Bug 189403 - [FreeType] Crash on www.axis-praxis.org in FontPlatformData constructor
Summary: [FreeType] Crash on www.axis-praxis.org in FontPlatformData constructor
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: Other
Hardware: Unspecified Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2018-09-07 05:06 PDT by Jérémy Lal
Modified: 2019-05-17 09:47 PDT
CC: 3 users

See Also:


Attachments
Full backtrace (96.43 KB, text/plain)
2018-09-10 17:33 PDT, Michael Catanzaro
no flags

Description Jérémy Lal 2018-09-07 05:06:58 PDT
https://www.axis-praxis.org/specimens/__DEFAULT__
makes the page crash on webkitgtk 2.20 and 2.22 (at least).

It's a web page for testing variable fonts.
Comment 1 Alexey Proskuryakov 2018-09-09 13:38:27 PDT
I cannot reproduce in Safari for Mac, so probably platform specific.
Comment 2 Michael Catanzaro 2018-09-10 17:21:25 PDT
Normally we expect a backtrace to be included in the bug report, but in this case it was easy enough for me to reproduce. Truncated backtrace is:

#0  0x00007f5cf2212eab in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f5cf21fd5b9 in __GI_abort () at abort.c:79
#2  0x00007f5cf22557b7 in __libc_message (action=action@entry=
    do_abort, fmt=fmt@entry=0x7f5cf235f359 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007f5cf225bc4c in malloc_printerr (str=str@entry=0x7f5cf2360c40 "munmap_chunk(): invalid pointer") at malloc.c:5350
#4  0x00007f5cf225c1a4 in munmap_chunk (p=<optimized out>) at malloc.c:2846
#5  0x00007f5cf9e57713 in cairo_ft_apply_variations (face=face@entry=0x7f5cdc0cdb80, scaled_font=<optimized out>, scaled_font=<optimized out>)
    at cairo-ft-font.c:2384
#6  0x00007f5cf9e5a69f in cairo_ft_scaled_font_lock_face (abstract_font=abstract_font@entry=0x560dde7082c0) at cairo-ft-font.c:3851
#7  0x00007f5d007e3bea in WebCore::CairoFtFaceLocker::CairoFtFaceLocker(_cairo_scaled_font*) (scaledFont=0x560dde7082c0, this=<synthetic pointer>)
    at /usr/src/debug/webkit2gtk3-2.20.5-1.fc28.x86_64/Source/WebCore/platform/graphics/freetype/FontPlatformDataFreeType.cpp:168
#8  0x00007f5d007e3bea in WebCore::FontPlatformData::FontPlatformData(_cairo_font_face*, WebCore::FontDescription const&, bool, bool) (this=0x7ffcbb048a80, fontFace=<optimized out>, description=..., bold=<optimized out>, italic=<optimized out>)
    at /usr/src/debug/webkit2gtk3-2.20.5-1.fc28.x86_64/Source/WebCore/platform/graphics/freetype/FontPlatformDataFreeType.cpp:168
#9  0x00007f5d007e3097 in WebCore::FontCustomPlatformData::fontPlatformData(WebCore::FontDescription const&, bool, bool) (this=<optimized out>, description=..., bold=<optimized out>, italic=<optimized out>)
    at /usr/src/debug/webkit2gtk3-2.20.5-1.fc28.x86_64/Source/WebCore/platform/graphics/freetype/FontCustomPlatformDataFreeType.cpp:61
#10 0x00007f5d0014ab38 in WebCore::CachedFont::platformDataFromCustomData(WebCore::FontCustomPlatformData&, WebCore::FontDescription const&, bool, bool, WebCore::FontTaggedSettings<int> const&, WebCore::FontVariantSettings const&, WebCore::FontSelectionSpecifiedCapabilities) (fontCustomPlatformData=..., fontDescription=..., bold=<optimized out>, italic=<optimized out>, fontFaceFeatures=..., fontFaceVariantSettings=..., fontFaceCapabilities=...)
    at /usr/src/debug/webkit2gtk3-2.20.5-1.fc28.x86_64/Source/WebCore/loader/cache/CachedFont.cpp:158
Comment 3 Michael Catanzaro 2018-09-10 17:33:21 PDT
Created attachment 349362
Full backtrace
Comment 4 Michael Catanzaro 2018-09-10 18:24:20 PDT
Guess: probably the call to cairo_scaled_font_create() at the bottom of FontPlatformData::buildScaledFont is returning nullptr (though that would be a cairo bug as it is not documented to be nullable).
Comment 5 azeikui6ziwjypjgu5w2tixgcxdaapxx 2019-05-17 00:09:32 PDT
No longer crashes on:

Epiphany: 3.33.1-1375a8e6d
WebKitGTK: 2.24.1
Comment 6 Michael Catanzaro 2019-05-17 09:47:14 PDT
Indeed, there were a lot of changes to this code recently. Let's assume fixed unless Jeremy can still reproduce.