Bug 204689 - [HarfBuzz] WebKitWebProcess crashes when displaying a KaTeX formula
Summary: [HarfBuzz] WebKitWebProcess crashes when displaying a KaTeX formula
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-28 10:30 PST by Alice Mikhaylenko
Modified: 2019-12-13 07:37 PST

See Also:


Attachments
backtrace (35.59 KB, text/plain)
2019-11-28 10:30 PST, Alice Mikhaylenko
no flags
Patch (1.72 KB, patch)
2019-12-13 07:04 PST, Carlos Garcia Campos
clopez: review+

Description Alice Mikhaylenko 2019-11-28 10:30:37 PST
Created attachment 384464
backtrace

A good reproducer would be https://katex.org/docs/supported.html

I can reproduce it with Epiphany Technology Preview (WebKit 2.27.3) and self-built 3.34.2 flatpak (2.26.2). Fedora 31 build (2.26.2 too) doesn't crash and freezes the window instead.

I don't have debug symbols in Flatpak, but another person was able to get a backtrace, attaching it.
Comment 1 Carlos Garcia Campos 2019-12-12 10:17:46 PST
#0  0x00007fd7b72ce0a6 in BEInt<unsigned short, 2>::operator unsigned short (this=<optimized out>) at hb-blob.hh:58
#1  OT::IntType<unsigned short, 2u>::operator unsigned int (this=<optimized out>) at hb-open-type.hh:67
#2  OT::Offset<OT::IntType<unsigned short, 2u>, true>::is_null (this=<optimized out>) at hb-open-type.hh:174
#3  OT::OffsetTo<OT::MathConstants, OT::IntType<unsigned short, 2u>, true>::operator() (base=<optimized out>, this=<optimized out>) at hb-open-type.hh:260
#4  OT::operator+<const OT::MATH*, OT::IntType<short unsigned int, 2>, true, OT::MathConstants> (base=<optimized out>, offset=...) at hb-open-type.hh:346
#5  OT::MATH::get_constant (font=<optimized out>, constant=<optimized out>, this=<optimized out>) at hb-ot-math-table.hh:698
#6  hb_ot_math_get_constant (font=0x564bb3253580, constant=HB_OT_MATH_CONSTANT_SUBSCRIPT_SHIFT_DOWN) at hb-ot-math.cc:83
#7  0x00007fd7bd9c9786 in WebCore::OpenTypeMathData::getMathConstant(WebCore::Font const&, WebCore::OpenTypeMathData::MathConstant) const ()
   from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#8  0x00007fd7bdcbf9c0 in WebCore::RenderMathMLScripts::verticalParameters() const () from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
#9  0x00007fd7bdcbfedd in WebCore::RenderMathMLScripts::verticalMetrics(WebCore::RenderMathMLScripts::ReferenceChildren const&) ()
   from /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
Comment 2 Carlos Garcia Campos 2019-12-13 03:55:44 PST
==53068== Thread 1:
==53068== Invalid read of size 1
==53068==    at 0xCDB4956: operator short unsigned int (hb-machinery.hh:712)
==53068==    by 0xCDB4956: operator OT::IntType<short unsigned int, 2>::wide_type (hb-open-type.hh:67)
==53068==    by 0xCDB4956: is_null (hb-open-type.hh:174)
==53068==    by 0xCDB4956: operator() (hb-open-type.hh:260)
==53068==    by 0xCDB4956: operator+<const OT::MATH*, OT::IntType<short unsigned int, 2>, true, OT::MathConstants> (hb-open-type.hh:346)
==53068==    by 0xCDB4956: get_constant (hb-ot-math-table.hh:698)
==53068==    by 0xCDB4956: hb_ot_math_get_constant (hb-ot-math.cc:83)
==53068==    by 0x7C265C5: WebCore::OpenTypeMathData::getMathConstant(WebCore::Font const&, WebCore::OpenTypeMathData::MathConstant) const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F1D414: WebCore::RenderMathMLScripts::spaceAfterScript() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F1D5DA: WebCore::RenderMathMLScripts::computePreferredLogicalWidths() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D15F22: WebCore::RenderBox::maxPreferredLogicalWidth() const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F18BC3: WebCore::RenderMathMLRow::computePreferredLogicalWidths() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D15F22: WebCore::RenderBox::maxPreferredLogicalWidth() const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F18BC3: WebCore::RenderMathMLRow::computePreferredLogicalWidths() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D15F22: WebCore::RenderBox::maxPreferredLogicalWidth() const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7F18BC3: WebCore::RenderMathMLRow::computePreferredLogicalWidths() (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D3B42B: WebCore::RenderBox::computeLogicalWidthInFragmentUsing(WebCore::SizeType, WebCore::Length, WebCore::LayoutUnit, WebCore::RenderBlock const&, WebCore::RenderFragmentContainer*) const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==    by 0x7D53752: WebCore::RenderBox::computeLogicalWidthInFragment(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderFragmentContainer*) const (in /home/cgarcia/src/git/gnome/WebKit/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37.42.0)
==53068==  Address 0x61012464 is not stack'd, malloc'd or (recently) free'd
Comment 3 Carlos Garcia Campos 2019-12-13 07:04:34 PST
Created attachment 385599
Patch
Comment 4 Carlos Garcia Campos 2019-12-13 07:18:56 PST
Committed r253470: <https://trac.webkit.org/changeset/253470>
Comment 5 Frédéric Wang (:fredw) 2019-12-13 07:37:29 PST
thanks!