Paste P2152

(An Untitled Masterwork)

Authored by Jacques Lucke (JacquesLucke) on Jun 3 2021, 9:58 AM.
==42010==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb0901e5f at pc 0x000008b8f2f2 bp 0x7fffb0901480 sp 0x7fffb0901470
READ of size 1 at 0x7fffb0901e5f thread T64
#0 0x8b8f2f1 in ExpressionParser::parse() /home/jacques/blender-git/blender/source/blender/nodes/intern/expression_parser.cc:326
#1 0x7f84118 in do_math_operation /home/jacques/blender-git/blender/source/blender/nodes/geometry/nodes/node_geo_attribute_expression.cc:108
#2 0x7f873e4 in attribute_expression_calc /home/jacques/blender-git/blender/source/blender/nodes/geometry/nodes/node_geo_attribute_expression.cc:184
#3 0x7f87edb in geo_node_attribute_expression_exec /home/jacques/blender-git/blender/source/blender/nodes/geometry/nodes/node_geo_attribute_expression.cc:196
#4 0x738658f in blender::modifiers::geometry_nodes::GeometryNodesEvaluator::execute_geometry_node(blender::nodes::DNode, blender::modifiers::geometry_nodes::NodeState&) /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:822
#5 0x7385de8 in blender::modifiers::geometry_nodes::GeometryNodesEvaluator::execute_node(blender::nodes::DNode, blender::modifiers::geometry_nodes::NodeState&) /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:802
#6 0x7381338 in blender::modifiers::geometry_nodes::GeometryNodesEvaluator::node_task_run(blender::nodes::DNode, blender::modifiers::geometry_nodes::NodeState&) /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:628
#7 0x7381050 in blender::modifiers::geometry_nodes::GeometryNodesEvaluator::run_node_from_task_pool(TaskPool*, void*) /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:612
#8 0x229ca5a4 in Task::operator()() const::{lambda()#1}::operator()() const /home/jacques/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:118
#9 0x229cc3f1 in tbb::interface7::internal::delegated_function<Task::operator()() const::{lambda()#1} const, void>::operator()() const /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:96
#10 0x5c720d4 in tbb::interface7::internal::isolate_within_arena(tbb::interface7::internal::delegate_base&, long) (/home/jacques/blender-git/build_linux/bin/blender+0x5c720d4)
#11 0x229cb048 in void tbb::interface7::internal::isolate_impl<void, Task::operator()() const::{lambda()#1} const>(Task::operator()() const::{lambda()#1} const&) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:216
#12 0x229cab40 in tbb::interface7::internal::return_type_or_void<Task::operator()() const::{lambda()#1}>::type tbb::interface7::this_task_arena::isolate<Task::operator()() const::{lambda()#1}>(Task::operator()() const::{lambda()#1} const&) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:472
#13 0x229ca6a7 in Task::operator()() const /home/jacques/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:118
#14 0x229c6734 in tbb_task_pool_run /home/jacques/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:229
#15 0x229c8db1 in BLI_task_pool_push /home/jacques/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:487
#16 0x7390b3c in blender::modifiers::geometry_nodes::GeometryNodesEvaluator::add_node_to_task_pool(blender::nodes::DNode) /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:1131
#17 0x73618ac in blender::modifiers::geometry_nodes::LockedNode::~LockedNode() /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:1381
#18 0x738fe92 in blender::modifiers::geometry_nodes::GeometryNodesEvaluator::send_output_required_notification(blender::nodes::DOutputSocket) /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:1108
#19 0x736131a in blender::modifiers::geometry_nodes::LockedNode::~LockedNode() /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:1375
#20 0x73805ed in blender::modifiers::geometry_nodes::GeometryNodesEvaluator::schedule_initial_nodes() /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:575
#21 0x7377d28 in blender::modifiers::geometry_nodes::GeometryNodesEvaluator::execute() /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:388
#22 0x736ccf8 in blender::modifiers::geometry_nodes::evaluate_geometry_nodes(blender::modifiers::geometry_nodes::GeometryNodesEvaluationParams&) /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes_evaluator.cc:1565
#23 0x73090b5 in compute_geometry /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes.cc:983
#24 0x730b802 in modifyGeometry /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes.cc:1078
#25 0x730c8b6 in modifyGeometrySet /home/jacques/blender-git/blender/source/blender/modifiers/intern/MOD_nodes.cc:1104
#26 0x51dc376 in modifier_modify_mesh_and_geometry_set /home/jacques/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:954
#27 0x51e0e86 in mesh_calc_modifiers /home/jacques/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:1306
#28 0x51ec83d in mesh_build_data /home/jacques/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:1932
#29 0x51ef328 in makeDerivedMesh /home/jacques/blender-git/blender/source/blender/blenkernel/intern/DerivedMesh.cc:2080
#30 0x37fe299 in BKE_object_handle_data_update /home/jacques/blender-git/blender/source/blender/blenkernel/intern/object_update.c:202
#31 0x380262f in BKE_object_eval_uber_data /home/jacques/blender-git/blender/source/blender/blenkernel/intern/object_update.c:388
#32 0x1ff78c9b in operator() /home/jacques/blender-git/blender/source/blender/depsgraph/intern/builder/deg_builder_nodes.cc:1456
#33 0x1ffc0c5d in __invoke_impl<void, blender::deg::DepsgraphNodeBuilder::build_object_data_geometry(Object*, bool)::<lambda(Depsgraph*)>&, Depsgraph*> /usr/include/c++/11.1.0/bits/invoke.h:61
#34 0x1ffb3ee4 in __invoke_r<void, blender::deg::DepsgraphNodeBuilder::build_object_data_geometry(Object*, bool)::<lambda(Depsgraph*)>&, Depsgraph*> /usr/include/c++/11.1.0/bits/invoke.h:111
