Gltf-viewer: SegFault when reading .glb files

Testing on Linux (Mint/Ubuntu Xenial), gltf-viewer crashes when loading some .glb files. I investigated with a debug-enabled build and the backtrace is:

#0  Extension::extract_bytes (this=this@entry=0x7fffffffc240, size=size@entry=12676) at dtool/src/prc/streamReader_ext.cxx:25
#1  0x00007ffff45bc438 in Dtool_StreamReader_extract_bytes_436 (self=, arg=) at built/tmp/libp3prc_igate.cxx:14038
#2  0x0000000000528af6 in PyEval_EvalFrameEx ()
#3  0x000000000052d2b9 in ?? ()
#4  0x0000000000528ee2 in PyEval_EvalFrameEx ()
#5  0x00000000005287c4 in PyEval_EvalFrameEx ()
#6  0x000000000052d2b9 in ?? ()
#7  0x0000000000528ee2 in PyEval_EvalFrameEx ()
#8  0x000000000052d2b9 in ?? ()
#9  0x0000000000528ee2 in PyEval_EvalFrameEx ()
#10 0x000000000052e10b in PyEval_EvalCodeEx ()
#11 0x00000000004ec3e8 in ?? ()
#12 0x00000000005bc037 in PyObject_Call ()
#13 0x00007ffff4a7e4ed in PythonThread::call_python_func (function=0x7fffed710488, args=args@entry=0x7fffe5bfbea0) at panda/src/pipeline/pythonThread.cxx:137
#14 0x00007ffff4a8dcb6 in PythonLoaderFileType::load_file (this=0x18e7380, path=..., options=..., record=0x0) at panda/src/pgraph/pythonLoaderFileType.cxx:349
#15 0x00007ffff3918000 in Loader::try_load_file (this=this@entry=0x17cb6a0, pathname=..., options=..., requested_type=requested_type@entry=0x18e7380) at panda/src/pgraph/loader.cxx:354
#16 0x00007ffff3919057 in Loader::load_file (this=0x17cb6a0, filename=..., options=...) at panda/src/pgraph/loader.cxx:248
#17 0x00007ffff46b8231 in Loader::load_sync (options=..., filename=..., this=) at built/include/loader.I:156
#18 Dtool_Loader_load_sync_1637 (self=, args=, kwds=) at built/tmp/libp3pgraph_igate.cxx:1047
#19 0x00000000004ea117 in PyCFunction_Call ()
#20 0x00000000005243f4 in PyEval_EvalFrameEx ()
#21 0x000000000052d2b9 in ?? ()
#22 0x0000000000528ee2 in PyEval_EvalFrameEx ()
#23 0x000000000052e84a in PyEval_EvalCodeEx ()
#24 0x00000000004ec373 in ?? ()
#25 0x00000000005bc037 in PyObject_Call ()
#26 0x00000000004f489e in ?? ()
#27 0x00000000005bc037 in PyObject_Call ()
#28 0x000000000054e9b9 in ?? ()
#29 0x000000000055851c in ?? ()
#30 0x00000000005bc037 in PyObject_Call ()
#31 0x0000000000528cef in PyEval_EvalFrameEx ()
#32 0x00000000005287c4 in PyEval_EvalFrameEx ()
#33 0x000000000052d2b9 in ?? ()
#34 0x000000000052dfbf in PyEval_EvalCode ()
#35 0x00000000005fc652 in ?? ()
#36 0x00000000005feafa in PyRun_FileExFlags ()
#37 0x00000000005fecec in PyRun_SimpleFileExFlags ()
#38 0x000000000063ec96 in Py_Main ()
#39 0x00000000004d02e1 in main ()

It seems that in Extension<StreamReader>::extract_bytes the variable buffer, a pointer to an allocated buffer from alloca(size) is corrupted or the heap itself is corrupted, in any case gdb can’t dump the memory at that location. The size variable seems ok, it looks like the size of the buffer being read.

Reading the same model as .gltf works though (but it’s extremely slow, I’ll make another post about that problem).

Model used for test: https://github.com/KhronosGroup/glTF-Sample-Models/tree/master/2.0/MetalRoughSpheres

I think we might just have exceeded the amount of memory we can safely allocate using alloca.

When you find issues, please report them on the bug tracker; otherwise it’s too easy to lose track of them.
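The reply above points at an alloca(size) whose size comes straight out of the file. As an added example that is not part of this thread or of Panda3D, here is a minimal GLB chunk walker in C that checks every length field against the bytes actually present before allocating, and takes the payload from the heap rather than the stack; the function and sample names (glb_count_chunks, SAMPLE_GLB_*) are hypothetical and the sample bytes are constructed.

```c
/* Added example; not Panda3D's or the gltf-viewer's code. Walks the GLB
 * header and chunk list, rejecting any length that disagrees with the
 * buffer, and never sizes a stack allocation from the input. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GLB_MAGIC 0x46546C67u   /* "glTF" read as a little-endian uint32 */

static uint32_t rd_u32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of chunks, or -1 if the header or any chunkLength
 * disagrees with the buffer. Each payload is copied into a malloc'd
 * buffer (a real loader would hand it to the JSON/BIN consumer). */
int glb_count_chunks(const uint8_t *buf, size_t len) {
    if (len < 12 || rd_u32(buf) != GLB_MAGIC || rd_u32(buf + 4) != 2) return -1;
    uint32_t declared = rd_u32(buf + 8);
    if (declared > len) return -1;             /* header claims more than we hold */
    size_t off = 12;
    int n = 0;
    while (off < declared) {
        if (declared - off < 8) return -1;     /* no room for a chunk header */
        uint32_t clen = rd_u32(buf + off);
        off += 8;
        if (clen > declared - off) return -1;  /* chunkLength runs past the file */
        if (clen % 4 != 0) return -1;          /* GLB chunks are 4-byte aligned */
        uint8_t *payload = malloc(clen ? clen : 1);  /* heap, never alloca(clen) */
        if (!payload) return -1;
        memcpy(payload, buf + off, clen);
        free(payload);
        off += clen;
        n++;
    }
    return n;
}

/* Constructed samples: a valid 36-byte GLB with a JSON and a BIN chunk,
 * and a 20-byte file whose first chunkLength claims 12676 bytes. */
const uint8_t SAMPLE_GLB_OK[] = {
    0x67,0x6C,0x54,0x46, 0x02,0x00,0x00,0x00, 0x24,0x00,0x00,0x00,
    0x04,0x00,0x00,0x00, 0x4A,0x53,0x4F,0x4E, '{','}',' ',' ',
    0x04,0x00,0x00,0x00, 0x42,0x49,0x4E,0x00, 0x01,0x02,0x03,0x04 };
const uint8_t SAMPLE_GLB_BAD[] = {
    0x67,0x6C,0x54,0x46, 0x02,0x00,0x00,0x00, 0x14,0x00,0x00,0x00,
    0x84,0x31,0x00,0x00, 0x4A,0x53,0x4F,0x4E };
```

Passing the valid sample returns 2; the oversized chunkLength and a truncated copy of the valid sample both return -1 before any allocation is sized from the bad value.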

Here it is https://github.com/panda3d/panda3d/issues/754

Usually I start a post here when I’m not confident it’s an actual problem in Panda or not sure what exactly the problem is (though here my intuition was wrong…).