Autoloads and engine singletons sometimes are considered "freed"

[vnen]

Godot version:
3.1 stable

OS/device including version:
Linux and Android (multiple versions)

Issue description:
Sometimes we get errors and crashes where the message is like "Trying to access property 'X' from a stray pointer object". Happens with properties and sometimes functions. We added those checks in release mode so we can gather info from Google Play crash reports, since Godot only has them in debug.

When looking at the base from which the property belongs, we found it was an autoload marked as singleton. It doesn't make sense since we don't free this autoload and it should only be gone when the application exits.

We also had reports of freed instances when calling static functions from some scripts and from the OS singleton (which is on Godot itself and should never be freed).

I tried to use Valgrind but couldn't find anything particular that could be related to those errors.

This is quite similar to #26564, maybe the same thing.

We need help to figure out what could be causing this.

Steps to reproduce:
Not sure since it happens rarely.

[KoBeWi]

Sounds similar to #30700 (comment)

[jahd2602]

Can confirm. The frequency is quite high considering a game with more than a few users.

In our latest Google Play Pre-launch report, from 8 tested devices, we got 1 with this problem. (In this case, Global, which is an autoloaded variable was a stray pointer object)

I know it is a small sample size but still supposes a 12.5% rate of this crash happening.

It sometimes happen on linux, but is semi-impossible to replicate (a matter of luck). Also: happens more frequently when there is no max fps (when fps reaches the hundreds/thousands).

[vnen]

I'm running with ASAN and found this:

=================================================================
==30888==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000b9b178 at pc 0x000001046f54 bp 0x7fffffffb570 sp 0x7fffffffb560
READ of size 8 at 0x604000b9b178 thread T0
    #0 0x1046f53 in CowData<Vector2>::set(int, Vector2 const&) core/cowdata.h:139
    #1 0x1045199 in Vector<Vector2>::set(int, Vector2 const&) core/vector.h:82
    #2 0x104124d in Vector<Vector2>::push_back(Vector2 const&) core/vector.h:154
    #3 0x3c1a56c in LineBuilder::strip_add_tri(Vector2, LineBuilder::Orientation) scene/2d/line_builder.cpp:495
    #4 0x3c1ac5e in LineBuilder::strip_add_arc(Vector2, float, LineBuilder::Orientation) scene/2d/line_builder.cpp:526
    #5 0x3c181ba in LineBuilder::build() scene/2d/line_builder.cpp:356
    #6 0x3c009ac in Line2D::_draw() scene/2d/line_2d.cpp:266
    #7 0x3bffd5e in Line2D::_notification(int) scene/2d/line_2d.cpp:203
    #8 0x3c09f1f in Line2D::_notificationv(int, bool) scene/2d/line_2d.h:38
    #9 0x5098c91 in Object::notification(int, bool) core/object.cpp:952
    #10 0x3b0a558 in CanvasItem::_update_callback() scene/2d/canvas_item.cpp:455
    #11 0x1337ac1 in MethodBind0::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:54
    #12 0x50988e7 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:942
    #13 0x5081e67 in MessageQueue::_call_function(Object*, StringName const&, Variant const*, int, bool) core/message_queue.cpp:256
    #14 0x508261f in MessageQueue::flush() core/message_queue.cpp:303
    #15 0x31078d8 in SceneTree::idle(float) scene/main/scene_tree.cpp:513
    #16 0xfdf50e in Main::iteration() main/main.cpp:1899
    #17 0xf6fd65 in OS_X11::run() platform/x11/os_x11.cpp:3006
    #18 0xf46e79 in main platform/x11/godot_x11.cpp:55
    #19 0x7ffff690dee2 in __libc_start_main (/usr/lib/libc.so.6+0x26ee2)
    #20 0xf46c1d in _start (/home/george/workspace/javary/games/monster-pop/godot/bin/godot.x11.tools.64s+0xf46c1d)

