Unreal Engine Issues

UE-160303

AnimMontage notify callback destroying owning actor causes crash

AnimMontage notify callback destroying owning actor causes crash

Description

Destroying the owning actor as a response to an anim montage's anim notify causes unsafe access of the current anim montage. See repro steps.

Steps to Reproduce
  • Create an anim montage
  • Add an Montage Anim Notify to the montage's notify track with anim notify name Test
  • In blueprint, call Play Montage on a skeletal mesh component to play the montage
  • Destroy the owning actor in the Play Montage node's Begin Notify exec pin

Before testing, put a breakpoint in UAnimInstance::UninitializeAnimation()

When playing the montage and the actor is destroyed, notice that the breakpoint in UninitializeAnimation is hit and inspect the callstack. UninitializeAnimation() is called while executing the blueprint as a result of the anim notify. This happens in MontageInstance->Advance().

UninitializeAnimation() deletes all MontageInstances and clears the array that is currently being iterated in UAnimInstance::UpdateMontage(). This may or may not result in a crash because the memory being accessed may or may not have been overwritten yet, but further access of the current array element is definitely unsafe since it has been deleted.

Callstack

[Image Removed]

Have Comments or More Details?

There's no existing public thread on this issue, so head over to Questions & Answers just mention UE-160303 in the post.

0
Login to Vote
Fixed
ComponentUE - Anim - Runtime
Affects Versions5.0
Target Fix5.1
Fix Commit21244344
Main Commit21244344
CreatedJul 28, 2022
ResolvedAug 8, 2022
UpdatedAug 13, 2022
View Jira Issue