by bendybone. Jul 15 2019, 3:15 PM
Clément Foucault (fclem) added a commit: rB9db772fe9afe: Fix T66991 Crash when deleting edit bones when pchan is referenced by bendybone.