0x604000b9b178 is located 40 bytes inside of 48-byte region [0x604000b9b150,0x604000b9b180)
freed by thread T0 here:
    #0 0x7ffff766ef40 in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x537684b in Memory::realloc_static(void*, unsigned long, bool) core/os/memory.cpp:140
    #2 0x10417cd in CowData<Vector2>::resize(int) core/cowdata.h:282
    #3 0x103f85b in Vector<Vector2>::resize(int) core/vector.h:84
    #4 0x10411b0 in Vector<Vector2>::push_back(Vector2 const&) core/vector.h:152
    #5 0x3c1a56c in LineBuilder::strip_add_tri(Vector2, LineBuilder::Orientation) scene/2d/line_builder.cpp:495
    #6 0x3c1ac5e in LineBuilder::strip_add_arc(Vector2, float, LineBuilder::Orientation) scene/2d/line_builder.cpp:526
    #7 0x3c181ba in LineBuilder::build() scene/2d/line_builder.cpp:356
    #8 0x3c009ac in Line2D::_draw() scene/2d/line_2d.cpp:266
    #9 0x3bffd5e in Line2D::_notification(int) scene/2d/line_2d.cpp:203
    #10 0x3c09f1f in Line2D::_notificationv(int, bool) scene/2d/line_2d.h:38
    #11 0x5098c91 in Object::notification(int, bool) core/object.cpp:952
    #12 0x3b0a558 in CanvasItem::_update_callback() scene/2d/canvas_item.cpp:455
    #13 0x1337ac1 in MethodBind0::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:54
    #14 0x50988e7 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:942
    #15 0x5081e67 in MessageQueue::_call_function(Object*, StringName const&, Variant const*, int, bool) core/message_queue.cpp:256
    #16 0x508261f in MessageQueue::flush() core/message_queue.cpp:303
    #17 0x31078d8 in SceneTree::idle(float) scene/main/scene_tree.cpp:513
    #18 0xfdf50e in Main::iteration() main/main.cpp:1899
    #19 0xf6fd65 in OS_X11::run() platform/x11/os_x11.cpp:3006
    #20 0xf46e79 in main platform/x11/godot_x11.cpp:55
    #21 0x7ffff690dee2 in __libc_start_main (/usr/lib/libc.so.6+0x26ee2)

previously allocated by thread T0 here:
    #0 0x7ffff766ef40 in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x537684b in Memory::realloc_static(void*, unsigned long, bool) core/os/memory.cpp:140
    #2 0x10417cd in CowData<Vector2>::resize(int) core/cowdata.h:282
    #3 0x103f85b in Vector<Vector2>::resize(int) core/vector.h:84
    #4 0x10411b0 in Vector<Vector2>::push_back(Vector2 const&) core/vector.h:152
    #5 0x3c19f4d in LineBuilder::strip_add_quad(Vector2, Vector2, Color, float) scene/2d/line_builder.cpp:467
    #6 0x3c17920 in LineBuilder::build() scene/2d/line_builder.cpp:304
    #7 0x3c009ac in Line2D::_draw() scene/2d/line_2d.cpp:266
    #8 0x3bffd5e in Line2D::_notification(int) scene/2d/line_2d.cpp:203
    #9 0x3c09f1f in Line2D::_notificationv(int, bool) scene/2d/line_2d.h:38
    #10 0x5098c91 in Object::notification(int, bool) core/object.cpp:952
    #11 0x3b0a558 in CanvasItem::_update_callback() scene/2d/canvas_item.cpp:455
    #12 0x1337ac1 in MethodBind0::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:54
    #13 0x50988e7 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:942
    #14 0x5081e67 in MessageQueue::_call_function(Object*, StringName const&, Variant const*, int, bool) core/message_queue.cpp:256
    #15 0x508261f in MessageQueue::flush() core/message_queue.cpp:303
    #16 0x31078d8 in SceneTree::idle(float) scene/main/scene_tree.cpp:513
    #17 0xfdf50e in Main::iteration() main/main.cpp:1899
    #18 0xf6fd65 in OS_X11::run() platform/x11/os_x11.cpp:3006
    #19 0xf46e79 in main platform/x11/godot_x11.cpp:55
    #20 0x7ffff690dee2 in __libc_start_main (/usr/lib/libc.so.6+0x26ee2)

It looks like a bug in Line2D. I wonder if other people that had this issue were using Line2D as well.

This is the same I've found with Valgrind some time ago. I had dismissed as not the cause, but now I think it actually might be the issue. This is reported in a similar point where we got the crash in the Pre-Launch Report from Google Play.

[vnen]

Sample project with just a Line2D. If you run with ASAN enabled you can see the issue. It happens with Godot master (05be97a) too.

line2d-bug.zip

[akien-mga]

LineBuilder was added in #7352 by @Zylann.

It changed quite a bit since that PR, but from a quick glance I don't see anything particularly fishy.

[Zylann]

I can't see what's wrong with those lines.
The only eventual issue that occured in the past was the fact there is stuff like this going on:

uvs.push_back(uvs[_last_index[UP]]);

But due to how Vector was implemented, it was resizing, invalidating the reference passed as parameter of push_back (which does not happen with other vector implementations). I wonder if that issue still occurs, although your logs doesn't mention lines like this.

[vnen]

I can't see what's wrong with those lines.
The only eventual issue that occured in the past was the fact there is stuff like this going on:

uvs.push_back(uvs[_last_index[UP]]);

This is exactly what I've found, actually. The logs I posted is from an older version of Godot, the actual issue is on this line:

godot/scene/2d/line_builder.cpp

Line 533 in 05be97a

uvs.push_back(uvs[_last_index[opposite_orientation]]);

Changing that to use a temporary variable doesn't give the ASAN error anymore.

I'm not entirely sure this is the cause of my initial problem, but it's the only memory issue I could find.

[Zylann]

This is the issue where it was found, it was assigned to @hpvb #16961 (comment)