[Windows] Crash caused by Animator::UpdateAvatars

Hi,

We are facing a random crash in a build made with Unity 2019.2.16f1.
With WinDbg, running !analyze -v after setting .sympath+ SRVc:\symbols-cachehttp://symbolserver.unity3d.com revealed this:

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Deferred                                       SRV*c:\symbols-cache*http://symbolserver.unity3d.com/
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify timestamp for T******.exe
*** WARNING: Unable to verify checksum for mono-2.0-bdwgc.dll
*** WARNING: Unable to verify timestamp for nvwgf2umx.dll

KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullClassPtr

    Key  : AV.Fault
    Value: Write

    Key  : Analysis.CPU.mSec
    Value: 7593

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 12858

    Key  : Analysis.Init.CPU.mSec
    Value: 514

    Key  : Analysis.Init.Elapsed.mSec
    Value: 56411

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 322

    Key  : Timeline.Process.Start.DeltaSec
    Value: 2123

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 2019.2.16.35214


CONTEXT:  (.ecxr)
rax=0000000000000000 rbx=0000007eda1befe0 rcx=0000000000000001
rdx=0000022ca777d760 rsi=0000000000000001 rdi=0000000000000000
rip=00007ff9c5e90fce rsp=0000007eda1bed40 rbp=0000007eda1bee40
r8=0000022d0c46f800  r9=0000007eda1bec88 r10=0000000000000000
r11=0000007eda1beb80 r12=0000000000000000 r13=0000022ca6dfd278
r14=000000000000006e r15=0000000000000001
iopl=0         nv up ei pl nz na po cy
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
UnityPlayer!Animator::UpdateAvatars+0x89e:
00007ff9`c5e90fce c6405201        mov     byte ptr [rax+52h],1 ds:00000000`00000052=??
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff9c5e90fce (UnityPlayer!Animator::UpdateAvatars+0x000000000000089e)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000052
Attempt to write to address 0000000000000052

PROCESS_NAME:  T************.exe

WRITE_ADDRESS:  0000000000000052

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  0000000000000052

STACK_TEXT:
0000007e`da1bed40 00007ff9`c6626573     : 00000000`0000006e 00000000`00000000 00000000`00000000 00000000`00000000 : UnityPlayer!Animator::UpdateAvatars+0x89e
0000007e`da1bf080 00007ff9`c6528977     : 0000022c`b4d62880 00000000`00000000 0000022c`b4d628e8 0000022c`00000000 : UnityPlayer!DirectorManager::ExecuteStage+0x113
0000007e`da1bf0c0 00007ff9`c6528a19     : 00000000`ff515700 00007ff9`f6f5eb96 00000000`00000001 0000022c`b4d62748 : UnityPlayer!ExecutePlayerLoop+0x57
0000007e`da1bf270 00007ff9`c652aa12     : 00000000`0000097c 00000000`0000000a 00000000`00000000 00000000`0000097c : UnityPlayer!ExecutePlayerLoop+0xf9
0000007e`da1bf420 00007ff9`c62f3155     : 00000000`0000097c 00000000`00000000 00000000`00000000 00000000`0000000a : UnityPlayer!PlayerLoop+0x92
0000007e`da1bf4a0 00007ff9`c62f1bca     : 00000000`0000097c 0000007e`da1bf640 00000000`00000000 00000000`00000000 : UnityPlayer!PerformMainLoop+0x1c5
0000007e`da1bf4d0 00007ff9`c62f5c01     : 00000000`00000001 00000000`00000000 0000007e`da1bf640 00000000`00000000 : UnityPlayer!MainMessageLoop+0xda
0000007e`da1bf540 00007ff9`c62f954b     : 00000000`0000000a 00000000`00000000 00000000`00000000 00007ff7`e34eb278 : UnityPlayer!UnityMainImpl+0xce1
0000007e`da1cf8d0 00007ff7`e34e11f2     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : UnityPlayer!UnityMain+0xb
0000007e`da1cf900 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : T**********!__scrt_common_main_seh+0x106


FAULTING_SOURCE_LINE:  c:\buildslave\unity\build\modules\animation\animator.cpp

FAULTING_SOURCE_FILE:  c:\buildslave\unity\build\modules\animation\animator.cpp

FAULTING_SOURCE_LINE_NUMBER:  1230

FAULTING_SOURCE_CODE:
No source found for 'c:\buildslave\unity\build\modules\animation\animator.cpp'


SYMBOL_NAME:  UnityPlayer!Animator::UpdateAvatars+89e

MODULE_NAME: UnityPlayer

IMAGE_NAME:  UnityPlayer.dll

STACK_COMMAND:  ~0s ; .ecxr ; kb

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_WRITE_c0000005_UnityPlayer.dll!Animator::UpdateAvatars

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  2019.2.16.35214

FAILURE_ID_HASH:  {e64e4571-00a2-1996-ee15-5e7807ea6cf9}

Followup:     MachineOwner
---------

What could be the cause of this crash?
Attached the crash.dmp.

7369430–898283–crash.zip (119 KB)

Where similar issues have occurred, they were generally caused by the Animator internal buffers being invalidated through an unexpected code path.

You can look at places where

  • you disable GameObjects with Animators, Animator components
  • you connect Playables outside of Playable.PrepareFrame or MonoBehaviour.Update or MonoBehaviour.LateUpdate,
  • You manually update an Animator, PlayableGraph or Timeline outside of MonoBehaviour.Update or MonoBehaviour.LateUpdate

Assuming the source code line in the crash dump is accurate, I couldn’t find a way for this to happen, so I can’t tell you what caused it without being able to reproduce it.

What I can tell you is that we haven’t received any UpdateAvatars crash report after 2020.1.0b11, but I could not find any release note related to that kind of crash in the 2020.1 release notes, so it was probably fixed as part as another change.