Crash in destructor AreaPair2DSW with Multi-Threaded physics

[qarmin]

Godot version:
3.2 a69436a

OS/device including version:
Ubuntu 19.04

Issue description:
When I run game, then it crash with this backtrace

[1] /lib/x86_64-linux-gnu/libc.so.6(+0x43f60) [0x7f6279320f60] (??:0)
[2] Map<Area2DSW::BodyKey, Area2DSW::BodyState, Comparator<Area2DSW::BodyKey>, DefaultAllocator>::_insert_rb_fix(Map<Area2DSW::BodyKey, Area2DSW::BodyState, Comparator<Area2DSW::BodyKey>, DefaultAllocator>::Element*) (/home/rafal/Pulpit/godot/./core/map.h:327)
[3] Map<Area2DSW::BodyKey, Area2DSW::BodyState, Comparator<Area2DSW::BodyKey>, DefaultAllocator>::_insert(Area2DSW::BodyKey const&, Area2DSW::BodyState const&) (/home/rafal/Pulpit/godot/./core/map.h:373)
[4] Map<Area2DSW::BodyKey, Area2DSW::BodyState, Comparator<Area2DSW::BodyKey>, DefaultAllocator>::insert(Area2DSW::BodyKey const&, Area2DSW::BodyState const&) (/home/rafal/Pulpit/godot/./core/map.h:568)
[5] Map<Area2DSW::BodyKey, Area2DSW::BodyState, Comparator<Area2DSW::BodyKey>, DefaultAllocator>::operator[](Area2DSW::BodyKey const&) (/home/rafal/Pulpit/godot/./core/map.h:610)
[6] Area2DSW::remove_body_from_query(Body2DSW*, unsigned int, unsigned int) (/home/rafal/Pulpit/godot/servers/physics_2d/area_2d_sw.h:182)
[7] AreaPair2DSW::~AreaPair2DSW() (/home/rafal/Pulpit/godot/servers/physics_2d/area_pair_2d_sw.cpp:92)
[8] void memdelete<Constraint2DSW>(Constraint2DSW*) (/home/rafal/Pulpit/godot/./core/os/memory.h:122)
[9] Space2DSW::_broadphase_unpair(CollisionObject2DSW*, int, CollisionObject2DSW*, int, void*, void*) (/home/rafal/Pulpit/godot/servers/physics_2d/space_2d_sw.cpp:1170)
[10] BroadPhase2DHashGrid::_check_motion(BroadPhase2DHashGrid::Element*) (/home/rafal/Pulpit/godot/servers/physics_2d/broad_phase_2d_hash_grid.cpp:95)
[11] BroadPhase2DHashGrid::move(unsigned int, Rect2 const&) (/home/rafal/Pulpit/godot/servers/physics_2d/broad_phase_2d_hash_grid.cpp:359)
[12] CollisionObject2DSW::_update_shapes() (/home/rafal/Pulpit/godot/servers/physics_2d/collision_object_2d_sw.cpp:180)
[13] CollisionObject2DSW::_set_transform(Transform2D const&, bool) (/home/rafal/Pulpit/godot/servers/physics_2d/collision_object_2d_sw.h:92)
[14] Area2DSW::set_transform(Transform2D const&) (/home/rafal/Pulpit/godot/servers/physics_2d/area_2d_sw.cpp:57)
[15] Physics2DServerSW::area_set_transform(RID, Transform2D const&) (/home/rafal/Pulpit/godot/servers/physics_2d/physics_2d_server_sw.cpp:521)
[16] CommandQueueMT::Command2<Physics2DServer, void (Physics2DServer::*)(RID, Transform2D const&), RID, Transform2D>::call() (/home/rafal/Pulpit/godot/./core/command_queue_mt.h:305 (discriminator 4))
[17] CommandQueueMT::flush_one(bool) (/home/rafal/Pulpit/godot/./core/command_queue_mt.h:431)
[18] CommandQueueMT::wait_and_flush_one() (/home/rafal/Pulpit/godot/./core/command_queue_mt.h:464)
[19] Physics2DServerWrapMT::thread_loop() (/home/rafal/Pulpit/godot/servers/physics_2d/physics_2d_server_wrap_mt.cpp:63)
[20] Physics2DServerWrapMT::_thread_callback(void*) (/home/rafal/Pulpit/godot/servers/physics_2d/physics_2d_server_wrap_mt.cpp:51)
[21] ThreadPosix::thread_callback(void*) (/home/rafal/Pulpit/godot/drivers/unix/thread_posix.cpp:76)
[22] /lib/x86_64-linux-gnu/libpthread.so.0(+0x9182) [0x7f6279820182] (??:0)
[23] /lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7f62793fab1f] (??:0)

Minimal reproduction project:
https://github.com/qarmin/The-worst-Godot-test-project
commit 8bfcc7a5af0957d8295589729b4379f233153603
Old
Bug.zip
New
AAAAAAAAAAAAAAAAAAAAAA.zip

[Raphael2048]

I cannot reproduce it in latest version.

