godotengine / godot

Godot Engine – Multi-platform 2D and 3D game engine
https://godotengine.org
MIT License

[4.0 alpha12] Random editor crash when trying to access properties in array returned by function #63199

Closed noidexe closed 1 year ago

noidexe commented 2 years ago

Godot version

v4.0.alpha12.official [2c11e6d9e]

System information

Manjaro Linux, RTX 2060 SUPER, Vulkan

Issue description

I have a script that extends a GridMap. Since I expect to swap it for something else in the future, I have a small number of public methods abstracting the functionality I need. One of them, get_voxels(), just returns get_used_cells(). If I try to access the properties of the returned array, the editor crashes (not always). If I use get_used_cells() directly it doesn't seem to happen.

The bug is present at least in 4.0 alpha 11 and 4.0 alpha 12.

Here's a backtrace of one of the crashes:

handle_crash: Program crashed with signal 11
Engine version: Godot Engine v4.0.alpha12.official (2c11e6d9efc42370a8d7537eaff8b1ea78a283e5)
Dumping the backtrace. Please include this when reporting the bug to the project developer.
[1] /usr/lib/libc.so.6(+0x3e8e0) [0x7fcf7d1e38e0] (??:0)
[2] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0xe2447d] (??:0)
[3] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x14dfb1a] (??:0)
[4] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0xf4c802] (??:0)
[5] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x17b5fcf] (??:0)
[6] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x17b0971] (??:0)
[7] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x17b4320] (??:0)
[8] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x17b3a20] (??:0)
[9] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x17da3ab] (??:0)
[10] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x232470a] (??:0)
[11] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x2668ab7] (??:0)
[12] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x42025dd] (??:0)
[13] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x2a701d4] (??:0)
[14] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x42025dd] (??:0)
[15] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x29a87a1] (??:0)
[16] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x41a3b34] (??:0)
[17] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x29971be] (??:0)
[18] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0x29dcd67] (??:0)
[19] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0xe2ae26] (??:0)
[20] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0xdc1849] (??:0)
[21] /usr/lib/libc.so.6(+0x29290) [0x7fcf7d1ce290] (??:0)
[22] /usr/lib/libc.so.6(__libc_start_main+0x8a) [0x7fcf7d1ce34a] (??:0)
[23] /home/noid/.local/share/godot/app_userdata/Godot Version Manager/versions/Godot_v4.0-alpha12_linux.64() [0xddc51e] (??:0)
-- END OF BACKTRACE --
================================================================

Steps to reproduce

Minimal reproduction project

PropertyAccessCrash.zip

Chaosus commented 2 years ago

The correct callstack is:

CrashHandlerException: Program crashed
Engine version: Godot Engine v4.0.alpha.custom_build (eea14a0edc3f2a8ab4a91d1e142d48a5348584bb)
Dumping the backtrace. Please include this when reporting the bug to the project developer.
[0] GridMap::get_used_cells (C:\GIT\godot\modules\gridmap\grid_map.cpp:985)
[1] GridMap::get_used_cells (C:\GIT\godot\modules\gridmap\grid_map.cpp:985)
[2] MethodBindTR<Performance,Array>::call (C:\GIT\godot\core\object\method_bind.h:479)
[3] _guess_expression_type (C:\GIT\godot\modules\gdscript\gdscript_editor.cpp:1587)
[4] _guess_method_return_type_from_base (C:\GIT\godot\modules\gdscript\gdscript_editor.cpp:2265)
[5] _guess_expression_type (C:\GIT\godot\modules\gdscript\gdscript_editor.cpp:1601)
[6] _guess_identifier_type (C:\GIT\godot\modules\gdscript\gdscript_editor.cpp:1910)
[7] _guess_expression_type (C:\GIT\godot\modules\gdscript\gdscript_editor.cpp:1377)
[8] GDScriptLanguage::complete_code (C:\GIT\godot\modules\gdscript\gdscript_editor.cpp:2748)
[9] ScriptTextEditor::_code_complete_script (C:\GIT\godot\editor\plugins\script_text_editor.cpp:736)
[10] CodeTextEditor::_complete_request (C:\GIT\godot\editor\code_editor.cpp:914)
[11] Callable::call (C:\GIT\godot\core\variant\callable.cpp:51)
[12] Object::emit_signalp (C:\GIT\godot\core\object\object.cpp:1014)
[13] CodeEdit::request_code_completion (C:\GIT\godot\scene\gui\code_edit.cpp:1862)
[14] Callable::call (C:\GIT\godot\core\variant\callable.cpp:51)
[15] Object::emit_signalp (C:\GIT\godot\core\object\object.cpp:1014)
[16] Object::emit_signal<> (C:\GIT\godot\core\object\object.h:818)
[17] Timer::_notificationv (C:\GIT\godot\scene\main\timer.h:37)
[18] Object::notification (C:\GIT\godot\core\object\object.cpp:743)
[19] SceneTree::_notify_group_pause (C:\GIT\godot\scene\main\scene_tree.cpp:891)
[20] SceneTree::process (C:\GIT\godot\scene\main\scene_tree.cpp:454)
[21] Main::iteration (C:\GIT\godot\main\main.cpp:2854)
[22] OS_Windows::run (C:\GIT\godot\platform\windows\os_windows.cpp:777)
[23] widechar_main (C:\GIT\godot\platform\windows\godot_windows.cpp:179)
[24] _main (C:\GIT\godot\platform\windows\godot_windows.cpp:203)
[25] main (C:\GIT\godot\platform\windows\godot_windows.cpp:215)
[26] __scrt_common_main_seh (D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288)
[27] BaseThreadInitThunk
-- END OF BACKTRACE --

qarmin commented 2 years ago

AddressSanitizer shows that this is a buffer overflow:

=================================================================
==31751==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a0008f5e4c at pc 0x000007c41957 bp 0x7ffd5d562ca0 sp 0x7ffd5d562c90
READ of size 4 at 0x61a0008f5e4c thread T0
    #0 0x7c41956 in HashMap<GridMap::IndexKey, GridMap::Cell, GridMap::IndexKey, HashMapComparatorDefault<GridMap::IndexKey>, DefaultTypedAllocator<HashMapElement<GridMap::IndexKey, GridMap::Cell> > >::size() const (/usr/bin/godot4s+0x7c41956)
    #1 0x7c2a45d in GridMap::get_used_cells() const modules/gridmap/grid_map.cpp:982
    #2 0x41c1664 in void call_with_variant_args_retc_helper<__UnexistingClass, Array>(__UnexistingClass*, Array (__UnexistingClass::*)() const, Variant const**, Variant&, Callable::CallError&, IndexSequence<>) core/variant/binder_common.h:728
    #3 0x41a7770 in void call_with_variant_args_retc_dv<__UnexistingClass, Array>(__UnexistingClass*, Array (__UnexistingClass::*)() const, Variant const**, int, Variant&, Callable::CallError&, Vector<Variant> const&) core/variant/binder_common.h:523
    #4 0x418c454 in MethodBindTRC<Array>::call(Object*, Variant const**, int, Callable::CallError&) core/object/method_bind.h:568
    #5 0x9116406 in _guess_expression_type modules/gdscript/gdscript_editor.cpp:1587
    #6 0x913631f in _guess_method_return_type_from_base modules/gdscript/gdscript_editor.cpp:2265
    #7 0x911681d in _guess_expression_type modules/gdscript/gdscript_editor.cpp:1601
    #8 0x912520a in _guess_identifier_type modules/gdscript/gdscript_editor.cpp:1910
    #9 0x9110366 in _guess_expression_type modules/gdscript/gdscript_editor.cpp:1377
    #10 0x914620c in GDScriptLanguage::complete_code(String const&, String const&, Object*, List<ScriptLanguage::CodeCompletionOption, DefaultAllocator>*, bool&, String&) modules/gdscript/gdscript_editor.cpp:2748
    #11 0xed508ab in ScriptTextEditor::_code_complete_script(String const&, List<ScriptLanguage::CodeCompletionOption, DefaultAllocator>*, bool&) editor/plugins/script_text_editor.cpp:736
    #12 0xed4fd27 in ScriptTextEditor::_code_complete_scripts(void*, String const&, List<ScriptLanguage::CodeCompletionOption, DefaultAllocator>*, bool&) editor/plugins/script_text_editor.cpp:724
    #13 0xfff6917 in CodeTextEditor::_complete_request() editor/code_editor.cpp:912
    #14 0x10075177 in void call_with_variant_args_helper<CodeTextEditor>(CodeTextEditor*, void (CodeTextEditor::*)(), Variant const**, Callable::CallError&, IndexSequence<>) core/variant/binder_common.h:259
    #15 0x100737e4 in void call_with_variant_args<CodeTextEditor>(CodeTextEditor*, void (CodeTextEditor::*)(), Variant const**, int, Callable::CallError&) core/variant/binder_common.h:373
    #16 0x1006b07e in CallableCustomMethodPointer<CodeTextEditor>::call(Variant const**, int, Variant&, Callable::CallError&) const core/object/callable_method_pointer.h:104
    #17 0x1afa5c37 in Callable::call(Variant const**, int, Variant&, Callable::CallError&) const core/variant/callable.cpp:50
    #18 0x1b98a8d1 in Object::emit_signalp(StringName const&, Variant const**, int) core/object/object.cpp:1013
    #19 0x3af6b88 in Error Object::emit_signal<>(StringName const&) core/object/object.h:825
    #20 0x11dec7ae in CodeEdit::request_code_completion(bool) scene/gui/code_edit.cpp:1862
    #21 0xfff603c in CodeTextEditor::_code_complete_timer_timeout() editor/code_editor.cpp:903
    #22 0x10075177 in void call_with_variant_args_helper<CodeTextEditor>(CodeTextEditor*, void (CodeTextEditor::*)(), Variant const**, Callable::CallError&, IndexSequence<>) core/variant/binder_common.h:259
    #23 0x100737e4 in void call_with_variant_args<CodeTextEditor>(CodeTextEditor*, void (CodeTextEditor::*)(), Variant const**, int, Callable::CallError&) core/variant/binder_common.h:373
    #24 0x1006b07e in CallableCustomMethodPointer<CodeTextEditor>::call(Variant const**, int, Variant&, Callable::CallError&) const core/object/callable_method_pointer.h:104
    #25 0x1afa5c37 in Callable::call(Variant const**, int, Variant&, Callable::CallError&) const core/variant/callable.cpp:50
    #26 0x1b98a8d1 in Object::emit_signalp(StringName const&, Variant const**, int) core/object/object.cpp:1013
    #27 0x3af6b88 in Error Object::emit_signal<>(StringName const&) core/object/object.h:825
    #28 0x119515e7 in Timer::_notification(int) scene/main/timer.cpp:60
    #29 0x1195ebed in Timer::_notificationv(int, bool) scene/main/timer.h:37
    #30 0x1b980177 in Object::notification(int, bool) core/object/object.cpp:741
    #31 0x118b0ffe in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:903
    #32 0x118a1fbb in SceneTree::process(double) scene/main/scene_tree.cpp:452
    #33 0x264f63f in Main::iteration() main/main.cpp:2854
    #34 0x24ad0e4 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:441
    #35 0x2495c43 in main platform/linuxbsd/godot_linuxbsd.cpp:72
    #36 0x7fc9a92e9d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #37 0x7fc9a92e9e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #38 0x24956ed in _start (/usr/bin/godot4s+0x24956ed)

0x61a0008f5e4c is located 52 bytes to the left of 1280-byte region [0x61a0008f5e80,0x61a0008f6380)
allocated by thread T0 here:
    #0 0x7fc9a9f88a66 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x7fc9992b9c7f  (/lib/x86_64-linux-gnu/libnvidia-glcore.so.515.48.07+0xeb9c7f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/godot4s+0x7c41956) in HashMap<GridMap::IndexKey, GridMap::Cell, GridMap::IndexKey, HashMapComparatorDefault<GridMap::IndexKey>, DefaultTypedAllocator<HashMapElement<GridMap::IndexKey, GridMap::Cell> > >::size() const

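
As an added triage helper (not code from this issue or from Godot), the script below parses the key lines of the AddressSanitizer report above, cross-checks ASan's stated distance against the raw addresses it printed, and classifies the access by where it lands relative to the nearest heap block; the sample report is constructed from the lines quoted above, with frame #0 abbreviated.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the key lines of the AddressSanitizer report quoted in
# this issue (frame #0 abbreviated); the addresses are the ones from the report.
ASAN_REPORT = """\
==31751==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a0008f5e4c at pc 0x000007c41957 bp 0x7ffd5d562ca0 sp 0x7ffd5d562c90
READ of size 4 at 0x61a0008f5e4c thread T0
    #0 0x7c41956 in HashMap<GridMap::IndexKey, GridMap::Cell>::size() const (/usr/bin/godot4s+0x7c41956)
    #1 0x7c2a45d in GridMap::get_used_cells() const modules/gridmap/grid_map.cpp:982
0x61a0008f5e4c is located 52 bytes to the left of 1280-byte region [0x61a0008f5e80,0x61a0008f6380)
"""

@dataclass
class AsanAccess:
    kind: str         # ASan bug class, e.g. heap-buffer-overflow
    op: str           # READ or WRITE
    size: int         # bytes touched by the faulting access
    offset: int       # distance from the start of the nearest region (negative = before it)
    region_size: int
    top_frame: str    # innermost function in the faulting stack

def parse_asan(report: str) -> Optional[AsanAccess]:
    """Extract the fields needed to triage an ASan heap report; None if a line is missing."""
    kind = re.search(r"AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)", report)
    op = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    frame = re.search(r"^\s*#0 0x[0-9a-f]+ in (.+)$", report, re.M)
    loc = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    if not (kind and op and frame and loc):
        return None
    dist, side, region_size = int(loc.group(1)), loc.group(2), int(loc.group(3))
    offset = -dist if side == "left" else region_size + dist
    # Cross-check ASan's prose against the raw addresses it printed.
    if int(kind.group(2), 16) - int(loc.group(4), 16) != offset:
        return None
    func = re.sub(r"\s+\(.*\)$|\s+\S+:\d+$", "", frame.group(1))
    return AsanAccess(kind.group(1), op.group(1), int(op.group(2)), offset, region_size, func)

def triage(a: AsanAccess) -> str:
    """An access before a heap block points at a bad object pointer, not an index past the end."""
    if a.offset < 0:
        return "underflow: %s of %d bytes %d bytes before the block, in %s" % (
            a.op, a.size, -a.offset, a.top_frame)
    return "overflow: %s of %d bytes %d bytes past the block end, in %s" % (
        a.op, a.size, a.offset - a.region_size, a.top_frame)
```

For the report above this yields an underflow of 52 bytes before a 1280-byte block, consistent with `size()` being invoked through a pointer that does not reference a live HashMap.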
akien-mga commented 1 year ago

Is this still reproducible in the latest betas?

noidexe commented 1 year ago

Couldn't reproduce the crash on betas 14 through 16.

akien-mga commented 1 year ago

Great, closing then.