dynamic-stack-buffer-overflow crash when executing random functions on random physics objects

[qarmin]

Tested versions

4.3.beta.custom_build. daa81bb

System information

Ubuntu 24.04

Issue description

Running test physics scene, cause to show crashes related to stack overflow

servers/physics_2d/godot_body_2d.cpp:644:42: runtime error: load of value 4294967290, which is not a valid value for type 'CCDMode'
servers/physics_2d/godot_body_2d.cpp:647:6: runtime error: load of value 4294967290, which is not a valid value for type 'CCDMode'
=================================================================
==516057==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffcd2e562a0 at pc 0x55e0c8c85fb4 bp 0x7ffcd2e55f30 sp 0x7ffcd2e55f20
READ of size 8 at 0x7ffcd2e562a0 thread T0
    #0 0x55e0c8c85fb3 in RigidBody3D::_body_inout(int, RID const&, ObjectID, int, int) scene/3d/physics/rigid_body_3d.cpp:91
    #1 0x55e0c8c8e8b2 in RigidBody3D::_body_state_changed(PhysicsDirectBodyState3D*) scene/3d/physics/rigid_body_3d.cpp:252
    #2 0x55e0c8d00bb5 in void call_with_variant_args_helper<RigidBody3D, PhysicsDirectBodyState3D*, 0ul>(RigidBody3D*, void (RigidBody3D::*)(PhysicsDirectBodyState3D*), Variant const**, Callable::CallError&, IndexSequence<0ul>) core/variant/binder_common.h:304
    #3 0x55e0c8cf900a in void call_with_variant_args<RigidBody3D, PhysicsDirectBodyState3D*>(RigidBody3D*, void (RigidBody3D::*)(PhysicsDirectBodyState3D*), Variant const**, int, Callable::CallError&) core/variant/binder_common.h:418
    #4 0x55e0c8cef8e8 in CallableCustomMethodPointer<RigidBody3D, PhysicsDirectBodyState3D*>::call(Variant const**, int, Variant&, Callable::CallError&) const core/object/callable_method_pointer.h:103
    #5 0x55e0d28492de in Callable::callp(Variant const**, int, Variant&, Callable::CallError&) const core/variant/callable.cpp:57
    #6 0x55e0b43bc115 in Variant Callable::call<Variant>(Variant) const core/variant/variant.h:875
    #7 0x55e0d1098166 in GodotBody3D::call_queries() servers/physics_3d/godot_body_3d.cpp:776
    #8 0x55e0d00eeb9f in GodotSpace3D::call_queries() servers/physics_3d/godot_space_3d.cpp:1167
    #9 0x55e0cff970df in GodotPhysicsServer3D::flush_queries() servers/physics_3d/godot_physics_server_3d.cpp:1669
    #10 0x55e0d03270de in PhysicsServer3DWrapMT::flush_queries() servers/physics_server_3d_wrap_mt.cpp:71
    #11 0x55e0b4550fb9 in Main::iteration() main/main.cpp:3999
    #12 0x55e0b42471f1 in OS_LinuxBSD::run() platform/linuxbsd/os_linuxbsd.cpp:962
    #13 0x55e0b422603f in main platform/linuxbsd/godot_linuxbsd.cpp:85
    #14 0x760e40a2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #15 0x760e40a2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #16 0x55e0b4225ab4 in _start (/home/rafal/Downloads/rr/godot.linuxbsd.editor.dev.x86_64.san+0x425ddab4)

Address 0x7ffcd2e562a0 is located in stack of thread T0 at offset 640 in frame
    #0 0x55e0c8c850d3 in RigidBody3D::_body_inout(int, RID const&, ObjectID, int, int) scene/3d/physics/rigid_body_3d.cpp:76

  This frame has 14 object(s):
    [32, 40) 'objid' (line 78)
    [64, 72) 'E' (line 84)
    [96, 104) '<unknown>'
    [128, 136) 'p_instance_id' (line 76)
    [160, 168) 'p_instance' (line 76)
    [192, 204) '<unknown>'
    [224, 236) '<unknown>'
    [256, 272) '<unknown>'
    [288, 304) '<unknown>'
    [320, 336) '<unknown>'
    [352, 368) '<unknown>'
    [384, 400) '<unknown>'
    [416, 432) '<unknown>'
    [448, 480) '<unknown>' <== Memory access at offset 640 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow scene/3d/physics/rigid_body_3d.cpp:91 in RigidBody3D::_body_inout(int, RID const&, ObjectID, int, int)

Steps to reproduce

• Download https://github.com/qarmin/Qarminer
• In StressPhysics.gd, uncomment line

	#random_functions()

https://github.com/qarmin/Qarminer/blob/fc3e7e846b52fcddfa5bc928089dd6811c0d7993/StressPhysics.gd#L104

• run project

Minimal reproduction project (MRP)

https://github.com/qarmin/Qarminer

[jamie-pate]

Also getting this in my project at 4.3-beta3 on my project..

Unable to reproduce with the current head of Qarminer

	if (body_in) {
		print_error("89");if (!E) {
			print_error("90");E = contact_monitor->body_map.insert(objid, BodyState());
			print_error("91");E->value.rid = p_body; <- this is the last line that executes before the asan assertion..

Seems like I may have just spent 3 hours debugging with asan only to notice this...

-                       _body_inout(1, toremove[i].rid, toadd[i].id, toadd[i].shape, toadd[i].local_shape);
+                       _body_inout(1, toadd[i].rid, toadd[i].id, toadd[i].shape, toadd[i].local_shape);

The sanitizer was satisfied after that...