Strange destruction bug

Hi, I’m suddenly getting this weird crash when shutting down the editor. This is where it happens:

void FMallocTBB::Free( void* Ptr )
{
	if( !Ptr )
	{
		return;
	}
	MEM_TIME(MemTime -= FPlatformTime::Seconds())
#if UE_BUILD_DEBUG || UE_BUILD_DEVELOPMENT
	FMemory::Memset(Ptr, DEBUG_FILL_FREED, scalable_msize(Ptr));    // <----- crash happens here
#endif
	IncrementTotalFreeCalls();
	scalable_free(Ptr);

	MEM_TIME(MemTime += FPlatformTime::Seconds())
}

This is the log-message:
“Exception thrown at 0x000007FEE22F5700 (UE4Editor-Core.dll) in UE4Editor.exe: 0xC0000005: Access violation reading location 0x00000000FFFFC072.”

Call stack:

 	UE4Editor-Core.dll!rml::internal::Block::findObjectSize(void *)	Unknown
>	UE4Editor-Core.dll!FMallocTBB::Free(void * Ptr) Line 109	C++
 	UE4Editor-Core.dll!FMemory::Free(void * Original) Line 49	C++
 	UE4Editor-Project02.dll!UStratGI::~UStratGI()	C++
 	UE4Editor-Project02.dll!UStratGI::`vector deleting destructor'(unsigned int)	C++
 	UE4Editor-CoreUObject.dll!IncrementalPurgeGarbage(bool bUseTimeLimit, float TimeLimit) Line 1016	C++
 	UE4Editor-CoreUObject.dll!StaticExit() Line 3829	C++
 	UE4Editor-CoreUObject.dll!TBaseStaticDelegateInstance<void __cdecl(void)>::ExecuteIfSafe() Line 1017	C++
 	UE4Editor.exe!TBaseMulticastDelegate<void>::Broadcast() Line 921	C++
 	UE4Editor.exe!FEngineLoop::AppPreExit() Line 3403	C++
 	UE4Editor.exe!FEngineLoop::Exit() Line 2470	C++
 	UE4Editor.exe!GuardedMain(const wchar_t * CmdLine, HINSTANCE__ * hInInstance, HINSTANCE__ * hPrevInstance, int nCmdShow) Line 167	C++
 	UE4Editor.exe!WinMain(HINSTANCE__ * hInInstance, HINSTANCE__ * hPrevInstance, char * __formal, int nCmdShow) Line 191	C++
 	UE4Editor.exe!__scrt_common_main_seh() Line 264	C++
 	kernel32.dll!0000000076d559cd()	Unknown
 	ntdll.dll!0000000076f8a2e1()	Unknown

So, the object type responsible for the crash is my game instance.

What’s funny is that the crash only occurs when I close the editor without ever starting PIE. If I did start PIE in the same session, there’s no crash on closing…
I used the console command “obj list class=GameInstance” to verify that there is no game-instance at all, before exiting the editor. But still UE4 tries to destroy/GC one… why?

UStratGI is derived from GameInstance and I haven’t implemented a destructor for it. I only made an override for BeginDestroy.
I also have a static pointer in the class to the instance, but haven’t had any problems with it before.

Hey MaxPower42,

These are the lines that stand out to me:

UE4Editor-Project02.dll!UStratGI::~UStratGI()    C++
UE4Editor-Project02.dll!UStratGI::`vector deleting destructor'(unsigned int)    C++

Do you have a UStratGI object you have a destructor for?

I ask because it feels like a memory management issue.

I’ve been using this class for a long time and didn’t have this problem. Only after my most recent changes to the game code this started happening. But I have absolutely no idea how I could have caused it…

edit: when I try to open the destructor line from the callstack, Visual Studio tells me that the source is not available.

The address to be freed is Ptr = 0x00000000ffffffff by the way.

In an attempt to understand what’s going on, I just implemented an empty destructor for the class. I put a breakpoint and a log-message printing the address (this) in both the constructor and the destructor.

As it turns out, the editor creates a “Default__UStratGI” during startup, which doesn’t show up by searching for it with console commands, and it’s the same object/address that causes the destructor crash on exiting.

But why doesn’t it crash when I start PIE before exiting?..

I also checked the static pointer and it’s always NULL (as it should be) before exiting. So I highly doubt it has anything to do with it.

edit: when I hit play, my game instance gets 3 constructor calls at different addresses and with different object names. When I stop PIE, there’s only 1 destructor call however? I won’t even try to understand that, but is it normal?..

edit2: isn’t it strange that both in the constructor and the destructor of the “Default__StratGI” the this-ptr is 00000000374AF900, but right after the empty destructor-call the value of “Ptr” in the function above is 0x00000000ffffffff ?? Shouldn’t it be the same address?

I think I might have found a fix for the crash. I don’t really understand it though, but it must be somehow related to my static pointer after all.

The thing is: inside my game instance derived class’ (UStratGI) constructor, I set the static UStratGI-pointer UStratGI::Instance to “this”. I don’t know why I started having crashes now, and not before. However, I added a check to the constructor that makes sure that the instance is not one of those internal default objects, but the “real thing”. Like I said, I don’t really understand how, but the crashes appear to have stopped. For now…
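
The constructor check described in the last post, as an added stand-alone C++ model (not code from the thread and not Unreal Engine code). `bIsDefaultObject` is an assumed stand-in for the engine's class-default-object marker (in Unreal that test is `HasAnyFlags(RF_ClassDefaultObject)`; the post does not show the check actually used), and clearing the pointer in the destructor is an addition the post does not mention.

```cpp
#include <cstdio>

// Unguarded form: every constructed object, including the internal
// default/template object, overwrites the static pointer.
struct UnsafeGI {
    static UnsafeGI* Instance;
    bool bIsDefaultObject;  // assumed flag, models "Default__UStratGI"
    explicit UnsafeGI(bool bDefault) : bIsDefaultObject(bDefault) { Instance = this; }
};
UnsafeGI* UnsafeGI::Instance = nullptr;

// Guarded form: only a real (non-default) object registers itself, and it
// unregisters on destruction so the static pointer can never dangle.
struct GuardedGI {
    static GuardedGI* Instance;
    bool bIsDefaultObject;
    explicit GuardedGI(bool bDefault) : bIsDefaultObject(bDefault) {
        if (!bIsDefaultObject) Instance = this;
    }
    ~GuardedGI() { if (Instance == this) Instance = nullptr; }
};
GuardedGI* GuardedGI::Instance = nullptr;

// True when the static pointer ends up aimed at the default object.
bool UnsafeTracksDefaultObject() {
    UnsafeGI::Instance = nullptr;
    UnsafeGI defaultObject(true);
    bool hijacked = (UnsafeGI::Instance == &defaultObject);
    UnsafeGI::Instance = nullptr;  // reset before the local goes out of scope
    return hijacked;
}

// Bit 1: default object ignored. Bit 2: real object registered.
// Bit 4: pointer cleared once the real object is destroyed.
int GuardedLifecycle() {
    int result = 0;
    GuardedGI::Instance = nullptr;
    GuardedGI defaultObject(true);
    if (GuardedGI::Instance == nullptr) result |= 1;
    {
        GuardedGI real(false);
        if (GuardedGI::Instance == &real) result |= 2;
    }
    if (GuardedGI::Instance == nullptr) result |= 4;
    return result;
}

int main() {
    std::printf("unsafe tracks default object: %d\n", UnsafeTracksDefaultObject());
    std::printf("guarded lifecycle mask: %d\n", GuardedLifecycle());
}
```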