Executing MultiMesh.set_buffer function crashes Godot

[qarmin]

Godot version

4.2.beta.custom_build. e5bacbc

System information

Ubuntu 22.04 CI

Issue description

When executing (this code was automatically minimized, so it is possible, that an even more "minimal" project can be created)

extends Node
func _process(delta):
	for i in get_children():
		i.queue_free()
	var temp_variable8107 = CanvasItemMaterial.new()
	temp_variable8107.set_particles_anim_h_frames(-22)
	var temp_variable8274 = MultiMesh.new()
	temp_variable8274.set_mesh(PlaceholderMesh.new())
	temp_variable8274.get_instance_custom_data(-72)
	temp_variable8274.set_use_colors(true)
	temp_variable8274.set_instance_count(0)
	temp_variable8274.get_instance_transform(13)
	temp_variable8274.set_buffer(PackedFloat32Array([]))

Godot crashes:

Godot Engine v4.2.beta.custom_build.e5bacbc47 - https://godotengine.org
WARNING: Could not set V-Sync mode. V-Sync is not supported.
     at: set_use_vsync (platform/linuxbsd/x11/gl_manager_x11.cpp:365)
servers/rendering/shader_compiler.h:89:9: runtime error: load of value 2051843833, which is not a valid value for type 'TextureFilter'
servers/rendering/shader_compiler.h:89:9: runtime error: load of value 21871, which is not a valid value for type 'TextureRepeat'
servers/rendering/shader_compiler.h:89:9: runtime error: load of value 2051843833, which is not a valid value for type 'TextureFilter'
servers/rendering/shader_compiler.h:89:9: runtime error: load of value 21871, which is not a valid value for type 'TextureRepeat'
drivers/gles3/storage/material_storage.cpp:2954:23: runtime error: load of value 190, which is not a valid value for type 'bool'
drivers/gles3/storage/material_storage.cpp:2955:23: runtime error: load of value 190, which is not a valid value for type 'bool'
drivers/gles3/storage/material_storage.cpp:2956:23: runtime error: load of value 190, which is not a valid value for type 'bool'
drivers/gles3/storage/material_storage.cpp:2957:23: runtime error: load of value 190, which is not a valid value for type 'bool'
drivers/gles3/storage/material_storage.cpp:2958:23: runtime error: load of value 190, which is not a valid value for type 'bool'
drivers/gles3/storage/material_storage.cpp:2959:23: runtime error: load of value 190, which is not a valid value for type 'bool'
drivers/gles3/storage/material_storage.cpp:2960:23: runtime error: load of value 190, which is not a valid value for type 'bool'
drivers/gles3/storage/material_storage.cpp:2961:23: runtime error: load of value 190, which is not a valid value for type 'bool'
drivers/gles3/storage/material_storage.cpp:2962:23: runtime error: load of value 190, which is not a valid value for type 'bool'
drivers/gles3/storage/material_storage.cpp:2963:23: runtime error: load of value 190, which is not a valid value for type 'bool'
OpenGL API 4.5 (Core Profile) Mesa 23.0.4-0ubuntu1~22.04.1 - Compatibility - Using Device: Mesa - llvmpipe (LLVM 15.0.7, 256 bits)
Time set to: 0 seconds.
Loaded settings:
modules/gdscript/gdscript_vm.cpp:698:13: runtime error: store to misaligned address 0x6210002d475c for type '<unknown> *', which requires 8 byte alignment
0x6210002d475c: note: pointer points here
  04 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  15 00 00 00 10 00 00 01  14 00 00 00 06 00 00 00
              ^ 
'add_arguments_to_tree' with value 'true'
modules/gdscript/gdscript_vm.cpp:705:42: runtime error: load of misaligned address 0x6210002d475c for type '<unknown> *', which requires 8 byte alignment
0x6210002d475c: note: pointer points here
  04 00 00 00 e5 da a0 7b  6f 55 00 00 00 00 00 00  15 00 00 00 10 00 00 01  14 00 00 00 06 00 00 00
              ^ 
'delay_removing_added_arguments_to_next_frame' with value 'true'
######################## Ending test ########################
ERROR: Index p_index = -72 is out of bounds (multimesh->instances = 0).
   at: multimesh_instance_get_custom_data (drivers/gles3/storage/mesh_storage.cpp:1749)
ERROR: Index p_index = 13 is out of bounds (multimesh->instances = 0).
   at: multimesh_instance_get_transform (drivers/gles3/storage/mesh_storage.cpp:1669)
drivers/gles3/storage/mesh_storage.cpp:1841:44: runtime error: store to null pointer of type 'bool'
================================================================
handle_crash: Program crashed with signal 11
Engine version: Godot Engine v4.2.beta.custom_build (e5bacbc4716ce5b54bc2ab8b3053cd5e22ffe446)
Dumping the backtrace. Please include this when reporting the bug to the project developer.
