Bug 64364 - crash in WebCore::FontFallbackList::determinePitch ()
Summary: crash in WebCore::FontFallbackList::determinePitch ()
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-12 09:11 PDT by Marco Peereboom
Modified: 2022-04-08 00:23 PDT
CC: 4 users

See Also:


Attachments
patch1 (1.31 KB, patch), 2011-07-12 09:21 PDT, Marco Peereboom, no flags
patch2 (1.31 KB, patch), 2011-07-12 09:43 PDT, Marco Peereboom, no flags

Description Marco Peereboom 2011-07-12 09:11:54 PDT
WebCore/platform/graphics/FontFallbackList.cpp
void FontFallbackList::determinePitch(const Font* font) const

font can be NULL, causing the following crash:
#0  0x00000002110c8d7b in WebCore::FontFallbackList::determinePitch () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#1  0x00000002111804be in WebCore::RenderBlock::findNextLineBreak () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#2  0x0000000211181c4c in WebCore::RenderBlock::layoutInlineChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#3  0x0000000211170bf8 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#4  0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#5  0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#6  0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#7  0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#8  0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#9  0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#10 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#11 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#12 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#13 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#14 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#15 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#16 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#17 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#18 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#19 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#20 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#21 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#22 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#23 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#24 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#25 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#26 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#27 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#28 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#29 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#30 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#31 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#32 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#33 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#34 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#35 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#36 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#37 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#38 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#39 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#40 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#41 0x000000021116e552 in WebCore::RenderBlock::layoutBlockChild () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#42 0x00000002111701b8 in WebCore::RenderBlock::layoutBlockChildren () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#43 0x00000002111711d6 in WebCore::RenderBlock::layoutBlock () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#44 0x0000000211159fbd in WebCore::RenderBlock::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#45 0x0000000211225d6f in WebCore::RenderView::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#46 0x000000021108eeff in WebCore::FrameView::layout () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#47 0x000000021112420a in WebCore::ThreadTimers::sharedTimerFiredInternal () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#48 0x0000000210b04772 in WebCore::timeout_cb () from /usr/local/lib/libwebkitgtk-1.0.so.0.1
#49 0x00000002042e2b7b in g_source_get_time () from /usr/local/lib/libglib-2.0.so.2800.0
#50 0x00000002042e2173 in g_main_context_dispatch () from /usr/local/lib/libglib-2.0.so.2800.0
#51 0x00000002042e6152 in g_main_context_prepare () from /usr/local/lib/libglib-2.0.so.2800.0
#52 0x00000002042e6545 in g_main_loop_run () from /usr/local/lib/libglib-2.0.so.2800.0
#53 0x00000002122efa83 in gtk_main () from /usr/local/lib/libgtk-x11-2.0.so.2400.0
#54 0x0000000000417dc6 in main (argc=0, argv=0x7f7fffff2608) at /home/marco/xxxterm/xxxterm.c:8388

This seems to coincide with file descriptor starvation, although I am not 100% sure of that.

Patch to follow.
Comment 1 Marco Peereboom 2011-07-12 09:21:21 PDT
Created attachment 100496
patch1

Verify font and fontData to be not NULL.
Comment 2 WebKit Review Bot 2011-07-12 09:24:01 PDT
Attachment 100496 did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebCore/ChangeLog', u'Source/WebCor..." exit_code: 1

Source/WebCore/platform/graphics/FontFallbackList.cpp:76:  Tests for true/false, null/non-null, and zero/non-zero should all be done without equality comparisons.  [readability/comparison_to_zero] [5]
Source/WebCore/platform/graphics/FontFallbackList.cpp:76:  Use 0 instead of NULL.  [readability/null] [5]
Source/WebCore/platform/graphics/FontFallbackList.cpp:77:  Tab found; better to use spaces  [whitespace/tab] [1]
Source/WebCore/platform/graphics/FontFallbackList.cpp:81:  Tests for true/false, null/non-null, and zero/non-zero should all be done without equality comparisons.  [readability/comparison_to_zero] [5]
Source/WebCore/platform/graphics/FontFallbackList.cpp:81:  Use 0 instead of NULL.  [readability/null] [5]
Source/WebCore/platform/graphics/FontFallbackList.cpp:82:  Tab found; better to use spaces  [whitespace/tab] [1]
Total errors found: 6 in 2 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Martin Robinson 2011-07-12 09:29:40 PDT
What version of WebKit do you see this with? I recently fixed a FontCache bug that might have been causing this issue.
Comment 4 Marco Peereboom 2011-07-12 09:37:38 PDT
Whatever is bundled in webkit-gtk 1.4.2 as found here: http://webkitgtk.org/webkit-1.4.2.tar.gz
Comment 5 Marco Peereboom 2011-07-12 09:43:34 PDT
Created attachment 100501
patch2

Fix style
Comment 6 mitz 2011-07-12 21:48:32 PDT
Is this crash reproducible? As far as I can tell, bailing out of determinePitch() would merely delay the crash.
Comment 7 Marco Peereboom 2011-07-13 11:55:22 PDT
(In reply to comment #6)
> Is this crash reproducible? As far as I can tell, bailing out of determinePitch() would merely delay the crash.

This is trivial to reproduce on OpenBSD with a small number of file descriptors available. In my browser I set the ulimit -n to like 60 and open up a ton of tabs and it'll bomb. I agree though this patch only makes it a little better and in other cases it'll bomb elsewhere in the font code. Even though this helps it isn't a fix so it should be disregarded. What seems to be the root cause is file descriptor starvation but I have not been able to locate where this cascades into this (and many other similar crashes).
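The failure mode discussed in comments 6 and 7, as an added illustration that is not code from this bug, its patches, or WebKit: once a process hits its descriptor limit, every loader that opens a file starts returning NULL with errno EMFILE, so a NULL check in one consumer (determinePitch) only moves the crash to the next unchecked consumer. The "font" loads below are a constructed stand-in (an fopen() of /dev/null per font), and the wrapper names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>

/* Cap the soft RLIMIT_NOFILE at `limit`, then try to load `attempts`
 * "fonts" (constructed stand-in: each load is an fopen() of /dev/null,
 * costing one descriptor, so it returns NULL once the table is full).
 * Handles are released and the limit restored before returning.
 * Returns how many loaded; *first_errno gets the errno of the first
 * failed load, or 0 if none failed. */
static int run_under_fd_cap(rlim_t limit, int attempts, int *first_errno)
{
    FILE *handles[64];
    struct rlimit saved, capped;
    int opened = 0;
    *first_errno = 0;
    if (attempts > 64) attempts = 64;
    if (getrlimit(RLIMIT_NOFILE, &saved) != 0)
        return -1;
    capped = saved;
    capped.rlim_cur = limit;
    if (setrlimit(RLIMIT_NOFILE, &capped) != 0)
        return -1;
    for (int i = 0; i < attempts; i++) {
        FILE *f = fopen("/dev/null", "r");
        if (!f) {                      /* the NULL a caller must check */
            if (*first_errno == 0)
                *first_errno = errno;  /* EMFILE: per-process limit hit */
            continue;
        }
        handles[opened++] = f;
    }
    for (int i = 0; i < opened; i++)
        fclose(handles[i]);
    setrlimit(RLIMIT_NOFILE, &saved);  /* undo the cap for the caller */
    return opened;
}

/* Single-value wrappers: errno of the first failed load, and the count. */
int starvation_first_errno(rlim_t limit, int attempts)
{
    int err;
    return run_under_fd_cap(limit, attempts, &err) < 0 ? -1 : err;
}
int starvation_opened(rlim_t limit, int attempts)
{
    int err;
    return run_under_fd_cap(limit, attempts, &err);
}
```

With a cap of 16 and 32 attempts, only the descriptors left below the cap load and every later attempt fails with EMFILE, which is the condition the patch checks for in one place but which every loader call site would need to handle.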
Comment 8 Adrian Perez 2022-04-08 00:23:36 PDT
This bug refers to code that has changed drastically since, and the
changes from the patch no longer seem relevant. Let's close this for
now =)