[qarmin]

I can still reproduce it, almost always crash in this project -
AAAAAAAAAAAAAAAAAAAAAA.zip

[creikey]

I cannot reproduce this issue in the latest commit with that zip file on arch linux. I am, however, getting repeated messages in the debugger about a 'method/function failing' along with an eventual freeze of godot after about 20 seconds. Maybe a simpler example project would help highlight the issue?

[qarmin]

Do you check AAAAA.zip file from my latest post?
In my computer it crash a little after opening(also with latest master).

[creikey]

With the newly uploaded zip, yes there is a crash

[Xrayez]

I have narrowed down the issue with a more minimal project:

area_2d_process_multithreaded.zip

1. In project setttings, the threading model is set to Multithreaded. Doesn't happen in Single-safe.
2. Likely Area2D changing position in _process causes the collision list to be updated.
3. The likelihood of crash increases with more Area2D instances with several collision shapes assigned.
4. Updating position in _physics_process instead fixes the issue too.

The documentation suggests that any physics related stuff should be done in the _physics_process callback to avoid these kind of crashes.

[KoBeWi]

It seems to crash in 3.2.4 beta4 when you duplicate the areas (in the newest project). Although I tried it on master and there's some crash that looks unrelated, so not sure.

[qarmin]

New minimal project(2 scenes 1 script) - AA.zip

Looks that only changing position, monitoring or monitorable properties is enough to crash Godot.
This is how looks only script in project:

extends Area2D

func _process(delta) -> void:
		
	position = Vector2(randi() % 600, randi() % 600)
	
	set_monitoring(bool(randi()%2))
	set_monitorable(bool(randi()%2))

[Listwon]

Still crashes in 3.x (I tried AA.zip attached by @qarmin ). You don't even need to use set_monitoring or set_monitorable, just changing position as above crashes every time.

