godotengine / godot

Godot Engine – Multi-platform 2D and 3D game engine
https://godotengine.org
MIT License

Crash on dynamic cast in SceneState::_parse_node #88309

Open andyprice opened 5 months ago

andyprice commented 5 months ago

Tested versions

System information

Godot v4.3.dev (e92d55bbf) - Fedora Linux 39 (Workstation Edition) - X11 - Vulkan (Forward+) - integrated Intel(R) Xe Graphics (TGL GT2) () - 11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz (8 Threads)

Issue description

I have encountered this crash a few times recently while testing out the master branch. Stack traces from two of them with p_object contents printed:

#0  0x00007ff9192bd834 in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ff91926b8ee in raise () from /lib64/libc.so.6
#2  0x00007ff9192538ff in abort () from /lib64/libc.so.6
#3  0x0000000004568683 in handle_crash (sig=11) at platform/linuxbsd/crash_handler_linuxbsd.cpp:145
#4  <signal handler called>
#5  0x00000000044b9082 in __dynamic_cast ()
#6  0x000000000462e0b1 in Object::cast_to<Node> (p_object=0x26c072c0) at ./core/object/object.h:792
#7  0x0000000006fa0f78 in SceneState::_parse_node (this=0x26c65200, p_owner=0x172b6f20, p_node=0x2b86eb10, p_parent_idx=2147483647, name_map=..., variant_map=..., node_map=..., nodepath_map=...)
    at scene/resources/packed_scene.cpp:685
#8  0x0000000006fa19ce in SceneState::_parse_node (this=0x26c65200, p_owner=0x172b6f20, p_node=0x2b93f200, p_parent_idx=3, name_map=..., variant_map=..., node_map=..., nodepath_map=...)
    at scene/resources/packed_scene.cpp:845
#9  0x0000000006fa19ce in SceneState::_parse_node (this=0x26c65200, p_owner=0x172b6f20, p_node=0x2b93eb60, p_parent_idx=0, name_map=..., variant_map=..., node_map=..., nodepath_map=...)
    at scene/resources/packed_scene.cpp:845
#10 0x0000000006fa19ce in SceneState::_parse_node (this=0x26c65200, p_owner=0x172b6f20, p_node=0x172b6f20, p_parent_idx=-1, name_map=..., variant_map=..., node_map=..., nodepath_map=...)
    at scene/resources/packed_scene.cpp:845
#11 0x0000000006fa92b9 in SceneState::pack (this=0x26c65200, p_scene=0x172b6f20) at scene/resources/packed_scene.cpp:1074
#12 0x0000000006fb291c in PackedScene::pack (this=0x7ff8c8011920, p_scene=0x172b6f20) at scene/resources/packed_scene.cpp:1946
#13 0x00000000058bad7e in EditorNode::_save_scene (this=0xe27b4f0, p_file=..., idx=-1) at editor/editor_node.cpp:1799
#14 0x00000000058ae295 in EditorNode::_save_scene_with_preview (this=0xe27b4f0, p_file=..., p_idx=-1) at editor/editor_node.cpp:1668
#15 0x00000000058a9b36 in EditorNode::_menu_option_confirm (this=0xe27b4f0, p_option=3, p_confirmed=false) at editor/editor_node.cpp:2607
#16 0x00000000058cff9d in EditorNode::_menu_option (this=0xe27b4f0, p_option=3) at editor/editor_node.cpp:1379
#17 0x00000000058c1d59 in call_with_variant_args_helper<EditorNode, int, 0ul> (p_instance=0xe27b4f0, p_method=(void (EditorNode::*)(EditorNode * const, int)) 0x58cff80 <EditorNode::_menu_option(int)>, 
    p_args=0x7fff2f885970, r_error=...) at ./core/variant/binder_common.h:304
#18 0x00000000058c1ccb in call_with_variant_args<EditorNode, int> (p_instance=0xe27b4f0, p_method=(void (EditorNode::*)(EditorNode * const, int)) 0x58cff80 <EditorNode::_menu_option(int)>, p_args=0x7fff2f885970, 
    p_argcount=1, r_error=...) at ./core/variant/binder_common.h:418
#19 0x00000000058c1bc5 in CallableCustomMethodPointer<EditorNode, int>::call (this=0x16cc7930, p_arguments=0x7fff2f885970, p_argcount=1, r_return_value=..., r_call_error=...)
    at ./core/object/callable_method_pointer.h:98
#20 0x0000000008062f10 in Callable::callp (this=0x7ff8c8049540, p_arguments=0x7fff2f885970, p_argcount=1, r_return_value=..., r_call_error=...) at core/variant/callable.cpp:56
#21 0x000000000837f904 in Object::emit_signalp (this=0xf597b40, p_name=..., p_args=0x7fff2f885970, p_argcount=1) at core/object/object.cpp:1127
#22 0x00000000064a3ca2 in Node::emit_signalp (this=0xf597b40, p_name=..., p_args=0x7fff2f885970, p_argcount=1) at scene/main/node.cpp:3762
#23 0x00000000048949df in Object::emit_signal<int> (this=0xf597b40, p_name=..., p_args=3) at ./core/object/object.h:922
#24 0x0000000006726277 in PopupMenu::activate_item (this=0xf597b40, p_idx=6) at scene/gui/popup_menu.cpp:2410
#25 0x0000000006739e14 in PopupMenu::activate_item_by_event (this=0xf597b40, p_event=..., p_for_global_only=false) at scene/gui/popup_menu.cpp:2322
#26 0x00000000066fea1a in MenuBar::shortcut_input (this=0xf594b00, p_event=...) at scene/gui/menu_bar.cpp:166
#27 0x0000000006487bc1 in Node::_call_shortcut_input (this=0xf594b00, p_event=...) at scene/main/node.cpp:3276
#28 0x00000000064b334a in SceneTree::_call_input_pause (this=0xe20a930, p_group=..., p_call_type=SceneTree::CALL_INPUT_TYPE_SHORTCUT_INPUT, p_input=..., p_viewport=0xe20ae40) at scene/main/scene_tree.cpp:1231
#29 0x00000000064ec449 in Viewport::_push_unhandled_input_internal (this=0xe20ae40, p_event=...) at scene/main/viewport.cpp:3416
#30 0x00000000064ec34d in Viewport::push_input (this=0xe20ae40, p_event=..., p_local_coords=false) at scene/main/viewport.cpp:3378
#31 0x00000000065238c4 in Window::_window_input (this=0xe20ae40, p_ev=...) at scene/main/window.cpp:1620
#32 0x000000000652548f in call_with_variant_args_helper<Window, Ref<InputEvent> const&, 0ul> (p_instance=0xe20ae40, 
    p_method=(void (Window::*)(Window * const, const Ref<InputEvent> &)) 0x6523580 <Window::_window_input(Ref<InputEvent> const&)>, p_args=0x7fff2f8881d0, r_error=...) at ./core/variant/binder_common.h:304
#33 0x00000000065253fb in call_with_variant_args<Window, Ref<InputEvent> const&> (p_instance=0xe20ae40, 
    p_method=(void (Window::*)(Window * const, const Ref<InputEvent> &)) 0x6523580 <Window::_window_input(Ref<InputEvent> const&)>, p_args=0x7fff2f8881d0, p_argcount=1, r_error=...)
    at ./core/variant/binder_common.h:418
#34 0x00000000065252f5 in CallableCustomMethodPointer<Window, Ref<InputEvent> const&>::call (this=0x1e391900, p_arguments=0x7fff2f8881d0, p_argcount=1, r_return_value=..., r_call_error=...)
    at ./core/object/callable_method_pointer.h:98
#35 0x0000000008062f10 in Callable::callp (this=0x7fff2f888298, p_arguments=0x7fff2f8881d0, p_argcount=1, r_return_value=..., r_call_error=...) at core/variant/callable.cpp:56
#36 0x000000000459df71 in Callable::call<Ref<InputEvent> > (this=0x7fff2f888298, p_args=...) at ./core/variant/variant.h:863
#37 0x000000000459dd47 in DisplayServerX11::_dispatch_input_event (this=0xb068fb0, p_event=...) at platform/linuxbsd/x11/display_server_x11.cpp:4033
#38 0x000000000459db4d in DisplayServerX11::_dispatch_input_events (p_event=...) at platform/linuxbsd/x11/display_server_x11.cpp:4009
#39 0x000000000800ee36 in Input::_parse_input_event_impl (this=0xa824f20, p_event=..., p_is_emulated=false) at core/input/input.cpp:770
#40 0x000000000800d71e in Input::flush_buffered_events (this=0xa824f20) at core/input/input.cpp:1041
#41 0x00000000045a16d4 in DisplayServerX11::process_events (this=0xb068fb0) at platform/linuxbsd/x11/display_server_x11.cpp:5134
#42 0x000000000457129b in OS_LinuxBSD::run (this=0x7fff2f888d88) at platform/linuxbsd/os_linuxbsd.cpp:941
#43 0x0000000004567da0 in main (argc=4, argv=0x7fff2f8893a8) at platform/linuxbsd/godot_linuxbsd.cpp:86
(gdb) frame 6
#6  0x000000000462e0b1 in Object::cast_to<Node> (p_object=0x26c072c0) at ./core/object/object.h:792
792         return dynamic_cast<T *>(p_object);
(gdb) p *p_object
$1 = {
  _vptr$Object = 0x265acfd0,
  _extension = 0x28ea56c0,
  _extension_instance = 0x40,
  signal_map = {
    static MIN_CAPACITY_INDEX = 2,
    static MAX_OCCUPANCY = 0.75,
    static EMPTY_HASH = 0,
    element_alloc = {<No data fields>},
    elements = 0x1b8,
    hashes = 0x0,
    head_element = 0x39473e0 <vtable for TextLine+16>,
    tail_element = 0x0,
    capacity_index = 0,
    num_elements = 0
  },
  connections = {
    _data = 0x0
  },
  _lock_index = {
    count = {
      value = std::atomic<unsigned int> = { 0 }
    }
  },
  _block_signals = false,
  _predelete_ok = 0,
  _instance_id = {
    id = 0
  },
  _can_translate = false,
  _emitting = false,
  _edited = false,
  _edited_version = 0,
  editor_section_folding = {
    static MIN_CAPACITY_INDEX = 2,
    static MAX_OCCUPANCY = 0.75,
    static EMPTY_HASH = 0,
    keys = 0x2,
    hash_to_key = 0x0,
    key_to_hash = 0x1,
    hashes = 0x0,
    capacity_index = 3053516372,
    num_elements = 2147484133
  },
  script_instance = 0x1,
  script = {
    type = Variant::NIL,
    _data = {
      _bool = false,
      _int = 0,
      _float = 0,
      _transform2d = 0x0,
      _aabb = 0x0,
      _basis = 0x0,
      _transform3d = 0x0,
      _projection = 0x0,
      packed_array = 0x0,
      _ptr = 0x0,
      _mem = '\000' <repeats 15 times>
    }
  },
  metadata = {
    static MIN_CAPACITY_INDEX = 2,
    static MAX_OCCUPANCY = 0.75,
    static EMPTY_HASH = 0,
    element_alloc = {<No data fields>},
    elements = 0x2,
    hashes = 0x0,
    head_element = 0x0,
    tail_element = 0x0,
    capacity_index = 0,
    num_elements = 0
  },
  metadata_properties = {
    static MIN_CAPACITY_INDEX = 2,
    static MAX_OCCUPANCY = 0.75,
    static EMPTY_HASH = 0,
    element_alloc = {<No data fields>},
    elements = 0x0,
    hashes = 0x0,
    head_element = 0x0,
    tail_element = 0x0,
    capacity_index = 2,
    num_elements = 0
  },
  _class_name_ptr = 0x0,
  type_is_reference = false,
  _instance_binding_mutex = {
    mutex = {
      <std::__mutex_base> = {
        _M_mutex = {
          __data = {
            __lock = 0,
            __count = 0,
            __owner = 0,
            __nusers = 0,
            __kind = 0,
            __spins = 0,
            __elision = 0,
            __list = {
              __prev = 0x2,
              __next = 0x0
            }
          },
          __size = '\000' <repeats 24 times>, "\002", '\000' <repeats 14 times>,
          __align = 0
        }
      }, <No data fields>}
  },
  _instance_bindings = 0x1,
  _instance_binding_count = 0,
  virtual_method_list = 0x0,
  static _class_is_enabled = true,
  _is_queued_for_deletion = false
}

#0  0x00007f33180b7834 in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007f33180658ee in raise () from /lib64/libc.so.6
#2  0x00007f331804d8ff in abort () from /lib64/libc.so.6
#3  0x0000000004568683 in handle_crash (sig=11) at platform/linuxbsd/crash_handler_linuxbsd.cpp:145
#4  <signal handler called>
#5  0x00000000044b9052 in __dynamic_cast ()
#6  0x000000000462e0b1 in Object::cast_to<Node> (p_object=0x2740f430) at ./core/object/object.h:792
#7  0x0000000006fa0f78 in SceneState::_parse_node (this=0x267eb370, p_owner=0x298940a0, p_node=0x2acb1270, p_parent_idx=2147483647, name_map=..., variant_map=..., node_map=..., nodepath_map=...)
    at scene/resources/packed_scene.cpp:685
#8  0x0000000006fa19ce in SceneState::_parse_node (this=0x267eb370, p_owner=0x298940a0, p_node=0x2a859ff0, p_parent_idx=3, name_map=..., variant_map=..., node_map=..., nodepath_map=...)
    at scene/resources/packed_scene.cpp:845
#9  0x0000000006fa19ce in SceneState::_parse_node (this=0x267eb370, p_owner=0x298940a0, p_node=0x2b17b620, p_parent_idx=0, name_map=..., variant_map=..., node_map=..., nodepath_map=...)
    at scene/resources/packed_scene.cpp:845
#10 0x0000000006fa19ce in SceneState::_parse_node (this=0x267eb370, p_owner=0x298940a0, p_node=0x298940a0, p_parent_idx=-1, name_map=..., variant_map=..., node_map=..., nodepath_map=...)
    at scene/resources/packed_scene.cpp:845
#11 0x0000000006fa92b9 in SceneState::pack (this=0x267eb370, p_scene=0x298940a0) at scene/resources/packed_scene.cpp:1074
#12 0x0000000006fb291c in PackedScene::pack (this=0x2bd84a00, p_scene=0x298940a0) at scene/resources/packed_scene.cpp:1946
#13 0x00000000058bad7e in EditorNode::_save_scene (this=0xd326700, p_file=..., idx=1) at editor/editor_node.cpp:1799
#14 0x00000000058aecee in EditorNode::_save_all_scenes (this=0xd326700) at editor/editor_node.cpp:1926
#15 0x00000000058aa422 in EditorNode::_menu_option_confirm (this=0xd326700, p_option=5, p_confirmed=false) at editor/editor_node.cpp:2680
#16 0x00000000058cff9d in EditorNode::_menu_option (this=0xd326700, p_option=5) at editor/editor_node.cpp:1379
#17 0x00000000058d0358 in EditorNode::try_autosave (this=0xd326700) at editor/editor_node.cpp:1883
#18 0x0000000005c76b18 in EditorRunBar::_run_scene (this=0x129d66d0, p_scene_path=...) at editor/gui/editor_run_bar.cpp:229
#19 0x0000000005c771be in EditorRunBar::play_main_scene (this=0x129d66d0, p_from_native=false) at editor/gui/editor_run_bar.cpp:271
#20 0x0000000005c7a2fd in call_with_variant_args_helper<EditorRunBar, bool, 0ul> (p_instance=0x129d66d0, 
    p_method=(void (EditorRunBar::*)(EditorRunBar * const, bool)) 0x5c77160 <EditorRunBar::play_main_scene(bool)>, p_args=0x7fff50443320, r_error=...) at ./core/variant/binder_common.h:304
#21 0x0000000005c7a26b in call_with_variant_args<EditorRunBar, bool> (p_instance=0x129d66d0, p_method=(void (EditorRunBar::*)(EditorRunBar * const, bool)) 0x5c77160 <EditorRunBar::play_main_scene(bool)>, 
    p_args=0x7fff50443320, p_argcount=1, r_error=...) at ./core/variant/binder_common.h:418
#22 0x0000000005c7a165 in CallableCustomMethodPointer<EditorRunBar, bool>::call (this=0x129de470, p_arguments=0x7fff50443320, p_argcount=1, r_return_value=..., r_call_error=...)
    at ./core/object/callable_method_pointer.h:98
#23 0x0000000008062f10 in Callable::callp (this=0x129de4e0, p_arguments=0x7fff50443320, p_argcount=1, r_return_value=..., r_call_error=...) at core/variant/callable.cpp:56
#24 0x0000000008066b20 in CallableCustomBind::call (this=0x129de4d0, p_arguments=0x0, p_argcount=0, r_return_value=..., r_call_error=...) at core/variant/callable_bind.cpp:144
#25 0x0000000008062f10 in Callable::callp (this=0x2afc7e40, p_arguments=0x0, p_argcount=0, r_return_value=..., r_call_error=...) at core/variant/callable.cpp:56
#26 0x000000000837f904 in Object::emit_signalp (this=0x129dad10, p_name=..., p_args=0x0, p_argcount=0) at core/object/object.cpp:1127
#27 0x00000000064a3ca2 in Node::emit_signalp (this=0x129dad10, p_name=..., p_args=0x0, p_argcount=0) at scene/main/node.cpp:3762
#28 0x0000000004d0dedb in Object::emit_signal<>(StringName const&) (this=0x129dad10, p_name=...) at ./core/object/object.h:922
#29 0x000000000655aae0 in BaseButton::_pressed (this=0x129dad10) at scene/gui/base_button.cpp:138
#30 0x000000000655a89c in BaseButton::on_action_event (this=0x129dad10, p_event=...) at scene/gui/base_button.cpp:168
#31 0x000000000655a687 in BaseButton::gui_input (this=0x129dad10, p_event=...) at scene/gui/base_button.cpp:69
#32 0x00000000065fb962 in Control::_call_gui_input (this=0x129dad10, p_event=...) at scene/gui/control.cpp:1797
#33 0x00000000064e307d in Viewport::_gui_call_input (this=0xd012d20, p_control=0x129dad10, p_input=...) at scene/main/viewport.cpp:1603
#34 0x00000000064e4267 in Viewport::_gui_input_event (this=0xd012d20, p_event=...) at scene/main/viewport.cpp:1872
#35 0x00000000064ec308 in Viewport::push_input (this=0xd012d20, p_event=..., p_local_coords=false) at scene/main/viewport.cpp:3371
#36 0x00000000065238c4 in Window::_window_input (this=0xd012d20, p_ev=...) at scene/main/window.cpp:1620
#37 0x000000000652548f in call_with_variant_args_helper<Window, Ref<InputEvent> const&, 0ul> (p_instance=0xd012d20, 
    p_method=(void (Window::*)(Window * const, const Ref<InputEvent> &)) 0x6523580 <Window::_window_input(Ref<InputEvent> const&)>, p_args=0x7fff50446870, r_error=...) at ./core/variant/binder_common.h:304
#38 0x00000000065253fb in call_with_variant_args<Window, Ref<InputEvent> const&> (p_instance=0xd012d20, 
    p_method=(void (Window::*)(Window * const, const Ref<InputEvent> &)) 0x6523580 <Window::_window_input(Ref<InputEvent> const&)>, p_args=0x7fff50446870, p_argcount=1, r_error=...)
    at ./core/variant/binder_common.h:418
#39 0x00000000065252f5 in CallableCustomMethodPointer<Window, Ref<InputEvent> const&>::call (this=0x1cfad8d0, p_arguments=0x7fff50446870, p_argcount=1, r_return_value=..., r_call_error=...)
    at ./core/object/callable_method_pointer.h:98
#40 0x0000000008062f10 in Callable::callp (this=0x7fff50446938, p_arguments=0x7fff50446870, p_argcount=1, r_return_value=..., r_call_error=...) at core/variant/callable.cpp:56
#41 0x000000000459df71 in Callable::call<Ref<InputEvent> > (this=0x7fff50446938, p_args=...) at ./core/variant/variant.h:863
#42 0x000000000459dd47 in DisplayServerX11::_dispatch_input_event (this=0xab0f550, p_event=...) at platform/linuxbsd/x11/display_server_x11.cpp:4033
#43 0x000000000459db4d in DisplayServerX11::_dispatch_input_events (p_event=...) at platform/linuxbsd/x11/display_server_x11.cpp:4009
#44 0x000000000800ee36 in Input::_parse_input_event_impl (this=0xa2caf20, p_event=..., p_is_emulated=false) at core/input/input.cpp:770
#45 0x000000000800d71e in Input::flush_buffered_events (this=0xa2caf20) at core/input/input.cpp:1041
#46 0x00000000045a16d4 in DisplayServerX11::process_events (this=0xab0f550) at platform/linuxbsd/x11/display_server_x11.cpp:5134
#47 0x000000000457129b in OS_LinuxBSD::run (this=0x7fff50447428) at platform/linuxbsd/os_linuxbsd.cpp:941
#48 0x0000000004567da0 in main (argc=4, argv=0x7fff50447a48) at platform/linuxbsd/godot_linuxbsd.cpp:86
(gdb) frame 6
#6  0x000000000462e0b1 in Object::cast_to<Node> (p_object=0x2740f430) at ./core/object/object.h:792
792         return dynamic_cast<T *>(p_object);
(gdb) p *p_object
$1 = {
  _vptr$Object = 0x0,
  _extension = 0x0,
  _extension_instance = 0x0,
  signal_map = {
    static MIN_CAPACITY_INDEX = 2,
    static MAX_OCCUPANCY = 0.75,
    static EMPTY_HASH = 0,
    element_alloc = {<No data fields>},
    elements = 0x40,
    hashes = 0x40,
    head_element = 0x222296af,
    tail_element = 0x7f33181ffb20 <main_arena+96>,
    capacity_index = 742265472,
    num_elements = 0
  },
  connections = {
    _data = 0x25408760
  },
  _lock_index = {
    count = {
      value = std::atomic<unsigned int> = { 0 }
    }
  },
  _block_signals = false,
  _predelete_ok = 659466240,
  _instance_id = {
    id = 128
  },
  _can_translate = 64,
  _emitting = false,
  _edited = false,
  _edited_version = 0,
  editor_section_folding = {
    static MIN_CAPACITY_INDEX = 2,
    static MAX_OCCUPANCY = 0.75,
    static EMPTY_HASH = 0,
    keys = 0x222296ef,
    hash_to_key = 0x7f33181ffb20 <main_arena+96>,
    key_to_hash = 0x2c3e1280,
    hashes = 0x254087a0,
    capacity_index = 0,
    num_elements = 0
  },
  script_instance = 0x274ea870,
  script = {
    type = 192,
    _data = {
      _bool = 64,
      _int = 64,
      _float = 3.1620201333839779e-322,
      _transform2d = 0x40,
      _aabb = 0x40,
      _basis = 0x40,
      _transform3d = 0x40,
      _projection = 0x40,
      packed_array = 0x40,
      _ptr = 0x40,
      _mem = "@\000\000\000\000\000\000\000/\227\"\"\000\000\000"
    }
  },
  metadata = {
    static MIN_CAPACITY_INDEX = 2,
    static MAX_OCCUPANCY = 0.75,
    static EMPTY_HASH = 0,
    element_alloc = {<No data fields>},
    elements = 0x2c3e1280,
    hashes = 0x254087e0,
    head_element = 0x0,
    tail_element = 0x274ea8e0,
    capacity_index = 256,
    num_elements = 0
  },
  metadata_properties = {
    static MIN_CAPACITY_INDEX = 2,
    static MAX_OCCUPANCY = 0.75,
    static EMPTY_HASH = 0,
    element_alloc = {<No data fields>},
    elements = 0x2222976f,
    hashes = 0x7f33181ffb20 <main_arena+96>,
    head_element = 0x2c3e1280,
    tail_element = 0x25408820,
    capacity_index = 0,
    num_elements = 0
  },
  _class_name_ptr = 0x1ecdb450,
  type_is_reference = 64,
  _instance_binding_mutex = {
    mutex = {
      <std::__mutex_base> = {
        _M_mutex = {
          __data = {
            __lock = 64,
            __count = 0,
            __owner = 572692399,
            __nusers = 0,
            __kind = 404749088,
            __spins = 32563,
            __elision = 0,
            __list = {
              __prev = 0x2c3e1280,
              __next = 0x25408860
            }
          },
          __size = "@\000\000\000\000\000\000\000\257\227\"\"\000\000\000\000 \373\037\0303\177\000\000\200\022>,\000\000\000\000`\210@%\000\000\000",
          __align = 64
        }
      }, <No data fields>}
  },
  _instance_bindings = 0x0,
  _instance_binding_count = 516797632,
  virtual_method_list = 0x180,
  static _class_is_enabled = true,
  _is_queued_for_deletion = 64
}

In case it's relevant: my project features a 3D scene inheriting from an imported .blend file containing multiple meshes. Another 3D scene (the game level) has an instance of the inherited scene in its tree.

Steps to reproduce

I'm unable to reproduce it at will but it occurs maybe once or twice a day.

Minimal reproduction project (MRP)

(No MRP)

jsjtxietian commented 5 months ago

It looks like the second p_object is corrupted already: its vtable is _vptr$Object = 0x0 and other values are garbage too. Given the reproduction probability, could it be a thread issue where the pointer has been freed on another thread?
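
A triage sketch for dumps like the two in this report, added here as an example and not part of the original thread or of Godot's code: it scans gdb's `p *p_object` output for signs of freed or reused memory (a null or non-vtable `_vptr`, and fields that gdb annotates with `main_arena` or with another class's vtable). The function name `triage` and the indicator labels are hypothetical, the sample dumps are abridged from the report, and gdb's default symbol annotation (`set print symbol on`) is assumed.

```python
import re

# A gdb struct field printed as "name = 0xADDR", optionally followed by a
# "<symbol+off>" annotation (assumes gdb's default "set print symbol on").
FIELD = re.compile(r"^(?P<name>[\w$]+) = (?P<addr>0x[0-9a-f]+)(?: <(?P<sym>[^>]+)>)?,?$")

def triage(dump):
    """Return (indicator, field_path, detail) tuples for one `p *obj` dump."""
    findings, path = [], []
    for raw in dump.splitlines():
        line = raw.strip()
        m = FIELD.match(line)
        if m:
            field = ".".join(path + [m["name"]])
            addr, sym = int(m["addr"], 16), m["sym"] or ""
            if m["name"].startswith("_vptr"):
                if addr == 0:
                    findings.append(("null-vptr", field, m["addr"]))
                elif not sym.startswith("vtable for "):
                    findings.append(("vptr-not-a-vtable", field, m["addr"]))
            elif sym.startswith("main_arena"):
                # glibc stores bin list links inside freed chunks
                findings.append(("allocator-link", field, sym))
            elif sym.startswith("vtable for "):
                # another object's vptr inside this one: memory was reused
                findings.append(("foreign-vtable", field, sym))
            continue
        if '"' in line or "'" in line:
            continue  # string/char data is not structure
        opens, closes = line.count("{"), line.count("}")
        if line.endswith("{"):  # "member = {" opens a nested struct
            name = line.split(" = ")[0]
            if not name.startswith("$"):  # skip gdb's "$1 = {" wrapper
                path.append(name)
            opens -= 1
        if closes > opens:  # "}," or "}, <No data fields>}" close levels
            del path[-(closes - opens):]
    return findings

# Abridged from the first dump in the report (lines omitted, none altered).
DUMP_FIRST = """$1 = {
  _vptr$Object = 0x265acfd0,
  _extension = 0x28ea56c0,
  _extension_instance = 0x40,
  signal_map = {
    elements = 0x1b8,
    head_element = 0x39473e0 <vtable for TextLine+16>,
  },
}"""

# Abridged from the second dump in the report (lines omitted, none altered).
DUMP_SECOND = """$1 = {
  _vptr$Object = 0x0,
  signal_map = {
    tail_element = 0x7f33181ffb20 <main_arena+96>,
  },
  editor_section_folding = {
    hash_to_key = 0x7f33181ffb20 <main_arena+96>,
  },
}"""

if __name__ == "__main__":
    for label, dump in (("first", DUMP_FIRST), ("second", DUMP_SECOND)):
        for finding in triage(dump):
            print(label, *finding)
```

These indicators are heuristics for prioritising a crash as a likely use-after-free; confirming it takes a sanitizer build or allocator tracing.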

andyprice commented 4 months ago

> I'm unable to reproduce it at will but it occurs maybe once or twice a day.

I actually haven't seen this crash in a while now. I suspect it was a specific large inherited scene (of a 3D model) in my project that was triggering it and it stopped crashing after I removed the scene to redesign part of the project, but I can't be certain. I'll report back if it starts crashing again.