Opened 2 years ago

Closed 23 months ago

#18169 closed bug (fixed)

WebPositive (master) - random crashes

Reported by: vidrep Owned by: axeld
Priority: critical Milestone: R1/beta5
Component: Servers/app_server Version: R1/beta4
Keywords: Cc:
Blocked By: Blocking: #18231, #18259
Platform: All

Description (last modified by vidrep)

hrev56671 x86_64

HaikuWebKit 1.9.1 WebKit 615.1.10

Random crashes of app_server when using WebPositive

Debug report and photo attached

Attachments (3)

app_server-794-debug-24-12-2022-17-49-35.report (43.7 KB ) - added by vidrep 2 years ago.
IMG_0214.JPG (1.4 MB ) - added by vidrep 2 years ago.
IMG_0215.JPG (1.5 MB ) - added by vidrep 2 years ago.

Change History (10)

comment:1 by vidrep, 2 years ago

Description: modified (diff)

by vidrep, 2 years ago

Attachment: IMG_0214.JPG added

by vidrep, 2 years ago

Attachment: IMG_0215.JPG added

comment:2 by waddlesplash, 2 years ago

Component: Applications/WebPositiveServers/app_server
Milestone: UnscheduledR1/beta5
Owner: changed from pulkomandy to axeld
Priority: normalcritical

NULL dereference in the font code. Unsurprising as this was just refactored.

comment:3 by madmax, 2 years ago

Blocking: 18231 added

comment:4 by madmax, 23 months ago

Any hint on how to improve the chance of hitting this?

I've stumbled upon two places that may incorrectly delete a FontFamily so that a later search may lead to this, but they require an allocation error or a very long style name, and even that wouldn't be enough by itself. If there's a site you've always visited when you had this crash (not necessarily open the very same moment the crash happens) and it uses a font with a wild name, that may be it. But until so proven it may be a different cause.

comment:5 by pulkomandy, 23 months ago

Can you clarify where you see a NULL derefernce? The crashing instruction is mov (%rsi,%rdx),%ecx which translates to "read memory at RSI+RDX and write to register ECX".

RSI is not 0 so that is not a NULL pointer at all. RDX is 0 and is the osset into the string (so we're just accessing the first 4 bytes of it).

So it is not a NULL, but a completely uninitialized or otherwise corrupt pointer?

comment:6 by waddlesplash, 23 months ago

Blocking: 18259 added

comment:7 by madmax, 23 months ago

Resolution: fixed
Status: newclosed

Fixed in hrev56765.

Observed with icons font in DuckDuckGo. It sometimes loads with no style name. A later visit sometimes loads fonts again. In that case, when we get to _AddUserFont:

  1. We check if we already have that family. We do, so we'll use that instead of creating a new one.
  2. We ask the family if it already has this face. HasStyle calls _FindStyle, that doesn't like the empty style name and says there's no such face.
  3. We create the new style.
  4. We AddStyle to the family. This one checks again if the family already has that style, but does so directly, not through _FindStyle, and not checking if the style name is empty. So it finds the former style, doesn't add the new one and says so in the return value.
  5. As we didn't add the style, we delete it and also the not new family. OUCH.

The next search by family name that touches that item crashes apps_server. If that doesn't happen, it crashes anyway on WebPositive exit when cleaning up the font manager.

There's still the question of whether the font is really sent with an empty style name or there's a bug somewhere else, and what to do with empty style names (and even family names) if they are legal. At least for svg fonts those are optional attributes without default values.

Note: See TracTickets for help on using tickets.