#35 0x1ffa7a57 in _M_invoke /usr/include/c++/11.1.0/bits/std_function.h:291
#36 0x1fee589c in std::function<void (Depsgraph*)>::operator()(Depsgraph*) const /usr/include/c++/11.1.0/bits/std_function.h:560
#37 0x1fedeb9a in evaluate_node /home/jacques/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:113
#38 0x1fedec1a in deg_task_run_func /home/jacques/blender-git/blender/source/blender/depsgraph/intern/eval/deg_eval.cc:124
#39 0x229ca5a4 in Task::operator()() const::{lambda()#1}::operator()() const /home/jacques/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:118
#40 0x229cc3f1 in tbb::interface7::internal::delegated_function<Task::operator()() const::{lambda()#1} const, void>::operator()() const /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:96
#41 0x5c720d4 in tbb::interface7::internal::isolate_within_arena(tbb::interface7::internal::delegate_base&, long) (/home/jacques/blender-git/build_linux/bin/blender+0x5c720d4)
#42 0x229cb048 in void tbb::interface7::internal::isolate_impl<void, Task::operator()() const::{lambda()#1} const>(Task::operator()() const::{lambda()#1} const&) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:216
#43 0x229cab40 in tbb::interface7::internal::return_type_or_void<Task::operator()() const::{lambda()#1}>::type tbb::interface7::this_task_arena::isolate<Task::operator()() const::{lambda()#1}>(Task::operator()() const::{lambda()#1} const&) /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task_arena.h:472
#44 0x229ca6a7 in Task::operator()() const /home/jacques/blender-git/blender/source/blender/blenlib/intern/task_pool.cc:118
#45 0x229cc208 in tbb::internal::function_task<Task>::execute() /home/jacques/blender-git/lib/linux_centos7_x86_64/tbb/include/tbb/task.h:1059
#46 0x5c82f34 in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::process_bypass_loop(tbb::internal::context_guard_helper<false>&, tbb::task*, long) (/home/jacques/blender-git/build_linux/bin/blender+0x5c82f34)
#47 0x5c831ea in tbb::internal::custom_scheduler<tbb::internal::IntelSchedulerTraits>::local_wait_for_all(tbb::task&, tbb::task*) (/home/jacques/blender-git/build_linux/bin/blender+0x5c831ea)
#48 0x5c71de6 in tbb::internal::arena::process(tbb::internal::generic_scheduler&) (/home/jacques/blender-git/build_linux/bin/blender+0x5c71de6)
#49 0x5c7cc1f in tbb::internal::market::process(rml::job&) (/home/jacques/blender-git/build_linux/bin/blender+0x5c7cc1f)
#50 0x5c7ec5b in tbb::internal::rml::private_worker::run() (/home/jacques/blender-git/build_linux/bin/blender+0x5c7ec5b)
#51 0x5c7ee58 in tbb::internal::rml::private_worker::thread_routine(void*) (/home/jacques/blender-git/build_linux/bin/blender+0x5c7ee58)
#52 0x7ffff7594258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
#53 0x7ffff71005e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
Address 0x7fffb0901e5f is located in stack of thread T64 at offset 1055 in frame
#0 0x7f8624b in attribute_expression_calc /home/jacques/blender-git/blender/source/blender/nodes/geometry/nodes/node_geo_attribute_expression.cc:149
This frame has 16 object(s):
[48, 52) '<unknown>'
[64, 68) '<unknown>'
[80, 84) '<unknown>'
[96, 104) 'result_name' (line 157)
[128, 144) '<unknown>'
[160, 176) '<unknown>'
[192, 208) '<unknown>'
[224, 240) '<unknown>'
[256, 272) 'result_span' (line 172)
[288, 304) '<unknown>'
[320, 336) '<unknown>'
[352, 464) 'attribute_a' (line 169)
[496, 608) 'attribute_b' (line 174)
[640, 752) 'attribute_c' (line 179)
[784, 992) 'attribute_result' (line 163)
[1056, 1184) 'expression_text' (line 152) <== Memory access at offset 1055 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Thread T64 created by T62 here:
#0 0x7ffff7609fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x5c7eb48 in tbb::internal::rml::private_server::wake_some(int) (/home/jacques/blender-git/build_linux/bin/blender+0x5c7eb48)
#2 0x60c0000bbfbf (<unknown module>)
Thread T62 created by T59 here:
#0 0x7ffff7609fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x5c7eb48 in tbb::internal::rml::private_server::wake_some(int) (/home/jacques/blender-git/build_linux/bin/blender+0x5c7eb48)
#2 0x60c0000abfff (<unknown module>)
Thread T59 created by T57 here:
#0 0x7ffff7609fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x5c7eb48 in tbb::internal::rml::private_server::wake_some(int) (/home/jacques/blender-git/build_linux/bin/blender+0x5c7eb48)
#2 0x60c00009ffff (<unknown module>)
Thread T57 created by T0 here:
#0 0x7ffff7609fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x5c7eb48 in tbb::internal::rml::private_server::wake_some(int) (/home/jacques/blender-git/build_linux/bin/blender+0x5c7eb48)
#2 0x60c00008c73f (<unknown module>)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/jacques/blender-git/blender/source/blender/nodes/intern/expression_parser.cc:326 in ExpressionParser::parse()
Shadow bytes around the buggy address:
0x100076118370: f8 f8 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x100076118380: 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
0x100076118390: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x1000761183a0: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00
0x1000761183b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000761183c0: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00
0x1000761183d0: 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
0x1000761183e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x1000761183f0: f1 f1 00 f2 f2 f2 f8 f8 f2 f2 00 00 f2 f2 00 00
0x100076118400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100076118410: 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==42010==ABORTING