timeout in context_apply_lookup

[kcc]

timeout-c7f0b03f12f51efc0702eb48d336e7d4e1d3d252.pdf
Found with libFuzzer.
Run the attached file through the fuzzer target (see #139), it will run at least half hour (maybe forever)
This bug may cause DOS attacks and such, but it also hurts further fuzzing immensely.

The stack trace:

    #5 0x5c8e45 in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:969:3
    #6 0x625c63 in OT::context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ContextApplyLookupContext&) src/./hb-ot-layout-gsubgpos-private.hh:1102:10
    #7 0x625c63 in OT::Rule::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1141
    #8 0x625c63 in OT::RuleSet::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1204
    #9 0x6204ca in OT::ContextFormat1::apply(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1290:5
    #10 0x6204ca in bool OT::hb_apply_context_t::dispatch<OT::ContextFormat1>(OT::ContextFormat1 const&) src/./hb-ot-layout-gsubgpos-private.hh:446
    #11 0x6204ca in OT::hb_apply_context_t::return_t OT::Context::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1510
    #12 0x62d7d3 in OT::hb_apply_context_t::return_t OT::PosLookupSubTable::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*, unsigned int) const src/./hb-ot-layout-gpos-table.hh:1417:20
    #13 0x62c7cb in OT::hb_apply_context_t::return_t OT::Lookup::dispatch<OT::PosLookupSubTable, OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-common-private.hh:620:40
    #14 0x62c7cb in OT::hb_apply_context_t::return_t OT::PosLookup::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gpos-table.hh:1478
    #15 0x62c7cb in OT::PosLookup::apply_recurse_func(OT::hb_apply_context_t*, unsigned int) src/./hb-ot-layout-gpos-table.hh:1629
    #16 0x5c7ce8 in OT::hb_apply_context_t::recurse(unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:455:16
    #17 0x5c7ce8 in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:978
    #18 0x625c63 in OT::context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ContextApplyLookupContext&) src/./hb-ot-layout-gsubgpos-private.hh:1102:10
    #19 0x625c63 in OT::Rule::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1141
    #20 0x625c63 in OT::RuleSet::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1204
    #21 0x6204ca in OT::ContextFormat1::apply(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1290:5
    #22 0x6204ca in bool OT::hb_apply_context_t::dispatch<OT::ContextFormat1>(OT::ContextFormat1 const&) src/./hb-ot-layout-gsubgpos-private.hh:446
    #23 0x6204ca in OT::hb_apply_context_t::return_t OT::Context::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1510
    #24 0x62d7d3 in OT::hb_apply_context_t::return_t OT::PosLookupSubTable::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*, unsigned int) const src/./hb-ot-layout-gpos-table.hh:1417:20
    #25 0x62c7cb in OT::hb_apply_context_t::return_t OT::Lookup::dispatch<OT::PosLookupSubTable, OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-common-private.hh:620:40
    #26 0x62c7cb in OT::hb_apply_context_t::return_t OT::PosLookup::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gpos-table.hh:1478
    #27 0x62c7cb in OT::PosLookup::apply_recurse_func(OT::hb_apply_context_t*, unsigned int) src/./hb-ot-layout-gpos-table.hh:1629
    #28 0x5c7ce8 in OT::hb_apply_context_t::recurse(unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:455:16
    #29 0x5c7ce8 in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:978
    #30 0x625c63 in OT::context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ContextApplyLookupContext&) src/./hb-ot-layout-gsubgpos-private.hh:1102:10
    #31 0x625c63 in OT::Rule::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1141
    #32 0x625c63 in OT::RuleSet::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1204
    #33 0x6204ca in OT::ContextFormat1::apply(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1290:5
    #34 0x6204ca in bool OT::hb_apply_context_t::dispatch<OT::ContextFormat1>(OT::ContextFormat1 const&) src/./hb-ot-layout-gsubgpos-private.hh:446
    #35 0x6204ca in OT::hb_apply_context_t::return_t OT::Context::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1510
    #36 0x62d7d3 in OT::hb_apply_context_t::return_t OT::PosLookupSubTable::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*, unsigned int) const src/./hb-ot-layout-gpos-table.hh:1417:20
    #37 0x62c7cb in OT::hb_apply_context_t::return_t OT::Lookup::dispatch<OT::PosLookupSubTable, OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-common-private.hh:620:40
    #38 0x62c7cb in OT::hb_apply_context_t::return_t OT::PosLookup::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gpos-table.hh:1478
    #39 0x62c7cb in OT::PosLookup::apply_recurse_func(OT::hb_apply_context_t*, unsigned int) src/./hb-ot-layout-gpos-table.hh:1629
    #40 0x5c7ce8 in OT::hb_apply_context_t::recurse(unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:455:16
    #41 0x5c7ce8 in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:978
    #42 0x625c63 in OT::context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ContextApplyLookupContext&) src/./hb-ot-layout-gsubgpos-private.hh:1102:10
