So it looks like this is cairo being a bit clumsy with failing to initialize members, in one of its code paths. Here's what happens that triggers the crash:

- we hit `_cairo_cff_fallback_init` which declares variable `font` which is initially null:
- that calls `status = _cairo_cff_font_fallback_create (font_subset, &font, subset_name);`
- ...and that function `_cairo_cff_font_fallback_create` **fails to initialize a handful of member variables**, including `fd_local_sub_bias`.
- So when we go to clean up the font later, we call `free` on those member variables, which are still uninitialized.

In particular, compare this chunk of (better, I think?) `_cairo_cff_font_create`:
https://searchfox.org/mozilla-central/rev/6121b33709dd80979a6806ff59096a561e348ae8/gfx/cairo/cairo/src/cairo-cff-subset.c#2861-2875

```cpp
font->fdselect = NULL;
font->fd_dict = NULL;
font->fd_private_dict = NULL;
font->fd_local_sub_index = NULL;
font->fd_local_sub_bias = NULL;
font->fdselect_subset = NULL;
font->fd_subset_map = NULL;
font->private_dict_offset = NULL;
font->global_subs_used = NULL;
font->local_subs_used = NULL;
font->fd_local_subs_used = NULL;

*font_return = font;

return CAIRO_STATUS_SUCCESS;
```

...vs. this buggy-I-think analogous code in `_cairo_cff_font_fallback_create`:
https://searchfox.org/mozilla-central/rev/6121b33709dd80979a6806ff59096a561e348ae8/gfx/cairo/cairo/src/cairo-cff-subset.c#3213-3226

```cpp
font->global_subs_used = NULL;
font->local_subs_used = NULL;
font->subset_subroutines = FALSE;
font->fdselect = NULL;
font->fd_dict = NULL;
font->fd_private_dict = NULL;
font->fd_local_sub_index = NULL;
font->fdselect_subset = NULL;
font->fd_subset_map = NULL;
font->private_dict_offset = NULL;

*font_return = font;

return CAIRO_STATUS_SUCCESS;
```

Both of these are working with a freshly-allocated `cairo_cff_font_t` object, but the latter snippet (in `_cairo_cff_font_fallback_create`) leaves some fields uninitialized, like e.g. `fd_local_subs_used`, `fd_local_sub_bias`, and others.
Bug 1893270 Comment 9 Edit History
So it looks like this is cairo being a bit clumsy with failing to initialize members, in one of its code paths. Here's what happens that triggers the crash:

- we hit `_cairo_cff_fallback_init` which declares variable `font` which is initially null:
- that calls `status = _cairo_cff_font_fallback_create (font_subset, &font, subset_name);`
- ...and that function `_cairo_cff_font_fallback_create` **fails to initialize a handful of member variables**, including `fd_local_sub_bias`.
- So when we go to clean up the font later in `cairo_cff_font_destroy`, we call `free` on those never-initialized member variables (`font->fd_local_sub_bias` in particular in the crash here), so we're calling `free` on something uninitialized and we crash.

In particular, compare this chunk of (better, I think?) `_cairo_cff_font_create`:
https://searchfox.org/mozilla-central/rev/6121b33709dd80979a6806ff59096a561e348ae8/gfx/cairo/cairo/src/cairo-cff-subset.c#2861-2875

```cpp
font->fdselect = NULL;
font->fd_dict = NULL;
font->fd_private_dict = NULL;
font->fd_local_sub_index = NULL;
font->fd_local_sub_bias = NULL;
font->fdselect_subset = NULL;
font->fd_subset_map = NULL;
font->private_dict_offset = NULL;
font->global_subs_used = NULL;
font->local_subs_used = NULL;
font->fd_local_subs_used = NULL;

*font_return = font;

return CAIRO_STATUS_SUCCESS;
```

...vs. this buggy-I-think analogous code in `_cairo_cff_font_fallback_create`:
https://searchfox.org/mozilla-central/rev/6121b33709dd80979a6806ff59096a561e348ae8/gfx/cairo/cairo/src/cairo-cff-subset.c#3213-3226

```cpp
font->global_subs_used = NULL;
font->local_subs_used = NULL;
font->subset_subroutines = FALSE;
font->fdselect = NULL;
font->fd_dict = NULL;
font->fd_private_dict = NULL;
font->fd_local_sub_index = NULL;
font->fdselect_subset = NULL;
font->fd_subset_map = NULL;
font->private_dict_offset = NULL;

*font_return = font;

return CAIRO_STATUS_SUCCESS;
```

Both of these are working with a freshly-allocated `cairo_cff_font_t` object, but the latter snippet (in `_cairo_cff_font_fallback_create`) leaves some fields uninitialized, like e.g. `fd_local_subs_used`, `fd_local_sub_bias`, and others.
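The create/destroy mismatch described in the comment above, reduced to a stand-alone C example. This is added illustration, not cairo's code and not anything attached to the bug: `toy_cff_font_t` is a hypothetical struct carrying only the members the comment names, `toy_font_fallback_create_buggy` mirrors the fallback path's assignment list (so it skips `fd_local_sub_bias` and `fd_local_subs_used`), `toy_font_fallback_create_fixed` shows the `calloc`-based alternative that cannot have that gap, and `toy_font_count_nonnull` is an audit helper that counts non-NULL pointer members straight after creation, so the defect is visible without ever passing garbage to `free()`. The `0xAA` fill is a constructed stand-in for whatever a real `malloc` block happens to contain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for cairo_cff_font_t (not cairo's definition):
 * the pointer members named in the comment above, plus the one flag. */
typedef struct {
    void *fdselect;
    void *fd_dict;
    void *fd_private_dict;
    void *fd_local_sub_index;
    void *fd_local_sub_bias;
    void *fdselect_subset;
    void *fd_subset_map;
    void *private_dict_offset;
    void *global_subs_used;
    void *local_subs_used;
    void *fd_local_subs_used;
    bool  subset_subroutines;
} toy_cff_font_t;

/* One table of every pointer member, so destroy and audit walk the same list
 * and a member can't be freed in one place but forgotten in the other. */
static const size_t toy_pointer_offsets[] = {
    offsetof(toy_cff_font_t, fdselect),
    offsetof(toy_cff_font_t, fd_dict),
    offsetof(toy_cff_font_t, fd_private_dict),
    offsetof(toy_cff_font_t, fd_local_sub_index),
    offsetof(toy_cff_font_t, fd_local_sub_bias),
    offsetof(toy_cff_font_t, fdselect_subset),
    offsetof(toy_cff_font_t, fd_subset_map),
    offsetof(toy_cff_font_t, private_dict_offset),
    offsetof(toy_cff_font_t, global_subs_used),
    offsetof(toy_cff_font_t, local_subs_used),
    offsetof(toy_cff_font_t, fd_local_subs_used),
};
#define TOY_NPTR (sizeof toy_pointer_offsets / sizeof toy_pointer_offsets[0])

/* Read pointer member i without caring about its name. */
static void *toy_member(const toy_cff_font_t *font, size_t i)
{
    void *p;
    memcpy(&p, (const char *)font + toy_pointer_offsets[i], sizeof p);
    return p;
}

/* Models the fallback-create path: plain malloc, then only some members get
 * assigned. The 0xAA fill is a constructed, deterministic stand-in for heap
 * garbage; a real allocation could hold anything. */
static toy_cff_font_t *toy_font_fallback_create_buggy(void)
{
    toy_cff_font_t *font = malloc(sizeof *font);
    if (!font)
        return NULL;
    memset(font, 0xAA, sizeof *font);

    font->global_subs_used = NULL;
    font->local_subs_used = NULL;
    font->subset_subroutines = false;
    font->fdselect = NULL;
    font->fd_dict = NULL;
    font->fd_private_dict = NULL;
    font->fd_local_sub_index = NULL;
    font->fdselect_subset = NULL;
    font->fd_subset_map = NULL;
    font->private_dict_offset = NULL;
    /* fd_local_sub_bias and fd_local_subs_used are never assigned here. */
    return font;
}

/* Hardened create: calloc zeroes the whole object, so a member that a later
 * edit forgets to assign is still a NULL that free() accepts as a no-op. */
static toy_cff_font_t *toy_font_fallback_create_fixed(void)
{
    toy_cff_font_t *font = calloc(1, sizeof *font);
    if (!font)
        return NULL;
    font->subset_subroutines = false; /* already zero; kept explicit */
    return font;
}

/* Audit: number of pointer members that are non-NULL right after create().
 * A correct create() returns 0; anything else means destroy() would free
 * an indeterminate value. */
static int toy_font_count_nonnull(const toy_cff_font_t *font)
{
    int n = 0;
    for (size_t i = 0; i < TOY_NPTR; i++)
        if (toy_member(font, i) != NULL)
            n++;
    return n;
}

/* Mirrors the destroy path the comment describes: free every member, then
 * the struct. Only safe when every member is NULL or a real allocation. */
static void toy_font_destroy(toy_cff_font_t *font)
{
    if (!font)
        return;
    for (size_t i = 0; i < TOY_NPTR; i++)
        free(toy_member(font, i));
    free(font);
}

/* Wrappers that run each create path through the audit and clean up. The
 * buggy object is released with free() alone: its members are garbage and
 * must never reach toy_font_destroy(). */
static int toy_demo_buggy_nonnull(void)
{
    toy_cff_font_t *font = toy_font_fallback_create_buggy();
    if (!font)
        return -1;
    int n = toy_font_count_nonnull(font);
    free(font);
    return n;
}

static int toy_demo_fixed_nonnull(void)
{
    toy_cff_font_t *font = toy_font_fallback_create_fixed();
    if (!font)
        return -1;
    int n = toy_font_count_nonnull(font);
    toy_font_destroy(font);
    return n;
}

int main(void)
{
    printf("buggy create: %d pointer member(s) left non-NULL\n",
           toy_demo_buggy_nonnull());
    printf("fixed create: %d pointer member(s) left non-NULL\n",
           toy_demo_fixed_nonnull());
    return 0;
}
```

The audit is cheap enough to run as a unit test on every create path, and it catches exactly the class of drift in the comment: two create functions for one struct that have fallen out of sync. Zero-initialising at allocation (`calloc`, or `memset` immediately after `malloc`) removes the dependency on the assignment list being complete.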