Bug 228893 - [GTK] WTFCrash in WebCore::FontCache::lastResortFallbackFont
Summary: [GTK] WTFCrash in WebCore::FontCache::lastResortFallbackFont
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-08-07 01:00 PDT by Chijin
Modified: 2021-08-31 15:18 PDT
CC List: 17 users

Attachments
This file is generated by a browser fuzzer (487.28 KB, text/html)
2021-08-07 01:00 PDT, Chijin
Reduced test case (98 bytes, text/html)
2021-08-17 05:30 PDT, Carlos Garcia Campos
Reproducer without WebKit (683 bytes, text/x-csrc)
2021-08-17 05:40 PDT, Carlos Garcia Campos
Reduced test case (74 bytes, text/html)
2021-08-17 05:42 PDT, Carlos Garcia Campos
Patch (1.50 KB, patch)
2021-08-18 03:27 PDT, Carlos Garcia Campos
mcatanzaro: review+


Description Chijin 2021-08-07 01:00:26 PDT
Created attachment 435120 [details]
This file is generated by a browser fuzzer

When the attachment is opened by MiniBrowser, a WTFCrash is raised. 

OS: ubuntu 20.04
WebKit: webkit chunk; commit: bf8523d11fc7a9fd8cbcc6f85dd31df3ceb2b138

ASan message:

```
1   0x7fe6d3a509e0 WTFReportBacktrace
2   0x7fe6d3a50ec6 WTFCrash
3   0x7fe6d67cdeef /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x1547eef) [0x7fe6d67cdeef]
4   0x7fe6de6a2359 WebCore::FontCache::lastResortFallbackFont(WebCore::FontDescription const&)
5   0x7fe6dcd54db4 WebCore::FontCascadeFonts::realizeFallbackRangesAt(WebCore::FontCascadeDescription const&, unsigned int)
6   0x7fe6db60c83c /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x638683c) [0x7fe6db60c83c]
7   0x7fe6dda38855 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x87b2855) [0x7fe6dda38855]
8   0x7fe6dd3e27ea /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x815c7ea) [0x7fe6dd3e27ea]
9   0x7fe6dd970a90 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x86eaa90) [0x7fe6dd970a90]
10  0x7fe6dd96e7b2 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x86e87b2) [0x7fe6dd96e7b2]
11  0x7fe6dd38ab6e /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8104b6e) [0x7fe6dd38ab6e]
12  0x7fe6dd385097 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x80ff097) [0x7fe6dd385097]
13  0x7fe6dd395e70 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x810fe70) [0x7fe6dd395e70]
14  0x7fe6dd4320de /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0de) [0x7fe6dd4320de]
15  0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
16  0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
17  0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
18  0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
19  0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
20  0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
21  0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
22  0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
23  0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
24  0x7fe6dd43c22b /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b622b) [0x7fe6dd43c22b]
25  0x7fe6dd436469 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81b0469) [0x7fe6dd436469]
26  0x7fe6dd4320cb /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x81ac0cb) [0x7fe6dd4320cb]
27  0x7fe6dd3c473f /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x813e73f) [0x7fe6dd3c473f]
28  0x7fe6dd919069 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8693069) [0x7fe6dd919069]
29  0x7fe6dc81c2b7 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x75962b7) [0x7fe6dc81c2b7]
30  0x7fe6db1095f2 WebCore::Document::updateLayout()
31  0x7fe6db10e5c6 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
```
Comment 1 Radar WebKit Bug Importer 2021-08-08 08:48:52 PDT
<rdar://problem/81670715>
Comment 2 Carlos Garcia Campos 2021-08-17 05:30:07 PDT
Created attachment 435677 [details]
Reduced test case
Comment 3 Carlos Garcia Campos 2021-08-17 05:37:12 PDT
The crash happens because we always fail to create fonts for a size of 65535px. It's not a high limit, because it works for 65537px or even higher values. For some reason FT_Set_Char_Size() fails for some fonts when 65536 is passed for char width/height. It seems to depend on the font too, because it works with Cantarell for example, but for fallback fonts we try just "serif" as font family, in my case it ends up getting Bitstream Vera, but it also crashes with Liberation which is what I get with WTR.
Comment 4 Carlos Garcia Campos 2021-08-17 05:40:11 PDT
Created attachment 435678 [details]
Reproducer without WebKit

This is a simple program using pango to reproduce the issue. When passing "serif 49152" (which ends up setting the size to 65536) it gives runtime warnings; with any other value there's no output at all.

$ ./test "serif 49152"

(process:78079): Pango-WARNING **: 14:28:36.435: failed to create cairo scaled font, expect ugly output. the offending font is 'Bitstream Vera Serif 49152'

(process:78079): Pango-WARNING **: 14:28:36.435: font_face status is: error occurred in libfreetype

(process:78079): Pango-WARNING **: 14:28:36.435: scaled_font status is: error occurred in libfreetype
Comment 5 Carlos Garcia Campos 2021-08-17 05:42:04 PDT
Created attachment 435679 [details]
Reduced test case
Comment 6 Carlos Garcia Campos 2021-08-17 07:36:16 PDT
The issue seems to be the unsigned short cast here:

https://gitlab.freedesktop.org/freetype/freetype/-/blob/master/src/base/ftobjs.c#L3229

When 65536 is passed, that's 0, but for 65537 we get 1, and so on; that's why 65536 is the only problematic value. The reason why it only fails for some fonts is the driver: the TrueType driver's size request implementation returns an error when ppem is 0, but the CFF one doesn't. So I guess this is a FreeType limitation and we should ensure the font size is always < 65536.
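To make the narrowing in comment 6 concrete, here is an added C model (not FreeType's or WebKit's code; every function and macro name below is invented): the requested size passes through an unsigned short cast, a TrueType-like driver rejects the resulting ppem of 0, and a caller-side clamp to 65535 like the one in the patch keeps the request valid. It also goes beyond the comment: every multiple of 65536 narrows to 0, not only 65536 itself.

```c
#include <limits.h>
#include <stdbool.h>

/* Stand-alone model of the failure described in comments 3 and 6: the requested
 * pixel size is narrowed to an unsigned short before the font driver sees it.
 * Illustrative code, not FreeType's or WebKit's; all names here are invented. */

/* Upper bound the patch introduces (comment 9: std::numeric_limits<unsigned short>::max). */
#define MAX_ALLOWED_FONT_SIZE USHRT_MAX /* 65535 */

/* ppem as the driver receives it after the narrowing cast. Unsigned conversion
 * is modular, so 65535 -> 65535, 65536 -> 0, 65537 -> 1, 131072 -> 0. */
unsigned short narrowed_ppem(unsigned int requested_px)
{
    return (unsigned short)requested_px;
}

/* A driver that, like the TrueType driver in comment 6, rejects ppem == 0. */
bool truetype_like_request_ok(unsigned int requested_px)
{
    return narrowed_ppem(requested_px) != 0;
}

/* Caller-side mitigation mirroring the patch: never request a size >= 65536. */
unsigned int clamp_font_size(unsigned int requested_px)
{
    return requested_px > MAX_ALLOWED_FONT_SIZE ? MAX_ALLOWED_FONT_SIZE : requested_px;
}

/* The request as issued after the fix: clamp first, then ask the driver. */
bool request_after_fix_ok(unsigned int requested_px)
{
    return truetype_like_request_ok(clamp_font_size(requested_px));
}

/* Number of sizes in [lo, hi] that narrow to ppem 0; shows the single failing
 * value in comment 6 is the first of a family (every multiple of 65536). */
unsigned int count_zero_ppem_sizes(unsigned int lo, unsigned int hi)
{
    unsigned int n = 0;
    for (unsigned int px = lo; px <= hi; px++) {
        if (narrowed_ppem(px) == 0)
            n++;
        if (px == UINT_MAX) /* do not wrap around when hi == UINT_MAX */
            break;
    }
    return n;
}
```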
Comment 7 Carlos Garcia Campos 2021-08-17 07:57:00 PDT
I've reported it to FreeType; see https://gitlab.freedesktop.org/freetype/freetype/-/issues/1086
Comment 8 Carlos Garcia Campos 2021-08-18 03:27:52 PDT
Created attachment 435757 [details]
Patch
Comment 9 Michael Catanzaro 2021-08-18 09:20:57 PDT
Comment on attachment 435757 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=435757&action=review

> Source/WebCore/rendering/style/RenderStyleConstants.h:1111
> +static const float maximumAllowedFontSize = 65535.0f;

How about: std::numeric_limits<unsigned short>::max?
Comment 10 Carlos Garcia Campos 2021-08-23 00:11:52 PDT
Committed r281439 (240822@main): <https://commits.webkit.org/240822@main>
Comment 11 Arcady Goldmints-Orlov 2021-08-26 06:25:44 PDT
This patch apparently caused a regression in fast/box-shadow/box-shadow-huge-area-crash.html.
Comment 12 Carlos Garcia Campos 2021-08-27 01:36:47 PDT
(In reply to Arcady Goldmints-Orlov from comment #11)
> This patch apparently caused a regression in
> fast/box-shadow/box-shadow-huge-area-crash.html.

What regression exactly? Is it crashing now?
Comment 13 Carlos Alberto Lopez Perez 2021-08-31 15:18:35 PDT
(In reply to Carlos Garcia Campos from comment #12)
> (In reply to Arcady Goldmints-Orlov from comment #11)
> > This patch apparently caused a regression in
> > fast/box-shadow/box-shadow-huge-area-crash.html.
> 
> What regression exactly? is it crashing now?

See bug 229740