Bug 228893

Summary: [GTK] WTFCrash in WebCore::FontCache::lastResortFallbackFont
Product: WebKit
Reporter: Chijin <tlock.chijin>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, bugs-noreply, cgarcia, changseok, clopez, crzwdjk, esprehn+autocc, ews-watchlist, glenn, Hironori.Fujii, kondapallykalyan, mcatanzaro, mmaxfield, pdr, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: PC
OS: Linux
See Also: https://bugs.webkit.org/show_bug.cgi?id=229740
Attachments (description, flags):
  This file is generated by a browser fuzzer (flags: none)
  Reduced test case (flags: none)
  Reproducer without WebKit (flags: none)
  Reduced test case (flags: none)
  Patch (flags: mcatanzaro: review+)

Description Chijin 2021-08-07 01:00:26 PDT
Created attachment 435120 [details]
This file is generated by a browser fuzzer

When the attachment is opened by MiniBrowser, a WTFCrash is raised. 

OS: ubuntu 20.04
WebKit: webkit trunk; commit: bf8523d11fc7a9fd8cbcc6f85dd31df3ceb2b138

Asan message:

```
1   0x7fe6d3a509e0 WTFReportBacktrace
2   0x7fe6d3a50ec6 WTFCrash
3   0x7fe6d67cdeef /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x1547eef) [0x7fe6d67cdeef]
4   0x7fe6de6a2359 WebCore::FontCache::lastResortFallbackFont(WebCore::FontDescription const&)
5   0x7fe6dcd54db4 WebCore::FontCascadeFonts::realizeFallbackRangesAt(WebCore::FontCascadeDescription const&, unsigned int)
6   0x7fe6db60c83c /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x638683c) [0x7fe6db60c83c]
7   0x7fe6dda38855 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x87b2855) [0x7fe6dda38855]
8   0x7fe6dd3e27ea /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x815c7ea) [0x7fe6dd3e27ea]
9   0x7fe6dd970a90 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x86eaa90) [0x7fe6dd970a90]
10  0x7fe6dd96e7b2 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x86e87b2) [0x7fe6dd96e7b2]
11  0x7fe6dd38ab6e /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8104b6e) [0x7fe6dd38ab6e]
12  0x7fe6dd385097 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x80ff097) [0x7fe6dd385097]
13  0x7fe6dd395e70 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x810fe70) [0x7fe6dd395e70]
14  0x7fe6dd4320de /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0de) [0x7fe6dd4320de]
15  0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
16  0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
17  0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
18  0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
19  0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
20  0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
21  0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
22  0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
23  0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
24  0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
25  0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
26  0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
27  0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
28  0x7fe6dd919069 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8693069) [0x7fe6dd919069]
29  0x7fe6dc81c2b7 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x75962b7) [0x7fe6dc81c2b7]
30  0x7fe6db1095f2 WebCore::Document::updateLayout()
31  0x7fe6db10e5c6 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)

```
Comment 1 Radar WebKit Bug Importer 2021-08-08 08:48:52 PDT
<rdar://problem/81670715>
Comment 2 Carlos Garcia Campos 2021-08-17 05:30:07 PDT
Created attachment 435677 [details]
Reduced test case
Comment 3 Carlos Garcia Campos 2021-08-17 05:37:12 PDT
The crash happens because we always fail to create fonts for a size of 65535px. It's not a high limit, because it works for 65537px or even higher values. For some reason FT_Set_Char_Size() fails for some fonts when 65536 is passed for char width/height. It seems to depend on the font too, because it works with Cantarell for example, but for fallback fonts we try just "serif" as font family, in my case it ends up getting Bitstream Vera, but it also crashes with Liberation which is what I get with WTR.
Comment 4 Carlos Garcia Campos 2021-08-17 05:40:11 PDT
Created attachment 435678 [details]
Reproducer without WebKit

This is a simple program using pango to reproduce the issue. When passing "serif 49152" (which ends up setting the size to 65536) it gives runtime warnings; with any other value there's no output at all.

$ ./test "serif 49152"

(process:78079): Pango-WARNING **: 14:28:36.435: failed to create cairo scaled font, expect ugly output. the offending font is 'Bitstream Vera Serif 49152'

(process:78079): Pango-WARNING **: 14:28:36.435: font_face status is: error occurred in libfreetype

(process:78079): Pango-WARNING **: 14:28:36.435: scaled_font status is: error occurred in libfreetype
Comment 5 Carlos Garcia Campos 2021-08-17 05:42:04 PDT
Created attachment 435679 [details]
Reduced test case
Comment 6 Carlos Garcia Campos 2021-08-17 07:36:16 PDT
The issue seems to be the unsigned short cast here:

https://gitlab.freedesktop.org/freetype/freetype/-/blob/master/src/base/ftobjs.c#L3229

when 65536 is passed that's 0, but for 65537 we get 1 and so on, that's why 65536 is the only problematic value. The reason why it only fails for some fonts is the driver, the truetype driver size request implementation returns an error when ppem is 0, but the cff doesn't. So, I guess this is a Freetype limitation and we should ensure font size is always < 65536.
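The truncation described in the comment above, modelled as a stand-alone example (added here; this is not FreeType's, Pango's or WebKit's code). It casts a requested pixel size to `unsigned short` the way the `ftobjs.c` line does, shows why 65536 is the single bad value, converts the "serif 49152" Pango size to pixels at an assumed 96 dpi, and applies a hypothetical clamp of the kind the later patch introduces, using `std::numeric_limits<unsigned short>::max()` as the bound. The function names are assumptions made for this example.

```cpp
#include <algorithm>
#include <cstdio>
#include <limits>

// Model of the FreeType behaviour described in comment 6: the requested
// pixel size is narrowed to unsigned short before the font driver sees it.
// 65536 wraps to 0, 65537 wraps to 1, 65535 survives unchanged.
// (Constructed illustration, not FreeType's code.)
static unsigned short truncatedPpem(unsigned long requestedPpem)
{
    return static_cast<unsigned short>(requestedPpem);
}

// A ppem of 0 is what the TrueType driver rejects (and the CFF driver
// silently accepts), so "survives" means the narrowed value is non-zero.
static bool ppemSurvivesTruncation(unsigned long requestedPpem)
{
    return truncatedPpem(requestedPpem) != 0;
}

// Pango font sizes are in points; at the assumed 96 dpi of the reproducer,
// 49152 pt * 96 / 72 = 65536 px, which is how "serif 49152" hits the bad value.
static unsigned long pointsToPixelsAt96Dpi(unsigned long points)
{
    return points * 96 / 72;
}

// Hypothetical clamp in the spirit of the patch discussed later in this bug:
// keep the CSS font size at or below 65535 px so the cast above can never
// land on 0 for any size handed to FreeType. The bound is derived from the
// type that causes the truncation rather than written as a magic number.
static constexpr float maximumAllowedFontSize = std::numeric_limits<unsigned short>::max(); // 65535

static float clampFontSize(float size)
{
    // NaN or negative sizes are treated as 0 here (assumption for this example).
    if (!(size >= 0.0f))
        return 0.0f;
    return std::min(size, maximumAllowedFontSize);
}

int main()
{
    for (unsigned long px : { 65535UL, 65536UL, 65537UL })
        std::printf("requested %lu px -> narrowed to %u (%s)\n", px, truncatedPpem(px),
                    ppemSurvivesTruncation(px) ? "ok" : "ppem 0, driver may fail");
    std::printf("\"serif 49152\" at 96 dpi = %lu px\n", pointsToPixelsAt96Dpi(49152));
    std::printf("clamp(65536) = %g, clamp(70000) = %g\n", clampFontSize(65536.0f), clampFontSize(70000.0f));
    return 0;
}
```

The clamp works only if it is applied after every scaling step (zoom, minimum-font-size adjustments) that can enlarge the value, since a size that is just under 65536 before scaling can reach 65536 afterwards.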
Comment 7 Carlos Garcia Campos 2021-08-17 07:57:00 PDT
I've reported it to freetype, see https://gitlab.freedesktop.org/freetype/freetype/-/issues/1086
Comment 8 Carlos Garcia Campos 2021-08-18 03:27:52 PDT
Created attachment 435757 [details]
Patch
Comment 9 Michael Catanzaro 2021-08-18 09:20:57 PDT
Comment on attachment 435757 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=435757&action=review

> Source/WebCore/rendering/style/RenderStyleConstants.h:1111
> +static const float maximumAllowedFontSize = 65535.0f;
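Review bot: the new constant in RenderStyleConstants.h carries no comment explaining why 65535 is the limit, so a future reader cannot tell it is a FreeType constraint rather than a WebKit design choice; add a short comment that the size is narrowed to unsigned short in FreeType's FT_Request_Size path (comment 6) and link the upstream report from comment 7. Expressing the bound as std::numeric_limits<unsigned short>::max() also makes the origin self-documenting. Since the value is a float, it is worth confirming the clamp runs after any zoom or scaling step, so a value just below the limit cannot round up to 65536 before reaching FreeType.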

How about: std::numeric_limits<unsigned short>::max?
Comment 10 Carlos Garcia Campos 2021-08-23 00:11:52 PDT
Committed r281439 (240822@main): <https://commits.webkit.org/240822@main>
Comment 11 Arcady Goldmints-Orlov 2021-08-26 06:25:44 PDT
This patch apparently caused a regression in fast/box-shadow/box-shadow-huge-area-crash.html.
Comment 12 Carlos Garcia Campos 2021-08-27 01:36:47 PDT
(In reply to Arcady Goldmints-Orlov from comment #11)
> This patch apparently caused a regression in
> fast/box-shadow/box-shadow-huge-area-crash.html.

What regression exactly? Is it crashing now?
Comment 13 Carlos Alberto Lopez Perez 2021-08-31 15:18:35 PDT
(In reply to Carlos Garcia Campos from comment #12)
> (In reply to Arcady Goldmints-Orlov from comment #11)
> > This patch apparently caused a regression in
> > fast/box-shadow/box-shadow-huge-area-crash.html.
> 
> What regression exactly? Is it crashing now?

See bug 229740