Use after free and resource leakage during shutdown #2004

Description

@cdkrot

Godot version

4.5.stable

godot-cpp version

godot-4.5-stable

System information

Linux (Debian 13.1)

Issue description

I am using gdextension to work with customized physics code.

We observe two problematic symptoms on every run:

  • the engine always complains during shutdown about resource leakage
  • it often exits "with crash"

I compiled godot from source code with ubsan and asan to have a better understanding of what's going on.

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior thirdparty/harfbuzz/src/hb-buffer.hh:479:69 
ERROR: 192 RID allocations of type 'P12GodotShape2D' were leaked at exit.
WARNING: 17 RIDs of type "CanvasItem" were leaked.
     at: _free_rids (servers/rendering/renderer_canvas_cull.cpp:2678)
ERROR: 16 RID allocations of type 'N10RendererRD14TextureStorage7TextureE' were leaked at exit.
ERROR: 6 RID allocations of type 'N10RendererRD14TextureStorage13CanvasTextureE' were leaked at exit.
=================================================================
==18433==ERROR: AddressSanitizer: heap-use-after-free on address 0x50600095afb0 at pc 0x558ab0ad19b6 bp 0x7ffe244eafa0 sp 0x7ffe244eaf98
READ of size 8 at 0x50600095afb0 thread T0
    #0 0x558ab0ad19b5 in LocalVector<RID, unsigned int, false, true>::begin() /home/alice/soft/godot/./core/templates/local_vector.h:254:19
    #1 0x558ab0ad19b5 in RendererCanvasRenderRD::_canvas_texture_invalidation_callback(bool, void*) /home/alice/soft/godot/servers/rendering/renderer_rd/renderer_canvas_render_rd.cpp:2973:15
    #2 0x558aaff14423 in RendererRD::TextureStorage::CanvasTexture::~CanvasTexture() /home/alice/soft/godot/servers/rendering/renderer_rd/storage_rd/texture_storage.cpp:53:3
    #3 0x558aaff14423 in RID_Alloc<RendererRD::TextureStorage::CanvasTexture, true>::~RID_Alloc() /home/alice/soft/godot/./core/templates/rid_owner.h:449:65
    #4 0x558aafe8b199 in RID_Owner<RendererRD::TextureStorage::CanvasTexture, true>::~RID_Owner() /home/alice/soft/godot/./core/templates/rid_owner.h:527:7
    #5 0x558aafe8b199 in RendererRD::TextureStorage::~TextureStorage() /home/alice/soft/godot/servers/rendering/renderer_rd/storage_rd/texture_storage.cpp:564:1
    #6 0x558aaf585354 in void memdelete<RendererRD::TextureStorage>(RendererRD::TextureStorage*) /home/alice/soft/godot/./core/os/memory.h:139:13
    #7 0x558aaf585354 in RendererCompositorRD::finalize() /home/alice/soft/godot/servers/rendering/renderer_rd/renderer_compositor_rd.cpp:179:2
    #8 0x558aaf18c02d in RenderingServerDefault::_finish() /home/alice/soft/godot/servers/rendering/rendering_server_default.cpp:245:19
    #9 0x558a9ce77829 in finalize_display() /home/alice/soft/godot/main/main.cpp:404:20
    #10 0x558a9cf0e4df in Main::cleanup(bool) /home/alice/soft/godot/main/main.cpp:5061:2
    #11 0x558a9cc1f3a7 in main /home/alice/soft/godot/platform/linuxbsd/godot_linuxbsd.cpp:89:2
    #12 0x7f9589c49ca7  (/lib/x86_64-linux-gnu/libc.so.6+0x29ca7) (BuildId: c495b62edadd6c356265942ec1282d98058a7b41)
    #13 0x7f9589c49d64 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29d64) (BuildId: c495b62edadd6c356265942ec1282d98058a7b41)
    #14 0x558a9cb3b690 in _start (/home/alice/soft/godot/bin/godot.linuxbsd.editor.x86_64.llvm.san+0xab8d690) (BuildId: d04aa1bb3047432769e682d01b15f0456528d423)

0x50600095afb0 is located 48 bytes inside of 56-byte region [0x50600095af80,0x50600095afb8)
freed by thread T0 here:
    #0 0x558a9cbdb22a in free (/home/alice/soft/godot/bin/godot.linuxbsd.editor.x86_64.llvm.san+0xac2d22a) (BuildId: d04aa1bb3047432769e682d01b15f0456528d423)
    #1 0x558ab0aea6b7 in void memdelete<HashMapElement<RID, LocalVector<RID, unsigned int, false, true>>>(HashMapElement<RID, LocalVector<RID, unsigned int, false, true>>*) /home/alice/soft/godot/./core/os/memory.h:142:2
    #2 0x558ab0aea6b7 in DefaultTypedAllocator<HashMapElement<RID, LocalVector<RID, unsigned int, false, true>>>::delete_allocation(HashMapElement<RID, LocalVector<RID, unsigned int, false, true>>*) /home/alice/soft/godot/./core/os/memory.h:258:59
    #3 0x558ab0aea6b7 in HashMap<RID, LocalVector<RID, unsigned int, false, true>, HashMapHasherDefault, HashMapComparatorDefault<RID>, DefaultTypedAllocator<HashMapElement<RID, LocalVector<RID, unsigned int, false, true>>>>::clear() /home/alice/soft/godot/./core/templates/hash_map.h:257:15

previously allocated by thread T0 here:
    #0 0x558a9cbdb4c3 in malloc (/home/alice/soft/godot/bin/godot.linuxbsd.editor.x86_64.llvm.san+0xac2d4c3) (BuildId: d04aa1bb3047432769e682d01b15f0456528d423)
    #1 0x558ab120a91b in void* Memory::alloc_static<false>(unsigned long, bool) /home/alice/soft/godot/core/os/memory.cpp:108:9
    #2 0x000100000000  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /home/alice/soft/godot/./core/templates/local_vector.h:254:19 in LocalVector<RID, unsigned int, false, true>::begin()
Shadow bytes around the buggy address:

Steps to reproduce

Combination of:

  • Creating custom canvas items inherited from tilemap or node2d
  • inspecting tree state using get_children() and godot::cast_to<>.

I have a suspicion that godot::cast_to is problematic because it creates a wrapping reference to the object, and I couldn't find where that reference gets deleted.

Minimal reproduction project

Sorry, crunch time right now, can prepare one later if requested.
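The trace above shows a destruction-order hazard: the owner's HashMap of per-texture dependents is cleared, and only afterwards the RID_Owner destroys each CanvasTexture, whose destructor runs the invalidation callback against memory the map already freed. The following is an added, constructed C++ model of that ordering and of a guard that turns the use-after-free into a no-op; it is not Godot or godot-cpp code, and every name in it (CanvasOwner, Texture, teardown, on_texture_freed) is hypothetical.

```cpp
// Constructed model of the shutdown use-after-free in the trace (not Godot code).
// Hypothetical names stand in for RendererCanvasRenderRD, CanvasTexture and RID_Owner.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <unordered_map>
#include <vector>

using RID = uint64_t;

// Holds, per texture RID, the canvas items to invalidate when that texture dies.
struct CanvasOwner {
    std::unordered_map<RID, std::vector<RID>> dependents;
    bool alive = true;               // mitigation: flipped before the map is torn down
    std::size_t late_callbacks = 0;  // callbacks that arrived after finalize()

    // Invalidation callback a texture destructor calls. Unguarded, this walked a
    // vector already freed by the map's clear(); the guard short-circuits instead.
    void on_texture_freed(RID rid) {
        if (!alive) { ++late_callbacks; return; }
        dependents.erase(rid);
    }
    void finalize() { alive = false; dependents.clear(); }
};

struct Texture {
    RID rid;
    CanvasOwner *owner;  // constructed backlink; in the trace it is a callback pointer
    Texture(RID r, CanvasOwner *o) : rid(r), owner(o) {}
    ~Texture() { if (owner) owner->on_texture_freed(rid); }
};

// Runs one construct/teardown cycle and returns how many texture destructors fired
// after the owner was already finalized. owner_first reproduces the trace's order.
std::size_t teardown(bool owner_first, std::size_t n_textures) {
    CanvasOwner owner;
    std::vector<std::unique_ptr<Texture>> storage;  // stands in for RID_Owner<CanvasTexture>
    for (std::size_t i = 0; i < n_textures; ++i) {
        RID rid = 1000 + i;
        owner.dependents[rid] = {rid * 10, rid * 10 + 1};  // constructed dependents
        storage.push_back(std::make_unique<Texture>(rid, &owner));
    }
    if (owner_first) owner.finalize();  // map cleared while textures still reference it
    storage.clear();                    // destructors run the invalidation callback
    owner.finalize();                   // safe to call again once textures are gone
    return owner.late_callbacks;
}
```

Destroying the textures before finalizing the owner yields zero late callbacks; the trace's order yields one per texture, which the `alive` guard absorbs instead of dereferencing freed map storage.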
