godotengine / godot

Godot Engine – Multi-platform 2D and 3D game engine
https://godotengine.org
MIT License

Godot aborts with stack trace on editing scene file marked as tool with a timer that frees the node #68544

Open chucklepie opened 1 year ago

chucklepie commented 1 year ago

Godot version

v3.4.4.stable.official (419e713a29f20bd3351a54d1e6c4c5af7ef4b253)

System information

Linux PopOS

Issue description

Opening a scene file (in attached project) causes the following hard quit of Godot:

handle_crash: Program crashed with signal 11
Engine version: Godot Engine v3.4.4.stable.official (419e713a29f20bd3351a54d1e6c4c5af7ef4b253)
Dumping the backtrace. Please include this when reporting the bug on https://github.com/godotengine/godot/issues
[1] /lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7f6627442520] (??:0)
[2] /opt/godot/Godot() [0x2ae4157] (??:0)
[3] /opt/godot/Godot() [0x2b1cd5c] (??:0)
[4] /opt/godot/Godot() [0x1708a90] (??:0)
[5] /opt/godot/Godot() [0x170ce14] (??:0)
[6] /opt/godot/Godot() [0xb50a45] (??:0)
[7] /opt/godot/Godot() [0x2b77c39] (??:0)
[8] /opt/godot/Godot() [0x2ff86d8] (??:0)
[9] /opt/godot/Godot() [0x2b81bec] (??:0)
[10] /opt/godot/Godot() [0x9d8c5e] (??:0)
[11] /opt/godot/Godot() [0x9471ad] (??:0)
[12] /lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x7f6627429d90] (??:0)
[13] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x7f6627429e40] (??:0)
[14] /opt/godot/Godot() [0x95ae1e] (??:0)
-- END OF BACKTRACE --

The actual line at fault is this:

    func _on_Timer_timeout() -> void:
        queue_free()

My code is marked with tool.

If I remove tool or the queue_free() then it doesn't crash.

Calinou commented 1 year ago

@chucklepie Please upload a minimal reproduction project to make this easier to troubleshoot.

chucklepie commented 1 year ago

> @chucklepie Please upload a minimal reproduction project to make this easier to troubleshoot.

I did, it seems to have disappeared. I've added it again.

But literally, you create an empty scene with a timer doing a queue free then make the scene a tool :)

chucklepie commented 1 year ago

load_bug.zip

qarmin commented 1 year ago

=================================================================
==101032==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000ebbb90 at pc 0x00000ae0ecec bp 0x7ffce615db80 sp 0x7ffce615db70
READ of size 8 at 0x617000ebbb90 thread T0
    #0 0xae0eceb in CanvasItemEditor::_build_bones_list(Node*) editor/plugins/canvas_item_editor_plugin.cpp:3930
    #1 0xae40cf6 in CanvasItemEditor::_update_bone_list() editor/plugins/canvas_item_editor_plugin.cpp:4369
    #2 0x1d2262a in MethodBind0::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:59
    #3 0x13789669 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:918
    #4 0x13756739 in MessageQueue::_call_function(Object*, StringName const&, Variant const*, int, bool) core/message_queue.cpp:241
    #5 0x137575da in MessageQueue::flush() core/message_queue.cpp:284
    #6 0x1a96a31 in Main::iteration() main/main.cpp:2341
    #7 0x1954523 in OS_X11::run() platform/x11/os_x11.cpp:4035
    #8 0x18a9ea1 in main platform/x11/godot_x11.cpp:59
    #9 0x7f4bdae2350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x7f4bdae235c8 in __libc_start_main_impl ../csu/libc-start.c:381
    #11 0x18a9a74 in _start (/usr/bin/godots+0x18a9a74)

0x617000ebbb90 is located 16 bytes inside of 744-byte region [0x617000ebbb80,0x617000ebbe68)
freed by thread T0 here:
    #0 0x7f4bdbab4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x13d78069 in Memory::free_static(void*, bool) core/os/memory.cpp:168
    #2 0x1aa2c19 in void memdelete<Object>(Object*) core/os/memory.h:118
    #3 0xd7b15a7 in SceneTree::_flush_delete_queue() scene/main/scene_tree.cpp:1251
    #4 0xd79dbba in SceneTree::idle(float) scene/main/scene_tree.cpp:653
    #5 0x1a969be in Main::iteration() main/main.cpp:2337
    #6 0x1954523 in OS_X11::run() platform/x11/os_x11.cpp:4035
    #7 0x18a9ea1 in main platform/x11/godot_x11.cpp:59
    #8 0x7f4bdae2350f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f4bdbab4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x13d76fa3 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
    #2 0x13d76eb4 in operator new(unsigned long, char const*) core/os/memory.cpp:40
    #3 0xd5a428b in Object* ClassDB::creator<Node2D>() core/class_db.h:137
    #4 0x134eb36c in ClassDB::instance(StringName const&) core/class_db.cpp:520
    #5 0x10a883e6 in SceneState::instance(SceneState::GenEditState) const scene/resources/packed_scene.cpp:182
    #6 0x10abe35b in PackedScene::instance(PackedScene::GenEditState) const scene/resources/packed_scene.cpp:1598
    #7 0x94eb38a in EditorNode::load_scene(String const&, bool, bool, bool, bool, bool) editor/editor_node.cpp:3679
    #8 0x94ee66e in EditorNode::open_request(String const&) editor/editor_node.cpp:3739
    #9 0x9ccda81 in FileSystemDock::_select_file(String const&, bool) editor/filesystem_dock.cpp:959
    #10 0x9ccf040 in FileSystemDock::_tree_activate_file() editor/filesystem_dock.cpp:978
    #11 0x1d2262a in MethodBind0::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:59
    #12 0x13789669 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:918
    #13 0x13794178 in Object::emit_signal(StringName const&, Variant const**, int) core/object.cpp:1230
    #14 0x13796344 in Object::emit_signal(StringName const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&) core/object.cpp:1285
    #15 0xe77ac0c in Tree::_gui_input(Ref<InputEvent>) scene/gui/tree.cpp:2633
    #16 0x9d991e2 in MethodBind1<Ref<InputEvent> >::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:759
    #17 0x13784d08 in Object::call_multilevel(StringName const&, Variant const**, int) core/object.cpp:766
    #18 0x137881a5 in Object::call_multilevel(StringName const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&) core/object.cpp:863
    #19 0xd8ca166 in Viewport::_gui_call_input(Control*, Ref<InputEvent> const&) scene/main/viewport.cpp:1669
    #20 0xd8d6cb8 in Viewport::_gui_input_event(Ref<InputEvent>) scene/main/viewport.cpp:1985
    #21 0xd9050ec in Viewport::input(Ref<InputEvent> const&) scene/main/viewport.cpp:2871
    #22 0xd8bcbbb in Viewport::_vp_input(Ref<InputEvent> const&) scene/main/viewport.cpp:1435
    #23 0x2a8fe01 in MethodBind1<Ref<InputEvent> const&>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:759
    #24 0x13789669 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:918
    #25 0x13787b26 in Object::call(StringName const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&) core/object.cpp:847
    #26 0xd78d443 in SceneTree::call_group_flags(unsigned int, StringName const&, StringName const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&) scene/main/scene_tree.cpp:306
    #27 0xd792fcf in SceneTree::input_event(Ref<InputEvent> const&) scene/main/scene_tree.cpp:465
    #28 0x19e19ca in InputDefault::_parse_input_event_impl(Ref<InputEvent> const&, bool) main/input_default.cpp:498
    #29 0x19ebdb5 in InputDefault::flush_buffered_events() main/input_default.cpp:725

SUMMARY: AddressSanitizer: heap-use-after-free editor/plugins/canvas_item_editor_plugin.cpp:3930 in CanvasItemEditor::_build_bones_list(Node*)

hankedan000 commented 10 months ago

#81320 is a similar issue
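
The ASan report above shows the node being freed in `SceneTree::_flush_delete_queue()` (called from `SceneTree::idle()`), after which `MessageQueue::flush()` runs `CanvasItemEditor::_update_bone_list()` against it in the same `Main::iteration()`. The model below is an added example, not code from this thread or from Godot: `Loop`, `Node`, `defer_build_list` and every other name are hypothetical, and the id-lookup guard is one general way to make a deferred call tolerate a freed object, not the project's fix.

```cpp
// Simplified model; every name is hypothetical and none of this is Godot's code.
#include <cstdint>
#include <functional>
#include <memory>
#include <unordered_map>
#include <utility>
#include <vector>
struct Node { int bone_count; };

struct Loop {
    std::unordered_map<uint64_t, std::unique_ptr<Node>> nodes; // owner, keyed by id
    uint64_t next_id = 1;
    std::vector<uint64_t> delete_queue;               // filled by queue_free()
    std::vector<std::function<void()>> message_queue; // deferred calls
    int bones_listed = 0, stale_skipped = 0;
    uint64_t create(int bones) {
        nodes[next_id] = std::unique_ptr<Node>(new Node{bones});
        return next_id++;
    }
    // Returns nullptr once the node has been freed.
    Node *get(uint64_t id) const {
        auto it = nodes.find(id);
        return it == nodes.end() ? nullptr : it->second.get();
    }
    void queue_free(uint64_t id) { delete_queue.push_back(id); }
    // Capture the id, not a Node*, and revalidate when the deferred call runs.
    void defer_build_list(uint64_t id) {
        message_queue.push_back([this, id] {
            if (Node *n = get(id)) bones_listed += n->bone_count;
            else ++stale_skipped; // freed earlier in this iteration: skip it
        });
    }
    void iteration() {
        for (uint64_t id : delete_queue) nodes.erase(id); // delete queue first
        delete_queue.clear();
        auto pending = std::move(message_queue);          // deferred calls second
        message_queue.clear();
        for (auto &call : pending) call();
    }
};

int main() {
    Loop loop;
    uint64_t doomed = loop.create(5);
    loop.defer_build_list(doomed);
    loop.queue_free(doomed);
    loop.iteration();
    return loop.stale_skipped == 1 ? 0 : 1;
}
```

Built with `-fsanitize=address`, this model runs clean; a lambda that stored the raw `Node*` and dereferenced it after the delete queue ran would produce the same class of heap-use-after-free report.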