=================================================================
==2756==ERROR: AddressSanitizer: heap-use-after-free on address 0x12b55be23e60 at pc 0x7ff6bf32646e bp 0x00dcd1ffe650 sp 0x00dcd1ffe658
READ of size 8 at 0x12b55be23e60 thread T13
    #0 0x7ff6bf32646d in RID::operator== G:\Cpp\godot\core\rid.h:67
    #1 0x7ff6c4595424 in Area2DSW::BodyKey::operator< G:\Cpp\godot\servers\physics_2d\area_2d_sw.h:74
    #2 0x7ff6c45956f1 in Comparator<Area2DSW::BodyKey>::operator() G:\Cpp\godot\core\typedefs.h:292
    #3 0x7ff6c4598232 in Map<Area2DSW::BodyKey,Area2DSW::BodyState,Comparator<Area2DSW::BodyKey>,DefaultAllocator>::_insert G:\Cpp\godot\core\map.h:356
    #4 0x7ff6c459cca4 in Map<Area2DSW::BodyKey,Area2DSW::BodyState,Comparator<Area2DSW::BodyKey>,DefaultAllocator>::insert G:\Cpp\godot\core\map.h:565
    #5 0x7ff6c45952b3 in Map<Area2DSW::BodyKey,Area2DSW::BodyState,Comparator<Area2DSW::BodyKey>,DefaultAllocator>::operator[] G:\Cpp\godot\core\map.h:608
    #6 0x7ff6c459d4ca in Area2DSW::remove_area_from_query G:\Cpp\godot\servers\physics_2d\area_2d_sw.h:197
    #7 0x7ff6c4594eba in Area2Pair2DSW::~Area2Pair2DSW G:\Cpp\godot\servers\physics_2d\area_pair_2d_sw.cpp:154
    #8 0x7ff6c4595716 in Area2Pair2DSW::`scalar deleting destructor'+0x16 (G:\Cpp\godot\bin\godot.windows.tools.64.s.exe+0x1469a5716)
    #9 0x7ff6c454a253 in memdelete<Constraint2DSW> G:\Cpp\godot\core\os\memory.h:117
    #10 0x7ff6c4540aae in Space2DSW::_broadphase_unpair G:\Cpp\godot\servers\physics_2d\space_2d_sw.cpp:1209
    #11 0x7ff6c4557bb2 in BroadPhase2DHashGrid::_unpair_attempt G:\Cpp\godot\servers\physics_2d\broad_phase_2d_hash_grid.cpp:66
    #12 0x7ff6c4556d74 in BroadPhase2DHashGrid::_exit_grid G:\Cpp\godot\servers\physics_2d\broad_phase_2d_hash_grid.cpp:267
    #13 0x7ff6c4558b3b in BroadPhase2DHashGrid::move G:\Cpp\godot\servers\physics_2d\broad_phase_2d_hash_grid.cpp:351
    #14 0x7ff6c45114ac in CollisionObject2DSW::_update_shapes G:\Cpp\godot\servers\physics_2d\collision_object_2d_sw.cpp:202
    #15 0x7ff6c451e298 in CollisionObject2DSW::_set_transform G:\Cpp\godot\servers\physics_2d\collision_object_2d_sw.h:92
    #16 0x7ff6c45180cf in Area2DSW::set_transform G:\Cpp\godot\servers\physics_2d\area_2d_sw.cpp:59
    #17 0x7ff6c43b4460 in Physics2DServerSW::area_set_transform G:\Cpp\godot\servers\physics_2d\physics_2d_server_sw.cpp:507
    #18 0x7ff6c441626e in CommandQueueMT::Command2<Physics2DServer,void (__cdecl Physics2DServer::*)(RID,Transform2D const &),RID,Transform2D>::call G:\Cpp\godot\core\command_queue_mt.h:301
    #19 0x7ff6c3dfc6a3 in CommandQueueMT::flush_one G:\Cpp\godot\core\command_queue_mt.h:440
    #20 0x7ff6c3e1caf2 in CommandQueueMT::wait_and_flush_one G:\Cpp\godot\core\command_queue_mt.h:473
    #21 0x7ff6c43d58d8 in Physics2DServerWrapMT::thread_loop G:\Cpp\godot\servers\physics_2d\physics_2d_server_wrap_mt.cpp:63
    #22 0x7ff6c43d56bc in Physics2DServerWrapMT::_thread_callback G:\Cpp\godot\servers\physics_2d\physics_2d_server_wrap_mt.cpp:50
    #23 0x7ff6c4a41daa in Thread::callback G:\Cpp\godot\core\os\thread.cpp:75
    #24 0x7ff6c4a4449b in std::invoke<void (__cdecl*)(Thread *,Thread::Settings const &,void (__cdecl*)(void *),void *),Thread *,Thread::Settings,void (__cdecl*)(void *),void *> C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29910\include\type_traits:1596
    #25 0x7ff6c4a43e00 in std::thread::_Invoke<std::tuple<void (__cdecl*)(Thread *,Thread::Settings const &,void (__cdecl*)(void *),void *),Thread *,Thread::Settings,void (__cdecl*)(void *),void *>,0,1,2,3,4> C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29910\include\thread:54
    #26 0x7ff6c5552047 in thread_start<unsigned int (__cdecl*)(void *),1> minkernel\crts\ucrt\src\appcrt\startup\thread.cpp:97
    #27 0x7ff6bdcbf287 in __asan::AsanThread::ThreadStart D:\a01\_work\9\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_thread.cc:262
    #28 0x7ffb65787033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
    #29 0x7ffb667a2650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)

0x12b55be23e60 is located 64 bytes inside of 96-byte region [0x12b55be23e20,0x12b55be23e80)
freed by thread T0 here:
    #0 0x7ff6bdccc572 in free D:\a01\_work\9\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_malloc_win.cc:109
    #1 0x7ff6c47bcbf8 in Memory::free_static G:\Cpp\godot\core\os\memory.cpp:178
    #2 0x7ff6bdc8a7f4 in DefaultAllocator::free G:\Cpp\godot\core\os\memory.h:66
    #3 0x7ff6c451a677 in memdelete_allocator<Map<Area2DSW::BodyKey,Area2DSW::BodyState,Comparator<Area2DSW::BodyKey>,DefaultAllocator>::Element,DefaultAllocator> G:\Cpp\godot\core\os\memory.h:130
    #4 0x7ff6c451d1c4 in Map<Area2DSW::BodyKey,Area2DSW::BodyState,Comparator<Area2DSW::BodyKey>,DefaultAllocator>::_Data::_free_root G:\Cpp\godot\core\map.h:136
    #5 0x7ff6c451e734 in Map<Area2DSW::BodyKey,Area2DSW::BodyState,Comparator<Area2DSW::BodyKey>,DefaultAllocator>::erase G:\Cpp\godot\core\map.h:575
    #6 0x7ff6c4519b7a in Area2DSW::call_queries G:\Cpp\godot\servers\physics_2d\area_2d_sw.cpp:246
    #7 0x7ff6c4541713 in Space2DSW::call_queries G:\Cpp\godot\servers\physics_2d\space_2d_sw.cpp:1303
    #8 0x7ff6c43baead in Physics2DServerSW::flush_queries G:\Cpp\godot\servers\physics_2d\physics_2d_server_sw.cpp:1360
    #9 0x7ff6c43d63e7 in Physics2DServerWrapMT::flush_queries G:\Cpp\godot\servers\physics_2d\physics_2d_server_wrap_mt.cpp:99
    #10 0x7ff6bdd086b7 in Main::iteration G:\Cpp\godot\main\main.cpp:2098
    #11 0x7ff6bdc6a49d in OS_Windows::run G:\Cpp\godot\platform\windows\os_windows.cpp:3440
    #12 0x7ff6bdc386f7 in widechar_main G:\Cpp\godot\platform\windows\godot_windows.cpp:161
    #13 0x7ff6bdc3896b in _main G:\Cpp\godot\platform\windows\godot_windows.cpp:184
    #14 0x7ff6bdc389e1 in main G:\Cpp\godot\platform\windows\godot_windows.cpp:196
    #15 0x7ff6c5514c47 in __scrt_common_main_seh d:\A01\_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #16 0x7ffb65787033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
    #17 0x7ffb667a2650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)

