Bug 204689

Summary: [HarfBuzz] WebKitWebProcess crashes when displaying a KaTeX formula
Product: WebKit
Reporter: Alice Mikhaylenko <alicem>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bugs-noreply, cgarcia, clopez, ews-watchlist, fred.wang, mmaxfield
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Description    Flags
backtrace      none
Patch          clopez: review+

Alice Mikhaylenko
Reported 2019-11-28 10:30:37 PST
Created attachment 384464: backtrace

A good reproducer would be https://katex.org/docs/supported.html

I can reproduce it with Epiphany Technology Preview (WebKit 2.27.3) and self-built 3.34.2 flatpak (2.26.2). Fedora 31 build (2.26.2 too) doesn't crash and freezes the window instead.

I don't have debug symbols in Flatpak, but another person was able to get a backtrace, attaching it.
Attachments
backtrace (35.59 KB, text/plain)
2019-11-28 10:30 PST, Alice Mikhaylenko
no flags
Patch (1.72 KB, patch)
2019-12-13 07:04 PST, Carlos Garcia Campos
clopez: review+
Carlos Garcia Campos
Comment 1 2019-12-12 10:17:46 PST
#0  0x00007fd7b72ce0a6 in BEInt<unsigned short, 2>::operator unsigned short (this=<optimized out>) at hb-blob.hh:58
#1  OT::IntType<unsigned short, 2u>::operator unsigned int (this=<optimized out>) at hb-open-type.hh:67
#2  OT::Offset<OT::IntType<unsigned short, 2u>, true>::is_null (this=<optimized out>) at hb-open-type.hh:174
#3  OT::OffsetTo<OT::MathConstants, OT::IntType<unsigned short, 2u>, true>::operator() (base=<optimized out>, this=<optimized out>) at hb-open-type.hh:260
#4  OT::operator+<const OT::MATH*, OT::IntType<short unsigned int, 2>, true, OT::MathConstants> (base=<optimized out>, offset=...) at hb-open-type.hh:346
#5  OT::MATH::get_constant (font=<optimized out>, constant=<optimized out>, this=<optimized out>) at hb-ot-math-table.hh:698
#6  hb_ot_math_get_constant (font=0x564bb3253580, constant=HB_OT_MATH_CONSTANT_SUBSCRIPT_SHIFT_DOWN) at hb-ot-math.cc:83
#7  0x00007fd7bd9c9786 in WebCore::OpenTypeMathData::getMathConstant(WebCore::Font const&, WebCore::OpenTypeMathData::MathConstant) const () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007fd7bdcbf9c0 in WebCore::RenderMathMLScripts::verticalParameters() const () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007fd7bdcbfedd in WebCore::RenderMathMLScripts::verticalMetrics(WebCore::RenderMathMLScripts::ReferenceChildren const&) () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
Carlos Garcia Campos
Comment 2 2019-12-13 03:55:44 PST
==53068== Thread 1:
==53068== Invalid read of size 1
==53068==    at 0xCDB4956: operator short unsigned int (hb-machinery.hh:712)
==53068==    by 0xCDB4956: operator OT::IntType<short unsigned int, 2>::wide_type (hb-open-type.hh:67)
==53068==    by 0xCDB4956: is_null (hb-open-type.hh:174)
==53068==    by 0xCDB4956: operator() (hb-open-type.hh:260)
==53068==    by 0xCDB4956: operator+<const OT::MATH*, OT::IntType<short unsigned int, 2>, true, OT::MathConstants> (hb-open-type.hh:346)
==53068==    by 0xCDB4956: get_constant (hb-ot-math-table.hh:698)
==53068==    by 0xCDB4956: hb_ot_math_get_constant (hb-ot-math.cc:83)
==53068==    by 0x7C265C5: WebCore::OpenTypeMathData::getMathConstant(WebCore::Font const&, WebCore::OpenTypeMathData::MathConstant) const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F1D414: WebCore::RenderMathMLScripts::spaceAfterScript() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F1D5DA: WebCore::RenderMathMLScripts::computePreferredLogicalWidths() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D15F22: WebCore::RenderBox::maxPreferredLogicalWidth() const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F18BC3: WebCore::RenderMathMLRow::computePreferredLogicalWidths() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D15F22: WebCore::RenderBox::maxPreferredLogicalWidth() const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F18BC3: WebCore::RenderMathMLRow::computePreferredLogicalWidths() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D15F22: WebCore::RenderBox::maxPreferredLogicalWidth() const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F18BC3: WebCore::RenderMathMLRow::computePreferredLogicalWidths() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D3B42B: WebCore::RenderBox::computeLogicalWidthInFragmentUsing(WebCore::SizeType, WebCore::Length, WebCore::LayoutUnit, WebCore::RenderBlock const&, WebCore::RenderFragmentContainer*) const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D53752: WebCore::RenderBox::computeLogicalWidthInFragment(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderFragmentContainer*) const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==  Address 0x61012464 is not stack'd, malloc'd or (recently) free'd
Carlos Garcia Campos
Comment 3 2019-12-13 07:04:34 PST
Carlos Garcia Campos
Comment 4 2019-12-13 07:18:56 PST
Frédéric Wang (:fredw)
Comment 5 2019-12-13 07:37:29 PST
thanks!