godotengine / godot

Godot Engine – Multi-platform 2D and 3D game engine
https://godotengine.org
MIT License

Crashes with AudioStreamGenerator or C# Theme when game exits #92349

Open beicause opened 1 month ago

beicause commented 1 month ago

Tested versions

master branch 4.3.dev.

System information

Linux Mint 21.3 (Virginia) - X11 - Vulkan (Mobile) - integrated AMD Unknown (RADV RENOIR) () - AMD Ryzen 7 4800U with Radeon Graphics (16 Threads)

Issue description

When the game is closed, there are two heap-use-after-free errors reported by AddressSanitizer that slow down quitting and prevent the shutdown benchmark.

  1. AudioStreamGenerator is still used after unref AudioStreamPlayer if it is playing:
    
    =================================================================
    ==110126==ERROR: AddressSanitizer: heap-use-after-free on address 0x6180001acf88 at pc 0x56508ca06eff bp 0x7f1862e59910 sp 0x7f1862e59900
    READ of size 4 at 0x6180001acf88 thread T26
    #0 0x56508ca06efe in AudioStreamGenerator::get_mix_rate() const servers/audio/effects/audio_stream_generator.cpp:38
    #1 0x56508ca08a2d in AudioStreamGeneratorPlayback::get_stream_sampling_rate() servers/audio/effects/audio_stream_generator.cpp:170
    #2 0x56508c9795e0 in AudioStreamPlaybackResampled::mix(AudioFrame*, float, int) servers/audio/audio_stream.cpp:140
    #3 0x56508c13fbba in AudioServer::_mix_step() servers/audio_server.cpp:380
    #4 0x56508c13e897 in AudioServer::_driver_process(int, int*) servers/audio_server.cpp:264
    #5 0x56508c13c3da in AudioDriver::audio_server_process(int, int*, bool) servers/audio_server.cpp:70
    #6 0x56508632681e in AudioDriverPulseAudio::thread_func(void*) drivers/pulseaudio/audio_driver_pulseaudio.cpp:411
    #7 0x56508e63b53d in Thread::callback(unsigned long, Thread::Settings const&, void (*)(void*), void*) core/os/thread.cpp:64
    #8 0x56508e673478 in void std::__invoke_impl<void, void (*)(unsigned long, Thread::Settings const&, void (*)(void*), void*), unsigned long, Thread::Settings, void (*)(void*), void*>(std::__invoke_other, void (*&&)(unsigned long, Thread::Settings const&, void (*)(void*), void*), unsigned long&&, Thread::Settings&&, void (*&&)(void*), void*&&) /usr/include/c++/11/bits/invoke.h:61
    #9 0x56508e67329d in std::__invoke_result<void (*)(unsigned long, Thread::Settings const&, void (*)(void*), void*), unsigned long, Thread::Settings, void (*)(void*), void*>::type std::__invoke<void (*)(unsigned long, Thread::Settings const&, void (*)(void*), void*), unsigned long, Thread::Settings, void (*)(void*), void*>(void (*&&)(unsigned long, Thread::Settings const&, void (*)(void*), void*), unsigned long&&, Thread::Settings&&, void (*&&)(void*), void*&&) /usr/include/c++/11/bits/invoke.h:96
    #10 0x56508e67313c in void std::thread::_Invoker<std::tuple<void (*)(unsigned long, Thread::Settings const&, void (*)(void*), void*), unsigned long, Thread::Settings, void (*)(void*), void*> >::_M_invoke<0ul, 1ul, 2ul, 3ul, 4ul>(std::_Index_tuple<0ul, 1ul, 2ul, 3ul, 4ul>) /usr/include/c++/11/bits/std_thread.h:259
    #11 0x56508e66e0b7 in std::thread::_Invoker<std::tuple<void (*)(unsigned long, Thread::Settings const&, void (*)(void*), void*), unsigned long, Thread::Settings, void (*)(void*), void*> >::operator()() /usr/include/c++/11/bits/std_thread.h:266
    #12 0x56508e66a13f in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (*)(unsigned long, Thread::Settings const&, void (*)(void*), void*), unsigned long, Thread::Settings, void (*)(void*), void*> > >::_M_run() /usr/include/c++/11/bits/std_thread.h:211
    #13 0x56509038a873 in execute_native_thread_routine (/home/luo/Document/godot/bin/godot.linuxbsd.editor.dev.x86_64.san.mono+0x12e4c873)
    #14 0x7f1895da5ac2 in start_thread nptl/pthread_create.c:442
    #15 0x7f1895e3784f  (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)

0x6180001acf88 is located 776 bytes inside of 784-byte region [0x6180001acc80,0x6180001acf90)
freed by thread T0 here:
#0 0x7f18960d5537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x56508e62dd70 in Memory::free_static(void*, bool) core/os/memory.cpp:168
#2 0x565084c37959 in void memdelete<AudioStream>(AudioStream*) core/os/memory.h:119
#3 0x565084c3646d in Ref<AudioStream>::unref() core/object/ref_counted.h:210
#4 0x565084c34e21 in Ref<AudioStream>::~Ref() core/object/ref_counted.h:223
#5 0x56508afe0650 in AudioStreamPlayerInternal::~AudioStreamPlayerInternal() scene/audio/audio_stream_player_internal.h:41
#6 0x56508a34b4f9 in void memdelete<AudioStreamPlayerInternal>(AudioStreamPlayerInternal*) core/os/memory.h:116
#7 0x56508afca4c2 in AudioStreamPlayer::~AudioStreamPlayer() scene/audio/audio_stream_player.cpp:268
#8 0x56508540abf7 in void memdelete<Node>(Node*) core/os/memory.h:116
#9 0x565089166821 in Node::_notification(int) scene/main/node.cpp:241
#10 0x5650853f5435 in Node::_notificationv(int, bool) scene/main/node.h:50
#11 0x56508f5e27d6 in Object::notification(int, bool) core/object/object.cpp:917
#12 0x56508f5db147 in Object::_predelete() core/object/object.cpp:198
#13 0x56508f5fb1a0 in predelete_handler(Object*) core/object/object.cpp:2156
#14 0x56508540ab96 in void memdelete<Node>(Node*) core/os/memory.h:112
#15 0x565089166821 in Node::_notification(int) scene/main/node.cpp:241
#16 0x5650853f5435 in Node::_notificationv(int, bool) scene/main/node.h:50
#17 0x56508f5e27d6 in Object::notification(int, bool) core/object/object.cpp:917
#18 0x56508f5db147 in Object::_predelete() core/object/object.cpp:198
#19 0x56508f5fb1a0 in predelete_handler(Object*) core/object/object.cpp:2156
#20 0x56508540ab96 in void memdelete<Node>(Node*) core/os/memory.h:112
#21 0x565089166821 in Node::_notification(int) scene/main/node.cpp:241
#22 0x5650853f5435 in Node::_notificationv(int, bool) scene/main/node.h:50
#23 0x56508599939e in Viewport::_notificationv(int, bool) scene/main/viewport.h:95
#24 0x56508599a01e in Window::_notificationv(int, bool) scene/main/window.h:44
#25 0x56508f5e27d6 in Object::notification(int, bool) core/object/object.cpp:917
#26 0x56508f5db147 in Object::_predelete() core/object/object.cpp:198
#27 0x56508f5fb1a0 in predelete_handler(Object*) core/object/object.cpp:2156
#28 0x565089336731 in void memdelete<Window>(Window*) core/os/memory.h:112
#29 0x5650891ba511 in SceneTree::finalize() scene/main/scene_tree.cpp:644

previously allocated by thread T0 here:
#0 0x7f18960d5887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x56508e62d25a in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
#2 0x56508e62d170 in operator new(unsigned long, char const*) core/os/memory.cpp:40
#3 0x56508c4bb29a in Object* ClassDB::creator<AudioStreamGenerator>() core/object/class_db.h:145
#4 0x56508f5b6327 in ClassDB::_instantiate_internal(StringName const&, bool) core/object/class_db.cpp:533
#5 0x56508f5b6448 in ClassDB::instantiate(StringName const&) core/object/class_db.cpp:538
#6 0x56508b2b5d18 in ResourceLoaderText::load() scene/resources/resource_format_text.cpp:552
#7 0x56508b2d1298 in ResourceFormatLoaderText::load(String const&, String const&, Error*, bool, float*, ResourceFormatLoader::CacheMode) scene/resources/resource_format_text.cpp:1686
#8 0x56508e9854d8 in ResourceLoader::_load(String const&, String const&, String const&, ResourceFormatLoader::CacheMode, Error*, bool, float*) core/io/resource_loader.cpp:268
#9 0x56508e98640d in ResourceLoader::_thread_load_function(void*) core/io/resource_loader.cpp:326
#10 0x56508e98842a in ResourceLoader::_load_start(String const&, String const&, ResourceLoader::LoadThreadMode, ResourceFormatLoader::CacheMode) core/io/resource_loader.cpp:528
#11 0x56508e98794d in ResourceLoader::load(String const&, String const&, ResourceFormatLoader::CacheMode, Error*) core/io/resource_loader.cpp:445
#12 0x565084b59bb6 in Main::start() main/main.cpp:3836
#13 0x56508496f81e in main platform/linuxbsd/godot_linuxbsd.cpp:84
#14 0x7f1895d3ad8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Thread T26 created by T0 here:
#0 0x7f1896079685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x56509038a948 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/home/luo/Document/godot/bin/godot.linuxbsd.editor.dev.x86_64.san.mono+0x12e4c948)
#2 0x56508e63b7af in Thread::start(void (*)(void*), void*, Thread::Settings const&) core/os/thread.cpp:75
#3 0x565086325fa5 in AudioDriverPulseAudio::init() drivers/pulseaudio/audio_driver_pulseaudio.cpp:367
#4 0x56508c13e163 in AudioDriverManager::initialize(int) servers/audio_server.cpp:211
#5 0x565084b47dcc in Main::setup2() main/main.cpp:2821
#6 0x565084b42119 in Main::setup(char const*, int, char**, bool) main/main.cpp:2432
#7 0x56508496f7dc in main platform/linuxbsd/godot_linuxbsd.cpp:74
#8 0x7f1895d3ad8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free servers/audio/effects/audio_stream_generator.cpp:38 in AudioStreamGenerator::get_mix_rate() const
==110126==ABORTING


2. If a C# class extends Theme and merges with ThemeDB's default theme, the C# theme instance will double free.

=================================================================
==191560==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00069c478 at pc 0x561c682783e3 bp 0x7ffe493c2060 sp 0x7ffe493c2050
READ of size 8 at 0x60b00069c478 thread T0
#0 0x561c682783e2 in CSharpLanguage::_instance_binding_reference_callback(void, void, unsigned char) modules/mono/csharp_script.cpp:1244
#1 0x561c71ea6c9f in Object::_instance_binding_reference(bool) core/object/object.h:686
#2 0x561c71e72d5f in RefCounted::unreference() core/object/ref_counted.cpp:89
#3 0x561c6835e283 in Ref<Theme>::unref() core/object/ref_counted.h:209
#4 0x561c6835e1f9 in Ref<Theme>::~Ref() core/object/ref_counted.h:223
#5 0x561c69a6c999 in List<Ref<Theme>, DefaultAllocator>::Element::~Element() core/templates/list.h:51
#6 0x561c69a6c9cc in void memdelete_allocator<List<Ref<Theme>, DefaultAllocator>::Element, DefaultAllocator>(List<Ref<Theme>, DefaultAllocator>::Element*) core/os/memory.h:128
#7 0x561c69a627b7 in List<Ref<Theme>, DefaultAllocator>::_Data::erase(List<Ref<Theme>, DefaultAllocator>::Element const*) core/templates/list.h:247
#8 0x561c69a3f781 in List<Ref<Theme>, DefaultAllocator>::erase(List<Ref<Theme>, DefaultAllocator>::Element const*) core/templates/list.h:435
#9 0x561c699f33f1 in List<Ref<Theme>, DefaultAllocator>::clear() core/templates/list.h:468
#10 0x561c6997def9 in List<Ref<Theme>, DefaultAllocator>::~List() core/templates/list.h:767
#11 0x561c6e94fa5a in ThemeContext::~ThemeContext() scene/theme/theme_db.h:183
#12 0x561c6e94fb15 in void memdelete<ThemeContext>(ThemeContext*) core/os/memory.h:116
#13 0x561c6e9473d4 in ThemeDB::_finalize_theme_contexts() scene/theme/theme_db.cpp:291
#14 0x561c6e94bb10 in ThemeDB::~ThemeDB() scene/theme/theme_db.cpp:462
#15 0x561c673e1c68 in void memdelete<ThemeDB>(ThemeDB*) core/os/memory.h:116
#16 0x561c6738ccb4 in finalize_theme_db() main/main.cpp:387
#17 0x561c673cea58 in Main::cleanup(bool) main/main.cpp:4241
#18 0x561c671e0a16 in main platform/linuxbsd/godot_linuxbsd.cpp:89
#19 0x7ffabbc5bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#20 0x7ffabbc5be3f in __libc_start_main_impl ../csu/libc-start.c:392
#21 0x561c671e05e4 in _start (/home/luo/Document/godot/bin/godot.linuxbsd.editor.dev.x86_64.san.mono+0x74325e4)

0x60b00069c478 is located 104 bytes inside of 112-byte region [0x60b00069c410,0x60b00069c480)
freed by thread T0 here:
#0 0x7ffabbff6537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x561c70ea14f0 in Memory::free_static(void*, bool) core/os/memory.cpp:168
#2 0x561c671e2332 in DefaultAllocator::free(void*) core/os/memory.h:73
#3 0x561c682a4212 in void memdelete_allocator<RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::Element, DefaultAllocator>(RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::Element*) core/os/memory.h:131
#4 0x561c682a779e in RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::_cleanup_tree(RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::Element*) core/templates/rb_map.h:588
#5 0x561c682a7792 in RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::_cleanup_tree(RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::Element*) core/templates/rb_map.h:587
#6 0x561c682a7792 in RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::_cleanup_tree(RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::Element*) core/templates/rb_map.h:587
#7 0x561c682a7792 in RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::_cleanup_tree(RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::Element*) core/templates/rb_map.h:587
#8 0x561c682a7792 in RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::_cleanup_tree(RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::Element*) core/templates/rb_map.h:587
#9 0x561c6829cccc in RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::clear() core/templates/rb_map.h:752
#10 0x561c68294177 in RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::~RBMap() core/templates/rb_map.h:769
#11 0x561c68276f0d in CSharpLanguage::~CSharpLanguage() modules/mono/csharp_script.cpp:1123
#12 0x561c6826aad7 in void memdelete<CSharpLanguage>(CSharpLanguage*) core/os/memory.h:116
#13 0x561c6826984f in uninitialize_mono_module(ModuleInitializationLevel) modules/mono/register_types.cpp:71
#14 0x561c6741c0e1 in uninitialize_modules(ModuleInitializationLevel) modules/register_module_types.gen.cpp:332
#15 0x561c673cea44 in Main::cleanup(bool) main/main.cpp:4235
#16 0x561c671e0a16 in main platform/linuxbsd/godot_linuxbsd.cpp:89
#17 0x7ffabbc5bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
#0 0x7ffabbff6887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x561c70ea09da in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
#2 0x561c671e230f in DefaultAllocator::alloc(unsigned long) core/os/memory.h:72
#3 0x561c70ea0913 in operator new(unsigned long, void* (*)(unsigned long)) core/os/memory.cpp:44
#4 0x561c6829da6b in RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::_insert(Object* const&, CSharpScriptBinding const&) core/templates/rb_map.h:427
#5 0x561c682943f5 in RBMap<Object*, CSharpScriptBinding, Comparator<Object*>, DefaultAllocator>::insert(Object* const&, CSharpScriptBinding const&) core/templates/rb_map.h:644
#6 0x561c68277c5d in CSharpLanguage::insert_script_binding(Object*, CSharpScriptBinding const&) modules/mono/csharp_script.cpp:1185
#7 0x561c68277e6e in CSharpLanguage::_instance_binding_create_callback(void*, void*) modules/mono/csharp_script.cpp:1200
#8 0x561c71e6bdcf in Object::get_instance_binding(void*, GDExtensionInstanceBindingCallbacks const*) core/object/object.cpp:1955
#9 0x561c68278917 in CSharpLanguage::get_instance_binding(Object*) modules/mono/csharp_script.cpp:1313
#10 0x561c682789ba in CSharpLanguage::get_instance_binding_with_setup(Object*) modules/mono/csharp_script.cpp:1317
#11 0x561c682c905b in godotsharp_internal_unmanaged_get_instance_binding_managed modules/mono/glue/runtime_interop.cpp:242
#12 0x7ffa0681077b  (/memfd:doublemapper (deleted)+0x18177b)
#13 0x7ffa068106a8  (/memfd:doublemapper (deleted)+0x1816a8)
#14 0x7ffa06810345  (/memfd:doublemapper (deleted)+0x181345)
#15 0x7ffa068122c6  (/memfd:doublemapper (deleted)+0x1832c6)
#16 0x7ffa0680f712  (/memfd:doublemapper (deleted)+0x180712)
#17 0x7ffa0680abd7  (/memfd:doublemapper (deleted)+0x17bbd7)
#18 0x7ffa0680a11a  (/memfd:doublemapper (deleted)+0x17b11a)
#19 0x7ffa84e76c36  (/home/luo/.dotnet/shared/Microsoft.NETCore.App/8.0.4/libcoreclr.so+0x49fc36)
#20 0x7ffa84cae855  (/home/luo/.dotnet/shared/Microsoft.NETCore.App/8.0.4/libcoreclr.so+0x2d7855)
#21 0x7ffa84d61691  (/home/luo/.dotnet/shared/Microsoft.NETCore.App/8.0.4/libcoreclr.so+0x38a691)
#22 0x7ffa05cb6f1e  (/home/luo/.dotnet/shared/Microsoft.NETCore.App/8.0.4/System.Private.CoreLib.dll+0x276f1e)
#23 0x7ffa06809ec3  (/memfd:doublemapper (deleted)+0x17aec3)
#24 0x561c68284567 in CSharpScript::_create_instance(Variant const**, int, Object*, bool, Callable::CallError&) modules/mono/csharp_script.cpp:2358
#25 0x561c682859ec in CSharpScript::instance_create(Object*) modules/mono/csharp_script.cpp:2434
#26 0x561c71e56fab in Object::set_script(Variant const&) core/object/object.cpp:973
#27 0x561c6ba2253f in Node::set_script(Variant const&) scene/main/node.cpp:3849
#28 0x561c673c6aaa in Main::start() main/main.cpp:3628
#29 0x561c671e09de in main platform/linuxbsd/godot_linuxbsd.cpp:84

SUMMARY: AddressSanitizer: heap-use-after-free modules/mono/csharp_script.cpp:1244 in CSharpLanguage::_instance_binding_reference_callback(void, void, unsigned char)
==191560==ABORTING


Currently my workaround is:
```diff
diff --git a/main/main.cpp b/main/main.cpp
index 20ffdf5ae1..fba5ac99f5 100644
--- a/main/main.cpp
+++ b/main/main.cpp
@@ -4206,6 +4206,13 @@ void Main::cleanup(bool p_force) {
    ResourceLoader::clear_translation_remaps();
    ResourceLoader::clear_path_remaps();

+   if (audio_server) {
+       audio_server->finish();
+       memdelete(audio_server);
+   }
+
+   finalize_theme_db();
+
    ScriptServer::finish_languages();

    // Sync pending commands that may have been queued from a different thread during ScriptServer finalization
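Review bot: the block added above ScriptServer::finish_languages() carries no comment saying why it has to sit there, so a later tidy-up of Main::cleanup() can silently move it back. Say that finalize_theme_db() must run while the script languages are still alive: in the second ASan trace ~CSharpLanguage() frees the instance bindings (main.cpp:4235) that ~ThemeDB() then touches through Ref<Theme>::unref() (main.cpp:4241). Also set audio_server to nullptr after memdelete(audio_server); the rest of cleanup still runs after this point and the pointer is now dangling.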
@@ -4238,8 +4245,6 @@ void Main::cleanup(bool p_force) {
    unregister_driver_types();
    unregister_scene_types();

-   finalize_theme_db();
-
    // Before deinitializing server extensions, finalize servers which may be loaded as extensions.
    finalize_navigation_server();
    finalize_physics();
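Review bot: with finalize_theme_db() removed from this spot, ThemeDB is now destroyed before unregister_driver_types() and unregister_scene_types() run, where it previously outlived both. Check that neither unregister path reads the default theme or the ThemeDB singleton, otherwise the reorder trades one use-after-free for another. If either does, keep the call here and instead drop the script-owned Ref<Theme> entries before ScriptServer::finish_languages().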
@@ -4256,11 +4261,6 @@ void Main::cleanup(bool p_force) {
    }
 #endif // _3D_DISABLED

-   if (audio_server) {
-       audio_server->finish();
-       memdelete(audio_server);
-   }
-
    if (camera_server) {
        memdelete(camera_server);
    }
```
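Review bot: removing the teardown here means the AudioServer is deleted before finalize_navigation_server(), finalize_physics() and the script and scene cleanup, rather than next to camera_server where the other servers go. Consider moving only audio_server->finish() up and keeping memdelete(audio_server) in this block, so the mixing thread is stopped early but code that runs in between still finds a live server. Note also that the freeing stack in the first trace comes from SceneTree::finalize(), which this patch does not touch.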

Steps to reproduce

For 1, add an AudioStreamPlayer with AudioStreamGenerator to scene and set autoplay to true, or call play() in script.

For 2, set the following C# theme to a Control in script:

```csharp
using System;
using Godot;

public partial class MyTheme : Theme
{
    public MyTheme()
    {
        MergeWith(ThemeDB.GetDefaultTheme());
    }
}
```

Minimal reproduction project (MRP)

N/A
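
An added triage helper (not part of the issue and not Godot code) that reduces an AddressSanitizer heap-use-after-free report like the two above to the thread and first non-allocator frame of the access, free and allocation stacks, and labels the report cross-thread or same-thread. The sample is abridged from the first report; the names `triage` and `WRAPPERS` and the choice of wrapper paths are assumptions of this example.

```python
import re

# Abridged from the first report on this page: frames trimmed, one line per frame.
SAMPLE = "\n".join([
    "==110126==ERROR: AddressSanitizer: heap-use-after-free on address 0x6180001acf88 at pc 0x56508ca06eff bp 0x7f1862e59910 sp 0x7f1862e59900",
    "READ of size 4 at 0x6180001acf88 thread T26",
    "    #0 0x56508ca06efe in AudioStreamGenerator::get_mix_rate() const servers/audio/effects/audio_stream_generator.cpp:38",
    "    #1 0x56508ca08a2d in AudioStreamGeneratorPlayback::get_stream_sampling_rate() servers/audio/effects/audio_stream_generator.cpp:170",
    "0x6180001acf88 is located 776 bytes inside of 784-byte region [0x6180001acc80,0x6180001acf90)",
    "freed by thread T0 here:",
    "    #0 0x7f18960d5537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127",
    "    #1 0x56508e62dd70 in Memory::free_static(void*, bool) core/os/memory.cpp:168",
    "    #2 0x565084c37959 in void memdelete<AudioStream>(AudioStream*) core/os/memory.h:119",
    "    #3 0x565084c3646d in Ref<AudioStream>::unref() core/object/ref_counted.h:210",
    "previously allocated by thread T0 here:",
    "    #0 0x7f18960d5887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145",
    "    #1 0x56508e62d25a in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75",
    "    #2 0x56508e62d170 in operator new(unsigned long, char const*) core/os/memory.cpp:40",
    "    #3 0x56508c4bb29a in Object* ClassDB::creator<AudioStreamGenerator>() core/object/class_db.h:145",
    "Thread T26 created by T0 here:",
    "    #2 0x56508e63b7af in Thread::start(void (*)(void*), void*, Thread::Settings const&) core/os/thread.cpp:75",
    "SUMMARY: AddressSanitizer: heap-use-after-free servers/audio/effects/audio_stream_generator.cpp:38 in AudioStreamGenerator::get_mix_rate() const",
])

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"\b(READ|WRITE) of size \d+ at 0x[0-9a-f]+ thread (T\d+)")
SECTION = re.compile(r"\b(freed|previously allocated) by thread (T\d+) here:")
STOP = re.compile(r"^(Thread T\d+ created by|SUMMARY:)")
# '#' is optional so frames whose marker was lost in copy/paste still parse.
FRAME = re.compile(r"^\s*#?(\d+) 0x[0-9a-f]+ in (.+) (\S+:\d+)$")
# Assumption of this example: paths treated as allocator/sanitizer wrappers.
WRAPPERS = ("libsanitizer/", "core/os/memory.")


def triage(report):
    """Return error kind, per-stack thread ids, first non-wrapper frames, pattern."""
    kind, section = None, None
    threads, stacks = {}, {}
    for line in report.splitlines():
        if m := HEADER.search(line):
            kind = m.group(1)
        if m := ACCESS.search(line):      # may share a line with the header
            section = "access"
            threads[section] = m.group(2)
        elif m := SECTION.search(line):   # may trail the "is located" sentence
            section = "free" if m.group(1) == "freed" else "alloc"
            threads[section] = m.group(2)
        elif STOP.match(line):
            section = None
        elif section and (m := FRAME.match(line)):
            stacks.setdefault(section, []).append((m.group(2), m.group(3)))
    top = {}
    for name, frames in stacks.items():
        own = [f for f in frames if not any(w in f[1] for w in WRAPPERS)]
        top[name] = (own or frames)[0]
    pattern = None
    if "access" in threads and "free" in threads:
        same = threads["access"] == threads["free"]
        pattern = "same-thread" if same else "cross-thread"
    return {"kind": kind, "threads": threads, "top": top, "pattern": pattern}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The first report comes out as cross-thread (read on T26, free on T0); the second report above has both the read and the free on T0, which makes it a teardown-order problem on a single thread.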

beicause commented 1 month ago

Actually, this issue isn't reproducible in a minimal project in a product build. Only the C# theme can be reproduced in a minimal project with a use_asan build. However, in my personal game project it's always reproducible in most attempts, even in a product build. And my workaround just partially fixes this issue, which still happens in a use_asan build rarely, but doesn't happen in a product build.