previously allocated by thread T13 here:
    #0 0x7ff6bdccc6a2 in malloc D:\a01\_work\9\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_malloc_win.cc:118
    #1 0x7ff6c47bc6b3 in Memory::alloc_static G:\Cpp\godot\core\os\memory.cpp:82
    #2 0x7ff6bdc89704 in DefaultAllocator::alloc G:\Cpp\godot\core\os\memory.h:65
    #3 0x7ff6c47bcca6 in operator new G:\Cpp\godot\core\os\memory.cpp:47
    #4 0x7ff6c45957a8 in Map<Area2DSW::BodyKey,Area2DSW::BodyState,Comparator<Area2DSW::BodyKey>,DefaultAllocator>::_Data::_create_root G:\Cpp\godot\core\map.h:128
    #5 0x7ff6c4595257 in Map<Area2DSW::BodyKey,Area2DSW::BodyState,Comparator<Area2DSW::BodyKey>,DefaultAllocator>::operator[] G:\Cpp\godot\core\map.h:604
    #6 0x7ff6c459d4ca in Area2DSW::remove_area_from_query G:\Cpp\godot\servers\physics_2d\area_2d_sw.h:197
    #7 0x7ff6c4594eba in Area2Pair2DSW::~Area2Pair2DSW G:\Cpp\godot\servers\physics_2d\area_pair_2d_sw.cpp:154
    #8 0x7ff6c4595716 in Area2Pair2DSW::`scalar deleting destructor'+0x16 (G:\Cpp\godot\bin\godot.windows.tools.64.s.exe+0x1469a5716)
    #9 0x7ff6c454a253 in memdelete<Constraint2DSW> G:\Cpp\godot\core\os\memory.h:117
    #10 0x7ff6c4540aae in Space2DSW::_broadphase_unpair G:\Cpp\godot\servers\physics_2d\space_2d_sw.cpp:1209
    #11 0x7ff6c4557bb2 in BroadPhase2DHashGrid::_unpair_attempt G:\Cpp\godot\servers\physics_2d\broad_phase_2d_hash_grid.cpp:66
    #12 0x7ff6c4556d74 in BroadPhase2DHashGrid::_exit_grid G:\Cpp\godot\servers\physics_2d\broad_phase_2d_hash_grid.cpp:267
    #13 0x7ff6c4558b3b in BroadPhase2DHashGrid::move G:\Cpp\godot\servers\physics_2d\broad_phase_2d_hash_grid.cpp:351
    #14 0x7ff6c45114ac in CollisionObject2DSW::_update_shapes G:\Cpp\godot\servers\physics_2d\collision_object_2d_sw.cpp:202
    #15 0x7ff6c451e298 in CollisionObject2DSW::_set_transform G:\Cpp\godot\servers\physics_2d\collision_object_2d_sw.h:92
    #16 0x7ff6c45180cf in Area2DSW::set_transform G:\Cpp\godot\servers\physics_2d\area_2d_sw.cpp:59
    #17 0x7ff6c43b4460 in Physics2DServerSW::area_set_transform G:\Cpp\godot\servers\physics_2d\physics_2d_server_sw.cpp:507
    #18 0x7ff6c441626e in CommandQueueMT::Command2<Physics2DServer,void (__cdecl Physics2DServer::*)(RID,Transform2D const &),RID,Transform2D>::call G:\Cpp\godot\core\command_queue_mt.h:301
    #19 0x7ff6c3dfc6a3 in CommandQueueMT::flush_one G:\Cpp\godot\core\command_queue_mt.h:440
    #20 0x7ff6c3e1caf2 in CommandQueueMT::wait_and_flush_one G:\Cpp\godot\core\command_queue_mt.h:473
    #21 0x7ff6c43d58d8 in Physics2DServerWrapMT::thread_loop G:\Cpp\godot\servers\physics_2d\physics_2d_server_wrap_mt.cpp:63
    #22 0x7ff6c43d56bc in Physics2DServerWrapMT::_thread_callback G:\Cpp\godot\servers\physics_2d\physics_2d_server_wrap_mt.cpp:50
    #23 0x7ff6c4a41daa in Thread::callback G:\Cpp\godot\core\os\thread.cpp:75
    #24 0x7ff6c4a4449b in std::invoke<void (__cdecl*)(Thread *,Thread::Settings const &,void (__cdecl*)(void *),void *),Thread *,Thread::Settings,void (__cdecl*)(void *),void *> C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29910\include\type_traits:1596
    #25 0x7ff6c4a43e00 in std::thread::_Invoke<std::tuple<void (__cdecl*)(Thread *,Thread::Settings const &,void (__cdecl*)(void *),void *),Thread *,Thread::Settings,void (__cdecl*)(void *),void *>,0,1,2,3,4> C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29910\include\thread:54
    #26 0x7ff6c5552047 in thread_start<unsigned int (__cdecl*)(void *),1> minkernel\crts\ucrt\src\appcrt\startup\thread.cpp:97
    #27 0x7ff6bdcbf287 in __asan::AsanThread::ThreadStart D:\a01\_work\9\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_thread.cc:262
    #28 0x7ffb65787033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)

