[Sketcher] Crash in "Convert to NURBS"


Re: [Sketcher] Crash in "Convert to NURBS"

Post by TheMarkster »

I think it happens here in this destructor when removing all the children:

https://github.com/FreeCAD/FreeCAD/blob ... r.cpp#L379

Code:

EditModeCoinManager::~EditModeCoinManager()
{
    Gui::coinRemoveAllChildren(editModeScenegraphNodes.EditRoot);
    ViewProviderSketchCoinAttorney::removeNodeFromRoot(viewProvider, editModeScenegraphNodes.EditRoot);
    editModeScenegraphNodes.EditRoot->unref();
}

But I couldn't work out a way to prevent the crash. I thought it might be removing non-existent children, but that is not it, or maybe it is. It counts the number of children, and then removes them in a loop. Maybe the count is wrong or something else is deleting them in a different thread. I tried adding some test code in the loop to count the children again each iteration, but this just crashes things.

Maybe this will help someone more familiar with the code to solve the issue.

Re: [Sketcher] Crash in "Convert to NURBS"

Post by wmayer »

Confirmed. Please open a bug report.

When running it in a debugger then this is the call stack I get:

Code:

1  __GI_raise                                                                                                                             raise.c                 51   0x7fffecffbfb7 
2  __GI_abort                                                                                                                             abort.c                 79   0x7fffecffd921 
3  __libc_message                                                                                                                         libc_fatal.c            181  0x7fffed046967 
4  malloc_printerr                                                                                                                        malloc.c                5342 0x7fffed04d9da 
5  munmap_chunk                                                                                                                           malloc.c                2846 0x7fffed054fbc 
6  __GI___libc_free                                                                                                                       malloc.c                3127 0x7fffed054fbc 
7  SoMFColor::allocValues(int)                                                                                                                                         0x7ffff1ce614a 
8  SoMField::deleteValues(int, int)                                                                                                                                    0x7ffff1d027a7 
9  SoMFColor::~SoMFColor()                                                                                                                                             0x7ffff1ce6091 
10 SoMaterial::~SoMaterial()                                                                                                                                           0x7ffff1dc7560 
11 SoMaterial::~SoMaterial()                                                                                                                                           0x7ffff1dc7589 
12 SoBase::destroy()                                                                                                                                                   0x7ffff1d6af7a 
13 SoBaseList::truncate(int)                                                                                                                                           0x7ffff1d604a2 
14 SoChildList::~SoChildList()                                                                                                                                         0x7ffff1d70c1b 
15 SoGroup::~SoGroup()                                                                                                                                                 0x7ffff1dbfe48 
16 SoSeparator::~SoSeparator()                                                                                                                                         0x7ffff1dda929 
17 SoBase::destroy()                                                                                                                                                   0x7ffff1d6af7a 
18 SoBaseList::truncate(int)                                                                                                                                           0x7ffff1d604a2 
19 SoChildList::~SoChildList()                                                                                                                                         0x7ffff1d70c1b 
20 SoGroup::~SoGroup()                                                                                                                                                 0x7ffff1dbfe48 
21 SmSwitchboard::~SmSwitchboard                                                                                                          SmSwitchboard.cpp       120  0x7ffff6242c2f 
22 SmSwitchboard::~SmSwitchboard                                                                                                          SmSwitchboard.cpp       119  0x7ffff6242c59 
23 SoBase::destroy()                                                                                                                                                   0x7ffff1d6af7a 
24 SoBaseList::remove(int)                                                                                                                                             0x7ffff1d60418 
25 SoGroup::removeChild(int)                                                                                                                                           0x7ffff1dc0c9a 
26 Gui::coinRemoveAllChildren                                                                                                             ViewProvider.cpp        83   0x7ffff6418c95 
27 SketcherGui::EditModeCoinManager::~EditModeCoinManager                                                                                 EditModeCoinManager.cpp 379  0x7fff7c904e53 
28 std::default_delete<SketcherGui::EditModeCoinManager>::operator()                                                                      unique_ptr.h            78   0x7fff7c96c2bb 
29 std::unique_ptr<SketcherGui::EditModeCoinManager, std::default_delete<SketcherGui::EditModeCoinManager>>::reset                        unique_ptr.h            371  0x7fff7c973746 
30 std::unique_ptr<SketcherGui::EditModeCoinManager, std::default_delete<SketcherGui::EditModeCoinManager>>::operator=(decltype(nullptr)) unique_ptr.h            307  0x7fff7c964e17 
31 SketcherGui::ViewProviderSketch::unsetEdit                                                                                             ViewProviderSketch.cpp  2904 0x7fff7c958a3b 
32 Gui::ViewProvider::finishEditing                                                                                                       ViewProvider.cpp        165  0x7ffff6419516 
33 Gui::Document::_resetEdit                                                                                                              Document.cpp            463  0x7ffff5d91162 
34 Gui::Application::setEditDocument                                                                                                      Application.cpp         1071 0x7ffff5cd365d 
35 Gui::Document::resetEdit                                                                                                               Document.cpp            450  0x7ffff5d91e1f 
36 Gui::DocumentPy::resetEdit                                                                                                             DocumentPyImp.cpp       169  0x7ffff5e18037 
37 Gui::DocumentPy::staticCallback_resetEdit                                                                                              DocumentPy.cpp          537  0x7ffff5e131e4 
38 _PyCFunction_FastCallDict                                                                                                                                           0x7ffff2bdb53b 
39 ??                                                                                                                                                                  0x7ffff2b441ec 
40 _PyEval_EvalFrameDefault                                                                                                                                            0x7ffff2b4a303 
41 ??                                                                                                                                                                  0x7ffff2b43a0f 
42 PyEval_EvalCodeEx                                                                                                                                                   0x7ffff2b444ce 
43 PyEval_EvalCode                                                                                                                                                     0x7ffff2b4524b 
44 PyRun_StringFlags                                                                                                                                                   0x7ffff2b1684b 
45 Base::InterpreterSingleton::runString[abi:cxx11](const char *)                                                                         Interpreter.cpp         252  0x7ffff39b0277 
46 Gui::Command::_runCommand                                                                                                              Command.cpp             687  0x7ffff5eae70f 
47 Gui::Command::_doCommand                                                                                                               Command.cpp             646  0x7ffff5eae588 
48 SketcherGui::TaskDlgEditSketch::reject                                                                                                 TaskDlgEditSketch.cpp   114  0x7fff7c9b6a4d 
49 Gui::TaskView::TaskView::reject                                                                                                        TaskView.cpp            813  0x7ffff63228ab 
50 Gui::TaskView::TaskView::qt_static_metacall                                                                                            moc_TaskView.cpp        355  0x7ffff632313d 
51 QMetaObject::activate(QObject *, int, int, void * *)                                                                                                                0x7fffee3ff525 
52 ??                                                                                                                                                                  0x7fffef2e0698 
53 QMetaObject::activate(QObject *, int, int, void * *)                                                                                                                0x7fffee3ff525 
54 QAbstractButton::clicked(bool)                                                                                                                                      0x7fffef23fb12 
55 ??                                                                                                                                                                  0x7fffef23fd2a 
56 ??                                                                                                                                                                  0x7fffef24110a 
57 QAbstractButton::mouseReleaseEvent(QMouseEvent *)                                                                                                                   0x7fffef2412fd 
58 QWidget::event(QEvent *)                                                                                                                                            0x7fffef18d038 
59 QApplicationPrivate::notify_helper(QObject *, QEvent *)                                                                                                             0x7fffef14e83c 
60 QApplication::notify(QObject *, QEvent *)                                                                                                                           0x7fffef15665f 
61 Gui::GUIApplication::notify                                                                                                            GuiApplication.cpp      89   0x7ffff5e4a38f 
62 QCoreApplication::notifyInternal2(QObject *, QEvent *)                                                                                                              0x7fffee3d08a8 
63 QApplicationPrivate::sendMouseEvent(QWidget *, QMouseEvent *, QWidget *, QWidget *, QWidget * *, QPointer<QWidget>&, bool)                                          0x7fffef155632 
64 ??                                                                                                                                                                  0x7fffef1a815b 
65 ??                                                                                                                                                                  0x7fffef1aa7ca 
66 QApplicationPrivate::notify_helper(QObject *, QEvent *)                                                                                                             0x7fffef14e83c 
67 QApplication::notify(QObject *, QEvent *)                                                                                                                           0x7fffef156104 
68 Gui::GUIApplication::notify                                                                                                            GuiApplication.cpp      89   0x7ffff5e4a38f 
69 QCoreApplication::notifyInternal2(QObject *, QEvent *)                                                                                                              0x7fffee3d08a8 
70 QGuiApplicationPrivate::processMouseEvent(QWindowSystemInterfacePrivate::MouseEvent *)                                                                              0x7fffee9925eb 
71 QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent *)                                                                0x7fffee9940b5 
72 QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>)                                                                               0x7fffee96b33b 
73 ??                                                                                                                                                                  0x7fffe0a86260 
74 g_main_context_dispatch                                                                                                                                             0x7fffea89d537 
75 ??                                                                                                                                                                  0x7fffea89d770 
76 g_main_context_iteration                                                                                                                                            0x7fffea89d7fc 
77 QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>)                                                                                          0x7fffee42985f 
78 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>)                                                                                                             0x7fffee3ce8da 
79 QCoreApplication::exec()                                                                                                                                            0x7fffee3d7984 
80 Gui::Application::runApplication                                                                                                       Application.cpp         2268 0x7ffff5cdc5d9 
81 main                                                                                                                                   MainGui.cpp             293  0x40ad3b       

Re: [Sketcher] Crash in "Convert to NURBS"

Post by jnxd »

I believe PR #6403 fixes this, at least for this case.

When looking in gdb I noticed that a larger set of entities is selected than when we select one at a time (even the vertices). Clearing the selection before making any changes makes both cases the same. So as such the clearSelection() doesn't solve the bug directly but indirectly.
My latest (or last) project: B-spline Construction Project.

Re: [Sketcher] Crash in "Convert to NURBS"

Post by jnxd »

wmayer wrote: Mon Feb 21, 2022 9:10 pm Confirmed. Please open a bug report.
Thanks for confirming. Here you go: https://github.com/FreeCAD/FreeCAD/issues/6424.
My latest (or last) project: B-spline Construction Project.

Re: [Sketcher] Crash in "Convert to NURBS"

Post by wmayer »

jnxd wrote: Mon Feb 21, 2022 9:51 pm I believe PR #6403 fixes this, at least for this case.

When looking in gdb I noticed that a larger set of entities is selected than when we select one at a time (even the vertices). Clearing the selection before making any changes makes both cases the same.
When doing the procedure with an address-sanitizer build we get much more details about the crash. The summary of the report is:
==12246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6100001e8d34 at pc 0x00000049d94a bp 0x7ffcb64839d0 sp 0x7ffcb6483198
#0 0x4ce1ed in operator new[](unsigned long) (/home/werner/Projects/build_asan/bin/FreeCAD+0x4ce1ed)
#1 0x7f80c8eb2216 in SoMFColor::allocValues(int) (/usr/lib/x86_64-linux-gnu/libCoin.so.80c+0x36e216)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/werner/Projects/build_asan/bin/FreeCAD+0x49d949) in __asan_memcpy
The callstack is:

Code:

    #0 0x49d949 in __asan_memcpy (/home/werner/Projects/build_asan/bin/FreeCAD+0x49d949)
    #1 0x7f806ec71012 in SketcherGui::EditModeGeometryCoinManager::updateGeometryColor(Sketcher::GeoListModel<std::unique_ptr<Sketcher::GeometryFacade const, std::default_delete<Sketcher::GeometryFacade const> > > const&, bool)::$_4::operator()(int) const /home/werner/Projects/FreeCAD/src/Mod/Sketcher/Gui/EditModeGeometryCoinManager.cpp:314:51
    #2 0x7f806ec709d5 in std::_Function_handler<void (int), SketcherGui::EditModeGeometryCoinManager::updateGeometryColor(Sketcher::GeoListModel<std::unique_ptr<Sketcher::GeometryFacade const, std::default_delete<Sketcher::GeometryFacade const> > > const&, bool)::$_4>::_M_invoke(std::_Any_data const&, int&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
    #3 0x7f806ed43fa2 in std::function<void (int)>::operator()(int) const /usr/bin/../lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
    #4 0x7f806ed30598 in SketcherGui::ViewProviderSketch::executeOnSelectionPointSet(std::function<void (int)>&&) const /home/werner/Projects/FreeCAD/src/Mod/Sketcher/Gui/ViewProviderSketch.cpp:3557:9
    #5 0x7f806ec71f4f in SketcherGui::ViewProviderSketchCoinAttorney::executeOnSelectionPointSet(SketcherGui::ViewProviderSketch const&, std::function<void (int)>&&) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/Gui/ViewProviderSketchCoinAttorney.h:248:8
    #6 0x7f806ec68f88 in SketcherGui::EditModeGeometryCoinManager::updateGeometryColor(Sketcher::GeoListModel<std::unique_ptr<Sketcher::GeometryFacade const, std::default_delete<Sketcher::GeometryFacade const> > > const&, bool) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/Gui/EditModeGeometryCoinManager.cpp:310:9
    #7 0x7f806ec457d2 in SketcherGui::EditModeCoinManager::updateColor(Sketcher::GeoListModel<std::unique_ptr<Sketcher::GeometryFacade const, std::default_delete<Sketcher::GeometryFacade const> > > const&) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/Gui/EditModeCoinManager.cpp:618:35
    #8 0x7f806ed1185b in SketcherGui::ViewProviderSketch::draw(bool, bool) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/Gui/ViewProviderSketch.cpp:2548:25
    #9 0x7f806ed203d9 in SketcherGui::ViewProviderSketch::updateData(App::Property const*) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/Gui/ViewProviderSketch.cpp:2606:17
    #10 0x7f80cf0b6677 in Gui::ViewProvider::update(App::Property const*) /home/werner/Projects/FreeCAD/src/Gui/ViewProvider.cpp:312:5
    #11 0x7f80cf116e63 in Gui::ViewProviderDocumentObject::update(App::Property const*) /home/werner/Projects/FreeCAD/src/Gui/ViewProviderDocumentObject.cpp:397:23
    #12 0x7f80cdf33052 in Gui::Document::slotChangedObject(App::DocumentObject const&, App::Property const&) /home/werner/Projects/FreeCAD/src/Gui/Document.cpp:804:27
    #13 0x7f80cdf995a1 in boost::_mfi::mf2<void, Gui::Document, App::DocumentObject const&, App::Property const&>::operator()(Gui::Document*, App::DocumentObject const&, App::Property const&) const /usr/include/boost/bind/mem_fn_template.hpp:280:29
<snip>
...
   #28 0x7f80cb45012d in App::Document::onChangedProperty(App::DocumentObject const*, App::Property const*) /home/werner/Projects/FreeCAD/src/App/Document.cpp:1525:5
    #29 0x7f80cb7a9df4 in App::DocumentObject::onChanged(App::Property const*) /home/werner/Projects/FreeCAD/src/App/DocumentObject.cpp:791:16
    #30 0x7f807dc966f0 in Part::Feature::onChanged(App::Property const*) /home/werner/Projects/FreeCAD/src/Mod/Part/App/PartFeature.cpp:563:17
    #31 0x7f8070788967 in Sketcher::SketchObject::onChanged(App::Property const*) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/App/SketchObject.cpp:7945:25
    #32 0x7f80cbb72be9 in App::Property::hasSetValue() /home/werner/Projects/FreeCAD/src/App/Property.cpp:229:17
    #33 0x7f8070bcf324 in Sketcher::PropertyConstraintList::acceptGeometry(std::vector<Part::Geometry*, std::allocator<Part::Geometry*> > const&) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/App/PropertyConstraintList.cpp:379:5
    #34 0x7f80706fc163 in Sketcher::SketchObject::acceptGeometry() /home/werner/Projects/FreeCAD/src/Mod/Sketcher/App/SketchObject.cpp:853:17
    #35 0x7f8070788479 in Sketcher::SketchObject::onChanged(App::Property const*) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/App/SketchObject.cpp:7883:25
    #36 0x7f80cbb7273e in App::Property::touch() /home/werner/Projects/FreeCAD/src/App/Property.cpp:216:17
    #37 0x7f807076cd1d in Sketcher::SketchObject::convertToNURBS(int) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/App/SketchObject.cpp:5651:14
    #38 0x7f8070b69869 in Sketcher::SketchObjectPy::convertToNURBS(_object*) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/App/SketchObjectPyImp.cpp:1495:37
    #39 0x7f8070b3dfc5 in Sketcher::SketchObjectPy::staticCallback_convertToNURBS(_object*, _object*) /home/werner/Projects/build_asan/src/Mod/Sketcher/App/SketchObjectPy.cpp:3101:61
    #40 0x7f80cc85253a in _PyCFunction_FastCallDict (/usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0+0x21353a)
    #41 0x7f80cc7bb1eb  (/usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0+0x17c1eb)
    #42 0x7f80cc7c1302 in _PyEval_EvalFrameDefault (/usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0+0x182302)
    #43 0x7f80cc7baa0e  (/usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0+0x17ba0e)
    #44 0x7f80cc7bb4cd in PyEval_EvalCodeEx (/usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0+0x17c4cd)
    #45 0x7f80cc7bc24a in PyEval_EvalCode (/usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0+0x17d24a)
    #46 0x7f80cc78d84a in PyRun_StringFlags (/usr/lib/x86_64-linux-gnu/libpython3.6m.so.1.0+0x14e84a)
    #47 0x7f80ca5b6c10 in Base::InterpreterSingleton::runString[abi:cxx11](char const*) /home/werner/Projects/FreeCAD/src/Base/Interpreter.cpp:252:15
    #48 0x7f80ce254a73 in Gui::Command::_runCommand(char const*, int, Gui::Command::DoCmd_Type, char const*) /home/werner/Projects/FreeCAD/src/Gui/Command.cpp:691:29
    #49 0x7f80ce254649 in Gui::Command::_doCommand(char const*, int, Gui::Command::DoCmd_Type, char const*, ...) /home/werner/Projects/FreeCAD/src/Gui/Command.cpp:650:5
    #50 0x7f806e94cc6d in void Gui::cmdAppObjectArgs<int&>(App::DocumentObject const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int&) /home/werner/Projects/FreeCAD/src/Gui/CommandT.h:312:9
    #51 0x7f806eaa1fe4 in CmdSketcherConvertToNURB::activated(int) /home/werner/Projects/FreeCAD/src/Mod/Sketcher/Gui/CommandSketcherBSpline.cpp:409:13
So as such the clearSelection() doesn't solve the bug directly but indirectly.
It cures the symptoms but the question is what's the actual bug underneath.

Re: [Sketcher] Crash in "Convert to NURBS"

Post by wmayer »

The report is very helpful because it directly points to the problematic code part: EditModeGeometryCoinManager.cpp:314
The code block there is:

Code:

                auto pointindex = coinMapping.getIndexLayer(i);
                if (layerId == pointindex.layerId && pointindex.fieldIndex < PtNum) {
                    pcolor[pointindex.fieldIndex] = (preselectpointmfid == pointindex)
                        ? drawingParameters.PreselectSelectedColor : drawingParameters.SelectColor;
                }

When replacing the selected arc with a B-Spline then it happens that "pointindex.fieldIndex" becomes -1 and using a negative value to access an array is not a good idea.

So, the crash is fixed with git commit 86c91d71a1
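
Added example, not part of the post above and not FreeCAD code: a reduced model of the guard quoted from EditModeGeometryCoinManager.cpp:314, showing why a signed index of -1 passes an upper-bound-only check and how a full range check rejects it. All names (`LayerIndex`, `sampleMapping`, `colorSelection`) and the sample data are hypothetical, and the hardened guard is an assumption, not the content of commit 86c91d71a1.

```cpp
// Added illustration: hypothetical stand-ins, not FreeCAD source.
#include <cstddef>
#include <cstdio>
#include <map>
#include <vector>

enum Color { Default = 0, Select = 1 };

// Stand-in for the (layerId, fieldIndex) pair the coin mapping returns.
struct LayerIndex {
    int layerId;
    int fieldIndex;
};

// Guard as quoted in the post: signed index, upper bound only.
bool upperBoundOnly(int layerId, const LayerIndex& idx, int ptNum) {
    return layerId == idx.layerId && idx.fieldIndex < ptNum;
}

// Assumed hardened guard: reject negative indices before any array access.
bool fullRange(int layerId, const LayerIndex& idx, int ptNum) {
    return layerId == idx.layerId && idx.fieldIndex >= 0 && idx.fieldIndex < ptNum;
}

// Constructed sample: point id -> index. Id 3 models a selected point whose
// geometry was replaced, leaving its field index at -1 as described in the post.
std::map<int, LayerIndex> sampleMapping() {
    return {{1, {0, 0}}, {2, {0, 1}}, {3, {0, -1}}, {4, {1, 0}}};
}

struct ColorUpdate {
    std::vector<Color> colors;  // one entry per point in the layer
    std::vector<int> stale;     // selected ids rejected by the hardened guard
    int unsafeWrites = 0;       // writes the quoted guard would have allowed
};

ColorUpdate colorSelection(const std::map<int, LayerIndex>& mapping,
                           const std::vector<int>& selection,
                           int layerId, int ptNum) {
    ColorUpdate out;
    out.colors.assign(static_cast<std::size_t>(ptNum), Default);
    for (int id : selection) {
        auto it = mapping.find(id);
        if (it == mapping.end())
            continue;  // id unknown to the mapping: nothing to color
        const LayerIndex& idx = it->second;
        if (fullRange(layerId, idx, ptNum)) {
            out.colors[static_cast<std::size_t>(idx.fieldIndex)] = Select;
        } else if (upperBoundOnly(layerId, idx, ptNum)) {
            // Passed the quoted check but is out of bounds: this is the
            // pcolor[-1] write that AddressSanitizer reported.
            ++out.unsafeWrites;
            out.stale.push_back(id);
        }
    }
    return out;
}

int main() {
    ColorUpdate r = colorSelection(sampleMapping(), {1, 3, 4}, 0, 2);
    std::printf("point0 selected=%d stale=%zu unsafe=%d\n",
                r.colors[0] == Select, r.stale.size(), r.unsafeWrites);
    return 0;
}
```
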

Re: [Sketcher] Crash in "Convert to NURBS"

Post by jnxd »

wmayer wrote: Thu Feb 24, 2022 11:32 am
When doing the procedure with an address-sanitizer build we get much more details about the crash.
This sounds like a useful tool.
So as such the clearSelection() doesn't solve the bug directly but indirectly.
It cures the symptoms but the question is what's the actual bug underneath.
Indeed, I did realize it only cures the symptom. But the selection would have to be cleared at some point before the tool finishes, so I decided to keep it. With the bugfix the line is no longer needed so I removed it again.
wmayer wrote: Thu Feb 24, 2022 11:52 am When replacing the selected arc with a B-Spline then it happens that "pointindex.fieldIndex" becomes -1 and using a negative value to access an array is not a good idea.
More like "is a recipe for disaster". Thanks for fixing the issue!
My latest (or last) project: B-spline Construction Project.

Re: [Sketcher] Crash in "Convert to NURBS"

Post by wmayer »

jnxd wrote: Thu Feb 24, 2022 4:34 pm But the selection would have to be cleared at some point before the tool finishes, so I decided to keep it. With the bugfix the line is no longer needed so I removed it again.
It probably makes sense to clear the selection but at least the comment should be changed because it's not true any more.

Re: [Sketcher] Crash in "Convert to NURBS"

Post by jnxd »

wmayer wrote: Thu Feb 24, 2022 5:39 pm
jnxd wrote: Thu Feb 24, 2022 4:34 pm But the selection would have to be cleared at some point before the tool finishes, so I decided to keep it. With the bugfix the line is no longer needed so I removed it again.
It probably makes sense to clear the selection but at least the comment should be changed because it's not true any more.
As I mentioned I removed the line entirely since the selection is cleared somewhere down the line.
My latest (or last) project: B-spline Construction Project.