[Bf-blender-cvs] [830150c7b9e] master: Depsgraph: Guarantee order of backup of action and ID using it

Mon Jan 13 12:18:36 CET 2020

Commit: 830150c7b9e07a7e2d464ab16c7b14fd82a6968a
Author: Sergey Sharybin
Date:   Mon Jan 13 12:10:20 2020 +0100
Branches: master
https://developer.blender.org/rB830150c7b9e07a7e2d464ab16c7b14fd82a6968a

Depsgraph: Guarantee order of backup of action and ID using it

It was possible to have object copy-on-write happening during
action's copy-on-write, which was causing access to a freed
memory from animation backup.

Solves crash reported in T73029.

===================================================================

M	source/blender/depsgraph/intern/builder/deg_builder_relations.cc
M	source/blender/depsgraph/intern/eval/deg_eval_runtime_backup_animation.cc

===================================================================

diff --git a/source/blender/depsgraph/intern/builder/deg_builder_relations.cc b/source/blender/depsgraph/intern/builder/deg_builder_relations.cc
index 3e0ab9684da..a3439f80e4b 100644
--- a/source/blender/depsgraph/intern/builder/deg_builder_relations.cc
+++ b/source/blender/depsgraph/intern/builder/deg_builder_relations.cc
@@ -2674,6 +2674,21 @@ void DepsgraphRelationBuilder::build_copy_on_write_relations(IDNode *id_node)
       BLI_assert(object->type == OB_EMPTY);
     }
   }
+
+  /* Copy-on-write of write will iterate over f-curves to store current values corresponding
+   * to their RNA path. This means that action must be copied prior to the ID's copy-on-write,
+   * otherwise depsgraph might try to access freed data. */
+  AnimData *animation_data = BKE_animdata_from_id(id_orig);
+  if (animation_data != NULL) {
+    if (animation_data->action != NULL) {
+      OperationKey action_copy_on_write_key(
+          &animation_data->action->id, NodeType::COPY_ON_WRITE, OperationCode::COPY_ON_WRITE);
+      add_relation(action_copy_on_write_key,
+                   copy_on_write_key,
+                   "Eval Order",
+                   RELATION_FLAG_GODMODE | RELATION_FLAG_NO_FLUSH);
+    }
+  }
 }
 
 /* **** ID traversal callbacks functions **** */
diff --git a/source/blender/depsgraph/intern/eval/deg_eval_runtime_backup_animation.cc b/source/blender/depsgraph/intern/eval/deg_eval_runtime_backup_animation.cc
index ec3ab6edc17..d5f29006434 100644
--- a/source/blender/depsgraph/intern/eval/deg_eval_runtime_backup_animation.cc
+++ b/source/blender/depsgraph/intern/eval/deg_eval_runtime_backup_animation.cc
@@ -114,9 +114,8 @@ void AnimationBackup::restore_to_id(ID *id)
   for (const AnimationValueBackup &value_backup : values_backup) {
     /* Resolve path to the property.
      *
-     * NOTE: Do it again (after storing), since the sub-data [ointers might be
-     * changed after copy-on-write.
-     */
+     * NOTE: Do it again (after storing), since the sub-data pointers might be
+     * changed after copy-on-write. */
     PathResolvedRNA resolved_rna;
     if (!BKE_animsys_store_rna_setting(&id_pointer_rna,
                                        value_backup.rna_path.c_str(),

