
Executing AnimationTree.set_animation_player function crashes Godot (infinite recursion?) #83927

Closed
qarmin opened this issue Oct 25, 2023 · 1 comment · Fixed by #84583

qarmin commented Oct 25, 2023

Godot version

v4.2.beta.custom_build.e8d57afae

System information

Ubuntu 22.04 CI

Issue description

When executing

extends Node
func _process(delta):
	var temp_variable1024 = AnimationTree.new()
	add_child(temp_variable1024)
	temp_variable1024.is_inside_tree()
	temp_variable1024.set_animation_player(NodePath("."))
	temp_variable1024.get_animation_library(StringName("662186651"))
	temp_variable1024.add_animation_library(StringName("."), null)
	temp_variable1024.get_animation_library(StringName(""))
	temp_variable1024.get_tree_root()
	temp_variable1024.get_node_or_null(NodePath("5555"))
	temp_variable1024.queue_free()

Godot crashes:

Godot Engine v4.2.beta.custom_build.e8d57afae - https://godotengine.org
ERROR: Method/function failed. Returning: Ref<AnimationLibrary>()
   at: get_animation_library (scene/animation/animation_mixer.cpp:245)
ERROR: Condition "p_animation_library.is_null()" is true. Returning: ERR_INVALID_PARAMETER
   at: add_animation_library (scene/animation/animation_mixer.cpp:268)
ERROR: Method/function failed. Returning: Ref<AnimationLibrary>()
   at: get_animation_library (scene/animation/animation_mixer.cpp:245)
ERROR: Failed method: AnimationTree::_setup_animation_player. Message queue out of memory. Message queue out of memory. Try increasing 'memory/limits/message_queue/max_size_mb' in project settings.
   at: push_callablep (core/object/message_queue.cpp:96)
=================================================================
==16085==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800091c2b0 at pc 0x5591ba359104 bp 0x7ffce209b650 sp 0x7ffce209b640
READ of size 8 at 0x60800091c2b0 thread T0
    #0 0x5591ba359103 in Callable::get_object() const core/variant/callable.cpp:143
    #1 0x5591bb02e7c6 in CallQueue::statistics() core/object/message_queue.cpp:426
    #2 0x5591bb020a79 in CallQueue::push_callablep(Callable const&, Variant const**, int, bool) core/object/message_queue.cpp:97
    #3 0x5591bb067d0d in Object::emit_signalp(StringName const&, Variant const**, int) core/object/object.cpp:1121
    #4 0x5591aee16525 in Node::emit_signalp(StringName const&, Variant const**, int) scene/main/node.cpp:3607
    #5 0x5591a359b932 in Error Object::emit_signal<>(StringName const&) core/object/object.h:920
    #6 0x5591b24fe1c4 in AnimationMixer::_clear_caches() scene/animation/animation_mixer.cpp:552
    #7 0x5591b2531cf6 in AnimationMixer::clear_caches() scene/animation/animation_mixer.cpp:1821
    #8 0x5591b24faeaf in AnimationMixer::set_root_node(NodePath const&) scene/animation/animation_mixer.cpp:448
    #9 0x5591b2709760 in AnimationTree::_setup_animation_player() scene/animation/animation_tree.cpp:777
    #10 0x5591b27a7f64 in void call_with_variant_args_helper<AnimationTree>(AnimationTree*, void (AnimationTree::*)(), Variant const**, Callable::CallError&, IndexSequence<>) core/variant/binder_common.h:303
    #11 0x5591b279a911 in void call_with_variant_args<AnimationTree>(AnimationTree*, void (AnimationTree::*)(), Variant const**, int, Callable::CallError&) core/variant/binder_common.h:417
    #12 0x5591b27906a4 in CallableCustomMethodPointer<AnimationTree>::call(Variant const**, int, Variant&, Callable::CallError&) const core/object/callable_method_pointer.h:104
    #13 0x5591ba3568c2 in Callable::callp(Variant const**, int, Variant&, Callable::CallError&) const core/variant/callable.cpp:57
    #14 0x5591bb02768d in CallQueue::_call_function(Callable const&, Variant const*, int, bool) core/object/message_queue.cpp:219
    #15 0x5591bb02b666 in CallQueue::flush() core/object/message_queue.cpp:324
    #16 0x5591aef25dfa in SceneTree::process(double) scene/main/scene_tree.cpp:511
    #17 0x5591a07da611 in Main::iteration() main/main.cpp:3613
    #18 0x5591a04f4825 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:933
    #19 0x5591a04d2d57 in main platform/linuxbsd/godot_linuxbsd.cpp:74
    #20 0x7f3f3ce29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #21 0x7f3f3ce29e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #22 0x5591a04d2704 in _start (/home/runner/work/Qarminer/Qarminer/godot.linuxbsd.editor.dev.x86_64.san+0x3a1bd704)
0x60800091c2b0 is located 16 bytes inside of 88-byte region [0x60800091c2a0,0x60800091c2f8)
freed by thread T0 here:
    #0 0x7f3f3dab4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x5591b9707075 in Memory::free_static(void*, bool) core/os/memory.cpp:168
    #2 0x5591ba367a76 in void memdelete<CallableCustom>(CallableCustom*) core/os/memory.h:112
    #3 0x5591ba361d68 in Callable::~Callable() core/variant/callable.cpp:382
    #4 0x5591bb034c77 in CallQueue::Message::~Message() core/object/message_queue.h:84
    #5 0x5591bb02f62a in CallQueue::statistics() core/object/message_queue.cpp:478
    #6 0x5591bb020a79 in CallQueue::push_callablep(Callable const&, Variant const**, int, bool) core/object/message_queue.cpp:97
    #7 0x5591bb067d0d in Object::emit_signalp(StringName const&, Variant const**, int) core/object/object.cpp:1121
    #8 0x5591aee16525 in Node::emit_signalp(StringName const&, Variant const**, int) scene/main/node.cpp:3607
    #9 0x5591a359b932 in Error Object::emit_signal<>(StringName const&) core/object/object.h:920
    #10 0x5591b24fe1c4 in AnimationMixer::_clear_caches() scene/animation/animation_mixer.cpp:552
    #11 0x5591b2531cf6 in AnimationMixer::clear_caches() scene/animation/animation_mixer.cpp:1821
    #12 0x5591b24faeaf in AnimationMixer::set_root_node(NodePath const&) scene/animation/animation_mixer.cpp:448
    #13 0x5591b2709760 in AnimationTree::_setup_animation_player() scene/animation/animation_tree.cpp:777
    #14 0x5591b27a7f64 in void call_with_variant_args_helper<AnimationTree>(AnimationTree*, void (AnimationTree::*)(), Variant const**, Callable::CallError&, IndexSequence<>) core/variant/binder_common.h:303
    #15 0x5591b279a911 in void call_with_variant_args<AnimationTree>(AnimationTree*, void (AnimationTree::*)(), Variant const**, int, Callable::CallError&) core/variant/binder_common.h:417
    #16 0x5591b27906a4 in CallableCustomMethodPointer<AnimationTree>::call(Variant const**, int, Variant&, Callable::CallError&) const core/object/callable_method_pointer.h:104
    #17 0x5591ba3568c2 in Callable::callp(Variant const**, int, Variant&, Callable::CallError&) const core/variant/callable.cpp:57
    #18 0x5591bb02768d in CallQueue::_call_function(Callable const&, Variant const*, int, bool) core/object/message_queue.cpp:219
    #19 0x5591bb02b666 in CallQueue::flush() core/object/message_queue.cpp:324
    #20 0x5591aef25dfa in SceneTree::process(double) scene/main/scene_tree.cpp:511
    #21 0x5591a07da611 in Main::iteration() main/main.cpp:3613
    #22 0x5591a04f4825 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:933
    #23 0x5591a04d2d57 in main platform/linuxbsd/godot_linuxbsd.cpp:74
    #24 0x7f3f3ce29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
previously allocated by thread T0 here:
    #0 0x7f3f3dab4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5591b9705fc7 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
    #2 0x5591b9705ed8 in operator new(unsigned long, char const*) core/os/memory.cpp:40
    #3 0x5591b274b9df in Callable create_custom_callable_function_pointer<AnimationTree>(AnimationTree*, char const*, void (AnimationTree::*)()) core/object/callable_method_pointer.h:125
    #4 0x5591b2708c0f in AnimationTree::_setup_animation_player() scene/animation/animation_tree.cpp:770
    #5 0x5591b270779c in AnimationTree::set_animation_player(NodePath const&) scene/animation/animation_tree.cpp:747
    #6 0x5591a12e2df3 in void call_with_variant_args_helper<__UnexistingClass, NodePath const&, 0ul>(__UnexistingClass*, void (__UnexistingClass::*)(NodePath const&), Variant const**, Callable::CallError&, IndexSequence<0ul>) core/variant/binder_common.h:303
    #7 0x5591a12cc32e in void call_with_variant_args_dv<__UnexistingClass, NodePath const&>(__UnexistingClass*, void (__UnexistingClass::*)(NodePath const&), Variant const**, int, Callable::CallError&, Vector<Variant> const&) core/variant/binder_common.h:450
    #8 0x5591a12b9996 in MethodBindT<NodePath const&>::call(Object*, Variant const**, int, Callable::CallError&) const core/object/method_bind.h:335
    #9 0x5591bb05b230 in Object::callp(StringName const&, Variant const**, int, Callable::CallError&) core/object/object.cpp:774
    #10 0x5591ba40ad0a in Variant::callp(StringName const&, Variant const**, int, Variant&, Callable::CallError&) core/variant/variant_call.cpp:1168
    #11 0x5591a1d91c49 in GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Callable::CallError&, GDScriptFunction::CallState*) modules/gdscript/gdscript_vm.cpp:1696
    #12 0x5591a168baf0 in GDScriptInstance::callp(StringName const&, Variant const**, int, Callable::CallError&) modules/gdscript/gdscript.cpp:1896
    #13 0x5591aee365e8 in bool Node::_gdvirtual__process_call<false>(double) scene/main/node.h:318
    #14 0x5591aed74b94 in Node::_notification(int) scene/main/node.cpp:57
    #15 0x5591a119cad1 in Node::_notificationv(int, bool) scene/main/node.h:49
    #16 0x5591bb05cdba in Object::notification(int, bool) core/object/object.cpp:836
    #17 0x5591aef34834 in SceneTree::_process_group(SceneTree::ProcessGroup*, bool) scene/main/scene_tree.cpp:951
    #18 0x5591aef37ad8 in SceneTree::_process(bool) scene/main/scene_tree.cpp:1028
    #19 0x5591aef25bce in SceneTree::process(double) scene/main/scene_tree.cpp:508
    #20 0x5591a07da611 in Main::iteration() main/main.cpp:3613
    #21 0x5591a04f4825 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:933
    #22 0x5591a04d2d57 in main platform/linuxbsd/godot_linuxbsd.cpp:74
    #23 0x7f3f3ce29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
SUMMARY: AddressSanitizer: heap-use-after-free core/variant/callable.cpp:143 in Callable::get_object() const
==16085==ABORTING

Command:

./reproducer" "godot.linuxbsd.editor.dev.x86_64.san" "60_50" "." "--rendering-driver" "opengl3" "--audio-driver" "Dummy

This example was found by Godot fuzzer - Qarminer, so it is quite unlikely that this code could be used in a real project, but still this should be handled gracefully.

Memory leaks or asan backtraces are visible when using a Godot build with sanitizers support - https://github.com/qarmin/GodotBuilds/actions (linux -> linux-editor-sanitizers)

Steps to reproduce

Above

Minimal reproduction project

Above
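The backtrace above shows a deferred `_setup_animation_player` whose `set_root_node` clears caches, emits `caches_cleared`, and (because the tree points at itself with `NodePath(".")`) re-queues the same deferred call until the message queue runs out of memory. The following is an added illustration, not Godot's code and not the merged fix from #84583: a simplified deferred-call queue that models that self-feeding loop, beside an idempotence guard (emit the change signal only when the root actually changes) as one generic way to break it.

```cpp
// Added example (not Godot's code): a simplified deferred-call queue that also
// drains messages pushed during a flush, reclaiming storage only afterwards.
#include <cstddef>
#include <functional>
#include <string>
#include <vector>
struct CallQueue {
    size_t capacity;          // stands in for memory/limits/message_queue/max_size_mb
    std::vector<std::function<void()>> msgs;
    bool overflowed = false;  // "Message queue out of memory"
    bool push(std::function<void()> fn) {
        if (msgs.size() >= capacity) { overflowed = true; return false; }
        msgs.push_back(std::move(fn)); return true; }
    // A handler that always re-queues itself grows the queue by one per call.
    size_t flush(size_t max_calls) {
        size_t calls = 0;
        for (size_t i = 0; i < msgs.size() && !overflowed && calls < max_calls; ++i) {
            std::function<void()> fn = msgs[i];  // copy: a push inside may reallocate
            fn(); ++calls;
        }
        msgs.clear();  // storage is reclaimed only once the whole flush is done
        return calls;
    }
};
struct Tree {
    CallQueue *queue;
    bool idempotent;  // mitigation: clear caches (and signal) only on a real change
    std::string root_node;
    bool connected = false;
    std::vector<std::function<void()>> caches_cleared;  // deferred listeners
    void clear_caches() { for (auto &l : caches_cleared) queue->push(l); }
    void set_root_node(const std::string &path) {
        if (idempotent && path == root_node) return;  // unchanged: emit nothing
        root_node = path;
        clear_caches();
    }
    void setup() {  // animation_player is ".", so the tree listens to itself
        if (!connected) { connected = true; caches_cleared.push_back([this] { setup(); }); }
        set_root_node("..");
    }
};
// One flush after the first setup was deferred; returns the number of calls
// executed and reports whether the queue overflowed or simply drained.
size_t run(bool idempotent, size_t capacity, bool *overflowed) {
    CallQueue q{capacity};
    Tree t{&q, idempotent};
    q.push([&t] { t.setup(); });
    size_t calls = q.flush(10000); *overflowed = q.overflowed;
    return calls;
}
```

Without the guard the queue overflows after `capacity` calls in a single flush; with it the second deferred setup finds nothing changed, emits nothing, and the queue drains after two calls.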
