Invalid write of size 4 in core/safe_refcount.h atomic_decrement

[qarmin]

Godot version:
3.2.alpha.custom_build. 24e1039

OS/device including version:
Ubuntu 19.04

Issue description:
When I do something like in GIF, Godot uses a memory that doesn't have.

WRITE of size 4 at 0x6160008c34b0 thread T0
    #0 0xe3e5c86 in atomic_decrement<unsigned int> core/safe_refcount.h:118
    #1 0xe3e5c86 in SafeRefCount::unref() core/safe_refcount.h:192
    #2 0xe3e5c86 in _ObjectDebugLock::~_ObjectDebugLock() core/object.cpp:53
    #3 0xe3c347d in Object::emit_signal(StringName const&, Variant const**, int) core/object.cpp:1178
    #4 0xe3c3e08 in Object::emit_signal(StringName const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&) core/object.cpp:1274
    #5 0x938c355 in Timer::_notification(int) scene/main/timer.cpp:61
    #6 0x93988c7 in Timer::_notificationv(int, bool) scene/main/timer.h:38
    #7 0xe3b8dbd in Object::notification(int, bool) core/object.cpp:931
    #8 0x92e5617 in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:958
    #9 0x92d6123 in SceneTree::idle(float) scene/main/scene_tree.cpp:515
    #10 0x156af00 in Main::iteration() main/main.cpp:1930
    #11 0x146a00c in OS_X11::run() platform/x11/os_x11.cpp:3184
    #12 0x13e6ba3 in main platform/x11/godot_x11.cpp:56
    #13 0x7fad966dbb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)
    #14 0x13e67a9 in _start (/usr/bin/godots+0x13e67a9)

0x6160008c34b0 is located 48 bytes inside of 568-byte region [0x6160008c3480,0x6160008c36b8)
freed by thread T0 here:
    #0 0x7fad97fd704f in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10c04f)
    #1 0xe94b899 in Memory::free_static(void*, bool) core/os/memory.cpp:181
    #2 0x73ac12d in void memdelete<Timer>(Timer*) core/os/memory.h:118
    #3 0x72a1ff8 in CanvasItemEditor::_popup_warning_depop(Control*) editor/plugins/canvas_item_editor_plugin.cpp:3909
    #4 0x5bf5ed9 in MethodBind1<Control*>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:775
    #5 0xe3b8852 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:921
    #6 0xe3c1f4a in Object::emit_signal(StringName const&, Variant const**, int) core/object.cpp:1218
    #7 0xe3c3e08 in Object::emit_signal(StringName const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&) core/object.cpp:1274
    #8 0x938c355 in Timer::_notification(int) scene/main/timer.cpp:61
    #9 0x93988c7 in Timer::_notificationv(int, bool) scene/main/timer.h:38
    #10 0xe3b8dbd in Object::notification(int, bool) core/object.cpp:931
    #11 0x92e5617 in SceneTree::_notify_group_pause(StringName const&, int) scene/main/scene_tree.cpp:958
    #12 0x92d6123 in SceneTree::idle(float) scene/main/scene_tree.cpp:515
    #13 0x156af00 in Main::iteration() main/main.cpp:1930
    #14 0x146a00c in OS_X11::run() platform/x11/os_x11.cpp:3184
    #15 0x13e6ba3 in main platform/x11/godot_x11.cpp:56
    #16 0x7fad966dbb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

