Fix (unreported) crash when undoing after ID deletion.

Yes, we do can undo an ID deletion now.

However, this requires extra care in UI 'remapping' to new IDs step
(when undoing, we do not fully reload the UI from saved .blend).
Otherwise, new UI (i.e. one from saved .blend file) might reference
IDs that where freed in old bmain (the one before the undo), we cannot
use those to get ID name then, that would be a nasty use-after-free!

To prevent this, we generate a GSet of all valid ID pointers at that
time (i.e. those found in both old and new Main's), and ensure any ID
we try to remap by its name is in that GSet. Otherwise, there is no
possible remapping, just return NULL.

1 files changed, 38 insertions, 2 deletions

diff --git a/source/blender/blenkernel/intern/library_idmap.c b/source/blender/blenkernel/intern/library_idmap.c
index 2745a1fe275..3ab5cbaeef3 100644
--- a/source/blender/blenkernel/intern/library_idmap.c
+++ b/source/blender/blenkernel/intern/library_idmap.c
@@ -65,6 +65,7 @@ struct IDNameLib_TypeMap {
 struct IDNameLib_Map {
 	struct IDNameLib_TypeMap type_maps[MAX_LIBARRAY];
 	struct Main *bmain;
+	struct GSet *valid_id_pointers;
 };
 
 static struct IDNameLib_TypeMap *main_idmap_from_idcode(struct IDNameLib_Map *id_map, short id_type)
@@ -77,7 +78,20 @@ static struct IDNameLib_TypeMap *main_idmap_from_idcode(struct IDNameLib_Map *id
 	return NULL;
 }
 
-struct IDNameLib_Map *BKE_main_idmap_create(struct Main *bmain)
+/**
+ * Generate mapping from ID type/name to ID pointer for given \a bmain.
+ *
+ * \note When used during undo/redo, there is no guaranty that ID pointers from UI area
+ *       are not pointing to freed memory (when some IDs have been deleted). To avoid crashes
+ *       in those cases, one can provide the 'old' (aka current) Main databse as reference.
+ *       #BKE_main_idmap_lookup_id will then check that given ID does exist in \a old_bmain
+ *       before trying to use it.
+ *
+ * \param create_valid_ids_set If \a true, generate a reference to prevent freed memory accesses.
+ * \param old_bmain If not NULL, its IDs will be added the the valid references set.
+ */
+struct IDNameLib_Map *BKE_main_idmap_create(
+        struct Main *bmain, const bool create_valid_ids_set, struct Main *old_bmain)
 {
 	struct IDNameLib_Map *id_map = MEM_mallocN(sizeof(*id_map), __func__);
 
@@ -92,6 +106,16 @@ struct IDNameLib_Map *BKE_main_idmap_create(struct Main *bmain)
 
 	id_map->bmain = bmain;
 
+	if (create_valid_ids_set) {
+		id_map->valid_id_pointers = BKE_main_gset_create(bmain, NULL);
+		if (old_bmain != NULL) {
+			id_map->valid_id_pointers = BKE_main_gset_create(old_bmain, id_map->valid_id_pointers);
+		}
+	}
+	else {
+		id_map->valid_id_pointers = NULL;
+	}
+
 	return id_map;
 }
 
@@ -151,7 +175,15 @@ ID *BKE_main_idmap_lookup(struct IDNameLib_Map *id_map, short id_type, const cha
 
 ID *BKE_main_idmap_lookup_id(struct IDNameLib_Map *id_map, const ID *id)
 {
-	return BKE_main_idmap_lookup(id_map, GS(id->name), id->name + 2, id->lib);
+	/* When used during undo/redo, this function cannot assume that given id points to valid memory
+	 * (i.e. has not been freed), so it has to check that it does exist in 'old' (aka current) Main database.
+	 * Otherwise, we cannot provide new ID pointer that way (would crash accessing freed memory
+	 * when trying to get ID name).
+	 */
+	if (id_map->valid_id_pointers == NULL || BLI_gset_haskey(id_map->valid_id_pointers, id)) {
+		return BKE_main_idmap_lookup(id_map, GS(id->name), id->name + 2, id->lib);
+	}
+	return NULL;
 }
 
 void BKE_main_idmap_destroy(struct IDNameLib_Map *id_map)
@@ -165,6 +197,10 @@ void BKE_main_idmap_destroy(struct IDNameLib_Map *id_map)
 		}
 	}
 
+	if (id_map->valid_id_pointers != NULL) {
+		BLI_gset_free(id_map->valid_id_pointers, NULL);
+	}
+
 	MEM_freeN(id_map);
 }