godotengine / godot

Godot Engine – Multi-platform 2D and 3D game engine
https://godotengine.org
MIT License

Godot crashes during remove BVH leaf #69258

Closed qarmin closed 4 weeks ago

qarmin commented 1 year ago

Godot version

4.0.beta.custom_build. 0a0e99cad

System information

Ubuntu 22.04 - Nvidia GTX 970, Gnome shell 42 X11

Issue description

When executing

extends Node
func _process(delta):

    var temp_variable4692 = CSGMesh3D.new()
    add_child(temp_variable4692)
    temp_variable4692.set_extra_cull_margin(99.3937611579895)
    temp_variable4692.queue_free()

    var temp_variable4915 = PackedScene.new()
    var temp_argument4915_f1_0 = MultiMeshInstance3D.new()
    temp_variable4915.pack(temp_argument4915_f1_0)
    temp_argument4915_f1_0.queue_free()

Godot crashes with this backtrace

core/math/dynamic_bvh.cpp:105:9: runtime error: member access within null pointer of type 'struct Node'

================================================================
handle_crash: Program crashed with signal 11
Engine version: Godot Engine v4.0.beta.custom_build (7f8ecffa56834dce3ccbd736738b613d51133dea)
Dumping the backtrace. Please include this when reporting the bug on: https://github.com/godotengine/godot/issues
[1] godot4s() [0x26cb01c] (/home/runner/work/GodotBuilds/GodotBuilds/godot/platform/linuxbsd/crash_handler_linuxbsd.cpp:56)
[2] /lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7ff2f79db520] (??:0)
[3] DynamicBVH::_remove_leaf(DynamicBVH::Node*) (/home/runner/work/GodotBuilds/GodotBuilds/godot/core/math/dynamic_bvh.cpp:105)
[4] DynamicBVH::remove(DynamicBVH::ID const&) (/home/runner/work/GodotBuilds/GodotBuilds/godot/core/math/dynamic_bvh.cpp:393)
[5] RendererSceneCull::_unpair_instance(RendererSceneCull::Instance*) (/home/runner/work/GodotBuilds/GodotBuilds/godot/servers/rendering/renderer_scene_cull.cpp:1810)
[6] RendererSceneCull::instance_set_base(RID, RID) (/home/runner/work/GodotBuilds/GodotBuilds/godot/servers/rendering/renderer_scene_cull.cpp:509)
[7] RenderingServerDefault::instance_set_base(RID, RID) (/home/runner/work/GodotBuilds/GodotBuilds/godot/servers/rendering/rendering_server_default.h:763)
[8] VisualInstance3D::set_base(RID const&) (/home/runner/work/GodotBuilds/GodotBuilds/godot/scene/3d/visual_instance_3d.cpp:119)
[9] CSGShape3D::_update_shape() (/home/runner/work/GodotBuilds/GodotBuilds/godot/modules/csg/csg_shape.cpp:299)
[10] void call_with_variant_args_helper<__UnexistingClass>(__UnexistingClass*, void (__UnexistingClass::*)(), Variant const**, Callable::CallError&, IndexSequence<>) (/home/runner/work/GodotBuilds/GodotBuilds/godot/./core/variant/binder_common.h:267 (discriminator 4))
[11] void call_with_variant_args_dv<__UnexistingClass>(__UnexistingClass*, void (__UnexistingClass::*)(), Variant const**, int, Callable::CallError&, Vector<Variant> const&) (/home/runner/work/GodotBuilds/GodotBuilds/godot/./core/variant/binder_common.h:380)
[12] MethodBindT<>::call(Object*, Variant const**, int, Callable::CallError&) (/home/runner/work/GodotBuilds/GodotBuilds/godot/./core/object/method_bind.h:320)
[13] Object::callp(StringName const&, Variant const**, int, Callable::CallError&) (/home/runner/work/GodotBuilds/GodotBuilds/godot/core/object/object.cpp:733 (discriminator 1))
[14] Callable::callp(Variant const**, int, Variant&, Callable::CallError&) const (/home/runner/work/GodotBuilds/GodotBuilds/godot/core/variant/callable.cpp:62)
[15] MessageQueue::_call_function(Callable const&, Variant const*, int, bool) (/home/runner/work/GodotBuilds/GodotBuilds/godot/core/object/message_queue.cpp:230)
[16] MessageQueue::flush() (/home/runner/work/GodotBuilds/GodotBuilds/godot/core/object/message_queue.cpp:277)
[17] SceneTree::process(double) (/home/runner/work/GodotBuilds/GodotBuilds/godot/scene/main/scene_tree.cpp:473 (discriminator 4))
[18] Main::iteration() (/home/runner/work/GodotBuilds/GodotBuilds/godot/main/main.cpp:3171)
[19] OS_LinuxBSD::run() (/home/runner/work/GodotBuilds/GodotBuilds/godot/platform/linuxbsd/os_linuxbsd.cpp:799)
[20] godot4s(main+0x58f) [0x26c8205] (/home/runner/work/GodotBuilds/GodotBuilds/godot/platform/linuxbsd/godot_linuxbsd.cpp:75)
[21] /lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x7ff2f79c2d90] (??:0)
[22] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x7ff2f79c2e40] (??:0)
[23] godot4s(_start+0x25) [0x26c7bb5] (??:?)
-- END OF BACKTRACE --
================================================================

This example was found by Godot fuzzer - Qarminer, so it is quite unlikely that this code could be used in a real project, but still this should be handled gracefully. Memory leaks or asan backtraces are visible when using Godot build with sanitizers support - https://github.com/qarmin/GodotBuilds/actions (linux -> linux-editor-sanitizers)

Steps to reproduce

Above

Minimal reproduction project

N/A
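The sanitizer line above places the fault inside leaf removal of a dynamic BVH (`DynamicBVH::_remove_leaf`, reached from `_unpair_instance` when the instance's base changes). To make concrete what a leaf removal has to relink and where a null `Node` could otherwise be dereferenced, here is an added, self-contained C++ illustration; it is not Godot's code, and it does not claim to reproduce the root cause of this report. It assumes a simplified tree modelled on the classic btDbvt layout (parent pointer plus two children, inner nodes always binary) and guards the removal with an explicit "is this leaf actually attached" precondition, returning false instead of touching `parent->...`.

```cpp
#include <algorithm>
#include <cstddef>

// Added illustration (not Godot's code): minimal dynamic BVH with the
// parent/child layout of the classic btDbvt design.
struct Aabb {
    float lo[3], hi[3];
};

static Aabb merge(const Aabb &a, const Aabb &b) {
    Aabb r;
    for (int i = 0; i < 3; i++) {
        r.lo[i] = std::min(a.lo[i], b.lo[i]);
        r.hi[i] = std::max(a.hi[i], b.hi[i]);
    }
    return r;
}

struct Node {
    Aabb volume{};
    Node *parent = nullptr;
    Node *childs[2] = {nullptr, nullptr};
    bool is_leaf() const { return childs[1] == nullptr; }
};

struct Bvh {
    Node *root = nullptr;
    size_t leaf_count = 0;

    ~Bvh() { free_subtree(root); }

    static void free_subtree(Node *n) {
        if (!n) return;
        free_subtree(n->childs[0]);
        free_subtree(n->childs[1]);
        delete n;
    }

    // Insert by pairing the new leaf with the current root under a fresh inner
    // node (no best-fit descent; it is irrelevant to the removal logic shown).
    Node *insert(const Aabb &box) {
        Node *leaf = new Node;
        leaf->volume = box;
        if (root) {
            Node *inner = new Node;
            inner->volume = merge(root->volume, box);
            inner->childs[0] = root;
            inner->childs[1] = leaf;
            root->parent = inner;
            leaf->parent = inner;
            root = inner;
        } else {
            root = leaf;
        }
        leaf_count++;
        return leaf;
    }

    // Unlink and free a leaf. Returns false, without touching any pointer,
    // when the leaf is null, not a leaf, or not attached to this tree
    // (already removed or never inserted): the precondition a null Node
    // access would violate.
    bool remove_leaf(Node *leaf) {
        if (!leaf || !leaf->is_leaf()) return false;
        if (leaf == root) {
            root = nullptr;
        } else {
            Node *parent = leaf->parent;
            if (!parent) return false;  // detached leaf: refuse, do not dereference
            Node *sibling = parent->childs[parent->childs[0] == leaf ? 1 : 0];
            Node *grand = parent->parent;
            if (grand) {
                grand->childs[grand->childs[0] == parent ? 0 : 1] = sibling;
                sibling->parent = grand;
                // Refit ancestor bounds now that one subtree shrank.
                for (Node *n = grand; n; n = n->parent) {
                    n->volume = merge(n->childs[0]->volume, n->childs[1]->volume);
                }
            } else {
                root = sibling;
                sibling->parent = nullptr;
            }
            delete parent;
        }
        delete leaf;
        leaf_count--;
        return true;
    }

    // Structural check: parent links agree and inner nodes have two children.
    bool validate() const { return root ? validate_node(root, nullptr) : true; }

    static bool validate_node(const Node *n, const Node *expected_parent) {
        if (n->parent != expected_parent) return false;
        if (n->is_leaf()) return n->childs[0] == nullptr;
        for (const Node *c : n->childs) {
            if (!c || !validate_node(c, n)) return false;
        }
        return true;
    }
};

// Scenario: remove a non-root leaf from a three-leaf tree; the sibling takes
// the parent's slot and the tree stays consistent with one leaf fewer.
static bool scenario_remove_middle_leaf() {
    Bvh t;
    t.insert(Aabb{{0, 0, 0}, {1, 1, 1}});
    Node *b = t.insert(Aabb{{2, 2, 2}, {3, 3, 3}});
    t.insert(Aabb{{-5, 0, 0}, {-4, 1, 1}});
    return t.validate() && t.remove_leaf(b) && t.leaf_count == 2 && t.validate();
}

// Scenario: a leaf that was never inserted (parent == nullptr) is rejected
// rather than dereferenced, and the tree is left untouched.
static bool scenario_detached_leaf_rejected() {
    Bvh t;
    t.insert(Aabb{{0, 0, 0}, {1, 1, 1}});
    t.insert(Aabb{{2, 2, 2}, {3, 3, 3}});
    Node stray;  // constructed, never attached to t
    stray.volume = Aabb{{9, 9, 9}, {10, 10, 10}};
    return !t.remove_leaf(&stray) && t.leaf_count == 2 && t.validate();
}
```

The guard is cheap and turns a sanitizer-visible null access into a checkable return value that a caller (or a fuzzing harness like the one that found this report) can assert on, which is the kind of graceful handling the report asks for.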

jsjtxietian commented 7 months ago

I suspect it should be related to https://github.com/godotengine/godot/issues/80504