Importing Student Art Gallery.glb crashes #57362

Closed
Tracked by #57416
fire opened this issue Jan 28, 2022 · 4 comments

Comments

@fire
Member

fire commented Jan 28, 2022

Godot version

4.0 dev 82d412a

System information

Windows 11, Nvidia 3000 series, Vulkan

Issue description

Importing Student Art Gallery.glb crashes Godot.

My best guess is LOD generation with out-of-bounds usage of the normals array. @JFonS

================================================================
CrashHandlerException: Program crashed
Engine version: Godot Engine v4.0.alpha.custom_build (82d412a96193e4c3142eb8036b19a38035455135)
Dumping the backtrace. Please include this when reporting the bug on https://github.com/godotengine/godot/issues
[0] oidnUnmapBuffer
[1] oidnUnmapBuffer
[2] oidnUnmapBuffer
[3] oidnUnmapBuffer
[4] oidnUnmapBuffer
[5] oidnUnmapBuffer
[6] oidnUnmapBuffer
[7] oidnUnmapBuffer
[8] oidnUnmapBuffer
[9] oidnUnmapBuffer
[10] oidnUnmapBuffer
[11] oidnUnmapBuffer
[12] oidnUnmapBuffer
[13] <couldn't map PC to fn name>
[14] <couldn't map PC to fn name>
[15] <couldn't map PC to fn name>
[16] <couldn't map PC to fn name>
[17] <couldn't map PC to fn name>
[18] oidnUnmapBuffer
[19] BaseThreadInitThunk
-- END OF BACKTRACE --
================================================================

Steps to reproduce

  1. Open project with the .godot folder deleted.
  2. Wait
  3. Crash

Minimal reproduction project

godot-gltf-sandbox.zip

@fire
Member Author

fire commented Jan 28, 2022

Report from https://github.khronos.org/glTF-Validator/:

{
    "uri": "Student%20Art%20Gallery.glb",
    "mimeType": "model/gltf-binary",
    "validatorVersion": "2.0.0-dev.3.4",
    "validatedAt": "2022-01-28T16:38:56.550Z",
    "issues": {
        "numErrors": 0,
        "numWarnings": 0,
        "numInfos": 9,
        "numHints": 0,
        "messages": [
            {
                "code": "UNSUPPORTED_EXTENSION",
                "message": "Cannot validate an extension as it is not supported by the validator: 'MOZ_hubs_components'.",
                "severity": 2,
                "pointer": "/extensionsUsed/0"
            },
            {
                "code": "NODE_EMPTY",
                "message": "Empty node encountered.",
                "severity": 2,
                "pointer": "/nodes/0"
            },
            {
                "code": "NODE_EMPTY",
                "message": "Empty node encountered.",
                "severity": 2,
                "pointer": "/nodes/4"
            },
            {
                "code": "NODE_EMPTY",
                "message": "Empty node encountered.",
                "severity": 2,
                "pointer": "/nodes/5"
            },
            {
                "code": "NODE_EMPTY",
                "message": "Empty node encountered.",
                "severity": 2,
                "pointer": "/nodes/15"
            },
            {
                "code": "NODE_EMPTY",
                "message": "Empty node encountered.",
                "severity": 2,
                "pointer": "/nodes/16"
            },
            {
                "code": "NODE_EMPTY",
                "message": "Empty node encountered.",
                "severity": 2,
                "pointer": "/nodes/17"
            },
            {
                "code": "NODE_EMPTY",
                "message": "Empty node encountered.",
                "severity": 2,
                "pointer": "/nodes/18"
            },
            {
                "code": "NODE_EMPTY",
                "message": "Empty node encountered.",
                "severity": 2,
                "pointer": "/nodes/19"
            }
        ],
        "truncated": false
    },
    "info": {
        "version": "2.0",
        "generator": "Mozilla Spoke 1.0.0.20211203163739",
        "extensionsUsed": [
            "MOZ_hubs_components",
            "KHR_materials_unlit"
        ],
        "resources": [
            {
                "pointer": "/buffers/0",
                "mimeType": "application/gltf-buffer",
                "storage": "glb",
                "byteLength": 4849108
            },
            {
                "pointer": "/images/0",
                "mimeType": "image/jpeg",
                "storage": "buffer-view",
                "image": {
                    "width": 2048,
                    "height": 2048,
                    "format": "rgb",
                    "bits": 8
                }
            },
            {
                "pointer": "/images/1",
                "mimeType": "image/jpeg",
                "storage": "buffer-view",
                "image": {
                    "width": 2048,
                    "height": 2048,
                    "format": "rgb",
                    "bits": 8
                }
            }
        ],
        "animationCount": 0,
        "materialCount": 5,
        "hasMorphTargets": false,
        "hasSkins": false,
        "hasTextures": true,
        "hasDefaultScene": true,
        "drawCallCount": 5,
        "totalVertexCount": 35301,
        "totalTriangleCount": 24483,
        "maxUVs": 1,
        "maxInfluences": 0,
        "maxAttributes": 2
    }
}

@fire
Member Author

fire commented Jan 28, 2022

Did an initial test but didn't cover all the cases.

diff --git a/scene/resources/importer_mesh.cpp b/scene/resources/importer_mesh.cpp
index 8af0a5533a..87055a4537 100644
--- a/scene/resources/importer_mesh.cpp
+++ b/scene/resources/importer_mesh.cpp
@@ -290,6 +290,7 @@ void ImporterMesh::generate_lods(float p_normal_merge_angle, float p_normal_spli
 		if (normals.is_empty()) {
 			normals.resize(vertices.size());
 			Vector3 *n_ptr = normals.ptrw();
+			ERR_FAIL_COND(normals.size() % 3);
 			for (unsigned int j = 0; j < index_count; j += 3) {
 				const Vector3 &v0 = vertices_ptr[indices_ptr[j + 0]];
 				const Vector3 &v1 = vertices_ptr[indices_ptr[j + 1]];
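Review bot: the new `ERR_FAIL_COND(normals.size() % 3);` guards the wrong quantity. `normals` was just resized to `vertices.size()`, and an indexed mesh can legitimately have a vertex count that is not a multiple of three, so this check rejects valid input; meanwhile the loop below iterates `index_count` and dereferences `vertices_ptr[indices_ptr[j + k]]`, and the sanitizer report later in this thread places the out-of-bounds write at importer_mesh.cpp:298, past the end of the normals buffer allocated at :290, which a divisibility check on `normals.size()` cannot prevent. Suggest `ERR_FAIL_COND(index_count % 3 != 0);` plus a bounds check of each `indices_ptr[j + k]` against `vertices.size()` before it is used to index the vertex or normal arrays.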
@@ -1051,7 +1052,9 @@ Error ImporterMesh::lightmap_unwrap_cached(const Transform3D &p_base_transform,
 		uv_indices.resize(vertex_ofs + vc);
 
 		for (int j = 0; j < vc; j++) {
+			ERR_FAIL_INDEX_V(j, rvertices.size(), ERR_INVALID_DATA);
 			Vector3 v = transform.xform(rvertices[j]);
+			ERR_FAIL_INDEX_V(j, rnormals.size(), ERR_INVALID_DATA);
 			Vector3 n = normal_basis.xform(rnormals[j]).normalized();
 
 			vertices[(j + vertex_ofs) * 3 + 0] = v.x;
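Review bot: both `ERR_FAIL_INDEX_V` checks sit inside the per-vertex loop and repeat on every iteration, and they return `ERR_INVALID_DATA` while the checks added to the same function in the later hunks return `FAILED`. Since `j` runs from 0 to `vc - 1`, a single `ERR_FAIL_COND_V(rvertices.size() < vc || rnormals.size() < vc, ERR_INVALID_DATA);` placed before the loop covers every access, and the error code should be consistent across the function.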
@@ -1069,6 +1072,7 @@ Error ImporterMesh::lightmap_unwrap_cached(const Transform3D &p_base_transform,
 		float eps = 1.19209290e-7F; // Taken from xatlas.h
 		if (ic == 0) {
 			for (int j = 0; j < vc / 3; j++) {
+				ERR_FAIL_INDEX_V(j * 3 + 0, rvertices.size(), FAILED);
 				Vector3 p0 = transform.xform(rvertices[j * 3 + 0]);
 				Vector3 p1 = transform.xform(rvertices[j * 3 + 1]);
 				Vector3 p2 = transform.xform(rvertices[j * 3 + 2]);
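Review bot: only `j * 3 + 0` is checked, but the same iteration reads `rvertices[j * 3 + 1]` and `rvertices[j * 3 + 2]`. Checking the largest index, `ERR_FAIL_INDEX_V(j * 3 + 2, rvertices.size(), FAILED);`, covers all three; alternatively check `rvertices.size() >= vc` once before the loop, since `j * 3 + 2 < vc` follows from the loop bound.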
@@ -1084,6 +1088,9 @@ Error ImporterMesh::lightmap_unwrap_cached(const Transform3D &p_base_transform,
 
 		} else {
 			for (int j = 0; j < ic / 3; j++) {
+				ERR_FAIL_INDEX_V(j * 3 + 0, rindices.size(), FAILED);
+				ERR_FAIL_INDEX_V(j * 3 + 1, rindices.size(), FAILED);
+				ERR_FAIL_INDEX_V(j * 3 + 2, rindices.size(), FAILED);
 				Vector3 p0 = transform.xform(rvertices[rindices[j * 3 + 0]]);
 				Vector3 p1 = transform.xform(rvertices[rindices[j * 3 + 1]]);
 				Vector3 p2 = transform.xform(rvertices[rindices[j * 3 + 2]]);
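Review bot: the three checks bound the position in `rindices` but not the value read from it, and that value is what indexes `rvertices` on the next three lines, so an index buffer whose entries exceed the vertex count still passes and the read past the end of `rvertices` is unchanged. Each `rindices[j * 3 + k]` should also be checked against `rvertices.size()` before `rvertices[rindices[j * 3 + k]]` is evaluated; a single `rindices.size() >= ic` check before the loop would then replace the three positional checks.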
@@ -1091,7 +1098,6 @@ Error ImporterMesh::lightmap_unwrap_cached(const Transform3D &p_base_transform,
 				if ((p0 - p1).length_squared() < eps || (p1 - p2).length_squared() < eps || (p2 - p0).length_squared() < eps) {
 					continue;
 				}
-
 				indices.push_back(vertex_ofs + rindices[j * 3 + 0]);
 				indices.push_back(vertex_ofs + rindices[j * 3 + 1]);
 				indices.push_back(vertex_ofs + rindices[j * 3 + 2]);
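Review bot: unrelated whitespace change; the blank line removed after the degenerate-triangle `continue` has nothing to do with the bounds checks and should be left out so the patch contains only the fix.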

@qarmin
Contributor

qarmin commented Jan 29, 2022

thirdparty/embree/kernels/bvh/../common/alloc.h:823:16: runtime error: index 1024 out of bounds for type 'char [1]'
=================================================================
==33742==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe2bb78c808 at pc 0x0000139e741c bp 0x7ffdf926fbe0 sp 0x7ffdf926fbd0
WRITE of size 12 at 0x7fe2bb78c808 thread T0
    #0 0x139e741b in ImporterMesh::generate_lods(float, float) scene/resources/importer_mesh.cpp:298
    #1 0xc9fefec in ResourceImporterScene::_generate_meshes(Node*, Dictionary const&, bool, bool, ResourceImporterScene::LightBakeMode, float, Vector<unsigned char> const&, Vector<Vector<unsigned char> >&) editor/import/resource_importer_scene.cpp:1550
    #2 0xca015df in ResourceImporterScene::_generate_meshes(Node*, Dictionary const&, bool, bool, ResourceImporterScene::LightBakeMode, float, Vector<unsigned char> const&, Vector<Vector<unsigned char> >&) editor/import/resource_importer_scene.cpp:1635
    #3 0xca015df in ResourceImporterScene::_generate_meshes(Node*, Dictionary const&, bool, bool, ResourceImporterScene::LightBakeMode, float, Vector<unsigned char> const&, Vector<Vector<unsigned char> >&) editor/import/resource_importer_scene.cpp:1635
    #4 0xca015df in ResourceImporterScene::_generate_meshes(Node*, Dictionary const&, bool, bool, ResourceImporterScene::LightBakeMode, float, Vector<unsigned char> const&, Vector<Vector<unsigned char> >&) editor/import/resource_importer_scene.cpp:1635
    #5 0xca0cb84 in ResourceImporterScene::import(String const&, String const&, Map<StringName, Variant, Comparator<StringName>, DefaultAllocator> const&, List<String, DefaultAllocator>*, List<String, DefaultAllocator>*, Variant*) editor/import/resource_importer_scene.cpp:1971
    #6 0xaf1c3f6 in EditorFileSystem::_reimport_file(String const&, Map<StringName, Variant, Comparator<StringName>, DefaultAllocator> const*, String const&) editor/editor_file_system.cpp:1878
    #7 0xaf2a8c6 in EditorFileSystem::reimport_files(Vector<String> const&) editor/editor_file_system.cpp:2127
    #8 0xaedf9c8 in EditorFileSystem::_update_scan_actions() editor/editor_file_system.cpp:626
    #9 0xaefadfa in EditorFileSystem::_notification(int) editor/editor_file_system.cpp:1214
    #10 0xaf416cb in EditorFileSystem::_notificationv(int, bool) (/usr/bin/godot4s+0xaf416cb)
    #11 0x199319c1 in Object::notification(int, bool) core/object/object.cpp:846
    #12 0x107b3df1 in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:855
    #13 0x107a6215 in SceneTree::process(double) scene/main/scene_tree.cpp:453
    #14 0x2445d1f in Main::iteration() main/main.cpp:2680
    #15 0x22beb8c in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:342
    #16 0x22acc39 in main platform/linuxbsd/godot_linuxbsd.cpp:58
    #17 0x7fe31ef96fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #18 0x7fe31ef9707c in __libc_start_main_impl ../csu/libc-start.c:409
    #19 0x22ac76d in _start (/usr/bin/godot4s+0x22ac76d)

0x7fe2bb78c810 is located 0 bytes to the right of 524304-byte region [0x7fe2bb70c800,0x7fe2bb78c810)
allocated by thread T0 here:
    #0 0x7fe31ff67808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x1847e423 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
    #2 0x2fa58bf in CowData<Vector3>::resize(int) core/templates/cowdata.h:292
    #3 0x2ef1ce6 in Vector<Vector3>::resize(int) core/templates/vector.h:90
    #4 0x139e6a14 in ImporterMesh::generate_lods(float, float) scene/resources/importer_mesh.cpp:290
    #5 0xc9fefec in ResourceImporterScene::_generate_meshes(Node*, Dictionary const&, bool, bool, ResourceImporterScene::LightBakeMode, float, Vector<unsigned char> const&, Vector<Vector<unsigned char> >&) editor/import/resource_importer_scene.cpp:1550
    #6 0xca015df in ResourceImporterScene::_generate_meshes(Node*, Dictionary const&, bool, bool, ResourceImporterScene::LightBakeMode, float, Vector<unsigned char> const&, Vector<Vector<unsigned char> >&) editor/import/resource_importer_scene.cpp:1635
    #7 0xca015df in ResourceImporterScene::_generate_meshes(Node*, Dictionary const&, bool, bool, ResourceImporterScene::LightBakeMode, float, Vector<unsigned char> const&, Vector<Vector<unsigned char> >&) editor/import/resource_importer_scene.cpp:1635
    #8 0xca015df in ResourceImporterScene::_generate_meshes(Node*, Dictionary const&, bool, bool, ResourceImporterScene::LightBakeMode, float, Vector<unsigned char> const&, Vector<Vector<unsigned char> >&) editor/import/resource_importer_scene.cpp:1635
    #9 0xca0cb84 in ResourceImporterScene::import(String const&, String const&, Map<StringName, Variant, Comparator<StringName>, DefaultAllocator> const&, List<String, DefaultAllocator>*, List<String, DefaultAllocator>*, Variant*) editor/import/resource_importer_scene.cpp:1971
    #10 0xaf1c3f6 in EditorFileSystem::_reimport_file(String const&, Map<StringName, Variant, Comparator<StringName>, DefaultAllocator> const*, String const&) editor/editor_file_system.cpp:1878
    #11 0xaf2a8c6 in EditorFileSystem::reimport_files(Vector<String> const&) editor/editor_file_system.cpp:2127
    #12 0xaedf9c8 in EditorFileSystem::_update_scan_actions() editor/editor_file_system.cpp:626
    #13 0xaefadfa in EditorFileSystem::_notification(int) editor/editor_file_system.cpp:1214
    #14 0xaf416cb in EditorFileSystem::_notificationv(int, bool) (/usr/bin/godot4s+0xaf416cb)
    #15 0x199319c1 in Object::notification(int, bool) core/object/object.cpp:846
    #16 0x107b3df1 in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:855
    #17 0x107a6215 in SceneTree::process(double) scene/main/scene_tree.cpp:453
    #18 0x2445d1f in Main::iteration() main/main.cpp:2680
    #19 0x22beb8c in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:342
    #20 0x22acc39 in main platform/linuxbsd/godot_linuxbsd.cpp:58
    #21 0x7fe31ef96fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow scene/resources/importer_mesh.cpp:298 in ImporterMesh::generate_lods(float, float)
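The sanitizer trace above pins the write to the normal-accumulation loop in `generate_lods`, one element past a buffer sized to the vertex count. As an added example (not Godot's code; `Vec3`, `validate_indices`, `generate_vertex_normals` and the constructed meshes are hypothetical stand-ins), this is the shape of check that prevents that write: validate the index buffer against the vertex count before the per-face loop dereferences it, and reject malformed data with an error instead of indexing out of bounds.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the engine's 3-component vector type (not Godot's Vector3).
struct Vec3 {
    float x = 0.0f, y = 0.0f, z = 0.0f;
};

static Vec3 sub(const Vec3 &a, const Vec3 &b) { return {a.x - b.x, a.y - b.y, a.z - b.z}; }

static Vec3 cross(const Vec3 &a, const Vec3 &b) {
    return {a.y * b.z - a.z * b.y, a.z * b.x - a.x * b.z, a.x * b.y - a.y * b.x};
}

static Vec3 normalized(const Vec3 &v) {
    float len = std::sqrt(v.x * v.x + v.y * v.y + v.z * v.z);
    if (len == 0.0f) {
        return v; // degenerate face: keep the zero vector rather than divide by zero
    }
    return {v.x / len, v.y / len, v.z / len};
}

enum class MeshError { OK, IndexCountNotTriangles, IndexOutOfRange };

// Check an index buffer against the vertex array it refers to. Both conditions must hold
// before any per-face loop dereferences `indices`: the count must be a whole number of
// triangles, and every index must address an existing vertex.
MeshError validate_indices(const std::vector<uint32_t> &indices, size_t vertex_count) {
    if (indices.size() % 3 != 0) {
        return MeshError::IndexCountNotTriangles;
    }
    for (uint32_t idx : indices) {
        if (idx >= vertex_count) {
            return MeshError::IndexOutOfRange;
        }
    }
    return MeshError::OK;
}

// Accumulate face normals into per-vertex normals. `out_normals` is sized to the vertex
// count, as the engine sizes its normals array, so an index >= vertex_count would write
// past the end of the buffer; validate_indices() runs first so that cannot happen.
MeshError generate_vertex_normals(const std::vector<Vec3> &vertices,
                                  const std::vector<uint32_t> &indices,
                                  std::vector<Vec3> &out_normals) {
    MeshError err = validate_indices(indices, vertices.size());
    if (err != MeshError::OK) {
        out_normals.clear();
        return err;
    }
    out_normals.assign(vertices.size(), Vec3{});
    for (size_t j = 0; j < indices.size(); j += 3) {
        const Vec3 &v0 = vertices[indices[j + 0]];
        const Vec3 &v1 = vertices[indices[j + 1]];
        const Vec3 &v2 = vertices[indices[j + 2]];
        Vec3 n = cross(sub(v1, v0), sub(v2, v0)); // area-weighted face normal
        for (size_t k = 0; k < 3; k++) {
            Vec3 &acc = out_normals[indices[j + k]];
            acc.x += n.x;
            acc.y += n.y;
            acc.z += n.z;
        }
    }
    for (Vec3 &n : out_normals) {
        n = normalized(n);
    }
    return MeshError::OK;
}

// Constructed cases: one valid triangle in the XY plane, then two malformed index buffers
// of the kind a damaged asset could carry. Returns true when the valid mesh gets +Z normals
// and both malformed buffers are rejected without touching the normals array.
bool run_constructed_cases() {
    const std::vector<Vec3> tri = {{0, 0, 0}, {1, 0, 0}, {0, 1, 0}};
    std::vector<Vec3> normals;

    if (generate_vertex_normals(tri, {0, 1, 2}, normals) != MeshError::OK) return false;
    for (const Vec3 &n : normals) {
        if (std::fabs(n.x) > 1e-6f || std::fabs(n.y) > 1e-6f || std::fabs(n.z - 1.0f) > 1e-6f) return false;
    }
    // Index 3 names a fourth vertex that does not exist: exactly the write that would land
    // one element past a 3-entry normals buffer.
    if (generate_vertex_normals(tri, {0, 1, 3}, normals) != MeshError::IndexOutOfRange) return false;
    // Two indices cannot form a triangle; an unchecked loop would read indices[2] off the end.
    if (generate_vertex_normals(tri, {0, 1}, normals) != MeshError::IndexCountNotTriangles) return false;
    return normals.empty();
}

int main() {
    bool ok = run_constructed_cases();
    std::printf("constructed cases %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The check is deliberately done once over the whole index buffer rather than per iteration inside the face loop: it is cheaper, it makes the error path a clean early return before any output is written, and it is the same validation whether the consumer is LOD generation, normal generation or lightmap unwrapping.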

@fire
Member Author

fire commented Sep 23, 2022

I cannot reproduce this crash anymore in Godot Engine beta 1.

@fire fire closed this as completed Sep 23, 2022