[Webkit-unassigned] [Bug 183323] New: Crash when using different font-feature-settings on a couple of spans. Crashing on exception: -[__NSCFNumber compare:]: nil argument

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Mar 4 20:39:37 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=183323

            Bug ID: 183323
           Summary: Crash when using different font-feature-settings on a
                    couple of spans. Crashing on exception: -[__NSCFNumber
                    compare:]: nil argument
           Product: WebKit
           Version: Safari 11
          Hardware: All
                OS: macOS 10.13
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: CSS
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: niteshchordiya at gmail.com

Created attachment 334987

  --> https://bugs.webkit.org/attachment.cgi?id=334987&action=review

Sample html to reproduce the issue

Summary:
-------------
When I use font-feature-settings in CSS for a couple of spans, Safari is unable to show the HTML; it crashes and warns that a 'problem repeatedly occurred' with the test file. The problem occurs with different combinations of font-feature-settings values in span styles.
I have attached an HTML file with a minimal sample to consistently reproduce this problem. You may also try the code snippet in my Stack Overflow query: https://stackoverflow.com/questions/48989228/safari-11-crash-on-10-13-with-css-using-font-feature-settings-for-open-type-feat

Steps to Reproduce:
--------------------------
1. Define a CSS style, say .style1, using "case" in font-feature-settings.
2. Define another CSS style, say .style2, using "numr".
3. Use 'Adobe Caslon Pro' in both styles (or a font that supports both of these OpenType features).
4. Use these styles on two separate spans in the HTML.
5. Save the HTML and open it in Safari.

Some observations:
--------------------------
1. It crashes in 11.0.2 and 11.0.3 (on High Sierra), but not in 11.0.1 (on Sierra).
2. IT'S NOT FONT SPECIFIC. It crashed with other fonts too that support the features used in the styles.
3. It doesn't crash if only a single style is used.
4. It's not specific to the combination of the 'numr' and 'case' features, e.g. it crashes for 'case' & 'ornm' too.
5. The crash log says: Crashing on exception: -[__NSCFNumber compare:]: nil argument

Sample html to reproduce the issue:
------------------------------------------------
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>
    Safari Crash Bug
</title>
<meta http-equiv="Content-Type" content="text/html;CHARSET=utf-8"/>
<style type="text/css">
<!-- 
    /* Two classes with the same font family but different OpenType feature settings;
       each is applied to its own span below. */
    .char-Style1 {
        font-family:'Adobe Caslon Pro','ACaslonPro-Regular';
        font-feature-settings:"case";
    }
    .char-Style2 {
        font-family:'Adobe Caslon Pro','ACaslonPro-Regular';
        font-feature-settings:"numr";
    }
 -->
</style>
</head>

<body>
<div>
    <span class="char-Style1">A</span>
    <span class="char-Style2">1</span>
</div>
</body>
</html>

Crash log:
-------------
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes:       0x0000000000000001, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Illegal instruction: 4
Termination Reason:    Namespace SIGNAL, Code 0x4
Terminating Process:   exc handler [0]

Application Specific Information:
Crashing on exception: -[__NSCFNumber compare:]: nil argument
Bundle controller class:
BrowserBundleController


Application Specific Backtrace 1:
0   CoreFoundation                      0x00007fff4a0f41fb __exceptionPreprocess + 171
1   libobjc.A.dylib                     0x00007fff70d73942 objc_exception_throw + 48
2   CoreFoundation                      0x00007fff4a1846d5 +[NSException raise:format:] + 197
3   CoreFoundation                      0x00007fff4a01efe4 -[__NSCFNumber compare:] + 84
4   CoreFoundation                      0x00007fff4a01ef76 -[__NSCFNumber isEqualToNumber:] + 22
5   CoreText                            0x00007fff4bb7e03a -[CTFeatureSetting isEqualToFeatureSetting:] + 68
6   CoreFoundation                      0x00007fff4a06e0ce -[NSArray isEqualToArray:] + 350
7   CoreFoundation                      0x00007fff4a009259 CFEqual + 585
8   CoreFoundation                      0x00007fff4a08b5a6 __CFBasicHashesAreEqual_block_invoke + 2614
9   CoreFoundation                      0x00007fff4a060a28 CFBasicHashesAreEqual + 600
10  CoreText                            0x00007fff4bb27b4c _ZeqRK6TCFRefIPK14__CFDictionaryES5_ + 32
11  CoreText                            0x00007fff4bb32a86 _ZNK5TFonteqERKS_ + 134
12  CoreText                            0x00007fff4bb329f9 _ZN7TCFBaseI5TFontE10ClassEqualEPKvS3_ + 17
13  WebCore                             0x00007fff570ca349 _ZNK7WebCore16FontPlatformData15platformIsEqualERKS0_ + 25
14  WebCore                             0x00007fff5761e6d7 _ZN3WTF7HashMapIN7WebCore16FontPlatformDataENS_6RefPtrINS1_4FontEEENS1_20FontDataCacheKeyHashENS1_22FontDataCacheKeyTraitsENS_10HashTraitsIS5_EEE3addIDnEENS_18HashTableAddResultINS_17HashTableIteratorIS2_NS_12KeyValuePairIS2_S5_EENS_24KeyValuePairKeyExtractorISF_EES6_NSA_18KeyValuePairTraitsES7_EEEERKS2_OT_ + 247
15  WebCore                             0x00007fff5761e564 _ZN7WebCore9FontCache19fontForPlatformDataERKNS_16FontPlatformDataE + 100
16  WebCore                             0x00007fff5761e4d8 _ZN7WebCore9FontCache13fontForFamilyERKNS_15FontDescriptionERKN3WTF12AtomicStringEPKNS_18FontTaggedSettingsIiEEPKNS_19FontVariantSettingsENS_34FontSelectionSpecifiedCapabilitiesEb + 216
17  WebCore                             0x00007fff5748ec6e _ZN7WebCore15CSSFontSelector19fontRangesForFamilyERKNS_15FontDescriptionERKN3WTF12AtomicStringE + 270
18  WebCore                             0x00007fff57634ce4 _ZN7WebCoreL19realizeNextFallbackERKNS_22FontCascadeDescriptionERjPNS_12FontSelectorE + 180
19  WebCore                             0x00007fff576349ce _ZN7WebCore16FontCascadeFonts23realizeFallbackRangesAtERKNS_22FontCascadeDescriptionEj + 270
20  WebCore                             0x00007fff5714a43c _ZN7WebCore12RenderInline27updateAlwaysCreateLineBoxesEb + 364
21  WebCore                             0x00007fff57edc8b8 _ZN7WebCore15RenderBlockFlow15layoutLineBoxesEbRNS_10LayoutUnitES2_ + 824
22  WebCore                             0x00007fff57ec86c2 _ZN7WebCore15RenderBlockFlow11layoutBlockEbNS_10LayoutUnitE + 866
23  WebCore                             0x00007fff570ffe88 _ZN7WebCore11RenderBlock6layoutEv + 56
24  WebCore                             0x00007fff57eca4c1 _ZN7WebCore15RenderBlockFlow16layoutBlockChildERNS_9RenderBoxERNS0_10MarginInfoERNS_10LayoutUnitES6_ + 817
25  WebCore                             0x00007fff57ec945c _ZN7WebCore15RenderBlockFlow19layoutBlockChildrenEbRNS_10LayoutUnitE + 508
26  WebCore                             0x00007fff57ec86b0 _ZN7WebCore15RenderBlockFlow11layoutBlockEbNS_10LayoutUnitE + 848
27  WebCore                             0x00007fff570ffe88 _ZN7WebCore11RenderBlock6layoutEv + 56
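For triage, the useful parts of the crash log above are the exception header, the "Crashing on exception" message and the backtrace frames; the Python below (an added example, not WebKit code or anything from the reporter) parses that macOS crash-report format from an excerpt of this report's own log and finds the first WebCore frame beneath the CoreFoundation/CoreText frames that raised.

```python
import re
from collections import namedtuple

# Excerpt of the crash log quoted in this bug report (frames 6-12 omitted here,
# so the indices jump); the parser below is an added example, not WebKit code.
CRASH_LOG = """\
Exception Type:        EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes:       0x0000000000000001, 0x0000000000000000
Termination Signal:    Illegal instruction: 4
Crashing on exception: -[__NSCFNumber compare:]: nil argument

Application Specific Backtrace 1:
0   CoreFoundation                      0x00007fff4a0f41fb __exceptionPreprocess + 171
1   libobjc.A.dylib                     0x00007fff70d73942 objc_exception_throw + 48
2   CoreFoundation                      0x00007fff4a1846d5 +[NSException raise:format:] + 197
3   CoreFoundation                      0x00007fff4a01efe4 -[__NSCFNumber compare:] + 84
4   CoreFoundation                      0x00007fff4a01ef76 -[__NSCFNumber isEqualToNumber:] + 22
5   CoreText                            0x00007fff4bb7e03a -[CTFeatureSetting isEqualToFeatureSetting:] + 68
13  WebCore                             0x00007fff570ca349 _ZNK7WebCore16FontPlatformData15platformIsEqualERKS0_ + 25
"""

# "<index>  <module>  <0xaddress> <symbol> + <offset>" as printed by macOS crash reports.
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s\+\s(\d+)$")
FIELD_RE = re.compile(r"^(Exception Type|Exception Codes|Termination Signal):\s+(.*)$")
Frame = namedtuple("Frame", "index module address symbol offset")

def parse_crash_log(text):
    """Return (header fields, uncaught-exception message, backtrace frames)."""
    fields, frames, message = {}, [], None
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m[1]), m[2], int(m[3], 16), m[4], int(m[5])))
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m[1]] = m[2].strip()
        elif line.startswith("Crashing on exception:"):
            message = line.split(":", 1)[1].strip()
    return fields, message, frames

def first_frame_in(frames, module):
    """First frame owned by `module`: for this report the first WebCore frame sits
    below the CoreFoundation/CoreText frames that raised and is where triage starts."""
    return next((f for f in frames if f.module == module), None)
```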
