Opened 23 months ago
Closed 21 months ago
#18169 closed bug (fixed)
WebPositive (master) - random crashes
| Reported by: | vidrep | Owned by: | axeld |
|---|---|---|---|
| Priority: | critical | Milestone: | R1/beta5 |
| Component: | Servers/app_server | Version: | R1/beta4 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | #18231, #18259 | |
| Platform: | All |
Description (last modified by )
hrev56671 x86_64
HaikuWebKit 1.9.1 WebKit 615.1.10
Random crashes of app_server when using WebPositive
Debug report and photo attached
Attachments (3)
Change History (10)
by , 23 months ago
| Attachment: | app_server-794-debug-24-12-2022-17-49-35.report added |
|---|
comment:1 by , 23 months ago
| Description: | modified (diff) |
|---|
by , 23 months ago
| Attachment: | IMG_0214.JPG added |
|---|
by , 23 months ago
| Attachment: | IMG_0215.JPG added |
|---|
comment:2 by , 23 months ago
| Component: | Applications/WebPositive → Servers/app_server |
|---|---|
| Milestone: | Unscheduled → R1/beta5 |
| Owner: | changed from to |
| Priority: | normal → critical |
comment:3 by , 22 months ago
| Blocking: | 18231 added |
|---|
comment:4 by , 21 months ago
Any hint on how to improve the chance of hitting this?
I've stumbled upon two places that may incorrectly delete a FontFamily so that a later search may lead to this, but they require an allocation error or a very long style name, and even that wouldn't be enough by itself. If there's a site you've always visited when you had this crash (not necessarily open the very same moment the crash happens) and it uses a font with a wild name, that may be it. But until so proven it may be a different cause.
comment:5 by , 21 months ago
Can you clarify where you see a NULL derefernce? The crashing instruction is mov (%rsi,%rdx),%ecx which translates to "read memory at RSI+RDX and write to register ECX".
RSI is not 0 so that is not a NULL pointer at all. RDX is 0 and is the osset into the string (so we're just accessing the first 4 bytes of it).
So it is not a NULL, but a completely uninitialized or otherwise corrupt pointer?
comment:6 by , 21 months ago
| Blocking: | 18259 added |
|---|
comment:7 by , 21 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed in hrev56765.
Observed with icons font in DuckDuckGo. It sometimes loads with no style name. A later visit sometimes loads fonts again. In that case, when we get to _AddUserFont:
- We check if we already have that family. We do, so we'll use that instead of creating a new one.
- We ask the family if it already has this face.
HasStylecalls_FindStyle, that doesn't like the empty style name and says there's no such face. - We create the new style.
- We
AddStyleto the family. This one checks again if the family already has that style, but does so directly, not through_FindStyle, and not checking if the style name is empty. So it finds the former style, doesn't add the new one and says so in the return value. - As we didn't add the style, we delete it and also the not new family. OUCH.
The next search by family name that touches that item crashes apps_server. If that doesn't happen, it crashes anyway on WebPositive exit when cleaning up the font manager.
There's still the question of whether the font is really sent with an empty style name or there's a bug somewhere else, and what to do with empty style names (and even family names) if they are legal. At least for svg fonts those are optional attributes without default values.
NULL dereference in the font code. Unsurprising as this was just refactored.