Paste P1532

(An Untitled Masterwork)

Authored by Jacques Lucke (JacquesLucke) on Jul 14 2020, 1:43 PM.
==240089==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000039bb8 at pc 0x00000603917c bp 0x7fffffffbcb0 sp 0x7fffffffbca0
READ of size 8 at 0x602000039bb8 thread T0
#0 0x603917b in extract_tris_iter_looptri_bm /home/jacques/blender-git/blender/source/blender/draw/intern/draw_cache_extract_mesh.c:856
#1 0x60efb60 in mesh_extract_iter /home/jacques/blender-git/blender/source/blender/draw/intern/draw_cache_extract_mesh.c:5083
#2 0x60efb60 in extract_run /home/jacques/blender-git/blender/source/blender/draw/intern/draw_cache_extract_mesh.c:5162
#3 0x60f1982 in extract_init_and_run /home/jacques/blender-git/blender/source/blender/draw/intern/draw_cache_extract_mesh.c:5183
#4 0x60f251b in extract_single_threaded_task_node_exec /home/jacques/blender-git/blender/source/blender/draw/intern/draw_cache_extract_mesh.c:5258
#5 0x1cc2ba67 in TaskNode::run(tbb::flow::interface11::continue_msg)::{lambda()#1}::operator()() const /home/jacques/blender-git/blender/source/blender/blenlib/intern/task_graph.cc:97
#6 0x1cc3d2c2 in tbb::interface7::internal::delegated_function<TaskNode::run(tbb::flow::interface11::continue_msg)::{lambda()#1} const, void>::operator()() const /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:93
#7 0x499f314 in tbb::interface7::internal::isolate_within_arena(tbb::interface7::internal::delegate_base&, long) (/home/jacques/blender-git/build_linux/bin/blender+0x499f314)
#8 0x1cc331e6 in void tbb::interface7::internal::isolate_impl<void, TaskNode::run(tbb::flow::interface11::continue_msg)::{lambda()#1} const>(TaskNode::run(tbb::flow::interface11::continue_msg)::{lambda()#1} const&) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:160
#9 0x1cc2e515 in tbb::interface7::internal::return_type_or_void<TaskNode::run(tbb::flow::interface11::continue_msg)::{lambda()#1}>::type tbb::interface7::this_task_arena::isolate<TaskNode::run(tbb::flow::interface11::continue_msg)::{lambda()#1}>(tbb::interface7::internal::return_type_or_void const&) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:395
#10 0x1cc2bb69 in TaskNode::run(tbb::flow::interface11::continue_msg) /home/jacques/blender-git/blender/source/blender/blenlib/intern/task_graph.cc:97
#11 0x1cc46620 in tbb::flow::interface11::continue_msg std::__invoke_impl<tbb::flow::interface11::continue_msg, tbb::flow::interface11::continue_msg (TaskNode::*&)(tbb::flow::interface11::continue_msg), TaskNode*&, tbb::flow::interface11::continue_msg const&>(std::__invoke_memfun_deref, tbb::flow::interface11::continue_msg (TaskNode::*&)(tbb::flow::interface11::continue_msg), TaskNode*&, tbb::flow::interface11::continue_msg const&) /usr/include/c++/10.1.0/bits/invoke.h:73
#12 0x1cc45acb in std::__invoke_result<tbb::flow::interface11::continue_msg (TaskNode::*&)(tbb::flow::interface11::continue_msg), TaskNode*&, tbb::flow::interface11::continue_msg const&>::type std::__invoke<tbb::flow::interface11::continue_msg (TaskNode::*&)(tbb::flow::interface11::continue_msg), TaskNode*&, tbb::flow::interface11::continue_msg const&>(tbb::flow::interface11::continue_msg (TaskNode::*&)(tbb::flow::interface11::continue_msg), TaskNode*&, tbb::flow::interface11::continue_msg const&) /usr/include/c++/10.1.0/bits/invoke.h:95
#13 0x1cc44cff in tbb::flow::interface11::continue_msg std::_Bind<tbb::flow::interface11::continue_msg (TaskNode::*(TaskNode*, std::_Placeholder<1>))(tbb::flow::interface11::continue_msg)>::__call<tbb::flow::interface11::continue_msg, tbb::flow::interface11::continue_msg const&, 0ul, 1ul>(std::tuple<tbb::flow::interface11::continue_msg const&>&&, std::_Index_tuple<0ul, 1ul>) /usr/include/c++/10.1.0/functional:416
