Bug 228893

Summary: [GTK] WTFCrash in WebCore::FontCache::lastResortFallbackFont
Product: WebKit
Reporter: Chijin <tlock.chijin>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, bugs-noreply, cgarcia, changseok, clopez, crzwdjk, esprehn+autocc, ews-watchlist, glenn, Hironori.Fujii, kondapallykalyan, mcatanzaro, mmaxfield, pdr, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: PC
OS: Linux
See Also: https://bugs.webkit.org/show_bug.cgi?id=229740
Attachments (description / flags):
This file is generated by a browser fuzzer / none
Reduced test case / none
Reproducer without WebKit / none
Reduced test case / none
Patch / mcatanzaro: review+

Chijin
Reported 2021-08-07 01:00:26 PDT
Created attachment 435120 [details]
This file is generated by a browser fuzzer

When the attachment is opened by MiniBrowser, a WTFCrash is raised.

OS: ubuntu 20.04
WebKit: webkit chunk; commit: bf8523d11fc7a9fd8cbcc6f85dd31df3ceb2b138

Asan message:
```
1 0x7fe6d3a509e0 WTFReportBacktrace
2 0x7fe6d3a50ec6 WTFCrash
3 0x7fe6d67cdeef /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x1547eef) [0x7fe6d67cdeef]
4 0x7fe6de6a2359 WebCore::FontCache::lastResortFallbackFont(WebCore::FontDescription const&)
5 0x7fe6dcd54db4 WebCore::FontCascadeFonts::realizeFallbackRangesAt(WebCore::FontCascadeDescription const&, unsigned int)
6 0x7fe6db60c83c /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x638683c) [0x7fe6db60c83c]
7 0x7fe6dda38855 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x87b2855) [0x7fe6dda38855]
8 0x7fe6dd3e27ea /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x815c7ea) [0x7fe6dd3e27ea]
9 0x7fe6dd970a90 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x86eaa90) [0x7fe6dd970a90]
10 0x7fe6dd96e7b2 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x86e87b2) [0x7fe6dd96e7b2]
11 0x7fe6dd38ab6e /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8104b6e) [0x7fe6dd38ab6e]
12 0x7fe6dd385097 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x80ff097) [0x7fe6dd385097]
13 0x7fe6dd395e70 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x810fe70) [0x7fe6dd395e70]
14 0x7fe6dd4320de /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0de) [0x7fe6dd4320de]
15 0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
16 0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
17 0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
18 0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
19 0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
20 0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
21 0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
22 0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
23 0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
24 0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
25 0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
26 0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
27 0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
28 0x7fe6dd919069 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8693069) [0x7fe6dd919069]
29 0x7fe6dc81c2b7 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x75962b7) [0x7fe6dc81c2b7]
30 0x7fe6db1095f2 WebCore::Document::updateLayout()
31 0x7fe6db10e5c6 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
```
Attachments
This file is generated by a browser fuzzer (487.28 KB, text/html)
2021-08-07 01:00 PDT, Chijin
no flags
Reduced test case (98 bytes, text/html)
2021-08-17 05:30 PDT, Carlos Garcia Campos
no flags
Reproducer without WebKit (683 bytes, text/x-csrc)
2021-08-17 05:40 PDT, Carlos Garcia Campos
no flags
Reduced test case (74 bytes, text/html)
2021-08-17 05:42 PDT, Carlos Garcia Campos
no flags
Patch (1.50 KB, patch)
2021-08-18 03:27 PDT, Carlos Garcia Campos
mcatanzaro: review+
Radar WebKit Bug Importer
Comment 1 2021-08-08 08:48:52 PDT
Carlos Garcia Campos
Comment 2 2021-08-17 05:30:07 PDT
Created attachment 435677 [details] Reduced test case
Carlos Garcia Campos
Comment 3 2021-08-17 05:37:12 PDT
The crash happens because we always fail to create fonts for a size of 65535px. It's not a high limit, because it works for 65537px or even higher values. For some reason FT_Set_Char_Size() fails for some fonts when 65536 is passed for char width/height. It seems to depend on the font too, because it works with Cantarell for example, but for fallback fonts we try just "serif" as font family, in my case it ends up getting Bitstream Vera, but it also crashes with Liberation which is what I get with WTR.
Carlos Garcia Campos
Comment 4 2021-08-17 05:40:11 PDT
Created attachment 435678 [details]
Reproducer without WebKit

This is a simple program using pango to reproduce the issue. When passing "serif 49152" (which ends up setting the size to 65536) it gives runtime warnings, with any other value there's no output at all.

```
$ ./test "serif 49152"

(process:78079): Pango-WARNING **: 14:28:36.435: failed to create cairo scaled font, expect ugly output. the offending font is 'Bitstream Vera Serif 49152'
(process:78079): Pango-WARNING **: 14:28:36.435: font_face status is: error occurred in libfreetype
(process:78079): Pango-WARNING **: 14:28:36.435: scaled_font status is: error occurred in libfreetype
```
Carlos Garcia Campos
Comment 5 2021-08-17 05:42:04 PDT
Created attachment 435679 [details] Reduced test case
Carlos Garcia Campos
Comment 6 2021-08-17 07:36:16 PDT
The issue seems to be the unsigned short cast here: https://gitlab.freedesktop.org/freetype/freetype/-/blob/master/src/base/ftobjs.c#L3229 when 65536 is passed that's 0, but for 65537 we get 1 and so on, that's why 65536 is the only problematic value. The reason why it only fails for some fonts is the driver, the truetype driver size request implementation returns an error when ppem is 0, but the cff doesn't. So, I guess this is a Freetype limitation and we should ensure font size is always < 65536.
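The wrap-around described in the comment above, as an added example that is not part of the original comment and is not FreeType or WebKit code: it models the 16-bit cast, the two driver behaviours, and a caller-side clamp. The function names, the `driver_model` enum and `MAX_FONT_PIXEL_SIZE` are hypothetical; the sample sizes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the cast described in comment 6: the requested size ends up in a
 * 16-bit unsigned field, so only the low 16 bits of the value survive. */
static uint16_t ppem_after_cast(long pixel_size)
{
    return (uint16_t)pixel_size;
}

/* The two driver behaviours the comment contrasts (names are hypothetical). */
enum driver_model { REJECTS_ZERO_PPEM, ACCEPTS_ZERO_PPEM };

/* Returns 1 if the modelled size request succeeds, 0 if it fails. */
static int size_request_ok(enum driver_model d, long pixel_size)
{
    uint16_t ppem = ppem_after_cast(pixel_size);
    if (ppem == 0 && d == REJECTS_ZERO_PPEM)
        return 0;
    return 1;
}

/* Assumed upper bound, matching the 65535 constant quoted later in the bug. */
#define MAX_FONT_PIXEL_SIZE 65535L

/* Caller-side guard: never hand the font backend a size of 65536 or more. */
static long clamp_font_size(long requested)
{
    return requested > MAX_FONT_PIXEL_SIZE ? MAX_FONT_PIXEL_SIZE : requested;
}

int main(void)
{
    /* Constructed sample sizes around the boundary. */
    const long sizes[] = { 65535, 65536, 65537 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        long s = sizes[i], c = clamp_font_size(s);
        printf("%ld px: ppem=%u rejecting=%s accepting=%s clamped=%ld (%s)\n",
               s, (unsigned)ppem_after_cast(s),
               size_request_ok(REJECTS_ZERO_PPEM, s) ? "ok" : "FAIL",
               size_request_ok(ACCEPTS_ZERO_PPEM, s) ? "ok" : "FAIL",
               c, size_request_ok(REJECTS_ZERO_PPEM, c) ? "ok" : "FAIL");
    }
    return 0;
}
```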
Carlos Garcia Campos
Comment 7 2021-08-17 07:57:00 PDT
Carlos Garcia Campos
Comment 8 2021-08-18 03:27:52 PDT
Michael Catanzaro
Comment 9 2021-08-18 09:20:57 PDT
Comment on attachment 435757 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=435757&action=review

> Source/WebCore/rendering/style/RenderStyleConstants.h:1111
> +static const float maximumAllowedFontSize = 65535.0f;

How about: std::numeric_limits<unsigned short>::max?
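Review bot: the 65535.0f literal on the added line at RenderStyleConstants.h:1111 carries no explanation of where the limit comes from. A one-line comment stating that the cap exists because the font backend truncates the size to an unsigned short (comment 6) would keep a later cleanup from raising it back to a value that wraps to 0. Deriving the value from std::numeric_limits<unsigned short>::max(), as suggested above, would make that intent self-documenting, and a header constant like this reads better as constexpr than as static const.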
Carlos Garcia Campos
Comment 10 2021-08-23 00:11:52 PDT
Arcady Goldmints-Orlov
Comment 11 2021-08-26 06:25:44 PDT
This patch apparently caused a regression in fast/box-shadow/box-shadow-huge-area-crash.html.
Carlos Garcia Campos
Comment 12 2021-08-27 01:36:47 PDT
(In reply to Arcady Goldmints-Orlov from comment #11)
> This patch apparently caused a regression in
> fast/box-shadow/box-shadow-huge-area-crash.html.

What regression exactly? Is it crashing now?
Carlos Alberto Lopez Perez
Comment 13 2021-08-31 15:18:35 PDT
(In reply to Carlos Garcia Campos from comment #12)
> (In reply to Arcady Goldmints-Orlov from comment #11)
> > This patch apparently caused a regression in
> > fast/box-shadow/box-shadow-huge-area-crash.html.
>
> What regression exactly? is it crashing now?

See bug 229740