previously allocated by thread T0 here:
    #0 0x7fad97fd7448 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10c448)
    #1 0xe94a844 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:85
    #2 0xe94a740 in operator new(unsigned long, char const*) core/os/memory.cpp:42
    #3 0x72a2629 in CanvasItemEditor::_popup_warning_temporarily(Control*, float) editor/plugins/canvas_item_editor_plugin.cpp:3916
    #4 0x7169047 in CanvasItemEditor::_is_node_movable(Node const*, bool) editor/plugins/canvas_item_editor_plugin.cpp:187
    #5 0x720675e in CanvasItemEditor::_gui_input_select(Ref<InputEvent> const&) editor/plugins/canvas_item_editor_plugin.cpp:2183
    #6 0x720f64f in CanvasItemEditor::_gui_input_viewport(Ref<InputEvent> const&) editor/plugins/canvas_item_editor_plugin.cpp:2358
    #7 0x2269e4f in MethodBind1<Ref<InputEvent> const&>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:775
    #8 0xe3b8852 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:921
    #9 0xe3c1f4a in Object::emit_signal(StringName const&, Variant const**, int) core/object.cpp:1218
    #10 0xe3c3e08 in Object::emit_signal(StringName const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&) core/object.cpp:1274
    #11 0x93e50f0 in Viewport::_gui_call_input(Control*, Ref<InputEvent> const&) scene/main/viewport.cpp:1516
    #12 0x93f1b85 in Viewport::_gui_input_event(Ref<InputEvent>) scene/main/viewport.cpp:1828
    #13 0x94190ed in Viewport::input(Ref<InputEvent> const&) scene/main/viewport.cpp:2674
    #14 0x93da682 in Viewport::_vp_input(Ref<InputEvent> const&) scene/main/viewport.cpp:1302
    #15 0x2269e4f in MethodBind1<Ref<InputEvent> const&>::call(Object*, Variant const**, int, Variant::CallError&) core/method_bind.gen.inc:775
    #16 0xe3b8852 in Object::call(StringName const&, Variant const**, int, Variant::CallError&) core/object.cpp:921
    #17 0xe3b6cd2 in Object::call(StringName const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&) core/object.cpp:847
    #18 0x92cb23f in SceneTree::call_group_flags(unsigned int, StringName const&, StringName const&, Variant const&, Variant const&, Variant const&, Variant const&, Variant const&) scene/main/scene_tree.cpp:264
    #19 0x92d0747 in SceneTree::input_event(Ref<InputEvent> const&) scene/main/scene_tree.cpp:419
    #20 0x14cc474 in InputDefault::_parse_input_event_impl(Ref<InputEvent> const&, bool) main/input_default.cpp:442
    #21 0x14c18c6 in InputDefault::parse_input_event(Ref<InputEvent> const&) main/input_default.cpp:259
    #22 0x14d4a94 in InputDefault::flush_accumulated_events() main/input_default.cpp:678
    #23 0x14573ec in OS_X11::process_xevents() platform/x11/os_x11.cpp:2618
    #24 0x1469e88 in OS_X11::run() platform/x11/os_x11.cpp:3180
    #25 0x13e6ba3 in main platform/x11/godot_x11.cpp:56
    #26 0x7fad966dbb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

Steps to reproduce:

Minimal reproduction project:
https://github.com/miskatonicstudio/intrepid

[capnm]

Can not reproduce on Ubuntu 18.04 and Mesa AMD driver

3.2.alpha.custom_build.24e1039eb
OpenGL renderer string: AMD Radeon HD 7700 Series
    (VERDE, DRM 3.27.0, 5.0.0-20-generic, LLVM 9.0.0)
OpenGL core profile version string: 4.5 (Core Profile) Mesa 19.2.0-devel - padoka PPA
OpenGL ES profile version string: OpenGL ES 3.2 Mesa 19.2.0-devel - padoka PPA

[qarmin]

I forgot to add, that crash happens only when I use sanitizers support

scons p=x11 -j6 use_ubsan=yes use_lsan=yes use_asan=yes

with default options, Godot not crash.

