Status: Won't Fix
Votes: 0
Found in: 2022.3.20f1, 2023.2.10f1, 2023.3.0b8, 6000.0.0b11, 6000.1.0a7, 6000.2.0a1
Issue ID: UUM-64823
Regression: No
Crash on tlsf_free when exiting the Play mode in a specific project
Reproduction steps:
1. Open the attached project "CrashRepro"
2. Enter the Play mode
3. Press space a few times
4. Exit the Play mode
Expected result: The Play mode stops
Actual result: Editor crashes
Reproducible with: 2022.3.20f1, 2023.2.10f1, 2023.3.0b8
Couldn't test with: 2021.3.35f1 - "error CS0234: The type or namespace name 'Properties' does not exist in the namespace 'Unity'"
Reproducible on: Windows 10
Not reproducible on: No other environment tested
First few lines of stack trace:
```
0x00007ff6fb4041b4 (Unity) tlsf_free
0x00007ff6f91d08db (Unity) DynamicHeapAllocator::Deallocate
0x00007ff6f91de4c2 (Unity) DelayedPointerDeletionManager::CleanupPendingMainThreadPointersInternal
0x00007ff6f91ddc44 (Unity) DualThreadAllocator<DynamicHeapAllocator>::Allocate
0x00007ff6f91cf731 (Unity) MemoryManager::Allocate
```
Notes:
- Can freeze instead of crashing; sometimes crashes silently
- Can crash a few seconds after entering the Play mode
Resolution Note:
This is caused by user code trampling memory and thus cannot be fixed on our side. Unity.Collections.LowLevel.Unsafe.UnsafeUtility.WriteArrayElementWithStride performs no bounds checking for performance reasons; using it incorrectly can corrupt memory, which, depending on what gets overwritten, may or may not crash the Unity Editor.
The issue here is present in TrainingRoom.cs in EndEpisode:
```
if (startingPosition != null)
{
    //agent.transform.position = startingPosition.position;
    //agent.transform.rotation = Quaternion.Euler(0f, Random.Range(-180f, 180f), 0f);
    Vector3 newPos = startingPosition.position;
    agent.GetComponent<Obi.ObiSoftbody>().Teleport(newPos, Quaternion.identity);
}
```
I haven't dug too much into the actual cause, but Teleport() triggers out-of-bounds writes to native allocations (allocated via UnsafeUtility); these out-of-bounds writes trample memory and will cause a variety of problems.
The user can see these writes by modifying ObiNativeList.cs and adding a log and early return (to prevent the write from trampling memory) to the array index operator, e.g.:
```
public T this[int index]
{
    get
    {
        return UnsafeUtility.ReadArrayElementWithStride<T>(m_AlignedPtr, index, m_Stride);
    }
    set
    {
        // Diagnostic only: surface the bad index and skip the write so it
        // cannot corrupt whatever sits after the allocation.
        if (index >= m_Capacity)
        {
            Debug.Log("OOB Write - Ignoring");
            return;
        }
        UnsafeUtility.WriteArrayElementWithStride<T>(m_AlignedPtr, index, m_Stride, value);
        if (m_ComputeBuffer != null)
            m_ComputeBuffer.SetData(AsNativeArray<T>(), index, index, 1);
    }
}
```
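The snippet above is a diagnostic: it logs and silently drops the bad write, which stops the corruption but also hides the logic error that produced the index. As an added example (not Obi's ObiNativeList, not Unity code), here is a hypothetical `CheckedNativeList<T>` wrapper around the same `UnsafeUtility` calls that checks both reads and writes, rejects negative indices with a single unsigned comparison, and throws so the offending index shows up in the Editor's stack trace instead of in a later `tlsf_free` crash. The check is gated on `ENABLE_UNITY_COLLECTIONS_CHECKS`, the define Unity's own containers use, so it is active in the Editor and development builds and compiled out of release builds where the unchecked performance is wanted.

```csharp
using System;
using Unity.Collections;
using Unity.Collections.LowLevel.Unsafe;

// Added example, not code from the issue or from Obi/Unity: a minimal unmanaged
// list whose indexer refuses out-of-bounds access instead of letting the
// unchecked UnsafeUtility.*ArrayElementWithStride calls touch memory past the
// allocation. Field names mirror the snippet above but are assumptions.
public unsafe struct CheckedNativeList<T> : IDisposable where T : unmanaged
{
    private void* m_Ptr;            // start of the native allocation
    private int m_Capacity;         // number of elements the allocation can hold
    private int m_Stride;           // bytes between consecutive elements
    private Allocator m_Allocator;  // needed again on Free

    public CheckedNativeList(int capacity, Allocator allocator)
    {
        if (capacity <= 0)
            throw new ArgumentOutOfRangeException(nameof(capacity));
        m_Capacity = capacity;
        m_Stride = UnsafeUtility.SizeOf<T>();
        m_Allocator = allocator;
        long bytes = (long)m_Stride * capacity;
        m_Ptr = UnsafeUtility.Malloc(bytes, UnsafeUtility.AlignOf<T>(), allocator);
        UnsafeUtility.MemClear(m_Ptr, bytes); // no stale heap contents readable through the indexer
    }

    public int Capacity => m_Capacity;

    // Casting to uint turns a negative index into a huge value, so one comparison
    // rejects both index < 0 and index >= capacity. The [Conditional] attribute
    // removes the call entirely when ENABLE_UNITY_COLLECTIONS_CHECKS is not defined.
    [System.Diagnostics.Conditional("ENABLE_UNITY_COLLECTIONS_CHECKS")]
    private void CheckIndex(int index)
    {
        if ((uint)index >= (uint)m_Capacity)
            throw new IndexOutOfRangeException(
                $"Index {index} is out of range for a CheckedNativeList of capacity {m_Capacity}.");
    }

    public T this[int index]
    {
        get
        {
            // Reads are checked as well: an out-of-bounds read discloses whatever
            // lives next to the allocation, even if it does not crash.
            CheckIndex(index);
            return UnsafeUtility.ReadArrayElementWithStride<T>(m_Ptr, index, m_Stride);
        }
        set
        {
            // Throw rather than silently dropping the write: the caller's index
            // computation is the bug, and dropping the write would mask it.
            CheckIndex(index);
            UnsafeUtility.WriteArrayElementWithStride<T>(m_Ptr, index, m_Stride, value);
        }
    }

    public void Dispose()
    {
        if (m_Ptr != null)
        {
            UnsafeUtility.Free(m_Ptr, m_Allocator);
            m_Ptr = null;
            m_Capacity = 0;
        }
    }
}
```

With this in place, an index like the one produced during `Teleport()` raises `IndexOutOfRangeException` at the first bad access in the Editor, which is the point where the stack trace still names the caller that computed the index; the original report's `tlsf_free` frame only shows where the damage was eventually noticed. The `Allocator.Persistent` or `Allocator.TempJob` choice at construction time and the `Dispose()` call remain the caller's responsibility, as with Unity's `NativeArray<T>`.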