NVIDIAGameWorks / PhysX-3.4

NVIDIA PhysX SDK 3.4
https://www.nvidia.com/

Crash in Gu::RTree::traverseOBB in iOS Builds of PhysX 3.4.1 #58

Closed WombatZilla closed 6 years ago

WombatZilla commented 6 years ago

Hi,

I grabbed the latest version of PhysX (3.4.1 Release @2313170) because I was interested in using PxContactModifyCallback to modify friction and restitution. However, when I use this version of PhysX on iOS ARM64 devices (I tried both iPad Air 2 and iPhone6) I get an EXC_BAD_ACCESS crash in Gu::RTree::traverseOBB() inside the loop that is incrementing stackPtr and storing PxU32's to the memory location that it points to.

My test case involves a triangle mesh and a thousand rigid bodies with compound shapes (each composed of a box, sphere and capsule) falling onto the triangle mesh. When I run this test in debug the function above throws a lot of asserts before finally crashing.

The following asserts are triggered:

PX_ASSERT((uintptr_t(mPages) & 127) == 0);

PX_ASSERT(mPageSize == 4 || mPageSize == 8);

The data in the RTree looks very wrong - mTotalNodes, mPageSize, mNumLevels and mNumRootPages are all 1065353216 (which is 0x3f800000 in hex or 1.0f as a float). As a result the loop that walks the 128 element sized stack will walk off the end of the stack and stomp memory because mNumRootPages is so large.

I've attached a symbolicated crash log from one of the devices.

When I run the same test case on Android, win32 or win64 the simulation runs without crashing and the RTree structure contains what looks like sensible data (mTotalNodes = 9528, mTotalPages = 2382, mPageSize = 4, mNumRootPages = 1).

Regards,

Richard Hunton Senior Programmer EA Firemonkeys

sandbox_debug_crash_log.txt sandbox_release_crash_log.txt
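A defensive check for the failure described in the report above, as an added example that is not PhysX code and not part of the original thread: it rejects a tree header whose counts hold float data or break the two asserted invariants before any traversal stack write happens. The `RTreeHeader` struct, the `validate` and `seedStack` functions and the count invariants are hypothetical, built only from the field names and values quoted in the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical stand-in for the fields named in the report; not the real
// Gu::RTree layout.
struct RTreeHeader {
    uint32_t mNumRootPages, mNumLevels, mTotalNodes, mTotalPages, mPageSize;
    const void* mPages;
};

const uint32_t kStackSize = 128;  // traversal stack size given in the report

enum class RTreeCheck { Ok, FloatData, BadAlignment, BadPageSize, BadCounts };

// Bit pattern of 1.0f, computed rather than hard-coded (0x3f800000 on IEEE-754).
static uint32_t floatOneBits() {
    const float one = 1.0f;
    uint32_t bits;
    std::memcpy(&bits, &one, sizeof bits);
    return bits;
}

RTreeCheck validate(const RTreeHeader& h) {
    const uint32_t f1 = floatOneBits();
    // The reported signature: integer counts holding float data.
    if (h.mPageSize == f1 || h.mNumRootPages == f1 || h.mNumLevels == f1)
        return RTreeCheck::FloatData;
    // The two invariants asserted in the debug build.
    if (h.mPages == nullptr || (reinterpret_cast<uintptr_t>(h.mPages) & 127) != 0)
        return RTreeCheck::BadAlignment;
    if (h.mPageSize != 4 && h.mPageSize != 8)
        return RTreeCheck::BadPageSize;
    // Assumed invariants: roots fit on the stack, and nodes == pages * page size
    // (holds for the healthy values in the report: 2382 * 4 == 9528).
    if (h.mNumRootPages == 0 || h.mNumRootPages > kStackSize ||
        uint64_t(h.mTotalPages) * h.mPageSize != h.mTotalNodes)
        return RTreeCheck::BadCounts;
    return RTreeCheck::Ok;
}

// Seeds the traversal stack with root page indices; writes nothing and returns 0
// when the header fails validation, so a corrupt count cannot run past the stack.
uint32_t seedStack(const RTreeHeader& h, uint32_t (&stack)[kStackSize]) {
    if (validate(h) != RTreeCheck::Ok) return 0;
    for (uint32_t i = 0; i < h.mNumRootPages; ++i) stack[i] = i;
    return h.mNumRootPages;
}
```
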

AlesBorovicka commented 6 years ago

Hi Richard,

Not sure what is going on here. I have tried quickly to modify our snippet triangle mesh create and run it locally on my iPad 2017 and all seems to work correctly (a BVH33 (rtree) midphase triangle mesh and some boxes falling on the mesh). Could you please try the attached modified snippet, if that works for you?

Additionally you can try to change the midphase to newer BVH34 midphase:

PxCookingParams params = gCooking->getParams();
// Create BVH34 midphase
params.midphaseDesc = PxMeshMidPhase::eBVH34;

Do you use some custom allocator in your project?

Regards, Ales

SnippetTriangleMeshCreate.zip

WombatZilla commented 6 years ago

Hi Ales,

Thanks for that. We are using BVH33, 16 bit indices and a custom allocator. Your modified snippet doesn't crash for me either. So I'll have a go at reproducing my situation by extending the snippet code and send it back if I can repro my crash.

Regards,

Richard Hunton Senior Programmer EA Firemonkeys

WombatZilla commented 6 years ago

Hi,

It turned out that the crash I was seeing with 3.4.1 on iOS was probably due to a mistake on my part to do with how I built the iOS libraries. With a fresh checkout and build of 3.4.1 the issue I was seeing has gone away. Thanks for the help.

Regards,

Richard Hunton Senior Programmer EA Firemonkeys