Maniphest T93809

Crash/undefined-behavior when opening demo file (heap-use-after-free of material node-tree in Eevee)
Closed, Resolved

Assigned To
Julian Eisel (Severin)
Authored By
Julian Eisel (Severin)
Dec 7 2021, 11:51 AM
Tags
  • BF Blender
  • EEVEE & Viewport
Subscribers
Jesse Yurkovich (deadpin)
Julian Eisel (Severin)

Description

Best enable ASan to reproduce this.

Blender Version
Broken: 4312cb854517
Worked: (newest version of Blender that worked as expected)

Short description of error

Heap-use-after-free when opening the Cube Diorama demo file from https://www.blender.org/download/demo-files/

Exact steps for others to reproduce the error
Download and open this demo file:
==80090==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160009bfab8 at pc 0x00000e827cda bp 0x7ffc8e2b4770 sp 0x7ffc8e2b4760
READ of size 8 at 0x6160009bfab8 thread T0
    #0 0xe827cd9 in localize /home/guest/blender/software/dev/default/src/source/blender/nodes/shader/node_shader_tree.cc:143
    #1 0x8abf0d5 in ntreeLocalize /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:3448
    #2 0x8abec7b in ntreeLocalize /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:3432
    #3 0x1807e8b7 in GPU_material_from_nodetree /home/guest/blender/software/dev/default/src/source/blender/gpu/intern/gpu_material.c:640
    #4 0x9f74fda in DRW_shader_create_from_material /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager_shader.c:523
    #5 0xa05df9a in eevee_material_get_ex /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_shaders.c:1479
    #6 0xa05e9d5 in EEVEE_material_get /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_shaders.c:1517
    #7 0xa025584 in material_opaque /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_materials.c:598
    #8 0xa028ed5 in eevee_material_cache_get /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_materials.c:755
    #9 0xa028ed5 in EEVEE_materials_cache_populate /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_materials.c:828
    #10 0x9f9d24a in EEVEE_cache_populate /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_engine.c:126
    #11 0x9d6ea9f in drw_engines_cache_populate /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager.c:1096
    #12 0x9d748d9 in DRW_draw_render_loop_ex /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager.c:1719
    #13 0x9d739c2 in DRW_draw_view /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager.c:1627
    #14 0xdd5a710 in view3d_draw_view /home/guest/blender/software/dev/default/src/source/blender/editors/space_view3d/view3d_draw.c:1573
    #15 0xdd5a899 in view3d_main_region_draw /home/guest/blender/software/dev/default/src/source/blender/editors/space_view3d/view3d_draw.c:1595
    #16 0xb765847 in ED_region_do_draw /home/guest/blender/software/dev/default/src/source/blender/editors/screen/area.c:564
    #17 0x90972a7 in wm_draw_window_offscreen /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm_draw.c:730
    #18 0x90984d7 in wm_draw_window /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm_draw.c:880
    #19 0x9099946 in wm_draw_update /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm_draw.c:1081
    #20 0x907a490 in WM_main /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm.c:660
    #21 0x7ef2769 in main /home/guest/blender/software/dev/default/src/source/creator/creator.c:558
    #22 0x7f7cc4037564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
    #23 0x7ef1aed in _start (/home/guest/blender/software/dev/default/build/bin/blender+0x7ef1aed)

0x6160009bfab8 is located 56 bytes inside of 536-byte region [0x6160009bfa80,0x6160009bfc98)
freed by thread T0 here:
    #0 0x7f7cc46238f7 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x18658f05 in rem_memblock /home/guest/blender/software/dev/default/src/intern/guardedalloc/intern/mallocn_guarded_impl.c:1019
    #2 0x18657ec3 in MEM_guarded_freeN /home/guest/blender/software/dev/default/src/intern/guardedalloc/intern/mallocn_guarded_impl.c:908
    #3 0x8abbdcf in node_free_node /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:3161
    #4 0x8abbf7f in ntreeFreeLocalNode /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:3172
    #5 0xe827ca0 in localize /home/guest/blender/software/dev/default/src/source/blender/nodes/shader/node_shader_tree.cc:146
    #6 0x8abf0d5 in ntreeLocalize /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:3448
    #7 0x8abec7b in ntreeLocalize /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:3432
    #8 0x1807e8b7 in GPU_material_from_nodetree /home/guest/blender/software/dev/default/src/source/blender/gpu/intern/gpu_material.c:640
    #9 0x9f74fda in DRW_shader_create_from_material /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager_shader.c:523
    #10 0xa05df9a in eevee_material_get_ex /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_shaders.c:1479
    #11 0xa05e9d5 in EEVEE_material_get /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_shaders.c:1517
    #12 0xa025584 in material_opaque /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_materials.c:598
    #13 0xa028ed5 in eevee_material_cache_get /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_materials.c:755
    #14 0xa028ed5 in EEVEE_materials_cache_populate /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_materials.c:828
    #15 0x9f9d24a in EEVEE_cache_populate /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_engine.c:126
    #16 0x9d6ea9f in drw_engines_cache_populate /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager.c:1096
    #17 0x9d748d9 in DRW_draw_render_loop_ex /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager.c:1719
    #18 0x9d739c2 in DRW_draw_view /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager.c:1627
    #19 0xdd5a710 in view3d_draw_view /home/guest/blender/software/dev/default/src/source/blender/editors/space_view3d/view3d_draw.c:1573
    #20 0xdd5a899 in view3d_main_region_draw /home/guest/blender/software/dev/default/src/source/blender/editors/space_view3d/view3d_draw.c:1595
    #21 0xb765847 in ED_region_do_draw /home/guest/blender/software/dev/default/src/source/blender/editors/screen/area.c:564
    #22 0x90972a7 in wm_draw_window_offscreen /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm_draw.c:730
    #23 0x90984d7 in wm_draw_window /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm_draw.c:880
    #24 0x9099946 in wm_draw_update /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm_draw.c:1081
    #25 0x907a490 in WM_main /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm.c:660
    #26 0x7ef2769 in main /home/guest/blender/software/dev/default/src/source/creator/creator.c:558
    #27 0x7f7cc4037564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)

previously allocated by thread T0 here:
    #0 0x7f7cc4623e17 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x18655e97 in MEM_guarded_callocN /home/guest/blender/software/dev/default/src/intern/guardedalloc/intern/mallocn_guarded_impl.c:555
    #2 0x8aaefa4 in BKE_node_copy_ex /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:2254
    #3 0x8a976fc in ntree_copy_data /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:157
    #4 0x8750d94 in BKE_id_copy_ex /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/lib_id.c:630
    #5 0x8abe98f in ntreeLocalize /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:3425
    #6 0x8abec7b in ntreeLocalize /home/guest/blender/software/dev/default/src/source/blender/blenkernel/intern/node.cc:3432
    #7 0x1807e8b7 in GPU_material_from_nodetree /home/guest/blender/software/dev/default/src/source/blender/gpu/intern/gpu_material.c:640
    #8 0x9f74fda in DRW_shader_create_from_material /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager_shader.c:523
    #9 0xa05df9a in eevee_material_get_ex /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_shaders.c:1479
    #10 0xa05e9d5 in EEVEE_material_get /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_shaders.c:1517
    #11 0xa025584 in material_opaque /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_materials.c:598
    #12 0xa028ed5 in eevee_material_cache_get /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_materials.c:755
    #13 0xa028ed5 in EEVEE_materials_cache_populate /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_materials.c:828
    #14 0x9f9d24a in EEVEE_cache_populate /home/guest/blender/software/dev/default/src/source/blender/draw/engines/eevee/eevee_engine.c:126
    #15 0x9d6ea9f in drw_engines_cache_populate /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager.c:1096
    #16 0x9d748d9 in DRW_draw_render_loop_ex /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager.c:1719
    #17 0x9d739c2 in DRW_draw_view /home/guest/blender/software/dev/default/src/source/blender/draw/intern/draw_manager.c:1627
    #18 0xdd5a710 in view3d_draw_view /home/guest/blender/software/dev/default/src/source/blender/editors/space_view3d/view3d_draw.c:1573
    #19 0xdd5a899 in view3d_main_region_draw /home/guest/blender/software/dev/default/src/source/blender/editors/space_view3d/view3d_draw.c:1595
    #20 0xb765847 in ED_region_do_draw /home/guest/blender/software/dev/default/src/source/blender/editors/screen/area.c:564
    #21 0x90972a7 in wm_draw_window_offscreen /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm_draw.c:730
    #22 0x90984d7 in wm_draw_window /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm_draw.c:880
    #23 0x9099946 in wm_draw_update /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm_draw.c:1081
    #24 0x907a490 in WM_main /home/guest/blender/software/dev/default/src/source/blender/windowmanager/intern/wm.c:660
    #25 0x7ef2769 in main /home/guest/blender/software/dev/default/src/source/creator/creator.c:558
    #26 0x7f7cc4037564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)

SUMMARY: AddressSanitizer: heap-use-after-free /home/guest/blender/software/dev/default/src/source/blender/nodes/shader/node_shader_tree.cc:143 in localize
==80090==ABORTING

Related Objects

Mentioned In
rB0f48b37aae02: Revert moving all shader nodes to c++
D13498: Fix: Revert moving shader nodes to C++.
Mentioned Here
T93797: Crash [or faulty eevee render] when opening UDIM_monster
rB4312cb854517: Fix memory leak when loading large asset libraries

Event Timeline

Julian Eisel (Severin) created this task. Dec 7 2021, 11:51 AM
Julian Eisel (Severin) updated the task description.
Jesse Yurkovich (deadpin) added a subscriber: Jesse Yurkovich (deadpin). Dec 7 2021, 11:55 AM

This matches the stack in the ASan report for T93797.

Julian Eisel (Severin) added a project: EEVEE & Viewport. Dec 7 2021, 11:57 AM

The allocation, freeing and heap-use-after-free all seem to be happening in Eevee/DRW/GPU, even in the same function call it seems (eevee_material_get_ex() -> DRW_shader_create_from_material() -> GPU_material_from_nodetree() -> ...). So tagging the project accordingly.
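The reasoning in the comment above (reading the use, free and allocation stacks of the report together and noticing they meet in one function) can be mechanised. The following is an added Python example, not Blender tooling; it runs on a constructed, trimmed excerpt of this task's report and returns the facts a triager wants: the bug kind, the first project frame of each stack, and the innermost function that both freed the object (transitively) and touched it again.

```python
import re
# Constructed, abbreviated excerpt of this task's ASan report (frames trimmed, paths shortened).
REPORT = """\
==80090==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160009bfab8 at pc 0x00000e827cda
READ of size 8 at 0x6160009bfab8 thread T0
    #0 0xe827cd9 in localize source/blender/nodes/shader/node_shader_tree.cc:143
    #1 0x8abf0d5 in ntreeLocalize source/blender/blenkernel/intern/node.cc:3448
freed by thread T0 here:
    #0 0x7f7cc46238f7 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x18658f05 in rem_memblock intern/guardedalloc/intern/mallocn_guarded_impl.c:1019
    #2 0x8abbdcf in node_free_node source/blender/blenkernel/intern/node.cc:3161
    #3 0x8abbf7f in ntreeFreeLocalNode source/blender/blenkernel/intern/node.cc:3172
    #4 0xe827ca0 in localize source/blender/nodes/shader/node_shader_tree.cc:146
    #5 0x8abf0d5 in ntreeLocalize source/blender/blenkernel/intern/node.cc:3448
previously allocated by thread T0 here:
    #0 0x7f7cc4623e17 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x18655e97 in MEM_guarded_callocN intern/guardedalloc/intern/mallocn_guarded_impl.c:555
    #2 0x8aaefa4 in BKE_node_copy_ex source/blender/blenkernel/intern/node.cc:2254
"""
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$")
SECTIONS = {"READ of size": "use", "WRITE of size": "use", "freed by": "free", "previously allocated": "alloc"}
RUNTIME = ("libsanitizer/", "guardedalloc/")  # sanitizer and allocator-wrapper frames, not the bug

def parse_report(text):
    """Return (bug kind, {'use'|'free'|'alloc': [(function, file:line), ...]})."""
    bug = re.search(r"AddressSanitizer: (\S+)", text).group(1)
    cur, stacks = None, {"use": [], "free": [], "alloc": []}
    for line in text.splitlines():
        cur = next((s for m, s in SECTIONS.items() if line.startswith(m)), cur)
        if (frame := FRAME.match(line)) and cur:
            stacks[cur].append((frame.group(1), frame.group(2)))
    return bug, stacks

def first_project_frame(frames):
    """Innermost frame outside the sanitizer/allocator runtime: the project code that acted."""
    return next(f for f in frames if not any(tag in f[1] for tag in RUNTIME))

def shared_owner(use, free):
    """Innermost use-stack function also present on the free stack, with both locations:
    the code that (transitively) freed the object and then touched it again."""
    free_at = {f: w for f, w in reversed(free)}  # innermost occurrence wins
    return next(((f, w, free_at[f]) for f, w in use if f in free_at), None)

def triage(text):
    bug, st = parse_report(text)
    return {"bug": bug, "use_site": st["use"][0],
            "free_site": first_project_frame(st["free"]),
            "alloc_site": first_project_frame(st["alloc"]),
            "shared_owner": shared_owner(st["use"], st["free"])}
```

For this report `shared_owner` comes back as `localize` at node_shader_tree.cc:143 (use) and :146 (free), which is the three-line window the fix has to look at.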

Julian Eisel (Severin) closed this task as Resolved by committing rBae5a89e80af7: Fix T93797, T93809: Crash/undefined-behavior when opening demo file. Dec 7 2021, 12:03 PM
Julian Eisel (Severin) claimed this task.
Julian Eisel (Severin) added a commit: rBae5a89e80af7: Fix T93797, T93809: Crash/undefined-behavior when opening demo file.
Jacques Lucke (JacquesLucke) mentioned this in rB0f48b37aae02: Revert moving all shader nodes to c++. Dec 7 2021, 1:28 PM