Status: Won't Fix
Votes: 0
Found in: 2022.3.20f1, 2023.2.10f1, 2023.3.0b8, 6000.0.0b11, 6000.1.0a7, 6000.2.0a1, 7000.0.0a1
Issue ID: UUM-64823
Regression: No
Crash on tlsf_free when exiting the Play mode in a specific project
Reproduction steps:
1. Open the attached project "CrashRepro"
2. Enter the Play mode
3. Press space a few times
4. Exit the Play mode
Expected result: The Play mode stops
Actual result: Editor crashes
Reproducible with: 2022.3.20f1, 2023.2.10f1, 2023.3.0b8
Couldn't test with: 2021.3.35f1 - "error CS0234: The type or namespace name 'Properties' does not exist in the namespace 'Unity'"
Reproducible on: Windows 10
Not reproducible on: No other environment tested
First few lines of stack trace:
```
0x00007ff6fb4041b4 (Unity) tlsf_free
0x00007ff6f91d08db (Unity) DynamicHeapAllocator::Deallocate
0x00007ff6f91de4c2 (Unity) DelayedPointerDeletionManager::CleanupPendingMainThreadPointersInternal
0x00007ff6f91ddc44 (Unity) DualThreadAllocator<DynamicHeapAllocator>::Allocate
0x00007ff6f91cf731 (Unity) MemoryManager::Allocate
```
Notes:
Can freeze instead of crash, sometimes crashes silently
Can crash a few seconds after entering the Play mode
Resolution Note:
This is caused by user code trampling memory and thus cannot be fixed on our side. Unity.Collections.LowLevel.Unsafe.UnsafeUtility.WriteArrayElementWithStride performs no bounds checking for performance reasons; using it incorrectly can corrupt memory, which, depending on what gets overwritten, may or may not crash the Unity Editor.
The issue here is present in TrainingRoom.cs in EndEpisode:
```csharp
if (startingPosition != null)
{
    //agent.transform.position = startingPosition.position;
    //agent.transform.rotation = Quaternion.Euler(0f, Random.Range(-180f, 180f), 0f);
    Vector3 newPos = startingPosition.position;
    // Teleport() is where the out-of-bounds native writes originate.
    agent.GetComponent<Obi.ObiSoftbody>().Teleport(newPos, Quaternion.identity);
}
```
I haven't dug too much into the actual cause, but Teleport() triggers out-of-bounds writes to native allocations (allocated via UnsafeUtility); these out-of-bounds writes trample memory and will cause a variety of problems.
The user can see these writes by modifying ObiNativeList.cs and adding a log and early return (to prevent the write trampling memory) to the array index operator, e.g.:
```csharp
public T this[int index]
{
    get
    {
        return UnsafeUtility.ReadArrayElementWithStride<T>(m_AlignedPtr, index, m_Stride);
    }
    set
    {
        // Diagnostic only: the unsigned compare also rejects negative indexes.
        // Logging and returning stops the write from trampling memory so the
        // offending call can be observed instead of crashing later in tlsf_free.
        if ((uint)index >= (uint)m_Capacity)
        {
            Debug.Log("OOB Write - Ignoring");
            return;
        }
        UnsafeUtility.WriteArrayElementWithStride<T>(m_AlignedPtr, index, m_Stride, value);
        if (m_ComputeBuffer != null)
            m_ComputeBuffer.SetData(AsNativeArray<T>(), index, index, 1);
    }
}
```
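A fail-fast variant of the same idea, added here as an example and not code from Obi or Unity: the indexer throws on an out-of-bounds index so the stack trace names the caller, and the check compiles out of release players. The class name, the field names and the Demo method are assumptions; it assumes a Unity project with "Allow 'unsafe' code" enabled and the Unity.Collections package.

```csharp
// Added example, not Obi's or Unity's code. Assumes a Unity project with "Allow 'unsafe' code"
// enabled and the Unity.Collections package; the class and field names are placeholders.
using System;
using Unity.Collections;
using Unity.Collections.LowLevel.Unsafe;
using UnityEngine;

// Stride-based native list whose indexer fails fast instead of silently ignoring OOB writes.
public unsafe sealed class CheckedNativeList<T> : IDisposable where T : unmanaged
{
    readonly void* m_AlignedPtr;
    readonly int m_Capacity;
    readonly int m_Stride;

    public CheckedNativeList(int capacity, int stride)
    {
        if (capacity <= 0 || stride < UnsafeUtility.SizeOf<T>())
            throw new ArgumentOutOfRangeException(nameof(capacity), "capacity must be positive and stride at least SizeOf<T>()");
        m_Capacity = capacity;
        m_Stride = stride;
        // Exactly capacity * stride bytes belong to this list; any write past them lands in a neighbouring allocation.
        m_AlignedPtr = UnsafeUtility.Malloc((long)capacity * stride, UnsafeUtility.AlignOf<T>(), Allocator.Persistent);
    }

    public T this[int index]
    {
        get { CheckIndex(index); return UnsafeUtility.ReadArrayElementWithStride<T>(m_AlignedPtr, index, m_Stride); }
        set { CheckIndex(index); UnsafeUtility.WriteArrayElementWithStride<T>(m_AlignedPtr, index, m_Stride, value); }
    }

    // Unsigned compare rejects negative indexes too. Throwing, rather than logging and returning, puts
    // the offending caller (e.g. Teleport()) at the top of the stack trace. The check compiles out where
    // ENABLE_UNITY_COLLECTIONS_CHECKS is undefined (release players), so shipped builds stay unchecked.
    [System.Diagnostics.Conditional("ENABLE_UNITY_COLLECTIONS_CHECKS")]
    void CheckIndex(int index)
    {
        if ((uint)index >= (uint)m_Capacity)
            throw new IndexOutOfRangeException($"Index {index} is outside capacity {m_Capacity}");
    }

    public void Dispose() => UnsafeUtility.Free(m_AlignedPtr, Allocator.Persistent);

    // Usage: index 3 is the last valid slot; index 4 throws in the Editor instead of trampling memory.
    public static void Demo()
    {
        using var list = new CheckedNativeList<Vector3>(4, UnsafeUtility.SizeOf<Vector3>());
        list[3] = Vector3.one;
        try { list[4] = Vector3.zero; }
        catch (IndexOutOfRangeException e) { Debug.LogWarning(e.Message); }
    }
}
```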