
hb-buffer.cc:398: bool hb_buffer_t::move_to(unsigned int): Assertion `i <= out_len + (len - idx)' failed. #173

Closed
kcc opened this issue Nov 19, 2015 · 2 comments

Comments

kcc (Collaborator) commented Nov 19, 2015

Found on fresh trunk by the libFuzzer bot (see #139); repro attached.
repro.pdf

kcc (Collaborator, Author) commented Nov 19, 2015

Stack trace:

    #0 0x7faf70eb7cc8 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x36cc8)
    #1 0x7faf70ebb0d7 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x3a0d7)
    #2 0x7faf70eb0b85  (/lib/x86_64-linux-gnu/libc.so.6+0x2fb85)
    #3 0x7faf70eb0c31 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x2fc31)
    #4 0x4ef40b in hb_buffer_t::move_to(unsigned int) asan_cov/src/hb-buffer.cc:398:3
    #5 0x5f8e1d in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:1022:3
    #6 0x6608d8 in OT::chain_context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ChainContextApplyLookupContext&) asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:1635:10
    #7 0x6608d8 in OT::ChainContextFormat3::apply(OT::hb_apply_context_t*) const asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:2075
    #8 0x6552c5 in bool OT::hb_apply_context_t::dispatch<OT::ChainContextFormat3>(OT::ChainContextFormat3 const&) asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:446:52
    #9 0x6552c5 in OT::hb_apply_context_t::return_t OT::ChainContext::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:2126
    #10 0x6552c5 in OT::hb_apply_context_t::return_t OT::SubstLookupSubTable::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*, unsigned int) const asan_cov/src/./hb-ot-layout-gsub-table.hh:1084
    #11 0x6543b5 in OT::hb_apply_context_t::return_t OT::Lookup::dispatch<OT::SubstLookupSubTable, OT::hb_apply_context_t>(OT::hb_apply_context_t*) const asan_cov/src/./hb-ot-layout-common-private.hh:625:40
    #12 0x6543b5 in OT::hb_apply_context_t::return_t OT::SubstLookup::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const asan_cov/src/./hb-ot-layout-gsub-table.hh:1234
    #13 0x6543b5 in OT::SubstLookup::apply_recurse_func(OT::hb_apply_context_t*, unsigned int) asan_cov/src/./hb-ot-layout-gsub-table.hh:1332
    #14 0x5f6f83 in OT::hb_apply_context_t::recurse(unsigned int) asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:455:16
    #15 0x5f6f83 in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:977
    #16 0x6608d8 in OT::chain_context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ChainContextApplyLookupContext&) asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:1635:10
    #17 0x6608d8 in OT::ChainContextFormat3::apply(OT::hb_apply_context_t*) const asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:2075
    #18 0x6826d0 in _ZL13apply_forwardIN2OT19ChainContextFormat3EEbPNS0_18hb_apply_context_tERKT_RK33hb_ot_layout_lookup_accelerator_t asan_cov/src/hb-ot-layout.cc:898:2
    #19 0x6826d0 in bool hb_apply_forward_context_t::dispatch<OT::ChainContextFormat3>(OT::ChainContextFormat3 const&) asan_cov/src/hb-ot-layout.cc:934
    #20 0x683afb in hb_apply_forward_context_t::return_t OT::ChainContext::dispatch<hb_apply_forward_context_t>(hb_apply_forward_context_t*) const asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:2126:13
    #21 0x683afb in hb_apply_forward_context_t::return_t OT::SubstLookupSubTable::dispatch<hb_apply_forward_context_t>(hb_apply_forward_context_t*, unsigned int) const asan_cov/src/./hb-ot-layout-gsub-table.hh:1084
    #22 0x5ef5a8 in hb_apply_forward_context_t::return_t OT::Lookup::dispatch<OT::SubstLookupSubTable, hb_apply_forward_context_t>(hb_apply_forward_context_t*) const asan_cov/src/./hb-ot-layout-common-private.hh:625:40
    #23 0x5ef5a8 in hb_apply_forward_context_t::return_t OT::SubstLookup::dispatch<hb_apply_forward_context_t>(hb_apply_forward_context_t*) const asan_cov/src/./hb-ot-layout-gsub-table.hh:1234
    #24 0x5ef5a8 in _ZL12apply_stringI9GSUBProxyEvPN2OT18hb_apply_context_tERKNT_6LookupERK33hb_ot_layout_lookup_accelerator_t asan_cov/src/hb-ot-layout.cc:973
    #25 0x5ffd53 in void hb_ot_map_t::apply<GSUBProxy>(GSUBProxy const&, hb_ot_shape_plan_t const*, hb_font_t*, hb_buffer_t*) const asan_cov/src/hb-ot-layout.cc:1027:7
    #26 0x5eecb3 in hb_ot_map_t::substitute(hb_ot_shape_plan_t const*, hb_font_t*, hb_buffer_t*) const asan_cov/src/hb-ot-layout.cc:1043:3
    #27 0x53f51d in hb_ot_shape_plan_t::substitute(hb_font_t*, hb_buffer_t*) const asan_cov/src/./hb-ot-shape-private.hh:59:73
    #28 0x53f51d in hb_ot_substitute_complex(hb_ot_shape_context_t*) asan_cov/src/hb-ot-shape.cc:585
    #29 0x53f51d in hb_ot_substitute(hb_ot_shape_context_t*) asan_cov/src/hb-ot-shape.cc:599
    #30 0x53f51d in hb_ot_shape_internal(hb_ot_shape_context_t*) asan_cov/src/hb-ot-shape.cc:823
    #31 0x53f51d in _hb_ot_shape asan_cov/src/hb-ot-shape.cc:848
    #32 0x5225c6 in hb_shape_plan_execute asan_cov/src/./hb-shaper-list.hh:43:1
    #33 0x51f8c6 in hb_shape_full asan_cov/src/hb-shape.cc:375:19

behdad (Member) commented Nov 19, 2015

I wonder if there's any chance to win this race...

@behdad behdad closed this as completed in 37b40cd Nov 19, 2015
gpgreen pushed a commit to gpgreen/harfbuzz that referenced this issue Jan 10, 2024
Never run ragel when generated files exist

This is untested, but hopefully works around servo/servo#24611.

This is not suitable for development of Harfbuzz itself (as opposed to bindings), but hopefully that doesn’t happen in this repository and being required to run `cargo clean` after updating the Harfbuzz version is acceptable.