GDScript: Fix some lambda bugs

[dalexeev]

• Closes GDScript 2.0: Lambda function seemingly not being called when static method of class with inferred type is called inside #69491.
• Closes Crash when lambda connected to signal attempts to use freed instance #79707.
• Closes GDScript crash when calling anonymous lambda stored as Callable #81572.

As stated in #81572, GDScriptFunction::_get_call_error() can crash the engine.

godot/modules/gdscript/gdscript_vm.cpp

Lines 118 to 121 in 3ed4497

	int errorarg = p_err.argument;
	// Handle the Object to Object case separately as we don't have further class details.
	#ifdef DEBUG_ENABLED
	if (p_err.expected == Variant::OBJECT && argptrs[errorarg]->get_type() == p_err.expected) {

godot/modules/gdscript/gdscript_vm.cpp

Line 1773 in 3ed4497

err_text = _get_call_error(err, "function '" + methodstr + (is_callable ? "" : "' in base '" + basestr) + "'", (const Variant **)argptrs);

I decided to check what err.argument was equal to, and it turned out to be -1. This is because lambda captures are hidden arguments of lambda function.

godot/modules/gdscript/gdscript_lambda_callable.cpp

Lines 77 to 88 in 3ed4497

	if (captures_amount > 0) {
	Vector<const Variant *> args;
	args.resize(p_argcount + captures_amount);
	for (int i = 0; i < captures_amount; i++) {
	args.write[i] = &captures[i];
	}
	for (int i = 0; i < p_argcount; i++) {
	args.write[i + captures_amount] = p_arguments[i];
	}
	r_return_value = function->call(nullptr, args.ptrw(), args.size(), r_call_error);
	r_call_error.argument -= captures_amount;

If for some reason a capture is invalid (for example, due to a bug in the compiler or if the object has been freed at this point), then this leads to a negative argument index and a crash.

godot/modules/gdscript/gdscript_vm.cpp

Lines 545 to 548 in 3ed4497

	if (!argument_types[i].is_type(*p_args[i], true)) {
	r_err.error = Callable::CallError::CALL_ERROR_INVALID_ARGUMENT;
	r_err.argument = i;
	r_err.expected = argument_types[i].builtin_type;

godot/modules/gdscript/gdscript_function.h

Lines 109 to 113 in 3ed4497

	bool was_freed = false;
	Object *obj = p_variant.get_validated_object_with_check(was_freed);
	if (!obj) {
	return !was_freed;
	}

• (See also Fix expected argument count for Callable call errors #80844.)

Status

• Lambda references are corrupted when script is modified while debugging #62769
  • 🚫 This bug is difficult to reproduce. It seems to be related to hot reloading.
• Engine crashes when modifying tool script #74607
  • 🚫 Some crashes were prevented, but the hot reloading bug remained (which can also cause a crash in itself).
• GDScript 2.0: Lambda function seemingly not being called when static method of class with inferred type is called inside #69491
  • ✅ Fixed.
• A bug with freed capture.
  • Crash when lambda connected to signal attempts to use freed instance #79707
  • ✅ Fixed.
• GDScript crash when calling anonymous lambda stored as Callable #81572
  • ✅ Fixed (comment).

@tool
extends EditorScript

func _run() -> void:
    var x: Node = Node.new()
    x.free()
    (func (): print(x)).call()

[akien-mga]

I confirm this fixes #81572 on my project 🎉

I tested #62769 and documented my findings there for the current master branch. This PR doesn't seem to improve or worsen things.

[dalexeev]

Thanks for testing and documenting! I also saw some of these and several others. It looks like hot reloading can cause a random effect, depending on how the bytecode length (or something else) changes. In theory this can be dangerous.

[dalexeev]

Maybe this also fixes/removes a crash #79707 ✔️, #75421 ❌ and/or #76108 ❌. I'll test it later.

[akien-mga]

I'm not proficient with the GDScriptCompiler but I tested the changes and confirmed the bug fixes, without visible regression in a project that uses lambdas and awaits them a lot.

So I think we can merge so this gets tested in dev5.

[adamscott]

Another great PR from our @dalexeev that pass the test! Thanks for the numerous tests added.

[akien-mga]

Thanks!