#14 0x1cc40e56 in tbb::flow::interface11::continue_msg std::_Bind<tbb::flow::interface11::continue_msg (TaskNode::*(TaskNode*, std::_Placeholder<1>))(tbb::flow::interface11::continue_msg)>::operator()<tbb::flow::interface11::continue_msg const&, tbb::flow::interface11::continue_msg>(tbb::flow::interface11::continue_msg const&) /usr/include/c++/10.1.0/functional:499
#15 0x1cc3d39c in tbb::flow::interface11::internal::function_body_leaf<tbb::flow::interface11::continue_msg, tbb::flow::interface11::continue_msg, std::_Bind<tbb::flow::interface11::continue_msg (TaskNode::*(TaskNode*, std::_Placeholder<1>))(tbb::flow::interface11::continue_msg)> >::operator()(tbb::flow::interface11::continue_msg const&) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/internal/_flow_graph_body_impl.h:146
#16 0x1cc41b07 in tbb::flow::interface11::internal::continue_input<tbb::flow::interface11::continue_msg, tbb::flow::interface11::internal::Policy<void> >::apply_body_bypass(tbb::flow::interface11::continue_msg) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/internal/_flow_graph_node_impl.h:821
#17 0x1cc47ac5 in tbb::flow::interface11::internal::apply_body_task_bypass<tbb::flow::interface11::internal::continue_input<tbb::flow::interface11::continue_msg, tbb::flow::interface11::internal::Policy<void> >, tbb::flow::interface11::continue_msg>::execute() /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/internal/_flow_graph_body_impl.h:312
#18 0x49aca14 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (/home/jacques/blender-git/build_linux/bin/blender+0x49aca14)
#19 0x49accca in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::local_wait_for_all(tbb::task&, tbb::task*) (/home/jacques/blender-git/build_linux/bin/blender+0x49accca)
#20 0xdf4bd47 in tbb::task::wait_for_all() /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task.h:862
#21 0xfe36d3b in tbb::flow::interface10::graph::wait_functor::operator()() const /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/internal/_flow_graph_impl.h:252
#22 0xfe58627 in tbb::interface7::internal::delegated_function<tbb::flow::interface10::graph::wait_functor const, void>::operator()() const /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:93
#23 0x49a01d1 in tbb::interface7::internal::task_arena_base::internal_execute(tbb::interface7::internal::delegate_base&) const (/home/jacques/blender-git/build_linux/bin/blender+0x49a01d1)
#24 0xfe4adc8 in void tbb::interface7::task_arena::execute_impl<void, tbb::flow::interface10::graph::wait_functor const>(tbb::flow::interface10::graph::wait_functor const&) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:216
#25 0xfe44b2c in tbb::interface7::internal::return_type_or_void<tbb::flow::interface10::graph::wait_functor>::type tbb::interface7::task_arena::execute<tbb::flow::interface10::graph::wait_functor>(tbb::flow::interface10::graph::wait_functor const&) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:356
#26 0xfe375a6 in tbb::flow::interface10::graph::wait_for_all() /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/internal/_flow_graph_impl.h:345
#27 0x1cc2069c in BLI_task_graph_work_and_wait /home/jacques/blender-git/blender/source/blender/blenlib/intern/task_graph.cc:128
#28 0x5f0c958 in DRW_mesh_batch_cache_create_requested /home/jacques/blender-git/blender/source/blender/draw/intern/draw_cache_impl_mesh.c:1527
#29 0x5e6963b in drw_batch_cache_generate_requested /home/jacques/blender-git/blender/source/blender/draw/intern/draw_cache.c:3569
#30 0x5b76e81 in drw_engines_cache_populate /home/jacques/blender-git/blender/source/blender/draw/intern/draw_manager.c:1022