[1] ./godot.linuxbsd.editor.dev.x86_64.san(+0x3a261871) [0x556f61261871] (/home/runner/work/Qarminer/Qarminer/godot/platform/linuxbsd/crash_handler_linuxbsd.cpp:61)
[2] /lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7f078f242520] (??:0)
[3] GLES3::MeshStorage::multimesh_set_buffer(RID, Vector<float> const&) (/home/runner/work/Qarminer/Qarminer/godot/drivers/gles3/storage/mesh_storage.cpp:1841 (discriminator 3))
[4] RenderingServerDefault::multimesh_set_buffer(RID, Vector<float> const&) (/home/runner/work/Qarminer/Qarminer/godot/servers/rendering/rendering_server_default.h:343)
[5] MultiMesh::set_buffer(Vector<float> const&) (/home/runner/work/Qarminer/Qarminer/godot/scene/resources/multimesh.cpp:199)
[6] void call_with_variant_args_helper<__UnexistingClass, Vector<float> const&, 0ul>(__UnexistingClass*, void (__UnexistingClass::*)(Vector<float> const&), Variant const**, Callable::CallError&, IndexSequence<0ul>) (/home/runner/work/Qarminer/Qarminer/godot/./core/variant/binder_common.h:303 (discriminator 4))
[7] void call_with_variant_args_dv<__UnexistingClass, Vector<float> const&>(__UnexistingClass*, void (__UnexistingClass::*)(Vector<float> const&), Variant const**, int, Callable::CallError&, Vector<Variant> const&) (/home/runner/work/Qarminer/Qarminer/godot/./core/variant/binder_common.h:421)
[8] MethodBindT<Vector<float> const&>::call(Object*, Variant const**, int, Callable::CallError&) const (/home/runner/work/Qarminer/Qarminer/godot/./core/object/method_bind.h:335)
[9] Object::callp(StringName const&, Variant const**, int, Callable::CallError&) (/home/runner/work/Qarminer/Qarminer/godot/core/object/object.cpp:774)
[10] Variant::callp(StringName const&, Variant const**, int, Variant&, Callable::CallError&) (/home/runner/work/Qarminer/Qarminer/godot/core/variant/variant_call.cpp:1168)
[11] GDScriptFunction::call(GDScriptInstance*, Variant const**, int, Callable::CallError&, GDScriptFunction::CallState*) (/home/runner/work/Qarminer/Qarminer/godot/modules/gdscript/gdscript_vm.cpp:1705)
[12] GDScriptInstance::callp(StringName const&, Variant const**, int, Callable::CallError&) (/home/runner/work/Qarminer/Qarminer/godot/modules/gdscript/gdscript.cpp:1896)
[13] bool Node::_gdvirtual__process_call<false>(double) (/home/runner/work/Qarminer/Qarminer/godot/scene/main/node.h:318 (discriminator 1))
[14] Node::_notification(int) (/home/runner/work/Qarminer/Qarminer/godot/scene/main/node.cpp:58)
[15] Node::_notificationv(int, bool) (/home/runner/work/Qarminer/Qarminer/godot/./scene/main/node.h:49 (discriminator 14))
[16] Object::notification(int, bool) (/home/runner/work/Qarminer/Qarminer/godot/core/object/object.cpp:839)
[17] SceneTree::_process_group(SceneTree::ProcessGroup*, bool) (/home/runner/work/Qarminer/Qarminer/godot/scene/main/scene_tree.cpp:951)
[18] SceneTree::_process(bool) (/home/runner/work/Qarminer/Qarminer/godot/scene/main/scene_tree.cpp:1023 (discriminator 2))
[19] SceneTree::process(double) (/home/runner/work/Qarminer/Qarminer/godot/scene/main/scene_tree.cpp:510)
[20] Main::iteration() (/home/runner/work/Qarminer/Qarminer/godot/main/main.cpp:3614)
[21] OS_LinuxBSD::run() (/home/runner/work/Qarminer/Qarminer/godot/platform/linuxbsd/os_linuxbsd.cpp:933)
[22] ./godot.linuxbsd.editor.dev.x86_64.san(main+0x58f) [0x556f612612d8] (/home/runner/work/Qarminer/Qarminer/godot/platform/linuxbsd/godot_linuxbsd.cpp:76)
[23] /lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x7f078f229d90] (??:0)
[24] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x7f078f229e40] (??:0)
[25] ./godot.linuxbsd.editor.dev.x86_64.san(_start+0x25) [0x556f61260c85] (??:?)
-- END OF BACKTRACE --
================================================================
Aborted (core dumped)

This example was found by Godot fuzzer - Qarminer, so it is quite unlikelly that this code could be used in real project, but still this should be handled gracefully.

Memory leaks or asan backtraces are visible when using Godot build with sanitizers support - https://github.com/qarmin/GodotBuilds/actions (linux -> linux-editor-sanitizers)

Steps to reproduce

Above

Minimal reproduction project

Above

[AThousandShips]

Seems like an error when instance count is zero, here:

uint32_t data_cache_dirty_region_count = (multimesh->instances - 1) / MULTIMESH_DIRTY_REGION_SIZE + 1;
for (uint32_t i = 0; i < data_cache_dirty_region_count; i++) {
	multimesh->data_cache_dirty_regions[i] = false;
}
multimesh->data_cache_used_dirty_regions = 0;

No check for underflow here

CC @clayjohn

Edit: might be fixed by:

• Fix potential integer underflow in rounded up divisions #80390

[akien-mga]

Confirmed fixed by #80390.