Crash when pasting the unicode character for U+25B6 into Chrome
Reported by e...@figma.com, Jul 5 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce the problem:
It happens pretty much everywhere, but it also happened when logging this bug report so I'll use that as the repro steps.
1. Visit crbug.com
2. Click "New issue"
3. Get to the one-line summary textbox
4. Paste the unicode character for U+25B6 into the textbox (it's a solid black right triangle)

What is the expected behavior?
The character should appear when pasted.

What went wrong?
The tab crashes. This happens every time I do it on a newly-created tab. Refreshing an old crashed tab doesn't do it again sometimes, maybe because it reuses something about the old process?

Crashed report ID: Crash ID 9acfb1d600000000 (3bad1088-e9bf-4274-90da-8fcaf22e1ccf)
How much crashed? Just one tab
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: 51.0.2704.106
Channel: stable
OS Version: OS X 10.9.5
Flash Version: Shockwave Flash 22.0 r0

I suspect this may be a problem with CoreText. I got Slack to crash by pasting in the same character and the crash report for Slack showed a stack overflow alternating between TGlyphEncoder::AppendUnmappedCharRun() and TGlyphEncoder::RunUnicodeEncoderRecursively(). The stack traces for Chrome seem pretty useless so I'm not sure how to debug this (it just looks like it crashed in libunwind.dylib without any other functions in the call stack).

My machine details from Apple > About This Mac:
MacBook Pro Retina, 15-inch, Early 2013
Processor 2.8 GHz Intel Core i7
Memory 16 GB 1600 MHz DDR3
Graphics NVIDIA GeForce GT 650M 1024 MB
Software OS X 10.9.5 (13F1808)
Jul 7 2016
Aha, a dup of 576941, probably. (10.9, core text crash!). This may give us an easy repro, and would also explain why some people are crashing a lot on gmail (they probably have an email with this or similar emoji). I wonder if the timing of this crash lines up with the changes that allowed Chrome to start displaying emoji in the content area.
Jul 7 2016
If we can reproduce this, and can't work around it, maybe we should disable emoji on 10.9?
Jul 7 2016
If we can repro: does the repro make Safari's renderer crash too?
Jul 7 2016
I wasn't able to repro it on a 10.9 device that I had access to. evan: Can you check to see if the bug repros in Safari?
Jul 7 2016
I can't get it to happen in Safari. I also can't get my reduced test case from this bug report to repro in Chrome anymore. Weird. I have another repro that should hopefully work more consistently. Extract the attached zip folder, open index.html, and paste the contents of data.json into the textarea. This is closer to the original problem I was running into. It still crashes Chrome consistently for me even though the original repro steps in this bug no longer cause a crash. I generated lots more crash reports today and I attached another dmp file from one of them, which appears to be Crash ID d279300200000000 (8de07a41-56d7-4287-a51d-2810d203649b) from chrome://crashes. Both the old and the new steps don't repro in Safari (Version 9.1.1/9537.86.6.17, WebKit.framework 537.78.2) or Firefox (47.0). Chrome is the only affected browser as far as I can tell. It's probably possible to crash WebKit somehow since Slack probably uses WebKit.framework but I've been using Slack all day and it's only crashed when viewing that character once since then.
Jul 7 2016
Thanks for the repro information. I'll try to see if I can further reduce this in my 10.9 VM. This is definitely a dupe of issue 576941, which we know to be 10.9-only. This isn't related to the Mac emoji work--that happened in 2014. Unfortunately we don't have a clear idea as to when this started happening. Best guess, from that other bug, is: https://chromium.googlesource.com/chromium/src/+log/45.0.2453.0..45.0.2454.0?pretty=fuller&n=10000 which contains a few blink rolls (total list of changes): https://chromium.googlesource.com/chromium/blink/+log/448d61e..abaaf1d?pretty=fuller
Jul 7 2016
Awesome, I can repro this with the attachment in #6. Thanks a ton! I'll try and start minimizing the conditions that cause CoreText to do this.
Bottom part of the stack that we don't have in the other issue:
frame #23163: 0x00007fff8346352b CoreText`TGlyphEncoder::AppendUnmappedCharRun(TCFRef<CTRun*>&, __CTFont const*, CFRange, CFRange, TGlyphList<TDeletedGlyphIndex>&, TGlyphList<TDeletedGlyphIndex>&, TFontCascade const&, TGlyphEncoder::ClusterMatching) + 857
frame #23164: 0x00007fff83462f2c CoreText`TGlyphEncoder::RunUnicodeEncoderRecursively(TCFRef<CTRun*>&&, __CTFont const*, CFRange, TGlyphList<TDeletedGlyphIndex>&, TGlyphList<TDeletedGlyphIndex>&, TFontCascade const*, TGlyphEncoder::ClusterMatching, bool) + 1118
frame #23165: 0x00007fff83437015 CoreText`TGlyphEncoder::RunUnicodeEncoder(TCFRef<CTRun*>&&, __CTFont const*, CFRange, TGlyphList<TDeletedGlyphIndex>&, TFontCascade const*) + 115
frame #23166: 0x00007fff834157d5 CoreText`TGlyphEncoder::EncodeChars(CFRange, TAttributes const&, TGlyphList<TDeletedGlyphIndex>&, TGlyphEncoder::Fallbacks) + 1169
frame #23167: 0x00007fff83413d0a CoreText`TTypesetterAttrString::Initialize(__CFAttributedString const*) + 364
frame #23168: 0x00007fff8346b897 CoreText`CTTypesetterCreateWithAttributedStringAndOptions + 84
frame #23169: 0x0000000110db29d5 Chromium Framework`_hb_coretext_shape + 4069
frame #23170: 0x0000000110db0df4 Chromium Framework`hb_shape_plan_execute + 404
frame #23171: 0x0000000110db12b1 Chromium Framework`hb_shape + 65
frame #23172: 0x00000001124a1063 Chromium Framework`blink::HarfBuzzShaper::shapeRange(hb_buffer_t*, unsigned int, unsigned int, blink::SimpleFontData const*, WTF::PassRefPtr<blink::UnicodeRangeSet>, UScriptCode, hb_language_impl_t const*) + 323
frame #23173: 0x00000001124a0ab9 Chromium Framework`blink::HarfBuzzShaper::shapeResult() + 1561
frame #23174: 0x000000011249a5a2 Chromium Framework`blink::CachingWordShapeIterator::shapeWordWithoutSpacing(blink::TextRun const&, blink::Font const*) + 178
frame #23175: 0x000000011249a1c6 Chromium Framework`blink::CachingWordShapeIterator::shapeWord(blink::TextRun const&, blink::Font const*) + 38
frame #23176: 0x000000011249a351 Chromium Framework`blink::CachingWordShapeIterator::shapeToEndIndex(WTF::RefPtr<blink::ShapeResult const>*, unsigned int) + 273
frame #23177: 0x000000011249a023 Chromium Framework`blink::CachingWordShapeIterator::nextForAllowTabs(WTF::RefPtr<blink::ShapeResult const>*) + 163
frame #23178: 0x000000011249975d Chromium Framework`blink::CachingWordShapeIterator::next(WTF::RefPtr<blink::ShapeResult const>*) + 221
frame #23179: 0x00000001124995db Chromium Framework`blink::CachingWordShaper::width(blink::Font const*, blink::TextRun const&, WTF::HashSet<blink::SimpleFontData const*, WTF::PtrHash<blink::SimpleFontData const>, WTF::HashTraits<blink::SimpleFontData const*>, WTF::PartitionAllocator>*, blink::FloatRect*) + 107
frame #23180: 0x00000001124744ce Chromium Framework`blink::Font::width(blink::TextRun const&, WTF::HashSet<blink::SimpleFontData const*, WTF::PtrHash<blink::SimpleFontData const>, WTF::HashTraits<blink::SimpleFontData const*>, WTF::PartitionAllocator>*, blink::FloatRect*) const + 158
frame #23181: 0x000000010fa496dc Chromium Framework`blink::BreakingContext::calculateWordWidth(WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&, blink::LineLayoutText&, unsigned int, float&, float, blink::Font const&, float, unsigned short) + 636
frame #23182: 0x000000010fa44056 Chromium Framework`blink::BreakingContext::handleText(WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&, bool&) + 3494
frame #23183: 0x000000010fa42234 Chromium Framework`blink::LineBreaker::nextLineBreak(blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::LineInfo&, blink::LayoutTextInfo&, WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&) + 596
frame #23184: 0x000000010f92f9e2 Chromium Framework`blink::LayoutBlockFlow::layoutRunsAndFloatsInRange(blink::LineLayoutState&, blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::InlineIterator const&, blink::BidiStatus const&) + 3426
frame #23185: 0x000000010f92df55 Chromium Framework`blink::LayoutBlockFlow::layoutRunsAndFloats(blink::LineLayoutState&) + 757
frame #23186: 0x000000010f932d96 Chromium Framework`blink::LayoutBlockFlow::layoutInlineChildren(bool, blink::LayoutUnit) + 1846
frame #23187: 0x000000010f91a336 Chromium Framework`blink::LayoutBlockFlow::layoutBlockFlow(bool, blink::LayoutUnit&, blink::SubtreeLayoutScope&) + 1254
frame #23188: 0x000000010f919be0 Chromium Framework`blink::LayoutBlockFlow::layoutBlock(bool) + 192
frame #23189: 0x000000010f90e4ca Chromium Framework`blink::LayoutBlock::layout() + 90
frame #23190: 0x000000010f91b414 Chromium Framework`blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) + 468
frame #23191: 0x000000010f91b6df Chromium Framework`blink::LayoutBlockFlow::layoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) + 239
frame #23192: 0x000000010f91f43d Chromium Framework`blink::LayoutBlockFlow::layoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) + 781
frame #23193: 0x000000010f91a354 Chromium Framework`blink::LayoutBlockFlow::layoutBlockFlow(bool, blink::LayoutUnit&, blink::SubtreeLayoutScope&) + 1284
frame #23194: 0x000000010f919be0 Chromium Framework`blink::LayoutBlockFlow::layoutBlock(bool) + 192
frame #23195: 0x000000010f90e4ca Chromium Framework`blink::LayoutBlock::layout() + 90
frame #23196: 0x000000010f680fe1 Chromium Framework`blink::FrameView::performLayout(bool) + 513
frame #23197: 0x000000010f67f256 Chromium Framework`blink::FrameView::layout() + 2726
frame #23198: 0x000000010f09968e Chromium Framework`blink::Document::updateStyleAndLayout() + 222
frame #23199: 0x000000010f09957a Chromium Framework`blink::Document::updateStyleAndLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks) + 26
frame #23200: 0x000000010f598abd Chromium Framework`blink::canonicalPositionOf(blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&) + 237
frame #23201: 0x000000010f592e7f Chromium Framework`blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> >::create(blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&) + 127
frame #23202: 0x000000010f593335 Chromium Framework`blink::createVisiblePosition(blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::TextAffinity) + 37
frame #23203: 0x000000010f5dc724 Chromium Framework`blink::ReplaceSelectionCommand::doApply(blink::EditingState*) + 6356
frame #23204: 0x000000010f5b6bc0 Chromium Framework`blink::CompositeEditCommand::apply() + 208
frame #23205: 0x000000010f56f425 Chromium Framework`blink::Editor::replaceSelectionWithFragment(blink::DocumentFragment*, bool, bool, bool) + 645
frame #23206: 0x000000010f56f142 Chromium Framework`blink::Editor::handleTextEvent(blink::TextEvent*) + 258
frame #23207: 0x000000010f1e4b48 Chromium Framework`blink::EventHandler::defaultTextInputEventHandler(blink::TextEvent*) + 24
frame #23208: 0x000000010f1bc16d Chromium Framework`blink::EventDispatcher::dispatchEventPostProcess(blink::EventDispatchHandlingState*) + 237
frame #23209: 0x000000010f1bb967 Chromium Framework`blink::EventDispatcher::dispatch() + 567
frame #23210: 0x000000010f1bb163 Chromium Framework`blink::EventDispatcher::dispatchEvent(blink::Node&, blink::EventDispatchMediator*) + 259
frame #23211: 0x000000010f570cc5 Chromium Framework`blink::Editor::pasteAsPlainText(WTF::String const&, bool) + 149
frame #23212: 0x000000010f574017 Chromium Framework`blink::Editor::paste() + 599
frame #23213: 0x000000010f5c9bf1 Chromium Framework`blink::executePaste(blink::LocalFrame&, blink::Event*, blink::EditorCommandSource, WTF::String const&) + 97
frame #23214: 0x000000010f5c6487 Chromium Framework`blink::Editor::Command::execute(WTF::String const&, blink::Event*) const + 599
frame #23215: 0x000000010f5c61fa Chromium Framework`blink::Editor::executeCommand(WTF::String const&) + 554
frame #23216: 0x000000011266cfcc Chromium Framework`blink::WebLocalFrameImpl::executeCommand(blink::WebString const&) + 540
frame #23217: 0x000000010fc4ec8f Chromium Framework`content::RenderFrameImpl::OnPaste() + 95
frame #23218: 0x000000010fc4eb52 Chromium Framework`bool IPC::MessageT<InputMsg_Paste_Meta, std::__1::tuple<>, void>::Dispatch<content::RenderFrameImpl, content::RenderFrameImpl, void, void (content::RenderFrameImpl::*)()>(IPC::Message const*, content::RenderFrameImpl*, content::RenderFrameImpl*, void*, void (content::RenderFrameImpl::*)()) + 98
frame #23219: 0x000000010fc4beda Chromium Framework`content::RenderFrameImpl::OnMessageReceived(IPC::Message const&) + 5882
frame #23220: 0x00000001113f9fdc Chromium Framework`IPC::MessageRouter::RouteMessage(IPC::Message const&) + 140
frame #23221: 0x00000001113f9f3d Chromium Framework`IPC::MessageRouter::OnMessageReceived(IPC::Message const&) + 141
frame #23222: 0x000000010eba33f3 Chromium Framework`content::ChildThreadImpl::OnMessageReceived(IPC::Message const&) + 915
frame #23223: 0x000000010fc86529 Chromium Framework`base::internal::Invoker<base::internal::BindState<void (base::CancelableCallback<void (IPC::Message const&)>::*)(IPC::Message const&), base::WeakPtr<base::CancelableCallback<void (IPC::Message const&)> > >, void (IPC::Message const&)>::Run(base::internal::BindStateBase*, IPC::Message const&) + 105
frame #23224: 0x000000010fbf676a Chromium Framework`base::internal::Invoker<base::internal::BindState<base::Callback<void (IPC::Message const&), (base::internal::CopyMode)1>, IPC::Message>, void ()>::Run(base::internal::BindStateBase*) + 106
frame #23225: 0x000000011037d70b Chromium Framework`base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) + 187
frame #23226: 0x0000000112400cfb Chromium Framework`scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*) + 811
frame #23227: 0x00000001123ff8bb Chromium Framework`scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) + 507
frame #23228: 0x0000000112401bbb Chromium Framework`base::internal::Invoker<base::internal::BindState<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks, bool>, void ()>::Run(base::internal::BindStateBase*) + 107
frame #23229: 0x000000011037d70b Chromium Framework`base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) + 187
frame #23230: 0x00000001103ab0ac Chromium Framework`base::MessageLoop::RunTask(base::PendingTask const&) + 572
frame #23231: 0x00000001103ab3ac Chromium Framework`base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) + 44
frame #23232: 0x00000001103ab6fb Chromium Framework`base::MessageLoop::DoWork() + 299
frame #23233: 0x00000001103aea47 Chromium Framework`base::MessagePumpCFRunLoopBase::RunWork() + 55
frame #23234: 0x000000011039b7aa Chromium Framework`base::mac::CallWithEHFrame(void () block_pointer) + 10
frame #23235: 0x00000001103ae3f4 Chromium Framework`base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 68
frame #23236: 0x00007fff8720e5b1 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #23237: 0x00007fff871ffc62 CoreFoundation`__CFRunLoopDoSources0 + 242
frame #23238: 0x00007fff871ff3ef CoreFoundation`__CFRunLoopRun + 831
frame #23239: 0x00007fff871fee75 CoreFoundation`CFRunLoopRunSpecific + 309
frame #23240: 0x00007fff831730fc Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 253
frame #23241: 0x00000001103af11e Chromium Framework`base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*) + 126
frame #23242: 0x00000001103ae87f Chromium Framework`base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 127
frame #23243: 0x00000001103aac07 Chromium Framework`base::MessageLoop::RunHandler() + 215
frame #23244: 0x00000001103d1bf3 Chromium Framework`base::RunLoop::Run() + 51
frame #23245: 0x000000010fcafe44 Chromium Framework`content::RendererMain(content::MainFunctionParams const&) + 740
frame #23246: 0x000000010febaff2 Chromium Framework`content::ContentMainRunnerImpl::Run() + 802
frame #23247: 0x000000010feba036 Chromium Framework`content::ContentMain(content::ContentMainParams const&) + 54
frame #23248: 0x000000010cfccfea Chromium Framework`ChromeMain + 58
frame #23249: 0x000000010cf95d62 Chromium Helper`main + 530
frame #23250: 0x000000010cf95b44 Chromium Helper`start + 52
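The trace above starts at frame #23163 because the top of the stack is thousands of copies of the same two CoreText frames; that repetition, not any single frame, is the diagnostic signal for a runaway recursion. As an added example (my code, not part of the bug report or of Chromium), here is a small parser for lldb `bt` output that strips addresses, argument lists and offsets, finds the shortest frame cycle repeating at the top of the stack, and reports how deep it goes and which function entered it. The sample backtrace is constructed for the example, modelled on the frames shown in this issue (argument lists shortened), with one libunwind frame on top to show that a non-repeating prologue is tolerated.

```python
"""Find the repeating frame cycle in an lldb backtrace.

Added example, not part of the bug report or of Chromium. Frame lines are
expected in lldb's form:
    frame #N: 0xADDR Module`symbol(args) + offset [at file:line]
Addresses, argument lists and offsets are stripped so the same function
recursing from different call sites compares equal.
"""
import re

FRAME_RE = re.compile(
    r"^\s*frame #(?P<num>\d+): 0x[0-9a-fA-F]+ (?P<module>[^`]+)`"
    r"(?P<symbol>.*?)(?: \+ \d+)?(?: at .*)?$"
)


def parse_frames(text):
    """Return [(frame_number, module, function_name), ...], innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # skip register dumps, source listings, lldb prompts
        name = m.group("symbol").split("(", 1)[0].strip()
        frames.append((int(m.group("num")), m.group("module"), name))
    return frames


def find_recursion(frames, min_repeats=3, max_period=8, max_prologue=16):
    """Locate the shortest cycle of function names that repeats at least
    min_repeats times, allowing up to max_prologue non-repeating frames at
    the top (unwinder / signal-handler frames). Returns None if none found."""
    names = [f[2] for f in frames]
    for start in range(min(len(names), max_prologue)):
        best = None
        for period in range(1, max_period + 1):
            pattern = names[start:start + period]
            if len(pattern) < period:
                break
            reps, i = 0, start
            while names[i:i + period] == pattern:
                reps += 1
                i += period
            covered = reps * period
            if reps >= min_repeats and (best is None or covered > best["recursive_frames"]):
                end = start + covered
                best = {
                    "cycle": pattern,
                    "repeats": reps,
                    "recursive_frames": covered,
                    "first_frame": frames[start][0],
                    "entered_from": names[end] if end < len(names) else None,
                    "total_frames": len(names),
                }
        if best:
            return best  # the shortest period wins when coverage ties
    return None


def likely_stack_overflow(result, threshold=1000):
    """A cycle covering this many frames is recursion that never terminated."""
    return result is not None and result["recursive_frames"] >= threshold


def analyze(text):
    return find_recursion(parse_frames(text))


# Constructed sample, modelled on the CoreText trace in this bug: one unwinder
# frame, the two-function cycle repeated `repeats` times, then the frames that
# entered the recursion. Addresses are synthetic.
_CYCLE = [
    "CoreText`TGlyphEncoder::AppendUnmappedCharRun(TCFRef<CTRun*>&, __CTFont const*, CFRange, TFontCascade const&) + 857",
    "CoreText`TGlyphEncoder::RunUnicodeEncoderRecursively(TCFRef<CTRun*>&&, __CTFont const*, CFRange, bool) + 1118",
]
_TAIL = [
    "CoreText`TGlyphEncoder::RunUnicodeEncoder(TCFRef<CTRun*>&&, __CTFont const*, CFRange) + 115",
    "CoreText`TGlyphEncoder::EncodeChars(CFRange, TAttributes const&) + 1169",
    "CoreText`CTTypesetterCreateWithAttributedStringAndOptions + 84",
    "Chromium Framework`_hb_coretext_shape + 4069 at hb-coretext.cc:856",
    "Chromium Framework`hb_shape + 65",
]


def build_sample_backtrace(repeats=4000):
    symbols = ["libunwind.dylib`libunwind::UnwindCursor<libunwind::LocalAddressSpace, "
               "libunwind::Registers_x86_64>::setInfoBasedOnIPRegister + 123"]
    symbols += _CYCLE * repeats + _TAIL
    return "\n".join(f"frame #{i}: 0x{0x7fff83400000 + 16 * i:016x} {sym}"
                     for i, sym in enumerate(symbols))


if __name__ == "__main__":
    r = analyze(build_sample_backtrace())
    print(f"cycle {r['cycle']} x{r['repeats']} from frame #{r['first_frame']}, "
          f"entered from {r['entered_from']}; stack overflow: {likely_stack_overflow(r)}")
```

Feed it a real `bt` dump (or the crash-server text) and the output tells you the cycle and its entry point in one line, which is the fact the reporter had to dig out of the Slack crash log by eye; for traces from a release build without symbols the cycle shows up as repeating addresses instead, so strip `+ offset` but keep the address in that case.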
Jul 8 2016
This is definitely related to U+25B6 and the Courier font. I was able to minimize the repro to just pasting ▶ into the .html file in #6. Though pasting the entire JSON contents also causes the crash to reliably happen on 10.9.5 13F1712.
I caught the renderer in the debugger before it descends into infinite recursion and gathered some data. Unfortunately, I cannot get the bug to repro in my test program (attached). Fonts in the renderer seem to be transmuted a lot from various NS/CT/CG types and I tried to capture that in my program, but I guess not successfully.
I'm a little out of my depths with Harfbuzz, so +drott who may have some ideas.
frame #1: 0x000000012df62f52 libblink_platform.dylib`::_hb_coretext_shape(shape_plan=0x00007fc648d5d080, font=0x00007fc648d5cfd0, buffer=0x00007fc648d5c5b0, features=0x0000000000000000, num_features=0) + 5634 at hb-coretext.cc:856
853 if (unlikely (!options))
854 FAIL ("CFDictionaryCreate failed");
855
-> 856 CTTypesetterRef typesetter = CTTypesetterCreateWithAttributedStringAndOptions (attr_string, options);
857 CFRelease (options);
858 CFRelease (attr_string);
859 if (unlikely (!typesetter))
(lldb) frame var
(hb_shape_plan_t *) shape_plan = 0x00007fc648d5d080
(hb_font_t *) font = 0x00007fc648d5cfd0
(hb_buffer_t *) buffer = 0x00007fc648d5c5b0
(const hb_feature_t *) features = 0x0000000000000000
(unsigned int) num_features = 0
(hb_face_t *) face = 0x00007fc648d5c6d0
(hb_coretext_shaper_face_data_t *) face_data = 0x00007fc648d5c770
(CGFloat) ct_font_size = 36
(CGFloat) x_mult = 20024.888888888891
(CGFloat) y_mult = 20024.888888888891
(hb_auto_array_t<feature_record_t>) feature_records = {
hb_prealloced_array_t<feature_record_t, 16> = {
len = 0
allocated = 0
array = 0x0000000000000000
static_array = {
[0] = (feature = 0, setting = 0)
[1] = (feature = 0, setting = 0)
[2] = (feature = 0, setting = 0)
[3] = (feature = 0, setting = 0)
[4] = (feature = 0, setting = 0)
[5] = (feature = 0, setting = 0)
[6] = (feature = 0, setting = 0)
[7] = (feature = 0, setting = 0)
[8] = (feature = 0, setting = 0)
[9] = (feature = 0, setting = 0)
[10] = (feature = 0, setting = 0)
[11] = (feature = 0, setting = 0)
[12] = (feature = 0, setting = 0)
[13] = (feature = 0, setting = 0)
[14] = (feature = 0, setting = 0)
[15] = (feature = 0, setting = 0)
}
}
}
(hb_auto_array_t<range_record_t>) range_records = {
hb_prealloced_array_t<range_record_t, 16> = {
len = 0
allocated = 0
array = 0x0000000000000000
static_array = {
[0] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[1] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[2] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[3] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[4] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[5] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[6] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[7] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[8] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[9] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[10] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[11] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[12] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[13] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[14] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
[15] = (font = 0x0000000000000000, index_first = 0, index_last = 0)
}
}
}
(unsigned int) scratch_size = 78
(scratch_buffer_t *) scratch = 0x00007fc648d5ca60
(UniChar *) pchars = 0x00007fc648d5ca50
(unsigned int) chars_len = 1
(unsigned int *) log_clusters = 0x00007fc648d5ca58
(bool) ret = true
(CFStringRef) string_ref = 0x00007fc648d58fb0 @"▶"
(CTLineRef) line = 0x0000000000000000
(CFArrayRef) glyph_runs = 0x00007fc648d4c620 @"0 objects"
(unsigned int) num_runs = 32767
(uint32_t) status_and = 1904811392
(uint32_t) status_or = 0
(double) advances_so_far = 3.1620201333839779E-322
(CFRange) range_all = location=4406749696 length=16
(unsigned int) count = 0
(hb_glyph_info_t *) info = 0x00007fc648d2e920
(hb_glyph_position_t *) pos = 0x0000000000000004
(CFMutableAttributedStringRef) attr_string = 0x00007fc648d58c60
(int) level = 0
(CFNumberRef) level_number = 0x0000000000000027 (int)0
(CFDictionaryRef) options = 0x00007fc648d5d3e0 @"1 entry"
(CTTypesetterRef) typesetter = 0x0000000106a9aa00
(lldb) po face_data->ct_font
"Courier 36.00 pt. P [] (0x7fc648d5d4c0) fobj=0x7fc648d5d4c0, spc=21.60"
Jul 20 2016
One more thing that came to mind: Does this really only occur when pasting? If there is an element of Blink / CoreText state to this bug, we might not be successful reproducing it with a custom executable or hb-shape. If it only works with pasting, perhaps one next reduction attempt could be a setTimeout() based delayed insertion to the document?
Jul 20 2016
This happens all the time for me, not just when pasting. There are quite a few pages now that are completely unusable in Chrome because of this crashing bug. I discovered the bug while working on a web app. Our production instance of the web app is still inaccessible for me because of text on the page containing this character, as well as the bug database where I reported this issue and sometimes Slack when I open the channel where I discussed this issue.
Jul 22 2016
drott: That was my thought, too, but I can't seem to get a setTimeout()/setInterval() based repro to work:
<textarea id="boom" style="font-family:Courier"></textarea>
<script>
  // Insert U+25B6 programmatically (no paste) once a second, to see whether
  // script-driven insertion into a Courier textarea triggers the crash.
  setInterval(function() {
    var data = '\u25B6 \u25b6 \u25b6';
    document.getElementById('boom').value = data;
  }, 1000);
</script>
Pasting is very reliable. Sometimes just \u25b6 will not cause it to crash, but pasting the JSON always does.
Given how frequent this crash is on the crash servers, it seems likely that it is not just editing command related.
Jul 22 2016
I'm attaching the testcase file I've been working on, as well as three lldb sessions with back traces. The testcase has the sample textarea as well as a button that merely appends the unicode character to the textarea.
I did three tests:
just-button: Press the Insert button once, then press space, then press the insert button again. In the lldb session, we see shaping requests to CTTypesetterCreateWithAttributedStringAndOptions for the unicode character, then the space, and then nothing, since the unicode character is cached from the first shaping. No crashes.
just-paste: Paste the character directly into the textarea. We see the shaping request, and then it crashes immediately.
button-then-paste: Press the Insert button once, then press space, then paste the character. In the lldb session, the shaping request to CTTypesetterCreateWithAttributedStringAndOptions is the same as just-button when the Insert button is pressed. Pressing space sees the request for that character. But then pasting the unicode character causes a new request to CTTypesetterCreateWithAttributedStringAndOptions, indicating that it's not using the cached shape from pressing the Insert button.
Comparing the stack traces between just-button and just-paste, they are identical until frame 16:
just-paste:
frame #15: 0x00000001137d1c79 Chromium Framework`blink::Font::width(this=0x00000b3662900878, run=0x00007fff51654280, fallbackFonts=0x0000000000000000, glyphBounds=0x0000000000000000) const + 121 at Font.cpp:242
frame #16: 0x0000000110c133f9 Chromium Framework`blink::BreakingContext::handleText(WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&, bool&) [inlined] blink::textWidth(from=<unavailable>, len=<unavailable>, font=<unavailable>, xPos=<unavailable>) + 244 at BreakingContextInlineHeaders.h:547
frame #17: 0x0000000110c13305 Chromium Framework`blink::BreakingContext::handleText(WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&, bool&) [inlined] blink::BreakingContext::shouldMidWordBreak(this=0x00007fff516545c0, font=<unavailable>) + 151 at BreakingContextInlineHeaders.h:566
frame #18: 0x0000000110c1326e Chromium Framework`blink::BreakingContext::handleText(this=<unavailable>, wordMeasurements=0x00007fff51654a50, hyphenated=0x00007fff51654818) + 1998 at BreakingContextInlineHeaders.h:796
frame #19: 0x0000000110c11a24 Chromium Framework`blink::LineBreaker::nextLineBreak(this=<unavailable>, resolver=<unavailable>, lineInfo=<unavailable>, layoutTextInfo=0x00007fff51654818, wordMeasurements=0x00007fff51654a50) + 596 at LineBreaker.cpp:86
frame #20: 0x0000000110afe292 Chromium Framework`blink::LayoutBlockFlow::layoutRunsAndFloatsInRange(this=<unavailable>, layoutState=<unavailable>, resolver=<unavailable>, cleanLineStart=0x00007fff51655aa0, cleanLineBidiStatus=0x00007fff51655ab8) + 3410 at LayoutBlockFlowLine.cpp:857
frame #21: 0x0000000110afc815 Chromium Framework`blink::LayoutBlockFlow::layoutRunsAndFloats(this=<unavailable>, layoutState=<unavailable>) + 757 at LayoutBlockFlowLine.cpp:769
frame #22: 0x0000000110b01616 Chromium Framework`blink::LayoutBlockFlow::layoutInlineChildren(this=<unavailable>, relayoutChildren=<unavailable>, afterEdge=<unavailable>) + 1798 at LayoutBlockFlowLine.cpp:1602
frame #23: 0x0000000110ae8df3 Chromium Framework`blink::LayoutBlockFlow::layoutBlockFlow(this=0x00001c58db424358, relayoutChildren=true, pageLogicalHeight=<unavailable>, layoutScope=0x00001c58db4243dc) + 1251 at LayoutBlockFlow.cpp:469
frame #24: 0x0000000110ae86a0 Chromium Framework`blink::LayoutBlockFlow::layoutBlock(this=<unavailable>, relayoutChildren=<unavailable>) + 192 at LayoutBlockFlow.cpp:389
just-button:
frame #16: 0x0000000108855add Chromium Framework`blink::LayoutText::width(unsigned int, unsigned int, blink::Font const&, blink::LayoutUnit, blink::TextDirection, WTF::HashSet<blink::SimpleFontData const*, WTF::PtrHash<blink::SimpleFontData const>, WTF::HashTraits<blink::SimpleFontData const*>, WTF::PartitionAllocator>*, blink::FloatRect*) const [inlined] blink::LayoutText::widthFromFont(this=<unavailable>, start=0, len=1, leadWidth=<unavailable>, textWidthSoFar=0, textDirection=LTR, fallbackFonts=<unavailable>, glyphBoundsAccumulation=<unavailable>) const + 113 at LayoutText.cpp:729
frame #17: 0x0000000108855a6c Chromium Framework`blink::LayoutText::width(this=<unavailable>, from=0, len=1, f=0x00001ce0a41005b8, xPos=<unavailable>, textDirection=LTR, fallbackFonts=<unavailable>, glyphBounds=<unavailable>) const + 556 at LayoutText.cpp:1560
frame #18: 0x00000001088cd4af Chromium Framework`blink::BreakingContext::handleText(WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&, bool&) [inlined] blink::LineLayoutText::width(from=<unavailable>, font=<unavailable>, xPos=<unavailable>) const + 29 at LineLayoutText.h:129
frame #19: 0x00000001088cd492 Chromium Framework`blink::BreakingContext::handleText(WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&, bool&) [inlined] blink::textWidth(from=<unavailable>, len=<unavailable>, font=<unavailable>, xPos=<unavailable>) + 106 at BreakingContextInlineHeaders.h:542
frame #20: 0x00000001088cd428 Chromium Framework`blink::BreakingContext::handleText(WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&, bool&) [inlined] blink::BreakingContext::shouldMidWordBreak(this=0x00007fff5999a690, font=<unavailable>) at BreakingContextInlineHeaders.h:566
frame #21: 0x00000001088cd428 Chromium Framework`blink::BreakingContext::handleText(this=<unavailable>, wordMeasurements=0x00007fff5999ab20, hyphenated=0x00007fff5999a8e8) + 2440 at BreakingContextInlineHeaders.h:796
frame #22: 0x00000001088cba24 Chromium Framework`blink::LineBreaker::nextLineBreak(this=<unavailable>, resolver=<unavailable>, lineInfo=<unavailable>, layoutTextInfo=0x00007fff5999a8e8, wordMeasurements=0x00007fff5999ab20) + 596 at LineBreaker.cpp:86
frame #23: 0x00000001087b8292 Chromium Framework`blink::LayoutBlockFlow::layoutRunsAndFloatsInRange(this=<unavailable>, layoutState=<unavailable>, resolver=<unavailable>, cleanLineStart=0x00007fff5999bb70, cleanLineBidiStatus=0x00007fff5999bb88) + 3410 at LayoutBlockFlowLine.cpp:857
frame #24: 0x00000001087b6815 Chromium Framework`blink::LayoutBlockFlow::layoutRunsAndFloats(this=<unavailable>, layoutState=<unavailable>) + 757 at LayoutBlockFlowLine.cpp:769
I'm not sure what to make of the difference between how the BreakingContext is being called.
Jul 22 2016
Debugging this with drott@, he suggested disabling the font cascade logic in create_ct_font() in third_party/harfbuzz-ng/src/hb-coretext.cc. After doing that I can no longer get it to repro, so conditionally disabling that on 10.9 may be the best way to resolve this.
Jul 22 2016
Bouncing over to drott@ to make a real harfbuzz patch for this.
Jul 22 2016
Behdad, looks like we need to disable the cascade list reconfiguration on 10.9 as CoreText crashes on it too frequently.
Jul 22 2016
Candidate fix up in https://codereview.chromium.org/2173883002
Jul 22 2016
Issue 576941 has been merged into this issue.
Jul 22 2016
Users experienced this crash on the following builds: Mac Dev 53.0.2785.21 - 5.70 CPM, 17 reports, 10 clients (signature libunwind::UnwindCursor<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::setInfoBasedOnIPRegister) If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Jul 22 2016
Users experienced this crash on the following builds: Mac Stable 52.0.2743.82 - 3.29 CPM, 82 reports, 59 clients (signature libunwind::UnwindCursor<libunwind::LocalAddressSpace, libunwind::Registers_x86_64>::setInfoBasedOnIPRegister) If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Jul 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/64a2d4d02ea769c849df4718d196df12a3f79091

commit 64a2d4d02ea769c849df4718d196df12a3f79091
Author: drott <drott@chromium.org>
Date: Fri Jul 22 17:15:33 2016

Fix infinite recursion crash in HarfBuzz' CoreText backend

The font cascade reconfiguration which was introduced as fix for AAT shaping performance regressions in crbug.com/547912 seems to occasionally cause CoreText crashes on OS X 10.9. We don't have a better way of detecting this than by OS or CoreText API version number. This is one of our top Mac crashers on Mac OS 10.9 with Chrome across versions [1]. This crash does not occur in newer versions of OS X and we can keep this important performance optimization enabled there.

A big thanks to Robert Sesek (rsesek@) for the patient and thorough initial investigation. Discussing and working together on this issue we were able to identify the crash triggering code in HarfBuzz in this case.

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=576941#c74

BUG=576941, 625902
Review-Url: https://codereview.chromium.org/2173883002
Cr-Commit-Position: refs/heads/master@{#407185}

[modify] https://crrev.com/64a2d4d02ea769c849df4718d196df12a3f79091/third_party/harfbuzz-ng/README.chromium
[modify] https://crrev.com/64a2d4d02ea769c849df4718d196df12a3f79091/third_party/harfbuzz-ng/src/hb-coretext.cc
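The fix keeps the cascade reconfiguration everywhere except on the OS release known to crash, and the commit message notes the only available signal is the OS or CoreText version number. As an added illustration of that gating pattern (my code, not HarfBuzz's or Chromium's; the function names and the `(10, 10)` cut-off tuple are mine, the cut-off itself comes from the commit's "does not occur in newer versions of OS X"), the block below parses a version string into a numeric tuple before comparing it, and shows why a plain string comparison gets exactly the 10.9 vs 10.10 boundary wrong.

```python
"""Version-gated workaround, in the spirit of the fix above: disable a known-
crashy code path only on the affected OS releases and keep it everywhere else.

Added example, not HarfBuzz or Chromium code. Names are mine; the only
page-derived fact is that the cascade reconfiguration is skipped on OS X 10.9
and kept on 10.10 and later.
"""

# First OS X release on which the CoreText crash is not observed.
FIRST_GOOD_OSX = (10, 10)


def parse_version(text):
    """'10.9.5 (13F1808)' -> (10, 9, 5). Trailing non-digits in a component
    ('10.10beta') and build tags after a space are ignored rather than
    raising, so odd-looking strings still gate correctly."""
    core = text.strip().split()[0]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def cascade_reconfiguration_enabled(os_version):
    """True when the faster code path may be used, i.e. on FIRST_GOOD_OSX or
    later. Tuple comparison makes (10, 10) > (10, 9, 5) come out right."""
    return parse_version(os_version) >= FIRST_GOOD_OSX


def naive_string_gate(os_version):
    """The pitfall: comparing version *strings* puts '10.9.5' above '10.10'
    ('9' > '1'), so this leaves the crashing path enabled on 10.9.5."""
    return os_version >= "10.10"


if __name__ == "__main__":
    for v in ("10.9.5 (13F1808)", "10.10", "10.11.6"):
        print(f"{v:18} numeric gate: {cascade_reconfiguration_enabled(v)!s:5} "
              f"string gate: {naive_string_gate(v)}")
```

The same shape applies to any platform-specific kill switch: parse once, compare numerically, and write the cut-off as the first good version rather than the last bad one so that future releases default to the optimised path.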
Jul 25 2016
The Canary is a base branch #407375, version 54.0.2806.0 and I see no reports for this version. Marking this as Fixed.
Jul 26 2016
I think we may want this for M53 merge.
Jul 27 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Jul 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/79ae5a3b7fb58358b23443cbd8a3e09087e0ac86

commit 79ae5a3b7fb58358b23443cbd8a3e09087e0ac86
Author: Dominik Röttsches <drott@chromium.org>
Date: Wed Jul 27 15:32:44 2016

Fix infinite recursion crash in HarfBuzz' CoreText backend

The font cascade reconfiguration which was introduced as fix for AAT shaping performance regressions in crbug.com/547912 seems to occasionally cause CoreText crashes on OS X 10.9. We don't have a better way of detecting this than by OS or CoreText API version number. This is one of our top Mac crashers on Mac OS 10.9 with Chrome across versions [1]. This crash does not occur in newer versions of OS X and we can keep this important performance optimization enabled there.

A big thanks to Robert Sesek (rsesek@) for the patient and thorough initial investigation. Discussing and working together on this issue we were able to identify the crash triggering code in HarfBuzz in this case.

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=576941#c74

BUG=576941, 625902
Review-Url: https://codereview.chromium.org/2173883002
Cr-Commit-Position: refs/heads/master@{#407185}
(cherry picked from commit 64a2d4d02ea769c849df4718d196df12a3f79091)

Review URL: https://codereview.chromium.org/2190463005 .
Cr-Commit-Position: refs/branch-heads/2785@{#369}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/79ae5a3b7fb58358b23443cbd8a3e09087e0ac86/third_party/harfbuzz-ng/README.chromium
[modify] https://crrev.com/79ae5a3b7fb58358b23443cbd8a3e09087e0ac86/third_party/harfbuzz-ng/src/hb-coretext.cc
Jul 29 2016
Issue 632512 has been merged into this issue.
Aug 12 2016
Verified the crash in issue 576941, which is marked as the dupe of this bug. Confirming that the crash is not reported in latest Beta-53.0.2785.57 and Canary-54.0.2827.0 but still occurs in Stable:
52.0.2743.116  1.67%  3962
52.0.2743.82   1.05%  2489
We may need to merge this to M52, if there is another re-spin.
Jul 6 2017
shrike@, this is an earlier one on 10.9, which was very painful to debug and work around.