#31 0x5b7d92c in DRW_draw_render_loop_ex /home/jacques/blender-git/blender/source/blender/draw/intern/draw_manager.c:1489
#32 0x5b7c426 in DRW_draw_view /home/jacques/blender-git/blender/source/blender/draw/intern/draw_manager.c:1404
#33 0x9f81eca in view3d_draw_view /home/jacques/blender-git/blender/source/blender/editors/space_view3d/view3d_draw.c:1608
#34 0x9f82135 in view3d_main_region_draw /home/jacques/blender-git/blender/source/blender/editors/space_view3d/view3d_draw.c:1630
#35 0x73a4d29 in ED_region_do_draw /home/jacques/blender-git/blender/source/blender/editors/screen/area.c:538
#36 0x49c9147 in wm_draw_window_offscreen /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:712
#37 0x49cac99 in wm_draw_window /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:838
#38 0x49ccbf9 in wm_draw_update /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm_draw.c:1041
#39 0x49b7438 in WM_main /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm.c:481
#40 0x2c11e1d in main /home/jacques/blender-git/blender/source/creator/creator.c:532
#41 0x7ffff708c001 in __libc_start_main (/usr/lib/libc.so.6+0x27001)
#42 0x2c109fd in _start (/home/jacques/blender-git/build_linux/bin/blender+0x2c109fd)
0x602000039bb8 is located 0 bytes to the right of 8-byte region [0x602000039bb0,0x602000039bb8)
allocated by thread T0 here:
#0 0x7ffff766d459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x1cca5d55 in MEM_lockfree_mallocN /home/jacques/blender-git/blender/intern/guardedalloc/intern/mallocn_lockfree_impl.c:273
#2 0x466c536 in editmesh_tessface_calc_intern /home/jacques/blender-git/blender/source/blender/blenkernel/intern/editmesh.c:126
#3 0x466c74a in BKE_editmesh_looptri_calc /home/jacques/blender-git/blender/source/blender/blenkernel/intern/editmesh.c:137
#4 0x897162c in ED_object_editmode_enter_ex /home/jacques/blender-git/blender/source/blender/editors/object/object_edit.c:633
#5 0x84eb36b in make_prim_init /home/jacques/blender-git/blender/source/blender/editors/mesh/editmesh_add.c:73
#6 0x84f1f66 in add_primitive_uvsphere_exec /home/jacques/blender-git/blender/source/blender/editors/mesh/editmesh_add.c:627
#7 0x49dfa77 in wm_operator_invoke /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1296
#8 0x49e22c5 in wm_operator_call_internal /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1532
#9 0x49e2c92 in WM_operator_call_py /home/jacques/blender-git/blender/source/blender/windowmanager/intern/wm_event_system.c:1632
#10 0x72dad08 in pyop_call /home/jacques/blender-git/blender/source/blender/python/intern/bpy_operator.c:268
#11 0x1b2bbe88 in _PyMethodDef_RawFastCallKeywords Objects/call.c:698
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jacques/blender-git/blender/source/blender/draw/intern/draw_cache_extract_mesh.c:856 in extract_tris_iter_looptri_bm
Shadow bytes around the buggy address:
0x0c047ffff320: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 00
0x0c047ffff330: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047ffff340: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa 00 00
0x0c047ffff350: fa fa fd fd fa fa fd fa fa fa 00 00 fa fa 00 00
0x0c047ffff360: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047ffff370: fa fa fd fa fa fa 00[fa]fa fa fd fa fa fa 00 00
0x0c047ffff380: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047ffff390: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047ffff3a0: fa fa fd fa fa fa fa fa fa fa fd fa fa fa fa fa
0x0c047ffff3b0: fa fa fa fa fa fa fd fa fa fa fa fa fa fa fa fa
0x0c047ffff3c0: fa fa fa fa fa fa fd fd fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==240089==ABORTING