godotengine / godot

Godot Engine – Multi-platform 2D and 3D game engine
https://godotengine.org
MIT License

Godot crash due using freed physics node #54709

Open qarmin opened 2 years ago

qarmin commented 2 years ago

Godot version

3.5.beta.custom_build. eae7a5384

System information

Ubuntu 21.10 - Nvidia GTX 970, Gnome shell 40.4 X11

Issue description

When running the test project, after a while I see this use-after-free:

==118504==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300017f980 at pc 0x00000300fcc4 bp 0x7ffe850f6230 sp 0x7ffe850f6220
READ of size 8 at 0x61300017f980 thread T0
    #0 0x300fcc3 in BulletPhysicsDirectBodyState::get_contact_collider(int) const modules/bullet/rigid_body_bullet.cpp:180
    #1 0xe350536 in RigidBody::_direct_state_changed(Object*) scene/3d/physics_body.cpp:394
    #2 0x1c55044 in MethodBind1<Object*>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:775
    #3 0x127cd249 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:918
    #4 0x301c010 in RigidBodyBullet::dispatch_callbacks() modules/bullet/rigid_body_bullet.cpp:386
    #5 0x30cef94 in SpaceBullet::flush_queries() modules/bullet/space_bullet.cpp:372
    #6 0x30daa1b in onBulletPreTickCallback(btDynamicsWorld*, float) modules/bullet/space_bullet.cpp:577
    #7 0x4435793 in btDiscreteDynamicsWorld::internalSingleStepSimulation(float) thirdparty/bullet/BulletDynamics/Dynamics/btDiscreteDynamicsWorld.cpp:458
    #8 0x466bad1 in btSoftRigidDynamicsWorld::internalSingleStepSimulation(float) thirdparty/bullet/BulletSoftBody/btSoftRigidDynamicsWorld.cpp:88
    #9 0x4434dd1 in btDiscreteDynamicsWorld::stepSimulation(float, int, float) thirdparty/bullet/BulletDynamics/Dynamics/btDiscreteDynamicsWorld.cpp:434
    #10 0x30cf779 in SpaceBullet::step(float) modules/bullet/space_bullet.cpp:378
    #11 0x2f91bb0 in BulletPhysicsServer::step(float) modules/bullet/bullet_physics_server.cpp:1538
    #12 0x19a0c1e in Main::iteration() main/main.cpp:2168
    #13 0x186c309 in OS_X11::run() platform/x11/os_x11.cpp:3639
    #14 0x17d0d53 in main platform/x11/godot_x11.cpp:55
    #15 0x7f362a556fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x7f362a55707c in __libc_start_main_impl ../csu/libc-start.c:409
    #17 0x17d0954 in _start (/usr/bin/godots+0x17d0954)

0x61300017f980 is located 0 bytes inside of 344-byte region [0x61300017f980,0x61300017fad8)
freed by thread T0 here:
    #0 0x7f362b47722f in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:172
    #1 0x3017b00 in RigidBodyBullet::~RigidBodyBullet() modules/bullet/rigid_body_bullet.cpp:319
    #2 0x2f8f47e in BulletPhysicsServer::free(RID) modules/bullet/bullet_physics_server.cpp:1487
    #3 0xdfbe662 in CollisionObject::~CollisionObject() scene/3d/collision_object.cpp:590
    #4 0xe41776c in PhysicsBody::~PhysicsBody() scene/3d/physics_body.h:40
    #5 0xe397f3f in KinematicBody::~KinematicBody() scene/3d/physics_body.cpp:1477
    #6 0x19ad674 in void memdelete<Object>(Object*) core/os/memory.h:115
    #7 0xcd211a7 in SceneTree::_flush_delete_queue() scene/main/scene_tree.cpp:1094
    #8 0xcd0c184 in SceneTree::iteration(float) scene/main/scene_tree.cpp:491
    #9 0x19a0a00 in Main::iteration() main/main.cpp:2161
    #10 0x186c309 in OS_X11::run() platform/x11/os_x11.cpp:3639
    #11 0x17d0d53 in main platform/x11/godot_x11.cpp:55
    #12 0x7f362a556fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f362b4761c7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x2f60b00 in BulletPhysicsServer::body_create(PhysicsServer::BodyMode, bool) modules/bullet/bullet_physics_server.cpp:445
    #2 0xe33a533 in PhysicsBody::PhysicsBody(PhysicsServer::BodyMode) scene/3d/physics_body.cpp:102
    #3 0xe396550 in KinematicBody::KinematicBody() scene/3d/physics_body.cpp:1458
    #4 0xcb451fc in Object* ClassDB::creator<KinematicBody>() core/class_db.h:140
    #5 0x125399d0 in ClassDB::instance(StringName const&) core/class_db.cpp:520
    #6 0x134963ac in _ClassDB::instance(StringName const&) const core/bind/core_bind.cpp:2795
    #7 0x25d78d9 in MethodBind1RC<Variant, StringName const&>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:1333
    #8 0x127cd249 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:918
    #9 0x12a71161 in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1175
    #10 0x1eafe08 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1044
    #11 0x1ccd2a4 in GDScriptInstance::call(StringName const&, Variant const**, int, Variant::CallError&) modules/gdscript/gdscript.cpp:1169
    #12 0x127ccd9e in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:899
    #13 0x12a71161 in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1175
    #14 0x1eafe92 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1046
    #15 0x1ccd2a4 in GDScriptInstance::call(StringName const&, Variant const**, int, Variant::CallError&) modules/gdscript/gdscript.cpp:1169
    #16 0x127ccd9e in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:899
    #17 0x12a71161 in Variant::call_ptr(StringName const&, Variant const**, int, Variant*, Variant::CallError&) core/variant_call.cpp:1175
    #18 0x1eafe92 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Variant::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_function.cpp:1046
    #19 0x1ccd7db in GDScriptInstance::call_multilevel(StringName const&, Variant const**, int) modules/gdscript/gdscript.cpp:1184
    #20 0xcbe04cc in Node::_notification(int) scene/main/node.cpp:63
    #21 0x1b6c861 in Node::_notificationv(int, bool) scene/main/node.h:45
    #22 0x127cd6fb in Object::notification(int, bool) core/object.cpp:927
    #23 0xcd1e2cd in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:977
    #24 0xcd0b6da in SceneTree::iteration(float) scene/main/scene_tree.cpp:484
    #25 0x19a0a00 in Main::iteration() main/main.cpp:2161
    #26 0x186c309 in OS_X11::run() platform/x11/os_x11.cpp:3639
    #27 0x17d0d53 in main platform/x11/godot_x11.cpp:55
    #28 0x7f362a556fcf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free modules/bullet/rigid_body_bullet.cpp:180 in BulletPhysicsDirectBodyState::get_contact_collider(int) const

I can't find exact steps to reproduce the crash, but it always happens even when running the project for at most 1 minute.

Steps to reproduce

  1. Download minimal project
  2. Run this scene - https://github.com/qarmin/Qarminer/blob/3.x/StressPhysics.tscn

Minimal reproduction project

https://github.com/qarmin/Qarminer/archive/refs/heads/3.x.zip
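
The trace above shows a `RigidBodyBullet` freed through the scene tree's delete queue while a peer body's contact list still referred to it, so the next `dispatch_callbacks()` read freed memory. As an added example (not Godot code and not the fix the project adopted), the hypothetical generation-checked handle table below, in the spirit of Godot's RID, shows how such a stale reference can be made to fail safely instead of dereferencing freed memory; the `Space`, `Body` and `Handle` names are assumptions.

```cpp
// Added example, not Godot code: generation-checked handles turn a stale contact into a miss, not a UAF.
#include <cstdint>
#include <vector>

struct Handle { uint32_t index; uint32_t generation; };
struct Body { std::vector<Handle> contacts; };  // peers as handles, never raw pointers
class Space {
    std::vector<Body *> slots;          // slot -> live body, or nullptr once freed
    std::vector<uint32_t> generations;  // bumped on free, so old handles stop resolving
public:
    ~Space() { for (Body *b : slots) delete b; }
    Handle create() {
        for (uint32_t i = 0; i < slots.size(); ++i)   // reuse a freed slot if there is one
            if (!slots[i]) { slots[i] = new Body(); return {i, generations[i]}; }
        slots.push_back(new Body());
        generations.push_back(1);
        return {uint32_t(slots.size() - 1), 1};
    }
    // Resolve a handle; a freed or recycled slot yields nullptr, not a dangling pointer.
    Body *get(Handle h) const {
        if (h.index >= slots.size() || !slots[h.index] || generations[h.index] != h.generation)
            return nullptr;
        return slots[h.index];
    }
    void free(Handle h) {
        if (Body *b = get(h)) {
            delete b;
            slots[h.index] = nullptr;
            ++generations[h.index];  // every handle that pointed here is now stale
        }
    }
    void add_contact(Handle a, Handle b) { if (Body *ba = get(a)) ba->contacts.push_back(b); }
    // Stand-in for dispatch_callbacks(): only colliders that still resolve are touched.
    int live_contacts(Handle h) const {
        Body *b = get(h);
        if (!b) return -1;
        int n = 0;
        for (Handle c : b->contacts) if (get(c)) ++n;  // stale contact skipped, not read
        return n;
    }
};
// Scenario from the report: B is freed mid-frame while A still lists it, then B's slot is reused.
int stale_contact_demo() {
    Space s;
    Handle a = s.create(), b = s.create();
    s.add_contact(a, b);
    s.free(b);               // the SceneTree::_flush_delete_queue() moment
    Handle b2 = s.create();  // same slot index as b, new generation
    return s.live_contacts(a) * 10 + (s.get(b2) ? 1 : 0);  // expect 1: 0 stale contacts, b2 valid
}
```

With raw pointers in the contact list, the same sequence is exactly the read ASan flags at `rigid_body_bullet.cpp:180`.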

akien-mga commented 2 years ago

CC @godotengine/physics