AnimMontage notify callback destroying owning actor causes crash

Destroying the owning actor as a response to an anim montage's anim notify causes unsafe access of the current anim montage. See repro steps.

• Create an anim montage
• Add an Montage Anim Notify to the montage's notify track with anim notify name Test
• In blueprint, call Play Montage on a skeletal mesh component to play the montage
• Destroy the owning actor in the Play Montage node's Begin Notify exec pin

Before testing, put a breakpoint in UAnimInstance::UninitializeAnimation()

When playing the montage and the actor is destroyed, notice that the breakpoint in UninitializeAnimation is hit and inspect the callstack. UninitializeAnimation() is called while executing the blueprint as a result of the anim notify. This happens in MontageInstance->Advance().

UninitializeAnimation() deletes all MontageInstances and clears the array that is currently being iterated in UAnimInstance::UpdateMontage(). This may or may not result in a crash because the memory being accessed may or may not have been overwritten yet, but further access of the current array element is definitely unsafe since it has been deleted.

[Image Removed]