godotengine / godot

Godot Engine – Multi-platform 2D and 3D game engine
https://godotengine.org
MIT License

Executing `AcceptDialog.call_deferred_thread_group` crashes Godot #77029

Closed qarmin closed 1 year ago

qarmin commented 1 year ago

Godot version

4.1.dev.custom_build. c64afeb01

System information

Ubuntu 23.04 - AMD RX 470, Gnome shell 43 X11

Issue description

When executing

```gdscript
extends Node

# Fuzzer-generated reproduction: every frame, create an AcceptDialog, queue a
# deferred call on it with an empty method name, then free it in the same frame.
func _process(delta):
    var temp_variable125 = AcceptDialog.new()
    add_child(temp_variable125)
    # Deferred call with an empty StringName as the method; it is only
    # dispatched when the message queue is flushed later in the frame.
    temp_variable125.call_deferred_thread_group(StringName(""))
    # The node is freed before that flush happens.
    temp_variable125.queue_free()
```

Godot crashes:

==72172==ERROR: AddressSanitizer: heap-use-after-free on address 0x631001603810 at pc 0x7f95cc43a2c3 bp 0x7ffd05c74bd0 sp 0x7ffd05c74378
WRITE of size 24 at 0x631001603810 thread T0
    #0 0x7f95cc43a2c2 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x1f40f524 in CallQueue::flush() core/object/message_queue.cpp:239
    #2 0x13bce6d9 in SceneTree::_process_group(SceneTree::ProcessGroup*, bool) scene/main/scene_tree.cpp:950
    #3 0x13bd1858 in SceneTree::_process(bool) scene/main/scene_tree.cpp:1022
    #4 0x13bbf585 in SceneTree::process(double) scene/main/scene_tree.cpp:504
    #5 0x2d04bcc in Main::iteration() main/main.cpp:3334
    #6 0x2a46d53 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:899
    #7 0x2a222a8 in main platform/linuxbsd/godot_linuxbsd.cpp:73
    #8 0x7f95cb823a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7f95cb823b48 in __libc_start_main_impl ../csu/libc-start.c:360
    #10 0x2a21c64 in _start (/usr/bin/godot4s+0x2a21c64)

0x631001603810 is located 61456 bytes inside of 65552-byte region [0x6310015f4800,0x631001604810)
freed by thread T0 here:
    #0 0x7f95cc4b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x1db7f2f9 in Memory::free_static(void*, bool) core/os/memory.cpp:168
    #2 0x2bb29cf in CowData<unsigned char>::_unref(void*) core/templates/cowdata.h:218
    #3 0x2b99f16 in CowData<unsigned char>::~CowData() core/templates/cowdata.h:412
    #4 0x2b7be19 in Vector<unsigned char>::~Vector() core/templates/vector.h:290
    #5 0x4a8df8a in CowData<Vector<unsigned char> >::_unref(void*) core/templates/cowdata.h:213
    #6 0x4a8c25c in CowData<Vector<unsigned char> >::~CowData() core/templates/cowdata.h:412
    #7 0x4a8978f in Vector<Vector<unsigned char> >::~Vector() core/templates/vector.h:290
    #8 0xc25894f in RenderingDeviceVulkan::shader_create_from_bytecode(Vector<unsigned char> const&) drivers/vulkan/rendering_device_vulkan.cpp:4940
    #9 0x1b090f3a in ShaderRD::_load_from_cache(ShaderRD::Version*) servers/rendering/renderer_rd/shader_rd.cpp:431
    #10 0x1b0937dd in ShaderRD::_compile_version(ShaderRD::Version*) servers/rendering/renderer_rd/shader_rd.cpp:478
    #11 0x1b095df5 in ShaderRD::version_set_code(RID, HashMap<String, String, HashMapHasherDefault, HashMapComparatorDefault<String>, DefaultTypedAllocator<HashMapElement<String, String> > > const&, String const&, String const&, String const&, Vector<String> const&) servers/rendering/renderer_rd/shader_rd.cpp:553
    #12 0x1d38b7ff in RendererCanvasRenderRD::CanvasShaderData::set_code(String const&) servers/rendering/renderer_rd/renderer_canvas_render_rd.cpp:2085
    #13 0x1b76cdfb in RendererRD::MaterialStorage::shader_set_code(RID, String const&) servers/rendering/renderer_rd/storage_rd/material_storage.cpp:2534
    #14 0x1aa28ed4 in RenderingServerDefault::shader_set_code(RID, String const&) servers/rendering/rendering_server_default.h:229
    #15 0x1832c1eb in Shader::set_code(String const&) scene/resources/shader.cpp:107
    #16 0x1424c416 in ColorPicker::init_shaders() scene/gui/color_picker.cpp:179
    #17 0x135a546b in register_scene_types() scene/register_scene_types.cpp:1150
    #18 0x2ce1001 in Main::setup2() main/main.cpp:2407
    #19 0x2cce801 in Main::setup(char const*, int, char**, bool) main/main.cpp:1943
    #20 0x2a220c9 in main platform/linuxbsd/godot_linuxbsd.cpp:61
    #21 0x7f95cb823a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f95cc4b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x1db7e21b in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
    #2 0x46eaf00 in Error CowData<unsigned char>::resize<false>(int) core/templates/cowdata.h:288
    #3 0x45beb81 in Vector<unsigned char>::resize(int) core/templates/vector.h:94
    #4 0xc254f42 in RenderingDeviceVulkan::shader_create_from_bytecode(Vector<unsigned char> const&) drivers/vulkan/rendering_device_vulkan.cpp:4969
    #5 0x1b090f3a in ShaderRD::_load_from_cache(ShaderRD::Version*) servers/rendering/renderer_rd/shader_rd.cpp:431
    #6 0x1b0937dd in ShaderRD::_compile_version(ShaderRD::Version*) servers/rendering/renderer_rd/shader_rd.cpp:478
    #7 0x1b095df5 in ShaderRD::version_set_code(RID, HashMap<String, String, HashMapHasherDefault, HashMapComparatorDefault<String>, DefaultTypedAllocator<HashMapElement<String, String> > > const&, String const&, String const&, String const&, Vector<String> const&) servers/rendering/renderer_rd/shader_rd.cpp:553
    #8 0x1d38b7ff in RendererCanvasRenderRD::CanvasShaderData::set_code(String const&) servers/rendering/renderer_rd/renderer_canvas_render_rd.cpp:2085
    #9 0x1b76cdfb in RendererRD::MaterialStorage::shader_set_code(RID, String const&) servers/rendering/renderer_rd/storage_rd/material_storage.cpp:2534
    #10 0x1aa28ed4 in RenderingServerDefault::shader_set_code(RID, String const&) servers/rendering/rendering_server_default.h:229
    #11 0x1832c1eb in Shader::set_code(String const&) scene/resources/shader.cpp:107
    #12 0x1424c416 in ColorPicker::init_shaders() scene/gui/color_picker.cpp:179
    #13 0x135a546b in register_scene_types() scene/register_scene_types.cpp:1150
    #14 0x2ce1001 in Main::setup2() main/main.cpp:2407
    #15 0x2cce801 in Main::setup(char const*, int, char**, bool) main/main.cpp:1943
    #16 0x2a220c9 in main platform/linuxbsd/godot_linuxbsd.cpp:61
    #17 0x7f95cb823a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

This example was found by the Godot fuzzer Qarminer, so it is quite unlikely that this code could be used in a real project, but still this should be handled gracefully.

Memory leaks or ASAN backtraces are visible when using a Godot build with sanitizer support - https://github.com/qarmin/GodotBuilds/actions (linux -> linux-editor-sanitizers)

Steps to reproduce

Above

Minimal reproduction project

Above

AThousandShips commented 1 year ago

Doesn't seem safe to call deferred on a deleted object, but if it is on a debug build it should throw an error

Also does this happen with the ordinary call_deferred or just group?
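
The hazard the comment above points at, a deferred call whose target is freed before the queue is flushed, is what the ASAN report in the issue body shows firing inside `CallQueue::flush()`. The following is an added example, not Godot's code and not a claim about how Godot's message queue is implemented: a toy deferred-call queue that stores an object ID rather than a raw pointer and resolves it through a registry at flush time, so a target freed in between (the reporter's `queue_free()` before flush) is dropped and counted instead of being written through a dangling pointer. The `Object`, `DeferredQueue`, `FlushStats` names, the global registry and the `popup_centered` method string are constructed for this illustration.

```cpp
// Added example (not Godot code): why a deferred-call queue must not keep
// raw pointers to its targets, and how an ID-indexed registry lets flush()
// detect a target freed between enqueue and flush instead of dereferencing it.
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Monotonic IDs: a freed object's ID is never handed out again, so a stale
// queue entry can only miss the lookup, never alias a newer object.
static uint64_t g_next_id = 1;

struct Object;
static std::unordered_map<uint64_t, Object *> g_registry;  // stands in for an object database

struct Object {
    uint64_t id;
    std::string name;
    explicit Object(std::string n) : id(g_next_id++), name(std::move(n)) {
        g_registry[id] = this;
    }
    ~Object() { g_registry.erase(id); }
    // The only "method dispatch" this toy object supports.
    bool call(const std::string &method) {
        if (method.empty()) return false;  // reject an empty method name instead of dispatching it
        std::cout << name << "." << method << "()\n";
        return true;
    }
};

struct FlushStats {
    int dispatched = 0;          // calls delivered to a live target
    int dropped_freed = 0;       // target freed before flush; a raw-pointer queue would write through a dangling pointer here
    int dropped_bad_method = 0;  // live target, but the method name was rejected
};

class DeferredQueue {
    struct Entry { uint64_t target; std::string method; };
    std::vector<Entry> pending_;
public:
    // Store the ID, never the pointer: the pointer may be dangling by flush time.
    void call_deferred(const Object &target, const std::string &method) {
        pending_.push_back({target.id, method});
    }
    FlushStats flush() {
        FlushStats s;
        std::vector<Entry> batch;
        batch.swap(pending_);  // anything queued during dispatch waits for the next flush
        for (const Entry &e : batch) {
            auto it = g_registry.find(e.target);
            if (it == g_registry.end()) { ++s.dropped_freed; continue; }
            if (!it->second->call(e.method)) { ++s.dropped_bad_method; continue; }
            ++s.dispatched;
        }
        return s;
    }
};

// Mirrors the reporter's _process body: create, enqueue with an empty method
// name, free in the same frame, then the queue is flushed.
FlushStats reproduce_reported_sequence() {
    DeferredQueue q;
    Object *dialog = new Object("AcceptDialog");
    q.call_deferred(*dialog, "");
    delete dialog;  // stands in for queue_free() taking effect before the flush
    return q.flush();
}

// Live target, empty method name: rejected at dispatch, not a crash.
FlushStats dispatch_empty_method() {
    DeferredQueue q;
    Object dialog("AcceptDialog");
    q.call_deferred(dialog, "");
    return q.flush();
}

// Control: live target and a valid method name.
FlushStats dispatch_to_live_target() {
    DeferredQueue q;
    Object dialog("AcceptDialog");
    q.call_deferred(dialog, "popup_centered");  // hypothetical method name
    return q.flush();
}

int main() {
    FlushStats a = reproduce_reported_sequence();
    std::cout << "freed target: dispatched=" << a.dispatched
              << " dropped_freed=" << a.dropped_freed << "\n";
    FlushStats b = dispatch_empty_method();
    std::cout << "empty method: dropped_bad_method=" << b.dropped_bad_method << "\n";
    FlushStats c = dispatch_to_live_target();
    std::cout << "live target: dispatched=" << c.dispatched << "\n";
    return 0;
}
```

The design point is the lookup at flush time: the queue never holds anything that can dangle, and an ID that no longer resolves is a detectable condition (which a debug build can turn into an error, as the comment above asks for) rather than a memory write into freed memory. Note that the issue itself does not establish the root cause of the reported trace; the reporter later could not reproduce the crash.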

qarmin commented 1 year ago

Cannot reproduce crash