Thread T13 created by T0 here:
    #0 0x7ff6bdcbdd18 in __asan_wrap_CreateThread D:\a01\_work\9\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_win.cc:145
    #1 0x7ff6c5552406 in _beginthreadex minkernel\crts\ucrt\src\appcrt\startup\thread.cpp:209
    #2 0x7ff6c4a44078 in std::thread::_Start<void (__cdecl*)(Thread *,Thread::Settings const &,void (__cdecl*)(void *),void *),Thread *,Thread::Settings const &,void (__cdecl*&)(void *),void * &> C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29910\include\thread:74
    #3 0x7ff6c4a436a4 in std::thread::thread<void (__cdecl*)(Thread *,Thread::Settings const &,void (__cdecl*)(void *),void *),Thread *,Thread::Settings const &,void (__cdecl*&)(void *),void * &,0> C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.28.29910\include\thread:89
    #4 0x7ff6c4a428c3 in Thread::start G:\Cpp\godot\core\os\thread.cpp:91
    #5 0x7ff6c43d5c0d in Physics2DServerWrapMT::init G:\Cpp\godot\servers\physics_2d\physics_2d_server_wrap_mt.cpp:112
    #6 0x7ff6bdd0a9bf in initialize_physics G:\Cpp\godot\main\main.cpp:193
    #7 0x7ff6bdcfd015 in Main::setup2 G:\Cpp\godot\main\main.cpp:1460
    #8 0x7ff6bdcf835e in Main::setup G:\Cpp\godot\main\main.cpp:1229
    #9 0x7ff6bdc3857a in widechar_main G:\Cpp\godot\platform\windows\godot_windows.cpp:150
    #10 0x7ff6bdc3896b in _main G:\Cpp\godot\platform\windows\godot_windows.cpp:184
    #11 0x7ff6bdc389e1 in main G:\Cpp\godot\platform\windows\godot_windows.cpp:196
    #12 0x7ff6c5514c47 in __scrt_common_main_seh d:\A01\_work\12\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #13 0x7ffb65787033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
    #14 0x7ffb667a2650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)

SUMMARY: AddressSanitizer: heap-use-after-free G:\Cpp\godot\core\rid.h:67 in RID::operator==
Shadow bytes around the buggy address:
  0x04fc073c4770: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x04fc073c4780: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x04fc073c4790: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x04fc073c47a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x04fc073c47b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x04fc073c47c0: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x04fc073c47d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x04fc073c47e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x04fc073c47f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x04fc073c4800: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x04fc073c4810: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2756==ABORTING

[rburing]

Does not crash in 4.0 RC 3; changing milestone to 3.6.

[akien-mga]

This also doesn't crash in 3.4 and later. It crashes in 3.3.