
Usage of freed memory only in release build #46960

Open
qarmin opened this issue Mar 13, 2021 · 6 comments

Comments


qarmin commented Mar 13, 2021

Godot version:
v3.2.4.rc.custom_build. b169a16
Looks like this may be a regression from #46694
CC @JFonS

OS/device including version:
Ubuntu 20.04

Issue description:
Exporting a project with export templates compiled with this command (ubsan and CCFLAGS are not necessary)

scons p=x11 -j6 tools=no target=release debug_symbols=yes use_asan=yes use_ubsan=yes CCFLAGS="-fsanitize=pointer-compare,pointer-subtract,shift,shift-exponent,integer-divide-by-zero,unreachable,vla-bound,null,return,signed-integer-overflow,bounds,float-divide-by-zero,float-cast-overflow,nonnull-attribute,returns-nonnull-attribute,bool,enum,vptr,pointer-overflow,builtin"

and with this patch applied to speed up compilation

diff --git a/platform/x11/detect.py b/platform/x11/detect.py
index b8c509ad9b..a985d6bf32 100644
--- a/platform/x11/detect.py
+++ b/platform/x11/detect.py
@@ -88,11 +88,6 @@ def configure(env):
     ## Build type
 
     if env["target"] == "release":
-        if env["optimize"] == "speed":  # optimize for speed (default)
-            env.Prepend(CCFLAGS=["-O3"])
-        else:  # optimize for size
-            env.Prepend(CCFLAGS=["-Os"])
-
         if env["debug_symbols"]:
             env.Prepend(CCFLAGS=["-g2"])
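Review bot: with both `optimize` branches removed under `if env["target"] == "release":`, neither `-O3` nor `-Os` is ever prepended, so the `optimize` option is silently ignored and the release template is built at the compiler's default optimization level while `-g2` is kept. Since the report is about behaviour seen only in release builds, it would help to state whether the use-after-free also reproduces with these four lines left in place; if it does, the release-only difference is not the optimization level.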

shows this use-after-free when running:

==126208==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000074d80 at pc 0x00000373e666 bp 0x7ffc08b14970 sp 0x7ffc08b14960
READ of size 8 at 0x617000074d80 thread T0
    #0 0x373e665 in RID_OwnerBase::_is_owner(RID const&) const core/rid.h:110
    #1 0x373e665 in RID_Owner<RasterizerSceneGLES3::LightInstance>::owns(RID const&) const core/rid.h:178
    #2 0x373e665 in RasterizerSceneGLES3::_add_geometry_with_material(RasterizerStorageGLES3::Geometry*, RasterizerScene::InstanceBase*, RasterizerStorageGLES3::GeometryOwner*, RasterizerStorageGLES3::Material*, bool, bool) drivers/gles3/rasterizer_scene_gles3.cpp:2387
    #3 0x373e665 in RasterizerSceneGLES3::_add_geometry(RasterizerStorageGLES3::Geometry*, RasterizerScene::InstanceBase*, RasterizerStorageGLES3::GeometryOwner*, int, bool, bool) drivers/gles3/rasterizer_scene_gles3.cpp:2313
    #4 0x373e665 in RasterizerSceneGLES3::_fill_render_list(RasterizerScene::InstanceBase**, int, bool, bool) drivers/gles3/rasterizer_scene_gles3.cpp:3185
    #5 0x38bbf6d in RasterizerSceneGLES3::render_scene(Transform const&, CameraMatrix const&, bool, RasterizerScene::InstanceBase**, int, RID*, int, RID*, int, RID, RID, RID, RID, int) drivers/gles3/rasterizer_scene_gles3.cpp:4236
    #6 0xa338c8f in VisualServerScene::_render_scene(Transform, CameraMatrix const&, bool, RID, RID, RID, RID, int) servers/visual/visual_server_scene.cpp:2367
    #7 0xa27d698 in VisualServerScene::render_camera(RID, RID, Vector2, RID) servers/visual/visual_server_scene.cpp:1937
    #8 0xa4bd9a4 in VisualServerViewport::_draw_3d(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:78
    #9 0xa4c087f in VisualServerViewport::_draw_viewport(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:110
    #10 0xa4d2f06 in VisualServerViewport::draw_viewports() servers/visual/visual_server_viewport.cpp:348
    #11 0xa1cf2a6 in VisualServerRaster::draw(bool, double) servers/visual/visual_server_raster.cpp:108
    #12 0xa5125cc in VisualServerWrapMT::draw(bool, double) servers/visual/visual_server_wrap_mt.cpp:102
    #13 0x654ee1 in Main::iteration() main/main.cpp:2132
    #14 0x50830c in OS_X11::run() platform/x11/os_x11.cpp:3641
    #15 0x466d7b in main platform/x11/godot_x11.cpp:56
    #16 0x7fdf056fb0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #17 0x46699d in _start (/home/rafal/Projekty/Godot/FFF/UnnamedProject.x86_64+0x46699d)

0x617000074d80 is located 0 bytes inside of 712-byte region [0x617000074d80,0x617000075048)
freed by thread T0 here:
    #0 0x7fdf068741b7 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xb01b7)
    #1 0xe917226 in Memory::free_static(void*, bool) core/os/memory.cpp:181
    #2 0x39392e9 in void memdelete<RasterizerSceneGLES3::LightInstance>(RasterizerSceneGLES3::LightInstance*) (/home/rafal/Projekty/Godot/FFF/UnnamedProject.x86_64+0x39392e9)
    #3 0x3903667 in RasterizerSceneGLES3::free(RID) drivers/gles3/rasterizer_scene_gles3.cpp:4977
    #4 0xa229cfc in VisualServerScene::instance_set_base(RID, RID) servers/visual/visual_server_scene.cpp:496
    #5 0xa2052de in VisualServerRaster::instance_set_base(RID, RID) servers/visual/visual_server_raster.h:546
    #6 0xa5ebd77 in VisualServerWrapMT::instance_set_base(RID, RID) servers/visual/visual_server_wrap_mt.h:468
    #7 0x6386566 in Light::~Light() scene/3d/light.cpp:341
    #8 0x63a9bfa in DirectionalLight::~DirectionalLight() scene/3d/light.h:135
    #9 0x4a28307 in void memdelete<Node>(Node*) core/os/memory.h:117
    #10 0x499e8fd in Node::_notification(int) scene/main/node.cpp:175
    #11 0x68311e in Node::_notificationv(int, bool) scene/main/node.h:46
    #12 0x685a08 in Spatial::_notificationv(int, bool) (/home/rafal/Projekty/Godot/FFF/UnnamedProject.x86_64+0x685a08)
    #13 0xe151187 in Object::notification(int, bool) core/object.cpp:929
    #14 0xe13c6f9 in Object::_predelete() core/object.cpp:387
    #15 0xe17d37c in predelete_handler(Object*) core/object.cpp:2055
    #16 0x4a28149 in void memdelete<Node>(Node*) core/os/memory.h:114
    #17 0x499e8fd in Node::_notification(int) scene/main/node.cpp:175
    #18 0x68311e in Node::_notificationv(int, bool) scene/main/node.h:46
    #19 0xe151187 in Object::notification(int, bool) core/object.cpp:929
    #20 0xe13c6f9 in Object::_predelete() core/object.cpp:387
    #21 0xe17d37c in predelete_handler(Object*) core/object.cpp:2055
    #22 0x65c80c in void memdelete<Object>(Object*) core/os/memory.h:114
    #23 0x4aed9de in SceneTree::_flush_delete_queue() scene/main/scene_tree.cpp:1117
    #24 0x4ad6ace in SceneTree::idle(float) scene/main/scene_tree.cpp:547
    #25 0x654184 in Main::iteration() main/main.cpp:2117
    #26 0x50830c in OS_X11::run() platform/x11/os_x11.cpp:3641
    #27 0x466d7b in main platform/x11/godot_x11.cpp:56
    #28 0x7fdf056fb0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

previously allocated by thread T0 here:
    #0 0x7fdf06874517 in malloc (/lib/x86_64-linux-gnu/libasan.so.6+0xb0517)
    #1 0xe916d35 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:82
    #2 0xe916cd2 in operator new(unsigned long, char const*) core/os/memory.cpp:42
    #3 0x3645ec8 in RasterizerSceneGLES3::light_instance_create(RID) drivers/gles3/rasterizer_scene_gles3.cpp:1001
    #4 0xa22ee53 in VisualServerScene::instance_set_base(RID, RID) servers/visual/visual_server_scene.cpp:572
    #5 0xa2052de in VisualServerRaster::instance_set_base(RID, RID) servers/visual/visual_server_raster.h:546
    #6 0xa5ebd77 in VisualServerWrapMT::instance_set_base(RID, RID) servers/visual/visual_server_wrap_mt.h:468
    #7 0x6383785 in Light::Light(VisualServer::LightType) scene/3d/light.cpp:305
    #8 0x638c952 in DirectionalLight::DirectionalLight() scene/3d/light.cpp:411
    #9 0x48eb933 in Object* ClassDB::creator<DirectionalLight>() (/home/rafal/Projekty/Godot/FFF/UnnamedProject.x86_64+0x48eb933)
    #10 0xdeb1226 in ClassDB::instance(StringName const&) core/class_db.cpp:559
    #11 0x1673f4a in GDScriptNativeClass::instance() modules/gdscript/gdscript.cpp:82
    #12 0x1673bee in GDScriptNativeClass::_new() modules/gdscript/gdscript.cpp:69
    #13 0x16f51e4 in MethodBind0R<Variant>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:237
    #14 0xe150b35 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:919
    #15 0xe51cd9a in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1148
    #16 0x1818e18 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1083
    #17 0x169acf6 in GDScriptInstance::call(StringName const&, Variant const**, int, Variant::CallError&) modules/gdscript/gdscript.cpp:1208
    #18 0xe150188 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:898
    #19 0xe51cd9a in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1148
    #20 0x1818e99 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1086
    #21 0x169bb4f in GDScriptInstance::_ml_call_reversed(GDScript*, StringName const&, Variant const**, int) modules/gdscript/gdscript.cpp:1239
    #22 0x169beed in GDScriptInstance::call_multilevel_reversed(StringName const&, Variant const**, int) modules/gdscript/gdscript.cpp:1246
    #23 0x499ced7 in Node::_notification(int) scene/main/node.cpp:149
    #24 0x68311e in Node::_notificationv(int, bool) scene/main/node.h:46
    #25 0x685552 in Spatial::_notificationv(int, bool) (/home/rafal/Projekty/Godot/FFF/UnnamedProject.x86_64+0x685552)
    #26 0xe151187 in Object::notification(int, bool) core/object.cpp:929
    #27 0x49a05f3 in Node::_propagate_ready() scene/main/node.cpp:196
    #28 0x499fe59 in Node::_propagate_ready() scene/main/node.cpp:188
    #29 0x4a0c75e in Node::_set_tree(SceneTree*) scene/main/node.cpp:2637

SUMMARY: AddressSanitizer: heap-use-after-free core/rid.h:110 in RID_OwnerBase::_is_owner(RID const&) const

Minimal reproduction project:
https://github.com/qarmin/RegressionTestProject/archive/3.2.zip


JFonS commented Mar 15, 2021

I opened #47038 that should (I hope) fix this issue.

@qarmin If you have the tests at hand and can check if it worked that would be great, otherwise I will do it soon-ish.


qarmin commented Mar 15, 2021

Looks like this use-after-free is fixed with this patch, but there is still another similar error with OmniLight

=================================================================
==34464==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000233880 at pc 0x00000364d8f9 bp 0x7ffc010b5990 sp 0x7ffc010b5980
READ of size 8 at 0x617000233880 thread T0
    #0 0x364d8f8 in RID_Owner<RasterizerSceneGLES3::LightInstance>::getornull(RID const&) core/rid.h:163
    #1 0x364d8f8 in RasterizerSceneGLES3::_setup_light(RasterizerSceneGLES3::RenderList::Element*, Transform const&) drivers/gles3/rasterizer_scene_gles3.cpp:1851
    #2 0x36b2233 in RasterizerSceneGLES3::_render_list(RasterizerSceneGLES3::RenderList::Element**, int, Transform const&, CameraMatrix const&, RasterizerStorageGLES3::Sky*, bool, bool, bool, bool, bool) drivers/gles3/rasterizer_scene_gles3.cpp:2232
    #3 0x38e2bf2 in RasterizerSceneGLES3::render_scene(Transform const&, CameraMatrix const&, bool, RasterizerScene::InstanceBase**, int, RID*, int, RID*, int, RID, RID, RID, RID, int) drivers/gles3/rasterizer_scene_gles3.cpp:4536
    #4 0xa334f65 in VisualServerScene::_render_scene(Transform, CameraMatrix const&, bool, RID, RID, RID, RID, int) servers/visual/visual_server_scene.cpp:2367
    #5 0xa27996e in VisualServerScene::render_camera(RID, RID, Vector2, RID) servers/visual/visual_server_scene.cpp:1937
    #6 0xa4b9c7a in VisualServerViewport::_draw_3d(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:78
    #7 0xa4bcb55 in VisualServerViewport::_draw_viewport(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:110
    #8 0xa4cf1dc in VisualServerViewport::draw_viewports() servers/visual/visual_server_viewport.cpp:348
    #9 0xa1cb57c in VisualServerRaster::draw(bool, double) servers/visual/visual_server_raster.cpp:108
    #10 0xa50e8a2 in VisualServerWrapMT::draw(bool, double) servers/visual/visual_server_wrap_mt.cpp:102
    #11 0x654ee1 in Main::iteration() main/main.cpp:2132
    #12 0x50830c in OS_X11::run() platform/x11/os_x11.cpp:3641
    #13 0x466d7b in main platform/x11/godot_x11.cpp:56
    #14 0x7f00f042f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #15 0x46699d in _start (/home/rafal/Projekty/Godot/FFF/New.x86_64+0x46699d)

0x617000233880 is located 0 bytes inside of 712-byte region [0x617000233880,0x617000233b48)
freed by thread T0 here:
    #0 0x7f00f15a81b7 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.6+0xb01b7)
    #1 0xe91573c in Memory::free_static(void*, bool) core/os/memory.cpp:181
    #2 0x393952f in void memdelete<RasterizerSceneGLES3::LightInstance>(RasterizerSceneGLES3::LightInstance*) (/home/rafal/Projekty/Godot/FFF/New.x86_64+0x393952f)
    #3 0x39038a8 in RasterizerSceneGLES3::free(RID) drivers/gles3/rasterizer_scene_gles3.cpp:4982
    #4 0xa225fd2 in VisualServerScene::instance_set_base(RID, RID) servers/visual/visual_server_scene.cpp:496
    #5 0xa2015b4 in VisualServerRaster::instance_set_base(RID, RID) servers/visual/visual_server_raster.h:546
    #6 0xa5e804d in VisualServerWrapMT::instance_set_base(RID, RID) servers/visual/visual_server_wrap_mt.h:468
    #7 0x638553a in Light::~Light() scene/3d/light.cpp:341
    #8 0x63a8972 in OmniLight::~OmniLight() scene/3d/light.h:175
    #9 0x4a27159 in void memdelete<Node>(Node*) core/os/memory.h:117
    #10 0x499ebbf in Node::_notification(int) scene/main/node.cpp:175
    #11 0x68311e in Node::_notificationv(int, bool) scene/main/node.h:46
    #12 0x4735562 in CanvasItem::_notificationv(int, bool) scene/2d/canvas_item.h:166
    #13 0x6c24e1c in Node2D::_notificationv(int, bool) scene/2d/node_2d.h:38
    #14 0x6fb5b3d in Joint2D::_notificationv(int, bool) scene/2d/joints_2d.h:40
    #15 0x6fbddb8 in DampedSpringJoint2D::_notificationv(int, bool) scene/2d/joints_2d.h:123
    #16 0xe14d45d in Object::notification(int, bool) core/object.cpp:929
    #17 0xe1389cf in Object::_predelete() core/object.cpp:387
    #18 0xe179652 in predelete_handler(Object*) core/object.cpp:2055
    #19 0x4a26f9b in void memdelete<Node>(Node*) core/os/memory.h:114
    #20 0x499ebbf in Node::_notification(int) scene/main/node.cpp:175
    #21 0x68311e in Node::_notificationv(int, bool) scene/main/node.h:46
    #22 0x4735562 in CanvasItem::_notificationv(int, bool) scene/2d/canvas_item.h:166
    #23 0x4747bbc in Control::_notificationv(int, bool) scene/gui/control.h:48
    #24 0x474a366 in Container::_notificationv(int, bool) scene/gui/container.h:38
    #25 0x474cbb4 in BoxContainer::_notificationv(int, bool) (/home/rafal/Projekty/Godot/FFF/New.x86_64+0x474cbb4)
    #26 0x474f76c in HBoxContainer::_notificationv(int, bool) (/home/rafal/Projekty/Godot/FFF/New.x86_64+0x474f76c)
    #27 0xe14d45d in Object::notification(int, bool) core/object.cpp:929
    #28 0xe1389cf in Object::_predelete() core/object.cpp:387
    #29 0xe179652 in predelete_handler(Object*) core/object.cpp:2055

previously allocated by thread T0 here:
    #0 0x7f00f15a8517 in malloc (/lib/x86_64-linux-gnu/libasan.so.6+0xb0517)
    #1 0xe91524b in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:82
    #2 0xe9151e8 in operator new(unsigned long, char const*) core/os/memory.cpp:42
    #3 0x3645dca in RasterizerSceneGLES3::light_instance_create(RID) drivers/gles3/rasterizer_scene_gles3.cpp:1001
    #4 0xa22b129 in VisualServerScene::instance_set_base(RID, RID) servers/visual/visual_server_scene.cpp:572
    #5 0xa2015b4 in VisualServerRaster::instance_set_base(RID, RID) servers/visual/visual_server_raster.h:546
    #6 0xa5e804d in VisualServerWrapMT::instance_set_base(RID, RID) servers/visual/visual_server_wrap_mt.h:468
    #7 0x6382759 in Light::Light(VisualServer::LightType) scene/3d/light.cpp:305
    #8 0x638f8d3 in OmniLight::OmniLight() scene/3d/light.cpp:466
    #9 0x48ebc5a in Object* ClassDB::creator<OmniLight>() (/home/rafal/Projekty/Godot/FFF/New.x86_64+0x48ebc5a)
    #10 0xdead4fc in ClassDB::instance(StringName const&) core/class_db.cpp:559
    #11 0xf276a9c in _ClassDB::instance(StringName const&) const core/bind/core_bind.cpp:2900
    #12 0x98d7ef in MethodBind1RC<Variant, StringName const&>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:1333
    #13 0xe14ce0b in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:919
    #14 0xe51a726 in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1149
    #15 0x1818cbc in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1083
    #16 0x169b160 in GDScriptInstance::call_multilevel(StringName const&, Variant const**, int) modules/gdscript/gdscript.cpp:1224
    #17 0x4993ebd in Node::_notification(int) scene/main/node.cpp:60
    #18 0x68311e in Node::_notificationv(int, bool) scene/main/node.h:46
    #19 0xe14d45d in Object::notification(int, bool) core/object.cpp:929
    #20 0x4ae702f in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:992
    #21 0x4ad3baf in SceneTree::idle(float) scene/main/scene_tree.cpp:529
    #22 0x654184 in Main::iteration() main/main.cpp:2117
    #23 0x50830c in OS_X11::run() platform/x11/os_x11.cpp:3641
    #24 0x466d7b in main platform/x11/godot_x11.cpp:56
    #25 0x7f00f042f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free core/rid.h:163 in RID_Owner<RasterizerSceneGLES3::LightInstance>::getornull(RID const&)


JFonS commented Mar 16, 2021

That's weird... that part of the code doesn't seem related to my changes in #46694.

Did you spot any similar issues with rendering and multithreading before merging #46694? I think the RID system in 3.x has issues when running release builds in multithread mode.


qarmin commented Mar 16, 2021

I haven't checked if the second error occurred before, but in my opinion it's quite likely that it has existed for some time in Godot.
I don't think that this is a multithreading problem, because address sanitizer shows that allocation, deletion and use after free are all done in thread 0.

@akien-mga akien-mga modified the milestones: 3.2, 3.3 Mar 17, 2021

qarmin commented Mar 24, 2021

If anyone wants to work on this issue without needing to test it on their own computer, I prepared CI (works on the 3.x branch) - https://github.com/qarmin/RegressionTestProject/pull/24/checks?check_run_id=2178045514

I think that due to the very similar address sanitizer logs, OmniLight needs a similar fix with invalidating the RID.
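A stand-alone illustration of the "invalidating RID" direction discussed in this thread, added here and not code from the Godot project or from anyone in the thread. It models the owner lookups seen in the traces (`owns` / `getornull`) with a hypothetical generation-checked handle table: a handle cached by a render-list element after `Light::~Light` has freed the instance is rejected from the owner's own table, rather than being validated by reading through freed memory. `LightInstanceOwner`, `Handle` and the sample light ids are constructed for the example.

```cpp
#include <cstdint>
#include <vector>

// Constructed stand-in for the object freed in the traces (not Godot's type).
struct LightInstance { int light_id; };

// A handle is a slot index plus a generation counter. Validity is decided from
// the owner's own table, never by reading through the (possibly freed) object.
struct Handle { uint32_t slot; uint32_t gen; };

class LightInstanceOwner {
    struct Slot {
        LightInstance *ptr;  // nullptr while the slot is free
        uint32_t gen;        // bumped on every free, so old handles stop matching
    };
    std::vector<Slot> slots;

public:
    Handle create(int light_id) {
        for (uint32_t i = 0; i < slots.size(); ++i) {
            if (!slots[i].ptr) {  // reuse a freed slot: same index, newer generation
                slots[i].ptr = new LightInstance{light_id};
                return Handle{i, slots[i].gen};
            }
        }
        slots.push_back(Slot{new LightInstance{light_id}, 1});
        return Handle{static_cast<uint32_t>(slots.size() - 1), 1};
    }
    bool owns(Handle h) const {
        return h.slot < slots.size() && slots[h.slot].ptr != nullptr &&
               slots[h.slot].gen == h.gen;
    }
    LightInstance *getornull(Handle h) {
        return owns(h) ? slots[h.slot].ptr : nullptr;
    }
    void free(Handle h) {
        if (!owns(h)) return;  // stale or double free: ignored, not a crash
        delete slots[h.slot].ptr;
        slots[h.slot].ptr = nullptr;
        slots[h.slot].gen++;
    }
    ~LightInstanceOwner() {
        for (Slot &s : slots) delete s.ptr;
    }
};

// The sequence from the traces: a render-list element caches the handle, the
// scene node's destructor frees the instance, another light reuses the slot,
// and the next frame looks the cached handle up again.
bool stale_handle_is_rejected() {
    LightInstanceOwner owner;
    Handle cached = owner.create(1);
    owner.free(cached);                // Light::~Light -> instance_set_base -> free
    Handle reused = owner.create(2);   // same slot index, generation 2
    owner.free(cached);                // second free of the stale handle is a no-op
    return reused.slot == cached.slot && owner.getornull(cached) == nullptr &&
           owner.getornull(reused) != nullptr && owner.getornull(reused)->light_id == 2;
}
```

The generation check catches the slot-reuse case too, which an index-only or pointer-only check would miss once another light lands in the same slot.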


qarmin commented Mar 26, 2021

CI https://github.com/qarmin/RegressionTestProject/runs/2199440090 now also crashes with SpotLight, so probably all types of lights need to be fixed

@akien-mga akien-mga modified the milestones: 3.3, 3.4 Sep 25, 2021
@akien-mga akien-mga modified the milestones: 3.4, 3.5 Nov 8, 2021
@KoBeWi KoBeWi modified the milestones: 3.5, 3.x Apr 23, 2024