Status: Won't Fix
Votes: 0
Found in: 2022.3.20f1, 2023.2.10f1, 2023.3.0b8, 6000.0.0b11, 6000.1.0a7, 6000.2.0a1, 7000.0.0a1
Issue ID: UUM-64823
Regression: No
Crash on tlsf_free when exiting the Play mode in a specific project
Reproduction steps:
1. Open the attached project "CrashRepro"
2. Enter the Play mode
3. Press space a few times
4. Exit the Play mode
Expected result: The Play mode stops
Actual result: Editor crashes
Reproducible with: 2022.3.20f1, 2023.2.10f1, 2023.3.0b8
Couldn't test with: 2021.3.35f1 - "error CS0234: The type or namespace name 'Properties' does not exist in the namespace 'Unity'"
Reproducible on: Windows 10
Not reproducible on: No other environment tested
First few lines of stack trace:
```
0x00007ff6fb4041b4 (Unity) tlsf_free
0x00007ff6f91d08db (Unity) DynamicHeapAllocator::Deallocate
0x00007ff6f91de4c2 (Unity) DelayedPointerDeletionManager::CleanupPendingMainThreadPointersInternal
0x00007ff6f91ddc44 (Unity) DualThreadAllocator<DynamicHeapAllocator>::Allocate
0x00007ff6f91cf731 (Unity) MemoryManager::Allocate
```
Notes:
Can freeze instead of crash, sometimes crashes silently
Can crash a few seconds after entering the Play mode
Resolution Note:
This is caused by user code trampling memory and thus cannot be fixed on our side. Unity.Collections.LowLevel.Unsafe.UnsafeUtility.WriteArrayElementWithStride performs no bounds checking for performance reasons; using it incorrectly can corrupt memory, which, depending on what gets overwritten, may or may not crash the Unity Editor.
The issue here is present in TrainingRoom.cs in EndEpisode:
```
if (startingPosition != null)
{
    //agent.transform.position = startingPosition.position;
    //agent.transform.rotation = Quaternion.Euler(0f, Random.Range(-180f, 180f), 0f);
    Vector3 newPos = startingPosition.position;
    agent.GetComponent<Obi.ObiSoftbody>().Teleport(newPos, Quaternion.identity);
}
```
I haven't dug too much into the actual cause, but the Teleport() triggers out-of-bounds writes to native allocations (allocated via UnsafeUtility); these out-of-bounds writes are trampling memory and will cause a variety of problems.
The user can see these writes by modifying ObiNativeList.cs and adding a log and early return (to prevent the write trampling memory) to the array index operator, e.g.:
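```
public T this[int index]
{
    get
    {
        return UnsafeUtility.ReadArrayElementWithStride<T>(m_AlignedPtr, index, m_Stride);
    }
    set
    {
        // Diagnostic guard: log and drop any write at or past the allocated capacity
        // instead of letting it land outside the native allocation.
        if (index >= m_Capacity)
        {
            Debug.Log("OOB Write - Ignoring");
            return;
        }
        // In-range write; WriteArrayElementWithStride itself performs no bounds check.
        UnsafeUtility.WriteArrayElementWithStride<T>(m_AlignedPtr, index, m_Stride, value);
        if (m_ComputeBuffer != null)
            m_ComputeBuffer.SetData(AsNativeArray<T>(), index, index, 1);
    }
}
```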
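Why an unchecked strided write faults later, in the allocator's free path, rather than at the write itself: the following C model is an added example, not code from Unity or Obi. The `strided_list` type, its guard bytes (standing in for allocator bookkeeping next to a block) and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  16    /* guard bytes after the payload; they stand in for the */
#define GUARD_BYTE 0xA5  /* allocator bookkeeping that sits next to a real block */
/* Hypothetical strided list: capacity in elements, stride in bytes per element. */
typedef struct { unsigned char *base; int capacity, stride; } strided_list;

static int list_init(strided_list *l, int capacity, int stride) {
    size_t payload = (size_t)capacity * (size_t)stride;
    l->base = malloc(payload + GUARD_LEN);
    if (!l->base) return -1;
    memset(l->base, 0, payload);
    memset(l->base + payload, GUARD_BYTE, GUARD_LEN);
    l->capacity = capacity;
    l->stride = stride;
    return 0;
}

/* No bounds check: the caller alone is responsible for index and size. */
static void write_unchecked(strided_list *l, int index, const void *v, size_t n) {
    memcpy(l->base + (size_t)index * (size_t)l->stride, v, n);
}

/* Rejects negative or past-capacity indices and elements wider than the stride. */
static int write_checked(strided_list *l, int index, const void *v, size_t n) {
    if (index < 0 || index >= l->capacity || n > (size_t)l->stride) return -1;
    write_unchecked(l, index, v, n);
    return 0;
}

/* What an integrity check at free time would see: 1 = intact, 0 = trampled. */
static int guard_intact(const strided_list *l) {
    const unsigned char *g = l->base + (size_t)l->capacity * (size_t)l->stride;
    for (int i = 0; i < GUARD_LEN; i++) if (g[i] != GUARD_BYTE) return 0;
    return 1;
}

int main(void) {
    strided_list l;
    float v[3] = {1.0f, 2.0f, 3.0f};                 /* constructed sample element */
    if (list_init(&l, 4, 12) != 0) return 1;
    int rc = write_checked(&l, 4, v, sizeof v);      /* rejected: index == capacity */
    write_unchecked(&l, 4, v, sizeof v);             /* lands in the guard, no fault yet */
    printf("checked rc=%d, guard intact=%d\n", rc, guard_intact(&l));
    free(l.base);
    return 0;
}
```

The guard region is placed inside the same allocation so the demonstration stays well-defined; in a real heap the same write would land on neighbouring blocks or allocator metadata.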