Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix buffer overflow in 2D BVH #53230

Merged
merged 1 commit into from
Sep 30, 2021
Merged

Fix buffer overflow in 2D BVH #53230

merged 1 commit into from
Sep 30, 2021

Conversation

pouleyKetchoupp
Copy link
Contributor

@pouleyKetchoupp pouleyKetchoupp commented Sep 29, 2021
edited
Loading

Some areas of code were missed in #48314 for 2D support and still assumed Vector3.

@lawnjelly I searched for other places which refer to Vector3 or iterate over 3 coordinates and didn't find any other problematic cases (with the exception of convex culling which is meant to be supported only in 3D). But it would be good to double check on your side whenever you have time.

Fixes #53203

@pouleyKetchoupp pouleyKetchoupp added bug topic:core topic:physics cherrypick:3.x Considered for cherry-picking into a future 3.x release topic:2d labels Sep 29, 2021
@pouleyKetchoupp pouleyKetchoupp added this to the 4.0 milestone Sep 29, 2021
@pouleyKetchoupp pouleyKetchoupp requested a review from a team as a code owner September 29, 2021 17:39
@lawnjelly
Copy link
Member

lawnjelly commented Sep 29, 2021
edited
Loading

I notice also that in _split_leaf_sort_groups I think it's actually trying splitting by the minimum axis first, rather than the maximum (the opposite to what the comments suggest). I can't remember why I did this, whether this actually worked better for some reason, or whether it's a typo... something to investigate at a later date lol. 😀

BTW It will work even if the first choice is "wrong" because it will try the other axes. But I have a vague memory that empirically the results were counter-intuitive here, so it may have been intentional.

lawnjelly
lawnjelly reviewed Sep 29, 2021
View reviewed changes
core/math/bvh_debug.inc Outdated
@@ -22,7 +22,7 @@ String _debug_aabb_to_string(const BVHABB_CLASS &aabb) const {
sz += itos(-aabb.neg_max.z);
sz += ") ";

Vector3 size = aabb.calculate_size();
Point size = aabb.calculate_size();
float vol = size.x * size.y * size.z;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Presumably this bit below won't work either for 2d, as there is no size.z. This function is likely not compiled in and only used for debugging .. it's not absolutely necessary to have it 2d / 3d aware.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch! It shouldn't be too hard to fix, just for the sake of having a 2D version of the debug stuff.

@lawnjelly
Copy link
Member

I'm not absolutely sure this is correct because there's an order[3] which is set earlier in the function, which assumes 3d (so order [1] may be nonsense in 2d). I'll have a proper look tomorrow.

@pouleyKetchoupp
Copy link
Contributor Author

I'm not absolutely sure this is correct because there's an order[3] which is set earlier in the function, which assumes 3d (so order [1] may be nonsense in 2d). I'll have a proper look tomorrow.

Ah yes, you're right. I missed that min and max are not set to order[0] and order[1] so it doesn't work in 2d. I'll try something and you'll check if you want to do a better fix tomorrow.

@lawnjelly
Copy link
Member

lawnjelly commented Sep 29, 2021
edited
Loading

Just to make it clear what the function is doing .. when splitting a leaf (with say 256 objects) it is choosing an axis to split into 2 leaf nodes (a and b) and the groups a & b are the objects that will be placed in the respective leaf a & b.

So it first tries what it thinks is the most likely axis for splitting. If it doesn't split group a & b equally enough, it then tries the other axes, and chooses the best of the three. If all of them fail, it has a fallback at the bottom.

So in the case of 2d, there are only 2 axes, so if it doesn't work for the first, there is only one more to check, and if those fail, the fallbacks.

@pouleyKetchoupp
Fix buffer overflow in 2D BVH
d3c6395 
Some areas of code were missed and assumed Vector3.
lawnjelly
lawnjelly approved these changes Sep 30, 2021
View reviewed changes
Copy link
Member

@lawnjelly lawnjelly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I think this looks good now. I'd have done the same. The if (Point::AXIS_COUNT == 3) should compile out in 2d because it's a template.

@akien-mga akien-mga merged commit 4a9a231 into godotengine:master Sep 30, 2021
@akien-mga
Copy link
Member

Thanks!

@pouleyKetchoupp pouleyKetchoupp deleted the fix-2d-bvh-overflow branch September 30, 2021 14:29
@lawnjelly
Copy link
Member

Just to remind, this needs cherry picking / converting to 3.x I think because the issue was in 3.x.

@akien-mga
Copy link
Member

Cherry-picked for 3.4.

@akien-mga akien-mga removed the cherrypick:3.x Considered for cherry-picking into a future 3.x release label Oct 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lawnjelly lawnjelly lawnjelly approved these changes

Assignees
No one assigned
Labels
bug topic:core topic:physics topic:2d
Projects
None yet
Milestone
4.0
Development

Successfully merging this pull request may close these issues.

stack-buffer-overflow related to BVH
3 participants
@pouleyKetchoupp @lawnjelly @akien-mga