[Webkit-unassigned] [Bug 183323] New: Crash when using different font-feature-settings on a couple of spans. Crashing on exception: -[__NSCFNumber compare:]: nil argument
bugzilla-daemon at webkit.org
Sun Mar 4 20:39:37 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=183323
Bug ID: 183323
Summary: Crash when using different font-feature-settings on a
couple of spans. Crashing on exception: -[__NSCFNumber
compare:]: nil argument
Product: WebKit
Version: Safari 11
Hardware: All
OS: macOS 10.13
Status: NEW
Severity: Critical
Priority: P2
Component: CSS
Assignee: webkit-unassigned at lists.webkit.org
Reporter: niteshchordiya at gmail.com
Created attachment 334987
--> https://bugs.webkit.org/attachment.cgi?id=334987&action=review
Sample html to reproduce the issue
Summary:
-------------
When I use font-feature-settings in CSS for a couple of spans, Safari is unable to show the HTML; it crashes and warns that a 'problem repeatedly occurred' with the test file. The problem occurs with different combinations of font-feature-settings values in span styles.
I have attached an HTML file with a minimal sample to consistently reproduce this problem. You may also try the code snippet in my Stack Overflow query: https://stackoverflow.com/questions/48989228/safari-11-crash-on-10-13-with-css-using-font-feature-settings-for-open-type-feat
Steps to Reproduce:
--------------------------
1. Define a CSS style, say .style1, using "case" in font-feature-settings.
2. Define another CSS style, say .style2, using "numr".
3. Use 'Adobe Caslon Pro' in both the styles. (Or a font that supports both of these OpenType features.)
4. Use these styles on two separate spans in HTML.
5. Save the HTML and open it in Safari.
Some observations:
--------------------------
1. It crashes in 11.0.2, 11.0.3 (on High Sierra), but not in 11.0.1 (on Sierra)
2. IT'S NOT FONT SPECIFIC. It crashed with other fonts too which support the features used in the styles.
3. It doesn't crash if only a single style was used.
4. It's not specific to the combination of 'numr' or 'case' features, e.g. it crashes for 'case' & 'ornm' too.
5. The crash log says Crashing on exception: -[__NSCFNumber compare:]: nil argument
Sample html to reproduce the issue:
------------------------------------------------
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
Safari Crash Bug
</title>
<meta http-equiv="Content-Type" content="text/html;CHARSET=utf-8"/>
<style type="text/css">
<!--
.char-Style1 {
font-family:'Adobe Caslon Pro','ACaslonPro-Regular';
font-feature-settings:"case";
}
.char-Style2 {
font-family:'Adobe Caslon Pro','ACaslonPro-Regular';
font-feature-settings:"numr";
}
-->
</style>
</head>
<body>
<div>
<span class="char-Style1">A</span>
<span class="char-Style2">1</span>
</div>
</body>
</html>
Crash log:
-------------
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Illegal instruction: 4
Termination Reason: Namespace SIGNAL, Code 0x4
Terminating Process: exc handler [0]
Application Specific Information:
Crashing on exception: -[__NSCFNumber compare:]: nil argument
Bundle controller class:
BrowserBundleController
Application Specific Backtrace 1:
0 CoreFoundation 0x00007fff4a0f41fb __exceptionPreprocess + 171
1 libobjc.A.dylib 0x00007fff70d73942 objc_exception_throw + 48
2 CoreFoundation 0x00007fff4a1846d5 +[NSException raise:format:] + 197
3 CoreFoundation 0x00007fff4a01efe4 -[__NSCFNumber compare:] + 84
4 CoreFoundation 0x00007fff4a01ef76 -[__NSCFNumber isEqualToNumber:] + 22
5 CoreText 0x00007fff4bb7e03a -[CTFeatureSetting isEqualToFeatureSetting:] + 68
6 CoreFoundation 0x00007fff4a06e0ce -[NSArray isEqualToArray:] + 350
7 CoreFoundation 0x00007fff4a009259 CFEqual + 585
8 CoreFoundation 0x00007fff4a08b5a6 __CFBasicHashesAreEqual_block_invoke + 2614
9 CoreFoundation 0x00007fff4a060a28 CFBasicHashesAreEqual + 600
10 CoreText 0x00007fff4bb27b4c _ZeqRK6TCFRefIPK14__CFDictionaryES5_ + 32
11 CoreText 0x00007fff4bb32a86 _ZNK5TFonteqERKS_ + 134
12 CoreText 0x00007fff4bb329f9 _ZN7TCFBaseI5TFontE10ClassEqualEPKvS3_ + 17
13 WebCore 0x00007fff570ca349 _ZNK7WebCore16FontPlatformData15platformIsEqualERKS0_ + 25
14 WebCore 0x00007fff5761e6d7 _ZN3WTF7HashMapIN7WebCore16FontPlatformDataENS_6RefPtrINS1_4FontEEENS1_20FontDataCacheKeyHashENS1_22FontDataCacheKeyTraitsENS_10HashTraitsIS5_EEE3addIDnEENS_18HashTableAddResultINS_17HashTableIteratorIS2_NS_12KeyValuePairIS2_S5_EENS_24KeyValuePairKeyExtractorISF_EES6_NSA_18KeyValuePairTraitsES7_EEEERKS2_OT_ + 247
15 WebCore 0x00007fff5761e564 _ZN7WebCore9FontCache19fontForPlatformDataERKNS_16FontPlatformDataE + 100
16 WebCore 0x00007fff5761e4d8 _ZN7WebCore9FontCache13fontForFamilyERKNS_15FontDescriptionERKN3WTF12AtomicStringEPKNS_18FontTaggedSettingsIiEEPKNS_19FontVariantSettingsENS_34FontSelectionSpecifiedCapabilitiesEb + 216
17 WebCore 0x00007fff5748ec6e _ZN7WebCore15CSSFontSelector19fontRangesForFamilyERKNS_15FontDescriptionERKN3WTF12AtomicStringE + 270
18 WebCore 0x00007fff57634ce4 _ZN7WebCoreL19realizeNextFallbackERKNS_22FontCascadeDescriptionERjPNS_12FontSelectorE + 180
19 WebCore 0x00007fff576349ce _ZN7WebCore16FontCascadeFonts23realizeFallbackRangesAtERKNS_22FontCascadeDescriptionEj + 270
20 WebCore 0x00007fff5714a43c _ZN7WebCore12RenderInline27updateAlwaysCreateLineBoxesEb + 364
21 WebCore 0x00007fff57edc8b8 _ZN7WebCore15RenderBlockFlow15layoutLineBoxesEbRNS_10LayoutUnitES2_ + 824
22 WebCore 0x00007fff57ec86c2 _ZN7WebCore15RenderBlockFlow11layoutBlockEbNS_10LayoutUnitE + 866
23 WebCore 0x00007fff570ffe88 _ZN7WebCore11RenderBlock6layoutEv + 56
24 WebCore 0x00007fff57eca4c1 _ZN7WebCore15RenderBlockFlow16layoutBlockChildERNS_9RenderBoxERNS0_10MarginInfoERNS_10LayoutUnitES6_ + 817
25 WebCore 0x00007fff57ec945c _ZN7WebCore15RenderBlockFlow19layoutBlockChildrenEbRNS_10LayoutUnitE + 508
26 WebCore 0x00007fff57ec86b0 _ZN7WebCore15RenderBlockFlow11layoutBlockEbNS_10LayoutUnitE + 848
27 WebCore 0x00007fff570ffe88 _ZN7WebCore11RenderBlock6layoutEv + 56
--
You are receiving this mail because:
You are the assignee for the bug.
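A triage sketch for the backtrace in this report, added here as an example and not part of the original message or of WebKit's tooling: it parses the frames, skips the exception-raising machinery to find the method that threw, and groups frames by image to show where control leaves WebCore. The function names, the `THROW_MACHINERY` set and the partial demangler (leading `_ZN`/`_ZNK` nested name only) are assumptions of this example; the frames are copied from the crash log above.

```python
import re
from itertools import groupby
# Frames 0-13 and 15 copied from the crash log in this report (frame 14 omitted for length).
BACKTRACE = """
0 CoreFoundation 0x00007fff4a0f41fb __exceptionPreprocess + 171
1 libobjc.A.dylib 0x00007fff70d73942 objc_exception_throw + 48
2 CoreFoundation 0x00007fff4a1846d5 +[NSException raise:format:] + 197
3 CoreFoundation 0x00007fff4a01efe4 -[__NSCFNumber compare:] + 84
4 CoreFoundation 0x00007fff4a01ef76 -[__NSCFNumber isEqualToNumber:] + 22
5 CoreText 0x00007fff4bb7e03a -[CTFeatureSetting isEqualToFeatureSetting:] + 68
6 CoreFoundation 0x00007fff4a06e0ce -[NSArray isEqualToArray:] + 350
7 CoreFoundation 0x00007fff4a009259 CFEqual + 585
8 CoreFoundation 0x00007fff4a08b5a6 __CFBasicHashesAreEqual_block_invoke + 2614
9 CoreFoundation 0x00007fff4a060a28 CFBasicHashesAreEqual + 600
10 CoreText 0x00007fff4bb27b4c _ZeqRK6TCFRefIPK14__CFDictionaryES5_ + 32
11 CoreText 0x00007fff4bb32a86 _ZNK5TFonteqERKS_ + 134
12 CoreText 0x00007fff4bb329f9 _ZN7TCFBaseI5TFontE10ClassEqualEPKvS3_ + 17
13 WebCore 0x00007fff570ca349 _ZNK7WebCore16FontPlatformData15platformIsEqualERKS0_ + 25
15 WebCore 0x00007fff5761e564 _ZN7WebCore9FontCache19fontForPlatformDataERKNS_16FontPlatformDataE + 100
"""
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(.*?)\s+\+\s+(\d+)$")
# Frames that only raise the NSException; the frame below them is the one that threw.
THROW_MACHINERY = {"__exceptionPreprocess", "objc_exception_throw", "+[NSException raise:format:]"}

def parse_frames(text):
    """Turn 'index image address symbol + offset' lines into dicts; other lines are skipped."""
    rows = (FRAME_RE.match(line.strip()) for line in text.splitlines())
    return [{"index": int(m[1]), "image": m[2], "symbol": m[4]} for m in rows if m]

def qualified_name(symbol):
    """Leading nested name of an Itanium-mangled symbol; anything else is returned unchanged."""
    m = re.match(r"_ZNK?", symbol)
    if not m:
        return symbol
    pos, parts = m.end(), []
    while (n := re.match(r"\d+", symbol[pos:])):  # <length><identifier> components
        start = pos + n.end()
        pos = start + int(n[0])
        parts.append(symbol[start:pos])
    return "::".join(parts) or symbol

def triage(text, app_image="WebCore"):
    frames = parse_frames(text)
    thrower = next(f for f in frames if f["symbol"] not in THROW_MACHINERY)
    path = [(img, [f["index"] for f in grp]) for img, grp in groupby(frames, key=lambda f: f["image"])]
    caller = next(f for f in frames if f["image"] == app_image)  # innermost frame in app_image
    return {"thrower": thrower["symbol"], "path": path, "app_frame": qualified_name(caller["symbol"])}

print(triage(BACKTRACE))
```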