Bug 189403

Summary:

[FreeType] Crash on www.axis-praxis.org in FontPlatformData constructor

Product:

WebKit

Reporter:

Jérémy Lal <kapouer>

Component:

WebKitGTK

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED WORKSFORME

Severity:

Normal

CC:

bugs-noreply, mcatanzaro, webkit-bugzilla

Priority:

Version:

Other

Hardware:

Unspecified

OS:

Linux

Attachments:

Description	Flags
Full backtrace	none

Description Jérémy Lal 2018-09-07 05:06:58 PDT

https://www.axis-praxis.org/specimens/__DEFAULT__
makes the page crash on webkitgtk 2.20 and 2.22 (at least).

It's a web page for testing variable fonts.

Comment 1 Alexey Proskuryakov 2018-09-09 13:38:27 PDT

I cannot reproduce in Safari for Mac, so probably platform specific.

Comment 2 Michael Catanzaro 2018-09-10 17:21:25 PDT

Normally we expect a backtrace to be included in the bug report, but in this case it was easy enough for me to reproduce. Truncated backtrace is:

#0  0x00007f5cf2212eab in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f5cf21fd5b9 in __GI_abort () at abort.c:79
#2  0x00007f5cf22557b7 in __libc_message (action=action@entry=
    do_abort, fmt=fmt@entry=0x7f5cf235f359 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007f5cf225bc4c in malloc_printerr (str=str@entry=0x7f5cf2360c40 "munmap_chunk(): invalid pointer") at malloc.c:5350
#4  0x00007f5cf225c1a4 in munmap_chunk (p=<optimized out>) at malloc.c:2846
#5  0x00007f5cf9e57713 in cairo_ft_apply_variations (face=face@entry=0x7f5cdc0cdb80, scaled_font=<optimized out>, scaled_font=<optimized out>)
    at cairo-ft-font.c:2384
#6  0x00007f5cf9e5a69f in cairo_ft_scaled_font_lock_face (abstract_font=abstract_font@entry=0x560dde7082c0) at cairo-ft-font.c:3851
#7  0x00007f5d007e3bea in WebCore::CairoFtFaceLocker::CairoFtFaceLocker(_cairo_scaled_font*) (scaledFont=0x560dde7082c0, this=<synthetic pointer>)
    at /usr/src/debug/webkit2gtk3-2.20.5-1.fc28.x86_64/Source/WebCore/platform/graphics/freetype/FontPlatformDataFreeType.cpp:168
#8  0x00007f5d007e3bea in WebCore::FontPlatformData::FontPlatformData(_cairo_font_face*, WebCore::FontDescription const&, bool, bool) (this=0x7ffcbb048a80, fontFace=<optimized out>, description=..., bold=<optimized out>, italic=<optimized out>)
    at /usr/src/debug/webkit2gtk3-2.20.5-1.fc28.x86_64/Source/WebCore/platform/g-raphics/freetype/FontPlatformDataFreeType.cpp:168
#9  0x00007f5d007e3097 in WebCore::FontCustomPlatformData::fontPlatformData(WebCore::FontDescription const&, bool, bool) (this=<optimized out>, description=..., bold=<optimized out>, italic=<optimized out>)
    at /usr/src/debug/webkit2gtk3-2.20.5-1.fc28.x86_64/Source/WebCore/platform/graphics/freetype/FontCustomPlatformDataFreeType.cpp:61
#10 0x00007f5d0014ab38 in WebCore::CachedFont::platformDataFromCustomData(WebCore::FontCustomPlatformData&, WebCore::FontDescription const&, bool, bool, WebCore::FontTaggedSettings<int> const&, WebCore::FontVariantSettings const&, WebCore::FontSelectionSpecifiedCapabilities) (fontCustomPlatformData=..., fontDescription=..., bold=<optimized out>, italic=<optimized out>, fontFaceFeatures=..., fontFaceVariantSettings=..., fontFaceCapabilities=...)
    at /usr/src/debug/webkit2gtk3-2.20.5-1.fc28.x86_64/Source/WebCore/loader/cache/CachedFont.cpp:158

Comment 3 Michael Catanzaro 2018-09-10 17:33:21 PDT

Created attachment 349362 [details]
Full backtrace

Comment 4 Michael Catanzaro 2018-09-10 18:24:20 PDT

Guess: probably the call to cairo_scaled_font_create() at the bottom of FontPlatformData::buildScaledFont is returning nullptr (though that would be a cairo bug as it is not documented to be nullable).

Comment 5 Lionir 2019-05-17 00:09:32 PDT

No longer crashes on : 

Epiphany : 3.33.1-1375a8e6d
WebKitGTK 2.24.1

Comment 6 Michael Catanzaro 2019-05-17 09:47:14 PDT

Indeed, there were a lot of changes to this code recently. Let's assume fixed unless Jeremy can still reproduce.