Open Bug 1577584 Opened 5 years ago Updated 2 years ago

reference binding to address with insufficient space for an object of type 'const OT::LangSys'

Categories

(Core :: Graphics: Text, defect, P3)

Tracking

REOPENED
Tracking Status
firefox-esr68 --- unaffected
firefox-esr91 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined, regression, sec-low)

Found with m-c 20190829-8edbf8fe48bf. This issue is hit on startup. Marking as s-s to be safe.

This was built with undefined behavior sanitizer checks enabled via mozconfig.
ac_add_options --enable-undefined-sanitizer="object-size"

src/gfx/harfbuzz/src/hb-ot-layout-common.hh:254:1: runtime error: reference binding to address 0x7ff4c359bca0 with insufficient space for an object of type 'const OT::LangSys'
0x7ff4c359bca0: note: pointer points here
 00 00 00 00  00 00 ff ff 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^ 
    #0 0x7ff4d1aabf0a in OT::Script::get_lang_sys(unsigned int) const src/gfx/harfbuzz/src/hb-ot-layout-common.hh
    #1 0x7ff4d1a43fc5 in hb_ot_layout_language_get_required_feature src/gfx/harfbuzz/src/hb-ot-layout.cc:824:54
    #2 0x7ff4d1a4bd2f in hb_ot_map_builder_t::compile(hb_ot_map_t&, hb_ot_shape_plan_key_t const&) src/gfx/harfbuzz/src/hb-ot-map.cc:172:5
    #3 0x7ff4d1a684fe in hb_ot_shape_planner_t::compile(hb_ot_shape_plan_t&, hb_ot_shape_plan_key_t const&) src/gfx/harfbuzz/src/hb-ot-shape.cc:108:7
    #4 0x7ff4d1a6977f in hb_ot_shape_plan_t::init0(hb_face_t*, hb_shape_plan_key_t const*) src/gfx/harfbuzz/src/hb-ot-shape.cc:225:11
    #5 0x7ff4d1a724ea in hb_shape_plan_create2 src/gfx/harfbuzz/src/hb-shape-plan.cc:232:7
    #6 0x7ff4d1a72f32 in hb_shape_plan_create_cached2 src/gfx/harfbuzz/src/hb-shape-plan.cc:489:33
    #7 0x7ff4d1a73300 in hb_shape_full src/gfx/harfbuzz/src/hb-shape.cc:135:33
    #8 0x7ff4ca17062a in gfxHarfBuzzShaper::ShapeText(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::unicode::Script, bool, gfxFontShaper::RoundingFlags, gfxShapedText*) src/gfx/thebes/gfxHarfBuzzShaper.cpp:1398:3
    #9 0x7ff4ca113b31 in gfxFont::ShapeText(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::unicode::Script, bool, gfxFontShaper::RoundingFlags, gfxShapedText*) src/gfx/thebes/gfxFont.cpp:2834:24
    #10 0x7ff4ca144dfa in gfxShapedWord* gfxFont::GetShapedWord<char16_t>(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::unicode::Script, bool, int, mozilla::gfx::ShapedTextFlags, gfxFontShaper::RoundingFlags, gfxTextPerfMetrics*) src/gfx/thebes/gfxFont.cpp:2745:24
    #11 0x7ff4ca1437c8 in bool gfxFont::SplitAndInitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::unicode::Script, mozilla::gfx::ShapedTextFlags) src/gfx/thebes/gfxFont.cpp:3122:27
    #12 0x7ff4ca1ed286 in void gfxFontGroup::InitScriptRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::unicode::Script, gfxMissingFontRecorder*) src/gfx/thebes/gfxTextRun.cpp:2501:25
    #13 0x7ff4ca1d9218 in void gfxFontGroup::InitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, gfxMissingFontRecorder*) src/gfx/thebes/gfxTextRun.cpp:2408:9
    #14 0x7ff4ca1b0749 in gfxFontGroup::MakeTextRun(char16_t const*, unsigned int, gfxTextRunFactory::Parameters const*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, gfxMissingFontRecorder*) src/gfx/thebes/gfxTextRun.cpp:2280:3
    #15 0x7ff4cfeb6e83 in BuildTextRunsScanner::BuildTextRunForFrames(void*) src/layout/generic/nsTextFrame.cpp:2482:28
    #16 0x7ff4cfeb2edb in BuildTextRunsScanner::FlushFrames(bool, bool) src/layout/generic/nsTextFrame.cpp:1640:17
    #17 0x7ff4cfebe1e2 in BuildTextRuns src/layout/generic/nsTextFrame.cpp:1564:11
    #18 0x7ff4cfebe1e2 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrame.cpp:2937
    #19 0x7ff4cfef866c in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsTextFrame.cpp:9150:7
    #20 0x7ff4cfdfcc50 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:880:40
    #21 0x7ff4cfc3a615 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4331:15
    #22 0x7ff4cfc39155 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4133:5
    #23 0x7ff4cfc313b7 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4018:9
    #24 0x7ff4cfc2903d in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2997:5
    #25 0x7ff4cfc1fe98 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
    #26 0x7ff4cfc18803 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
    #27 0x7ff4cfc36880 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #28 0x7ff4cfc2c834 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3649:11
    #29 0x7ff4cfc29291 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2994:5
    #30 0x7ff4cfc1fe98 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
    #31 0x7ff4cfc18803 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
    #32 0x7ff4cfc36880 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #33 0x7ff4cfc2c834 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3649:11
    #34 0x7ff4cfc29291 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2994:5
    #35 0x7ff4cfc1fe98 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2537:7
    #36 0x7ff4cfc18803 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1280:3
    #37 0x7ff4cfc66191 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:896:14
    #38 0x7ff4cfc64be4 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:729:5
    #39 0x7ff4cfc66191 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:896:14
    #40 0x7ff4cfd5c4be in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:644:3
    #41 0x7ff4cfd5dfab in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:758:3
    #42 0x7ff4cfd62162 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1160:3
    #43 0x7ff4cfc07fc1 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:936:14
    #44 0x7ff4cfc0755b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:309:7
    #45 0x7ff4cf9e7664 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9261:11
    #46 0x7ff4cf9fd2c0 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9431:24
    #47 0x7ff4cf9fb7b6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4174:11
    #48 0x7ff4cf98226b in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2006:20
    #49 0x7ff4cf9947e1 in TickDriver src/layout/base/nsRefreshDriver.cpp:373:13
    #50 0x7ff4cf9947e1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:350
    #51 0x7ff4cf994321 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:367:5
    #52 0x7ff4cf99815e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:807:5
    #53 0x7ff4cf99815e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:727
    #54 0x7ff4cf997298 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:622:9
    #55 0x7ff4d01e8584 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #56 0x7ff4c874d334 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:187:54
    #57 0x7ff4c81d72bf in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PBackgroundChild.cpp:5759:32
    #58 0x7ff4c7a0a72b in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2184:25
    #59 0x7ff4c7a04dc8 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2108:9
    #60 0x7ff4c7a07208 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1955:3
    #61 0x7ff4c7a082d6 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1986:13
    #62 0x7ff4c64f3092 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #63 0x7ff4c64f9bb6 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #64 0x7ff4c7a171ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #65 0x7ff4c788a7a7 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #66 0x7ff4c788a7a7 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #67 0x7ff4c788a7a7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #68 0x7ff4cf479391 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #69 0x7ff4d37c008d in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #70 0x7ff4c788a7a7 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #71 0x7ff4c788a7a7 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #72 0x7ff4c788a7a7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #73 0x7ff4d37bee30 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #74 0x5579cd578049 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #75 0x5579cd5782e5 in main src/browser/app/nsBrowserApp.cpp:267:18

This looks bogus to me. Code is certainly fine. You might get a lot of similar reports in HarfBuzz. We do some shady, but correct, things.

see also bug 810823

Keywords: sec-low
See Also: → 810823

I put a workaround in anyway: https://github.com/harfbuzz/harfbuzz/commit/911c76abcdfe89770b252eb0d4eb621c0db00ad5

this is not a security issue though.

Ugh... And indeed I broke things. I'm looking into fixing.

I reverted that. I prefer not to touch it. I couldn't find an easy workaround.

(In reply to Behdad Esfahbod from comment #5)

> I reverted that. I prefer not to touch it. I couldn't find an easy workaround.

Could you explain what you think is the problem here? I would like to understand what exactly it is complaining about here and those structs look very unusual for sure. I tried to look at it for a bit but I don't really understand the report. Once we know exactly what the problem is, we can better judge how to proceed.

(In reply to Behdad Esfahbod from comment #1)

> We do some shady, but correct, things.

Note that this is undefined behavior, which is by definition not correct. This code might work, but it only works as long as the compiler happens to not exploit the property violated here. We have seen other cases where compilers started to do this to produce more optimized code, which leads to hard-to-find bugs and it can happen at any compiler upgrade. So if we really cannot fix this, it would be good to make at least sure that it is unlikely to be broken by future optimizations. Thanks!

Flags: needinfo?(mozilla)

FWIW this seems to have been introduced somewhere between m-c 20190813-5192a77b994c and m-c 20190829-8edbf8fe48bf.

Perhaps one of these changes.
2643027a3dd8ba3bed25066b0792acc03750ef67 Ryan VanderMeulen — Bug 1576041 - Update HarfBuzz to 2.6.1. r=jfkthame
b2da42c3a66deadb31036d5cbce66c5465cac70e Ryan VanderMeulen — Bug 1573841 - Update HarfBuzz to 2.6.0. r=jfkthame

Prior to those was from Jun 29:
4f4de7a970353de0c86ee8cf7470ea00feb0cec9: Bug 1560439 - Update HarfBuzz to 2.5.3. r=jfkthame

Simplified version:

Imagine we have following struct:

struct LangSys {
  char a[6];   // fixed part; always present
  char b[1];   // variable-length tail; declared [1] because some compilers reject [0]
};

And we have an area of 6 bytes called LangSysNull. We cast LangSysNull to a LangSys&. It is guaranteed that we never access the 'b' member of it though.

That's it. The reason we have this is because we cannot declare char b[0]. Some compilers don't like that.

Flags: needinfo?(mozilla)

Thanks a lot for the great explanation. We're going to try and reproduce that in a smaller example and figure out why this is actually undefined behavior and if there is an easy way to make it defined.

Flags: needinfo?(choller)

It's easy to imagine why the standard would call it undefined. We are relying on POD structs and memory to work reliably the way they do in C though...

That said, I have another workaround/fix in the works. Hold on.

Reading this now:
https://herbsutter.com/2009/09/02/when-is-a-zero-length-array-okay/

working on using zero-sized arrays on modern compilers.

Looks like zero-length arrays are still not part of the standard? I might condition it on being clang/gcc then.

Just trying to change it to 0 I have discovered a couple of bugs. So yeah, I think having it be different on different compilers might actually be a good idea, so our bots will catch code making wrong assumptions.

So, MSVC seems to only have a problem with this if such a class is used as a base-class then. Which, again, is understandable.

I'm working on figuring out a fix.

So basically now I'm only hitting this:
https://docs.microsoft.com/en-us/cpp/error-messages/compiler-errors-2/compiler-error-c2503?view=vs-2019
https://ci.appveyor.com/project/harfbuzz/harfbuzz/build/job/48qv4t1m01jsxcs3

I just reviewed all the cases and I think I can easily rewrite the code to avoid it. So, going for that. This is making the codebase better. Thank you for your persistence. :)

No problem! Thank you for investigating and your quick response :)

Priority: -- → P3
Flags: needinfo?(choller)
Blocks: 1580918

jfkthame: Was bug 1585138 intended to fix this?

I am able to trigger it in a recent build: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=269881660&repo=try&lineNumber=1571

Flags: needinfo?(jfkthame)

Behdad, what's the status of this -- should 2.6.2 have resolved it, or did it never get finished? The last relevant-looking commit I see is 3f2cdf07a417f81aeeb1e296db493b6e02d76ba8, but that restored the [1] that triggers this issue.

Flags: needinfo?(jfkthame) → needinfo?(mozilla)

I need to finish it.

Basically, I made the code compile with setting HB_VAR_ARRAY to 0. But it emits other warnings with gcc/clang now. I plan to fix those, then make it default to 0 if gcc/clang and to 1 otherwise.

Tried fixing MSVC errors with setting it to 0, but that's trickier than I was hoping for. So, ongoing. Will give it another push soon.

Flags: needinfo?(mozilla)

I'm hitting more snags. If I define HB_VAR_ARRAY to 0 I get warnings when we try to access the first member (when we know it is there). If I define it to empty (which gcc/clang accept as a flexible array), then they each complain about something with how we use them:

gcc:
make all-recursive
make[1]: Entering directory '/home/behdad/src/harfbuzz/build/src'
make[2]: Entering directory '/home/behdad/src/harfbuzz/build/src'
CXX main-main.o
In file included from ../../src/hb-static.cc:29,
from ../../src/main.cc:27:
../../src/hb-open-type.hh: In instantiation of ‘struct OT::UnsizedArrayOf<OT::IntType<unsigned char, 1> >’:
../../src/hb-open-type.hh:1056:27: required from here
../../src/hb-open-type.hh:486:28: error: flexible array member ‘OT::UnsizedArrayOf<OT::IntType<unsigned char, 1> >::arrayZ’ in an otherwise empty ‘struct OT::UnsizedArrayOf<OT::IntType<unsigned char, 1> >’
Type arrayZ[HB_VAR_ARRAY];
^

Clang:
In file included from ../../src/main.cc:27:
In file included from ../../src/hb-static.cc:29:
../../src/hb-open-type.hh:525:31: fatal error: base class 'UnsizedArrayOf' has a flexible
array member
struct SortedUnsizedArrayOf : UnsizedArrayOf<Type>
^
../../src/hb-aat-layout-feat-table.hh:207:3: note: in instantiation of template class
'OT::SortedUnsizedArrayOf<AAT::FeatureName>' requested here
namesZ; /* The feature name array. */
^
1 error generated.
make[2]: *** [Makefile:2583: main-main.o] Error 1
make[2]: Leaving directory '/home/behdad/src/harfbuzz/clangbuild/src'
make[1]: *** [Makefile:3001: all-recursive] Error 1
make[1]: Leaving directory '/home/behdad/src/harfbuzz/clangbuild/src'
make: *** [Makefile:1629: all] Error 2

So, maybe we just accept this as is...

(In reply to Behdad Esfahbod from comment #3)

> I put a workaround in anyway: https://github.com/harfbuzz/harfbuzz/commit/911c76abcdfe89770b252eb0d4eb621c0db00ad5

(In reply to Behdad Esfahbod from comment #5)

> I reverted that. I prefer not to touch it. I couldn't find an easy workaround.

It seems like that commit wouldn't solve the problem anyway. The storage for the null object is still sized based on null_size, so we'd still be trying to cast a 6-byte array to an 8-byte object: https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/gfx/harfbuzz/src/hb-null.hh#99,103

Is there a reason why it's not possible to change the definition of null_size to be sizeof(*this) here? https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/gfx/harfbuzz/src/hb-machinery.hh#139

(In reply to :dmajor from comment #22)

> Is there a reason why it's not possible to change the definition of null_size to be sizeof(*this) here? https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/gfx/harfbuzz/src/hb-machinery.hh#139

There are reasons; I tried that and tests were failing and I'm too lazy to remember. But the whole point of defining null_size is for this use alone. I'm sure there were reasons it was done this way even though I don't fully remember all details now.

(In reply to Behdad Esfahbod from comment #23)

> (In reply to :dmajor from comment #22)
>
> > Is there a reason why it's not possible to change the definition of null_size to be sizeof(*this) here? https://searchfox.org/mozilla-central/rev/b2b0077c2e6a516a76bf8077d6f0237c58f5959a/gfx/harfbuzz/src/hb-machinery.hh#139
>
> There are reasons; I tried that and tests were failing and I'm too lazy to remember. But the whole point of defining null_size is for this use alone. I'm sure there were reasons it was done this way even though I don't fully remember all details now.

I did some digging, and this changed in https://github.com/harfbuzz/harfbuzz/commit/f9cfa5cb0e70203279e74fb6adb0cd4570238ff8, "Change null-pool specialization to min_size again". There is no reason given in the commit message as to the motivation for doing so.

Using the right size seems like the most straightforward solution to this problem. It was a good-faith proposal, and dismissing it with "there must be reasons but I won't tell you" is not a helpful response. In the absence of memory, or a record in the source history, it seems like it would be worthwhile to try again, and see what breaks. Perhaps other parts of the system need to be corrected to match, or if this current behavior really is absolutely required, that fact could be documented somewhere so that this doesn't keep coming up again from future ubsan testers.

We have shipped our last beta for 71; as this is a sec bug, I am setting 71 as fix-optional in case a safe fix could be uplifted as a ridealong in a dot release.

> ...I'm sure there were reasons it was done this way even though I don't fully remember all details now.

> ...dismissing it with "there must be reasons but I won't tell you" is not a helpful response...

That's quite some twisting there.

Here, why don't you debug why tests fail when I try this: https://github.com/harfbuzz/harfbuzz/pull/2067

Documenting my steps: using WSL, I followed roughly the steps in https://circleci.com/gh/harfbuzz/harfbuzz/118664?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link, except I took out the ASan flags.

I confirmed that on a clean tree, make check passes, and that with https://github.com/harfbuzz/harfbuzz/pull/2067, I get failures on the same two tests as CI: test-subset-os2 and test-ot-metrics.

Tyson or decoder, since I don't have an rr-capable machine, would one of you be able to get a Pernosco trace of this failure to make it easier to debug?

Flags: needinfo?(twsmith)

Likely too late for a fix in 72 but we could still take a patch for 73/74.

Flags: needinfo?(twsmith)

The test file TestCFF2VF.otf contains an OT::OpenTypeTable for the tag OS/2 that says the table's length is 96 bytes.

Then, at the following call stack...

hb_ot_metrics_get_position () at /hb-ot-metrics.cc:155
hb_lazy_loader_t<>::operator-> () at /hb-machinery.hh:207
hb_lazy_loader_t<OT::OS2, hb_table_lazy_loader_t<>, hb_face_t, (unsigned int)5, hb_blob_t>::get () at /hb-machinery.hh:245
hb_table_lazy_loader_t<OT::OS2, (unsigned int)5>::convert () at /hb-machinery.hh:300
hb_blob_t::as<OT::OS2> (this=0xff6910) at /hb-blob.hh:59
hb_array_t<char const>::as<OT::OS2, (unsigned int)1, (void*)0> (this=0x7ffc38357128) at /hb-array.hh:197

...the hb_array_t has length of 96. However, with the patch applied, hb_null_size(OT::OS2) is 100, so this is the point of divergence: as<OS2>() ends up returning a Null rather than the arrayZ.

It's worth noting that sizeof(OT::OS2) is 100 with or without the patch(!), so that 96 in the .otf file is looking suspicious...

I guess if it was a "v2" OS2 or earlier, then 96 bytes would be acceptable.

In that case, is it right for as() to compare against the full hb_null_size ?

Edit: I'm not sure what the UB rules would say about using a pointer-to-100-byte-object to point to a 96-byte slice of an mmap. Somehow it feels wrong, but it doesn't seem like C++'s bailiwick to say so, since the mmap was never a C++ object to begin with.
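As an added illustration (not HarfBuzz's own code) of the two size questions in this thread, Behdad's simplified LangSys/LangSysNull picture earlier in the thread and the null_size-versus-min_size divergence found above in the OS/2 case: a stand-alone model in which the Null storage is sized by sizeof(T) instead of min_size, and the as<T>() lookup compares the blob length against min_size. The names Table, null_pool, as_table and the sample blob are assumptions made for this example.

```cpp
#include <cstddef>

// Stand-alone model of the pattern discussed in this bug (added illustration,
// not HarfBuzz's code; Table, null_pool and as_table are names assumed here).

// A table whose fixed header is min_size bytes, followed by a variable-length
// tail declared as [1] because some compilers reject [0]. That makes
// sizeof(Table) larger than the bytes a minimal, valid table occupies.
struct Table {
  static constexpr std::size_t min_size = 6;
  unsigned char header[6];
  unsigned char tail[1];   // real data carries tail[0..count) after the header
};

// Null storage sized by min_size is the layout UBSan reported: a Table& bound
// to it names a sizeof(Table)-byte object inside only min_size bytes of storage.
constexpr std::size_t null_size_by_min_size = Table::min_size;

// Null storage sized by sizeof(Table), as proposed in the thread: every byte the
// reference names exists, so the object-size check has nothing to complain about.
alignas(Table) static const unsigned char null_pool[sizeof(Table)] = {};

// True when a null pool of pool_bytes can back a reference to T without the
// object-size violation this bug reports.
template <typename T>
constexpr bool null_pool_fits(std::size_t pool_bytes) {
  return pool_bytes >= sizeof(T);
}

const Table& null_table() {
  // Same reinterpret_cast the page's pattern uses; whether that aliasing is
  // itself defined is the separate question raised in the comment above.
  return *reinterpret_cast<const Table*>(null_pool);
}

// Model of as<T>() over a blob of len bytes: hand out the data when at least
// `required` bytes are present, otherwise the Null object. With required ==
// sizeof(Table), a table that is valid but shorter than the full struct (the
// 96-byte OS/2 table versus the 100-byte struct on this page) is wrongly
// replaced by Null; requiring only min_size is the fix described above.
const Table& as_table(const unsigned char* data, std::size_t len, std::size_t required) {
  if (len < required) return null_table();
  return *reinterpret_cast<const Table*>(data);
}

// Constructed sample: a valid minimal table (header only, no tail entries).
alignas(Table) static const unsigned char sample_blob[Table::min_size] = {1, 2, 3, 4, 5, 6};

// Returns true when the sample blob resolves to its real data, false when the
// lookup replaces it with Null.
bool resolves_with_null_size() {
  return &as_table(sample_blob, sizeof sample_blob, sizeof(Table)) != &null_table();
}
bool resolves_with_min_size() {
  return &as_table(sample_blob, sizeof sample_blob, Table::min_size) != &null_table();
}
```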

Ah thanks. That's great. Let me look into it. That should compare to min_size instead.

Can someone please lift the security flag on this so it becomes visible to others? Thanks.

Okay. I finally got to fix it upstream. Please let me know if it doesn't work.
https://github.com/harfbuzz/harfbuzz/pull/2067

Fixed by bug 1711472.

Thanks Behdad!

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Depends on: 1711472
Target Milestone: --- → 90 Branch
Group: core-security-release

I managed to reproduce it again on startup (building m-c 20220525-fb0c469ac2fb with -O1).

src/gfx/harfbuzz/src/hb-ot-layout-common.hh:694:1: runtime error: reference binding to address 0x7f1c7dadd6c0 with insufficient space for an object of type 'const OT::LangSys'
0x7f1c7dadd6c0: note: pointer points here
 00 00 00 00  00 00 ff ff 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^ 
    #0 0x7f1c8c1b4dfc in Null<OT::LangSys>::get_null() src/gfx/harfbuzz/src/hb-ot-layout-common.hh:694:1
    #1 0x7f1c8c1b4dfc in NullHelper<OT::LangSys>::get_null() src/gfx/harfbuzz/src/hb-null.hh:104:44
    #2 0x7f1c8c1b4dfc in OT::_hb_has_null<OT::LangSys, true>::get_null() src/gfx/harfbuzz/src/hb-open-type.hh:295:44
    #3 0x7f1c8c1b4dfc in OT::OffsetTo<OT::LangSys, OT::IntType<unsigned short, 2u>, true>::operator()(void const*) const src/gfx/harfbuzz/src/hb-open-type.hh:309:46
    #4 0x7f1c8c1470d6 in OT::Script::get_lang_sys(unsigned int) const src/gfx/harfbuzz/src/hb-ot-layout-common.hh
    #5 0x7f1c8c0d9365 in hb_ot_layout_language_get_required_feature src/gfx/harfbuzz/src/hb-ot-layout.cc:821:54
    #6 0x7f1c8c0e1ef2 in hb_ot_map_builder_t::compile(hb_ot_map_t&, hb_ot_shape_plan_key_t const&) src/gfx/harfbuzz/src/hb-ot-map.cc:186:5
    #7 0x7f1c8c0fcb23 in hb_ot_shape_planner_t::compile(hb_ot_shape_plan_t&, hb_ot_shape_plan_key_t const&) src/gfx/harfbuzz/src/hb-ot-shape.cc:102:7
    #8 0x7f1c8c0fdc5f in hb_ot_shape_plan_t::init0(hb_face_t*, hb_shape_plan_key_t const*) src/gfx/harfbuzz/src/hb-ot-shape.cc:231:11
    #9 0x7f1c8c107104 in hb_shape_plan_create2 src/gfx/harfbuzz/src/hb-shape-plan.cc:258:7
    #10 0x7f1c8c107aef in hb_shape_plan_create_cached2 src/gfx/harfbuzz/src/hb-shape-plan.cc:555:33
    #11 0x7f1c8c107eff in hb_shape_full src/gfx/harfbuzz/src/hb-shape.cc:136:33
    #12 0x7f1c8c10803b in hb_shape src/gfx/harfbuzz/src/hb-shape.cc:179:3
    #13 0x7f1c839c4ed1 in gfxHarfBuzzShaper::ShapeText(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, nsAtom*, bool, gfxFontShaper::RoundingFlags, gfxShapedText*) src/gfx/thebes/gfxHarfBuzzShaper.cpp:1382:3
    #14 0x7f1c8393f721 in gfxFont::ShapeText(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, nsAtom*, bool, gfxFontShaper::RoundingFlags, gfxShapedText*) src/gfx/thebes/gfxFont.cpp:3021:15
    #15 0x7f1c8396bd21 in gfxShapedWord* gfxFont::GetShapedWord<char16_t>(mozilla::gfx::DrawTarget*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, nsAtom*, bool, int, mozilla::gfx::ShapedTextFlags, gfxFontShaper::RoundingFlags, gfxTextPerfMetrics*) src/gfx/thebes/gfxFont.cpp:2879:24
    #16 0x7f1c8396aae2 in bool gfxFont::SplitAndInitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, nsAtom*, mozilla::gfx::ShapedTextFlags) src/gfx/thebes/gfxFont.cpp:3317:27
    #17 0x7f1c83a46a78 in void gfxFontGroup::InitScriptRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, unsigned int, mozilla::intl::Script, gfxMissingFontRecorder*) src/gfx/thebes/gfxTextRun.cpp:2744:25
    #18 0x7f1c83a28797 in void gfxFontGroup::InitTextRun<char16_t>(mozilla::gfx::DrawTarget*, gfxTextRun*, char16_t const*, unsigned int, gfxMissingFontRecorder*) src/gfx/thebes/gfxTextRun.cpp:2651:9
    #19 0x7f1c83a02107 in gfxFontGroup::MakeTextRun(char16_t const*, unsigned int, gfxTextRunFactory::Parameters const*, mozilla::gfx::ShapedTextFlags, nsTextFrameUtils::Flags, gfxMissingFontRecorder*) src/gfx/thebes/gfxTextRun.cpp:2525:3
    #20 0x7f1c89e4e0a0 in BuildTextRunsScanner::BuildTextRunForFrames(void*) src/layout/generic/nsTextFrame.cpp:2637:28
    #21 0x7f1c89e4a46e in BuildTextRunsScanner::FlushFrames(bool, bool) src/layout/generic/nsTextFrame.cpp:1750:17
    #22 0x7f1c89e5491b in BuildTextRuns(mozilla::gfx::DrawTarget*, nsTextFrame*, nsIFrame*, nsLineList_iterator const*, nsTextFrame::TextRunType) src/layout/generic/nsTextFrame.cpp:1672:11
    #23 0x7f1c89e5491b in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) src/layout/generic/nsTextFrame.cpp:3096:7
    #24 0x7f1c89e14568 in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsTextFrame.cpp:9573:7
    #25 0x7f1c89e11484 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:873:40
    #26 0x7f1c89bfbf4f in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4578:15
    #27 0x7f1c89bfb4c5 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4380:5
    #28 0x7f1c89bf613b in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4263:9
    #29 0x7f1c89bf07b8 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3250:5
    #30 0x7f1c89be966f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2779:7
    #31 0x7f1c89be363f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1410:3
    #32 0x7f1c89bf9371 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:288:11
    #33 0x7f1c89bf33a2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3897:11
    #34 0x7f1c89bf0997 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3247:5
    #35 0x7f1c89be966f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2779:7
    #36 0x7f1c89be363f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1410:3
    #37 0x7f1c89bf9371 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:288:11
    #38 0x7f1c89bf33a2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3897:11
    #39 0x7f1c89bf0997 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3247:5
    #40 0x7f1c89be966f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2779:7
    #41 0x7f1c89be363f in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1410:3
    #42 0x7f1c89c11e57 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1005:14
    #43 0x7f1c89c10969 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:791:7
    #44 0x7f1c89c11e57 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1005:14
    #45 0x7f1c89c9c61d in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:838:3
    #46 0x7f1c89c9d928 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:974:3
    #47 0x7f1c89ca36c0 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1395:3
    #48 0x7f1c89bd67b2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:1045:14
    #49 0x7f1c89bd5ff4 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:374:7
    #50 0x7f1c89a079c3 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9621:11
    #51 0x7f1c89a18d17 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9792:24
    #52 0x7f1c89a17bb7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4361:11
    #53 0x7f1c83f13f15 in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) src/objdir-ff-ubsan/dist/include/mozilla/PresShell.h:1448:5
    #54 0x7f1c899a43d9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) src/layout/base/nsRefreshDriver.cpp:2556:20
    #55 0x7f1c899b5ff3 in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:368:13
    #56 0x7f1c899b5ff3 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:346:7
    #57 0x7f1c899b5c85 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:362:5
    #58 0x7f1c899b5217 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:884:5
    #59 0x7f1c899b4662 in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:797:5
    #60 0x7f1c899b3e1a in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:724:5
    #61 0x7f1c899b347d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() src/layout/base/nsRefreshDriver.cpp:587:14
    #62 0x7f1c899b3069 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:544:9
    #63 0x7f1c8868756c in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) src/dom/ipc/VsyncMainChild.cpp:68:15
    #64 0x7f1c88aad1b8 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:220:78
    #65 0x7f1c8290004c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PBackgroundChild.cpp:6088:32
    #66 0x7f1c82860788 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:1781:25
    #67 0x7f1c8285d97b in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) src/ipc/glue/MessageChannel.cpp:1706:9
    #68 0x7f1c8285e48e in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1506:3
    #69 0x7f1c8285f4b9 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1604:14
    #70 0x7f1c811aab8a in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:475:16
    #71 0x7f1c8116ebe1 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:788:26
    #72 0x7f1c8116c45e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:620:15
    #73 0x7f1c8116cbcb in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:398:36
    #74 0x7f1c8119dd41 in mozilla::TaskController::InitializeInternal()::$_0::operator()() const src/xpcom/threads/TaskController.cpp:124:37
    #75 0x7f1c8119dd41 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:531:5
    #76 0x7f1c8118a82e in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:16
    #77 0x7f1c8119281c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:465:10
    #78 0x7f1c82867a62 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:85:21
    #79 0x7f1c82869042 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:268:30
    #80 0x7f1c826e2011 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
    #81 0x7f1c826e2011 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:373:3
    #82 0x7f1c826e2011 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
    #83 0x7f1c8943ef58 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #84 0x7f1c8e0e6baf in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:874:20
    #85 0x7f1c82869021 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:235:9
    #86 0x7f1c826e2011 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:380:10
    #87 0x7f1c826e2011 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:373:3
    #88 0x7f1c826e2011 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:355:3
    #89 0x7f1c8e0e5ccb in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #90 0x7f1c8e0f8f20 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/Bootstrap.cpp:67:12
    #91 0x561e4c6c053d in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #92 0x561e4c6c0902 in main src/browser/app/nsBrowserApp.cpp:338:18
    #93 0x7f1caa62ac86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
    #94 0x561e4c600928 in _start (src/objdir-ff-ubsan/dist/bin/firefox+0xd3928) (BuildId: 7f1670592add8f0dbe970da52bc3c4504c02c973)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
No longer depends on: 1711472
Flags: needinfo?(mozilla)
Target Milestone: 90 Branch → ---

My apologies. Apparently my fix was incomplete. I just pushed another commit that I think should fix that:
https://github.com/harfbuzz/harfbuzz/commit/8df9aba99774c39839d05231c5ee7e38a2614663

Please try again after the next HarfBuzz roll, or try that patch manually. Thanks.

Flags: needinfo?(mozilla)

(In reply to Behdad Esfahbod from comment #37)
> My apologies. Apparently my fix was incomplete. I just pushed another commit that I think should fix that:
> https://github.com/harfbuzz/harfbuzz/commit/8df9aba99774c39839d05231c5ee7e38a2614663
>
> Please try again after the next HarfBuzz roll, or try that patch manually. Thanks.

Please ignore that for now. I had to revert it. I'll work on a fix again.

(In reply to Behdad Esfahbod from comment #38)
> (In reply to Behdad Esfahbod from comment #37)
> > My apologies. Apparently my fix was incomplete. I just pushed another commit that I think should fix that:
> > https://github.com/harfbuzz/harfbuzz/commit/8df9aba99774c39839d05231c5ee7e38a2614663
> >
> > Please try again after the next HarfBuzz roll, or try that patch manually. Thanks.
>
> Please ignore that for now. I had to revert it. I'll work on a fix again.

I take that back. My bad.

(In reply to Behdad Esfahbod from comment #37)
> My apologies. Apparently my fix was incomplete. I just pushed another commit that I think should fix that:
> https://github.com/harfbuzz/harfbuzz/commit/8df9aba99774c39839d05231c5ee7e38a2614663
>
> Please try again after the next HarfBuzz roll, or try that patch manually. Thanks.

I applied the upstream patch locally and it does resolve the issue. I verified with both a -O1 and a -O2 build to be sure. Thank you :)
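Added illustration (not HarfBuzz code, and not what the linked commit does): the class of defect UBSan is reporting here is a reference bound to a struct at an address where fewer than sizeof(struct) bytes are known to exist, which is what happens when a parser trusts an in-font offset that lands near the end of the table blob. The sanitizer fires at the reference binding itself, before any byte is read, which is why the diagnostic says "reference binding" rather than "out-of-bounds read". Clang implements -fsanitize=object-size in terms of __builtin_object_size, so it sees more at higher optimization levels; that is why checking a fix at both -O1 and -O2, as above, is a sensible verification. The example below uses a constructed LangSys-shaped record (BE16, LangSysHdr), an overflow-safe fits() check, the unchecked accessor that exhibits the bug pattern next to a checked one that falls back to a null object, and a constructed sample blob; every name in it is an assumption for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Big-endian 16-bit field as stored in OpenType tables (constructed for this example;
// not HarfBuzz's HBUINT16).
struct BE16 {
  uint8_t b[2];
  uint16_t get() const { return static_cast<uint16_t>((b[0] << 8) | b[1]); }
};

// Fixed part of a LangSys-shaped record: lookupOrder, reqFeatureIndex, featureCount,
// followed in the blob by featureCount BE16 feature indices.
struct LangSysHdr {
  BE16 lookupOrder;
  BE16 reqFeatureIndex;
  BE16 featureCount;
};
static_assert(sizeof(LangSysHdr) == 6, "header must be the on-disk size");

// Overflow-safe range check: do `need` bytes starting at `offset` lie inside a blob
// of blob_len bytes?
bool fits(size_t blob_len, size_t offset, size_t need) {
  return offset <= blob_len && need <= blob_len - offset;
}

// UNCHECKED (the bug pattern): trusts the in-font offset and binds a reference to a
// LangSysHdr even when fewer than sizeof(LangSysHdr) bytes remain. Built with
// -fsanitize=object-size this is the shape that yields "reference binding to address
// ... with insufficient space for an object of type". Never call it on untrusted data.
const LangSysHdr& lang_sys_unchecked(const uint8_t* blob, size_t offset) {
  return *reinterpret_cast<const LangSysHdr*>(blob + offset);
}

// Null object returned for anything that fails validation: reqFeatureIndex 0xFFFF is
// the OpenType value for "no required feature"; featureCount 0 makes the array empty.
static const LangSysHdr kNullLangSys = {{{0x00, 0x00}}, {{0xFF, 0xFF}}, {{0x00, 0x00}}};

// CHECKED: validates the fixed header and the variable-length tail against the blob
// length before any reference into the blob escapes; otherwise hands back the null object.
const LangSysHdr& lang_sys_checked(const uint8_t* blob, size_t blob_len, size_t offset) {
  if (!fits(blob_len, offset, sizeof(LangSysHdr))) return kNullLangSys;
  const LangSysHdr& hdr = *reinterpret_cast<const LangSysHdr*>(blob + offset);
  size_t tail = static_cast<size_t>(hdr.featureCount.get()) * sizeof(BE16);
  if (!fits(blob_len, offset + sizeof(LangSysHdr), tail)) return kNullLangSys;
  return hdr;
}

uint16_t required_feature(const uint8_t* blob, size_t blob_len, size_t offset) {
  return lang_sys_checked(blob, blob_len, offset).reqFeatureIndex.get();
}

uint16_t feature_count(const uint8_t* blob, size_t blob_len, size_t offset) {
  return lang_sys_checked(blob, blob_len, offset).featureCount.get();
}

// i-th feature index of a validated record, or 0xFFFF when i is out of range.
// The null object has featureCount 0, so its (non-existent) tail is never touched.
uint16_t feature_index(const uint8_t* blob, size_t blob_len, size_t offset, size_t i) {
  const LangSysHdr& hdr = lang_sys_checked(blob, blob_len, offset);
  if (i >= hdr.featureCount.get()) return 0xFFFF;
  const uint8_t* arr = reinterpret_cast<const uint8_t*>(&hdr) + sizeof(LangSysHdr);
  return reinterpret_cast<const BE16*>(arr)[i].get();
}

// Constructed sample blob (not taken from a real font):
//   offset 0:  valid record, reqFeatureIndex 5, two feature indices (3, 7)
//   offset 10: header fits, but it claims 4 feature indices and only 2 bytes follow
//   offset 18: the header itself is truncated (4 of 6 bytes present)
static const uint8_t kBlob[] = {
  0x00, 0x00, 0x00, 0x05, 0x00, 0x02, 0x00, 0x03, 0x00, 0x07,
  0x00, 0x00, 0x00, 0x09, 0x00, 0x04, 0x00, 0x0A,
  0x00, 0x00, 0x00, 0x0B,
};
static const size_t kBlobLen = sizeof(kBlob);

int main() {
  std::printf("offset 0: reqFeatureIndex=%u featureCount=%u feature[1]=%u\n",
              unsigned(required_feature(kBlob, kBlobLen, 0)),
              unsigned(feature_count(kBlob, kBlobLen, 0)),
              unsigned(feature_index(kBlob, kBlobLen, 0, 1)));
  std::printf("offset 10 (array overruns blob): featureCount=%u\n",
              unsigned(feature_count(kBlob, kBlobLen, 10)));
  std::printf("offset 18 (header truncated): null object? %s\n",
              &lang_sys_checked(kBlob, kBlobLen, 18) == &kNullLangSys ? "yes" : "no");
  return 0;
}
```

To reproduce the diagnostic class from the bug title with this file, build with clang++ -O2 -fsanitize=object-size and add a call to lang_sys_unchecked(kBlob, 18) with the offset visible to the optimizer; the checked accessor never forms a reference into the blob until both the fixed header and the tail array have been validated, so it stays silent on the same input.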

Severity: normal → S3