[qarmin]

This happens also with other project, but only when I select Control node

[qarmin]

This also happens with other projects like https://github.com/qarmin/The-worst-Godot-test-project/archive/master.zip
Steps to reproduce

1. Open ControlAll.tscn scene
2. Click at different Control nodes on viewport and wait 1/2s(not always works)

With Godot 3.2 Beta 4 it shows an error:

 core/object.cpp:1955 - Object was freed or unreferenced while signal 'timeout' is being emitted from it. Try connecting to the signal using 'CONNECT_DEFERRED' flag, or use queue_free() to free the object (if this object is a Node) to avoid this error and potential crashes

so probably needs similar fix like #34478

[akien-mga]

I tried for a few minutes but didn't manage to get this error with 3.2 beta 4 as described on #32078 (comment)

Nevertheless, based on the error one should look for occurrences where the timeout signal is connected, and the Timer emitting it ends up being freed in the callback.

Code locations that would be worth reviewing:

$ rg 'connect.*"timeout"'
editor/editor_audio_buses.cpp
883:    preview_timer->connect("timeout", this, "_hide_value_preview");
1384:   save_timer->connect("timeout", this, "_server_save");

editor/editor_network_profiler.cpp
210:    frame_delay->connect("timeout", this, "_update_frame");

editor/code_editor.cpp
1761:   idle->connect("timeout", this, "_text_changed_idle_timeout");
1763:   code_complete_timer->connect("timeout", this, "_code_complete_timer_timeout");
1771:   font_resize_timer->connect("timeout", this, "_font_resize_timeout");

editor/settings_config_dialog.cpp
503:    timer->connect("timeout", this, "_settings_save");

editor/editor_profiler.cpp
774:    frame_delay->connect("timeout", this, "_update_frame");
780:    plot_delay->connect("timeout", this, "_update_plot");

scene/main/http_request.cpp
592:    timer->connect("timeout", this, "_timeout");

editor/project_settings_editor.cpp
2128:   timer->connect("timeout", ProjectSettings::get_singleton(), "save");

editor/scene_tree_editor.cpp
1215:   update_timer->connect("timeout", this, "_update_tree");

editor/editor_export.cpp
1426:   save_timer->connect("timeout", this, "_save");

editor/editor_feature_profile.cpp
918:    update_timer->connect("timeout", this, "_emit_current_profile_changed");

editor/editor_node.cpp
5868:   dock_drag_timer->connect("timeout", this, "_save_docks");
6765:   screenshot_timer->connect("timeout", this, "_request_screenshot");

scene/gui/spin_box.cpp
301:    range_click_timer->connect("timeout", this, "_range_click_timeout");

scene/gui/line_edit.cpp
1852:   caret_blink_timer->connect("timeout", this, "_toggle_draw_caret");

scene/gui/text_edit.cpp
7198:   caret_blink_timer->connect("timeout", this, "_toggle_draw_caret");
7206:   idle_detect->connect("timeout", this, "_push_current_op");
7211:   click_select_held->connect("timeout", this, "_click_selection_held");

scene/gui/popup_menu.cpp
1516:   submenu_timer->connect("timeout", this, "_submenu_timeout");

modules/visual_script/visual_script_yield_nodes.cpp
127:                            case VisualScriptYield::YIELD_WAIT: state->connect_to_signal(tree->create_timer(wait_time).ptr(), "timeout", Array()); break;

modules/visual_script/visual_script_editor.cpp
4838:   hint_text_timer->connect("timeout", this, "_hide_timer");

scene/gui/tree.cpp
4006:   range_click_timer->connect("timeout", this, "_range_click_timeout");

editor/plugins/script_editor_plugin.cpp
3463:   autosave_timer->connect("timeout", this, "_autosave_scripts");

editor/plugins/canvas_item_editor_plugin.cpp
4089:           timer->connect("timeout", this, "_popup_warning_depop", varray(p_control));

[qarmin]

I tried to reproduce this on Ubuntu 19.10, but I get this error only on two machines with Windows 10

[KoBeWi]

Can anyone still reproduce this bug in Godot 3.2.3 or any later release?

[qarmin]

I don't have now any Windows machine which is able to run Godot to test it, but since no one reproduced it except me I think it is better to close it.

I remember that I opened this issue when some bigger changes with signals was made to the engine and I think that this may be fixed now.