RESOLVED FIXED 281375
[Skia] Crash in WebCore::FontCache::lastResortFallbackFont
https://bugs.webkit.org/show_bug.cgi?id=281375
Nils K
Reported 2024-10-12 05:22:36 PDT
Testing WPE WebKit 2.46.1 on one machine only led to the process (cog) crashing instantly. This worked without problems under 2.44.

Before the crash there is "Fontconfig error: Cannot load default config file: No such file: (null)" logged, but this was also happening on previous versions without any problem.

I will also note that the systems use an immutable/hermetic /usr partition and the rest of the filesystem (most importantly /etc) is empty apart from a few symlinks. I am not sure how Skia loads fonts but that could have something to do with it?

Backtrace:

#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007fb0d35c46d3 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:78
#2 0x00007fb0d356bc4e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007fb0d3553902 in __GI_abort () at abort.c:79
#4 0x00007fb0d427355f in WTFCrashWithInfo(int, char const*, char const*, int) () from /lib64/libWPEWebKit-2.0.so.1
#5 0x00007fb0d7e830f5 in WebCore::FontCache::lastResortFallbackFont(WebCore::FontDescription const&) () from /lib64/libWPEWebKit-2.0.so.1
#6 0x00007fb0d7d62259 in WebCore::FontCascadeFonts::realizeFallbackRangesAt(WebCore::FontCascadeDescription const&, unsigned int) () from /lib64/libWPEWebKit-2.0.so.1
#7 0x00007fb0d70c4cac in WebCore::FontCascadeFonts::primaryFont(WebCore::FontCascadeDescription const&) () from /lib64/libWPEWebKit-2.0.so.1
#8 0x00007fb0d83267a7 in WebCore::Style::Resolver::Resolver(WebCore::Document&, WebCore::Style::Resolver::ScopeType) () from /lib64/libWPEWebKit-2.0.so.1
#9 0x00007fb0d832da46 in WebCore::Style::Scope::createDocumentResolver() () from /lib64/libWPEWebKit-2.0.so.1
#10 0x00007fb0d832d2ae in WebCore::Style::Scope::resolver() () from /lib64/libWPEWebKit-2.0.so.1
#11 0x00007fb0d8343ff7 in WebCore::Style::TreeResolver::resolve() () from /lib64/libWPEWebKit-2.0.so.1
#12 0x00007fb0d732c9f2 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) () from /lib64/libWPEWebKit-2.0.so.1
#13 0x00007fb0d732d68f in WebCore::Document::updateStyleIfNeeded() () from /lib64/libWPEWebKit-2.0.so.1
#14 0x00007fb0d7351a1b in WebCore::Document::finishedParsing() () from /lib64/libWPEWebKit-2.0.so.1
#15 0x00007fb0d77c1cbe in WebCore::HTMLConstructionSite::finishedParsing() () from /lib64/libWPEWebKit-2.0.so.1
#16 0x00007fb0d77c8f37 in WebCore::HTMLDocumentParser::prepareToStopParsing() () from /lib64/libWPEWebKit-2.0.so.1
#17 0x00007fb0d77cb8d8 in WebCore::HTMLDocumentParser::finish() () from /lib64/libWPEWebKit-2.0.so.1
#18 0x00007fb0d79b03b1 in WebCore::DocumentWriter::end() () from /lib64/libWPEWebKit-2.0.so.1
#19 0x00007fb0d79af5d3 in WebCore::DocumentLoader::finishedLoading() () from /lib64/libWPEWebKit-2.0.so.1
#20 0x00007fb0d79ba170 in WebCore::DocumentLoader::maybeLoadEmpty() () from /lib64/libWPEWebKit-2.0.so.1
#21 0x00007fb0d79bade9 in WebCore::DocumentLoader::startLoadingMainResource() () from /lib64/libWPEWebKit-2.0.so.1
#22 0x00007fb0d79d68cd in WebCore::FrameLoader::init() () from /lib64/libWPEWebKit-2.0.so.1
#23 0x00007fb0d49f9534 in WebKit::WebFrame::initWithCoreMainFrame(WebKit::WebPage&, WebCore::Frame&) () from /lib64/libWPEWebKit-2.0.so.1
#24 0x00007fb0d49c2161 in WebKit::WebPage::WebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long, (WTF::SupportsObjectIdentifierNullState)1>, WebKit::WebPageCreationParameters&&) () from /lib64/libWPEWebKit-2.0.so.1
#25 0x00007fb0d49bffb3 in WebKit::WebPage::create(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long, (WTF::SupportsObjectIdentifierNullState)1>, WebKit::WebPageCreationParameters&&) () from /lib64/libWPEWebKit-2.0.so.1
#26 0x00007fb0d48af2e4 in WebKit::WebProcess::createWebPage(WTF::ObjectIdentifierGeneric<WebCore::PageIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long, (WTF::SupportsObjectIdentifierNullState)1>, WebKit::WebPageCreationParameters&&) () from /lib64/libWPEWebKit-2.0.so.1
#27 0x00007fb0d43b8050 in WebKit::WebProcess::didReceiveWebProcessMessage(IPC::Connection&, IPC::Decoder&) () from /lib64/libWPEWebKit-2.0.so.1
#28 0x00007fb0d467bf6d in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) () from /lib64/libWPEWebKit-2.0.so.1
#29 0x00007fb0d467f9a8 in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(WTF::UniqueRef<IPC::Decoder>)::$_1, void>::call() () from /lib64/libWPEWebKit-2.0.so.1
#30 0x00007fb0d5f2b3ab in WTF::RunLoop::performWork() () from /lib64/libWPEWebKit-2.0.so.1
#31 0x00007fb0d5fc119d in WTF::RunLoop::RunLoop()::$_0::__invoke(void*) () from /lib64/libWPEWebKit-2.0.so.1
#32 0x00007fb0d5fc0321 in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) () from /lib64/libWPEWebKit-2.0.so.1
#33 0x00007fb0d3defe8c in g_main_dispatch (context=0x15ec9a80) at ../glib/gmain.c:3344
#34 g_main_context_dispatch_unlocked (context=0x15ec9a80) at ../glib/gmain.c:4152
#35 0x00007fb0d3e51c98 in g_main_context_iterate_unlocked.isra.0 (context=0x15ec9a80, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4217
#36 0x00007fb0d3df5f37 in g_main_loop_run (loop=0x15ec9bd0) at ../glib/gmain.c:4419
#37 0x00007fb0d5fc091d in WTF::RunLoop::run() () from /lib64/libWPEWebKit-2.0.so.1
#38 0x00007fb0d4a18106 in WebKit::WebProcessMain(int, char**) () from /lib64/libWPEWebKit-2.0.so.1
#39 0x00007fb0d3555088 in __libc_start_call_main (main=main@entry=0x2017f0 <main>, argc=argc@entry=4, argv=argv@entry=0x7ffe785793e8) at ../sysdeps/nptl/libc_start_call_main.h:58
#40 0x00007fb0d355514b in __libc_start_main_impl (main=0x2017f0 <main>, argc=4, argv=0x7ffe785793e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe785793d8) at ../csu/libc-start.c:360
#41 0x0000000000201725 in _start ()

Sadly, gdb reports "No symbol table info available." for the symbols from libWPEWebKit-2.0.so.1. I will see later if I can get more details out of there.
Michael Catanzaro
Comment 1 2024-10-12 11:34:26 PDT
You don't need additional debuginfo for this. The last resort fallback font is just "serif" but fontconfig wasn't able to provide a match even for that, so you've no hope. This is not a WebKit bug; it's either a font configuration issue or else possibly a Fontconfig bug.
Nils K
Comment 2 2024-10-13 07:45:18 PDT
(In reply to Michael Catanzaro from comment #1)
> You don't need additional debuginfo for this. The last resort fallback font
> is just "serif" but fontconfig wasn't able to provide a match even for that,
> so you've no hope. This is not a WebKit bug; it's either a font
> configuration issue or else possibly a Fontconfig bug.

Fontconfig is able to find a match for serif. Running "fc-match serif" warns about a missing fontconfig file but successfully returns:

'NotoSans[wght].ttf: "Noto Sans" "Regular"'

This also worked in WebKit 2.44 with the same fontconfig version (2.15.0). Maybe it has something to do with it being a variable width font? Or is there something else appended to the pattern used when searching fonts?

On another machine with more fonts "fc-match sans-serif" also returns NotoSans but WebKit instead selects Nimbus Roman which fontconfig ranks lower.
Carlos Garcia Campos
Comment 3 2024-10-14 01:20:29 PDT
I think the problem is that Skia is always doing strong matching, which is needed for CSS fallbacks, but not for the last resort fallback font. We could try not passing a family name. Another possibility is what Adrián suggested some time ago, adding a font to the library as a GResource and returning it always as last resort, ensuring we always have a font even if the system doesn't have any font installed (unlikely, but still).
Nils K
Comment 4 2024-10-14 04:14:52 PDT
(In reply to Carlos Garcia Campos from comment #3)
> I think the problem is that Skia is always doing strong matching, which is
> needed for CSS fallbacks, but not for the last resort fallback font. We
> could try not passing a family name. Another possibility is what Adrián
> suggested some time ago, adding a font to the library as a GResource and
> returning it always as last resort, ensuring we always have a font even if
> the system doesn't have any font installed (unlikely, but still).

Is it possible to check this strong matching from the command line (or a short C program)?
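One way to check the strong matching asked about in comment 4 from the command line, as an added example that is not part of this thread and is not WebKit or Skia code. It assumes "strong matching" means the family fontconfig returns must equal one of the requested family names up to and including the last strongly bound one; the function names and both sample patterns are constructed for illustration.

```shell
#!/bin/sh
# Added example. fontconfig prints each family value with its binding:
# (s) strong, (w) weak, (=) same. A name given by the caller is strong;
# names added by <alias> rules in the configuration are weak by default.

# accepted_families FAMILY_TEXT
# FAMILY_TEXT is the family element as printed by
#   fc-pattern --config serif family
# Prints the names accepted under the assumed rule, one per line: everything
# up to and including the last strong name (all names if none is strong).
accepted_families() {
    printf '%s\n' "$1" |
        grep -o '"[^"]*"([sw=])' |
        awk '{ line[NR] = $0; if ($0 ~ /\(s\)$/) last = NR }
             END {
                 n = last ? last : NR
                 for (i = 1; i <= n; i++) {
                     sub(/^"/, "", line[i])
                     sub(/"\([sw=]\)$/, "", line[i])
                     print line[i]
                 }
             }'
}

# strong_match_ok MATCHED_FAMILY FAMILY_TEXT
# Exit status 0 if the family returned by fc-match is in the accepted set.
strong_match_ok() {
    accepted_families "$2" | grep -qixF -- "$1"
}

# Constructed sample: configuration loaded, alias rules put real families
# in front of the generic name.
WITH_ALIASES='"DejaVu Serif"(w) "Noto Serif"(w) "serif"(s) "Times"(w)'
# Constructed sample: no configuration file loaded, so no alias rule ran and
# the pattern holds only the name that was asked for.
NO_CONFIG='"serif"(s)'

strong_match_ok "Noto Serif" "$WITH_ALIASES" && echo "aliases loaded: accepted"
strong_match_ok "Noto Sans" "$NO_CONFIG" || echo "no config: rejected"

# Live use (needs the fontconfig command-line tools):
#   strong_match_ok "$(fc-match -f '%{family[0]}' serif)" \
#                   "$(fc-pattern --config serif family)"
```

With the second sample, the "Noto Sans" result that "fc-match serif" reported in comment 2 is rejected because it is not one of the requested names, even though fontconfig considers it the best available match.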
Carlos Garcia Campos
Comment 5 2024-10-21 02:46:46 PDT
EWS
Comment 6 2024-10-21 06:28:12 PDT
Committed 285505@main (f30738ce1fc8): <https://commits.webkit.org/285505@main> Reviewed commits have been landed. Closing PR #35514 and removing active labels.
Nils K
Comment 7 2024-10-23 15:18:33 PDT
I just tested 2.46.2 and can confirm that the crash no longer occurs, thanks!