Created attachment 435120 [details]
This file is generated by a browser fuzzer

When the attachment is opened by MiniBrowser, a WTFCrash is raised.

OS: ubuntu 20.04
WebKit: webkit chunk; commit: bf8523d11fc7a9fd8cbcc6f85dd31df3ceb2b138

Asan message:
```
1 0x7fe6d3a509e0 WTFReportBacktrace
2 0x7fe6d3a50ec6 WTFCrash
3 0x7fe6d67cdeef /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x1547eef) [0x7fe6d67cdeef]
4 0x7fe6de6a2359 WebCore::FontCache::lastResortFallbackFont(WebCore::FontDescription const&)
5 0x7fe6dcd54db4 WebCore::FontCascadeFonts::realizeFallbackRangesAt(WebCore::FontCascadeDescription const&, unsigned int)
6 0x7fe6db60c83c /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x638683c) [0x7fe6db60c83c]
7 0x7fe6dda38855 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x87b2855) [0x7fe6dda38855]
8 0x7fe6dd3e27ea /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x815c7ea) [0x7fe6dd3e27ea]
9 0x7fe6dd970a90 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x86eaa90) [0x7fe6dd970a90]
10 0x7fe6dd96e7b2 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x86e87b2) [0x7fe6dd96e7b2]
11 0x7fe6dd38ab6e /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8104b6e) [0x7fe6dd38ab6e]
12 0x7fe6dd385097 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x80ff097) [0x7fe6dd385097]
13 0x7fe6dd395e70 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x810fe70) [0x7fe6dd395e70]
14 0x7fe6dd4320de /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0de) [0x7fe6dd4320de]
15 0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
16 0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
17 0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
18 0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
19 0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
20 0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
21 0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
22 0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
23 0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
24 0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
25 0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
26 0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
27 0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
28 0x7fe6dd919069 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8693069) [0x7fe6dd919069]
29 0x7fe6dc81c2b7 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x75962b7) [0x7fe6dc81c2b7]
30 0x7fe6db1095f2 WebCore::Document::updateLayout()
31 0x7fe6db10e5c6 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
```
<rdar://problem/81670715>
Created attachment 435677 [details] Reduced test case
The crash happens because we always fail to create fonts for a size of 65535px. It's not a high limit, because it works for 65537px or even higher values. For some reason FT_Set_Char_Size() fails for some fonts when 65536 is passed for char width/height. It seems to depend on the font too, because it works with Cantarell for example, but for fallback fonts we try just "serif" as font family; in my case it ends up getting Bitstream Vera, but it also crashes with Liberation, which is what I get with WTR.
Created attachment 435678 [details]
Reproducer without WebKit

This is a simple program using pango to reproduce the issue. When passing "serif 49152" (which ends up setting the size to 65536) it gives runtime warnings; with any other value there's no output at all.

```
$ ./test "serif 49152"
(process:78079): Pango-WARNING **: 14:28:36.435: failed to create cairo scaled font, expect ugly output. the offending font is 'Bitstream Vera Serif 49152'
(process:78079): Pango-WARNING **: 14:28:36.435: font_face status is: error occurred in libfreetype
(process:78079): Pango-WARNING **: 14:28:36.435: scaled_font status is: error occurred in libfreetype
```
Created attachment 435679 [details] Reduced test case
The issue seems to be the unsigned short cast here: https://gitlab.freedesktop.org/freetype/freetype/-/blob/master/src/base/ftobjs.c#L3229. When 65536 is passed that's 0, but for 65537 we get 1 and so on; that's why 65536 is the only problematic value. The reason why it only fails for some fonts is the driver: the truetype driver size request implementation returns an error when ppem is 0, but the cff one doesn't. So, I guess this is a Freetype limitation and we should ensure font size is always < 65536.
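The narrowing described in the comment above, with the caller-side clamp that the thread settles on, as an added C illustration; this is not FreeType's or WebKit's code. The 96 dpi point-to-pixel conversion (which maps the reproducer's "serif 49152" to 65536px), the uint16_t standing in for the unsigned short ppem field, and the strict/lenient driver model are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not FreeType's or WebKit's own code. It mirrors the
 * failure described above: the requested pixel size is stored in a 16-bit
 * field, so 65536 wraps to 0, which some drivers reject and others accept. */

/* Pango sizes are in points; at 96 dpi, 1pt = 96/72 px (assumed conversion,
 * consistent with "serif 49152" ending up as 65536 in the reproducer). */
static unsigned long points_to_pixels_96dpi(unsigned long points)
{
    return points * 96 / 72;
}

/* The narrowing cast: uint16_t plays the role of the unsigned short ppem. */
static uint16_t ppem_after_narrowing(unsigned long pixel_size)
{
    return (uint16_t)pixel_size;
}

/* Result codes for the toy driver model below. */
enum { SIZE_OK = 0, SIZE_ERR_INVALID_PPEM = 1 };

/* Model of a driver that validates ppem (as the truetype driver is described
 * to do) and rejects 0. A driver that skips this check would carry on with a
 * 0 ppem size, which is the path the thread identifies as the crash. */
static int strict_driver_request_size(unsigned long pixel_size)
{
    return ppem_after_narrowing(pixel_size) == 0 ? SIZE_ERR_INVALID_PPEM : SIZE_OK;
}

/* Caller-side mitigation: clamp before the request so the narrowing can
 * never yield 0. 65535 is the largest value that survives the cast. */
#define MAXIMUM_ALLOWED_FONT_SIZE 65535UL

static unsigned long clamp_font_size(unsigned long pixel_size)
{
    return pixel_size > MAXIMUM_ALLOWED_FONT_SIZE ? MAXIMUM_ALLOWED_FONT_SIZE : pixel_size;
}

/* Full path: convert, clamp, request. Returns the ppem the driver will use,
 * or 0 if the request is rejected (which cannot happen after clamping). */
static uint16_t request_size_safely(unsigned long points)
{
    unsigned long px = clamp_font_size(points_to_pixels_96dpi(points));
    if (strict_driver_request_size(px) != SIZE_OK)
        return 0;
    return ppem_after_narrowing(px);
}

int main(void)
{
    /* Constructed sample sizes around the problematic value. */
    unsigned long sizes[] = { 49151, 49152, 49153 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        unsigned long px = points_to_pixels_96dpi(sizes[i]);
        printf("%lupt -> %lupx -> ppem %u unclamped (%s), %u clamped\n",
               sizes[i], px, ppem_after_narrowing(px),
               strict_driver_request_size(px) == SIZE_OK ? "ok" : "rejected",
               request_size_safely(sizes[i]));
    }
    return 0;
}
```

Only 65536 maps to ppem 0; 65535 and 65537 both survive the cast, which is exactly the "not a high limit" observation in the thread. Clamping at 65535 on the caller side also caps sizes that would otherwise have worked, which is the trade-off the WebKit fix accepts.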
I've reported it to freetype, see https://gitlab.freedesktop.org/freetype/freetype/-/issues/1086
Created attachment 435757 [details] Patch
Comment on attachment 435757 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=435757&action=review

> Source/WebCore/rendering/style/RenderStyleConstants.h:1111
> +static const float maximumAllowedFontSize = 65535.0f;

How about: std::numeric_limits<unsigned short>::max?
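Review bot: the declaration of maximumAllowedFontSize at RenderStyleConstants.h:1111 has no comment explaining where 65535 comes from; a one-line note that FreeType narrows the requested pixel size to an unsigned short, so 65536 becomes ppem 0 and the truetype driver rejects it (this bug), would keep the next reader from "fixing" the limit upward. Spelling the value as the unsigned short maximum, as suggested, makes the origin self-documenting as well.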
Committed r281439 (240822@main): <https://commits.webkit.org/240822@main>
This patch apparently caused a regression in fast/box-shadow/box-shadow-huge-area-crash.html.
(In reply to Arcady Goldmints-Orlov from comment #11)
> This patch apparently caused a regression in
> fast/box-shadow/box-shadow-huge-area-crash.html.

What regression exactly? is it crashing now?
(In reply to Carlos Garcia Campos from comment #12)
> (In reply to Arcady Goldmints-Orlov from comment #11)
> > This patch apparently caused a regression in
> > fast/box-shadow/box-shadow-huge-area-crash.html.
>
> What regression exactly? is it crashing now?

See bug 229740