    #43 0x625c63 in OT::Rule::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1141
    #44 0x625c63 in OT::RuleSet::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1204
    #45 0x6204ca in OT::ContextFormat1::apply(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1290:5
    #46 0x6204ca in bool OT::hb_apply_context_t::dispatch<OT::ContextFormat1>(OT::ContextFormat1 const&) src/./hb-ot-layout-gsubgpos-private.hh:446
    #47 0x6204ca in OT::hb_apply_context_t::return_t OT::Context::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1510
    #48 0x62d7d3 in OT::hb_apply_context_t::return_t OT::PosLookupSubTable::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*, unsigned int) const src/./hb-ot-layout-gpos-table.hh:1417:20
    #49 0x62c7cb in OT::hb_apply_context_t::return_t OT::Lookup::dispatch<OT::PosLookupSubTable, OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-common-private.hh:620:40
    #50 0x62c7cb in OT::hb_apply_context_t::return_t OT::PosLookup::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gpos-table.hh:1478
    #51 0x62c7cb in OT::PosLookup::apply_recurse_func(OT::hb_apply_context_t*, unsigned int) src/./hb-ot-layout-gpos-table.hh:1629
    #52 0x5c7ce8 in OT::hb_apply_context_t::recurse(unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:455:16
    #53 0x5c7ce8 in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:978
    #54 0x625c63 in OT::context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ContextApplyLookupContext&) src/./hb-ot-layout-gsubgpos-private.hh:1102:10
    #55 0x625c63 in OT::Rule::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1141
    #56 0x625c63 in OT::RuleSet::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1204
    #57 0x6204ca in OT::ContextFormat1::apply(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1290:5
    #58 0x6204ca in bool OT::hb_apply_context_t::dispatch<OT::ContextFormat1>(OT::ContextFormat1 const&) src/./hb-ot-layout-gsubgpos-private.hh:446
    #59 0x6204ca in OT::hb_apply_context_t::return_t OT::Context::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1510
    #60 0x62d7d3 in OT::hb_apply_context_t::return_t OT::PosLookupSubTable::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*, unsigned int) const src/./hb-ot-layout-gpos-table.hh:1417:20
    #61 0x62c7cb in OT::hb_apply_context_t::return_t OT::Lookup::dispatch<OT::PosLookupSubTable, OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-common-private.hh:620:40
    #62 0x62c7cb in OT::hb_apply_context_t::return_t OT::PosLookup::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gpos-table.hh:1478
    #63 0x62c7cb in OT::PosLookup::apply_recurse_func(OT::hb_apply_context_t*, unsigned int) src/./hb-ot-layout-gpos-table.hh:1629
    #64 0x5c7ce8 in OT::hb_apply_context_t::recurse(unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:455:16
    #65 0x5c7ce8 in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:978
    #66 0x625c63 in OT::context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ContextApplyLookupContext&) src/./hb-ot-layout-gsubgpos-private.hh:1102:10
    #67 0x625c63 in OT::Rule::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1141
    #68 0x625c63 in OT::RuleSet::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1204
    #69 0x6204ca in OT::ContextFormat1::apply(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1290:5
    #70 0x6204ca in bool OT::hb_apply_context_t::dispatch<OT::ContextFormat1>(OT::ContextFormat1 const&) src/./hb-ot-layout-gsubgpos-private.hh:446
    #71 0x6204ca in OT::hb_apply_context_t::return_t OT::Context::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1510
    #72 0x62d7d3 in OT::hb_apply_context_t::return_t OT::PosLookupSubTable::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*, unsigned int) const src/./hb-ot-layout-gpos-table.hh:1417:20
    #73 0x62c7cb in OT::hb_apply_context_t::return_t OT::Lookup::dispatch<OT::PosLookupSubTable, OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-common-private.hh:620:40
    #74 0x62c7cb in OT::hb_apply_context_t::return_t OT::PosLookup::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gpos-table.hh:1478
    #75 0x62c7cb in OT::PosLookup::apply_recurse_func(OT::hb_apply_context_t*, unsigned int) src/./hb-ot-layout-gpos-table.hh:1629
    #76 0x5c7ce8 in OT::hb_apply_context_t::recurse(unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:455:16
    #77 0x5c7ce8 in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) src/./hb-ot-layout-gsubgpos-private.hh:978
    #78 0x625c63 in OT::context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ContextApplyLookupContext&) src/./hb-ot-layout-gsubgpos-private.hh:1102:10
    #79 0x625c63 in OT::Rule::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1141
    #80 0x625c63 in OT::RuleSet::apply(OT::hb_apply_context_t*, OT::ContextApplyLookupContext&) const src/./hb-ot-layout-gsubgpos-private.hh:1204
    #81 0x6204ca in OT::ContextFormat1::apply(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1290:5
    #82 0x6204ca in bool OT::hb_apply_context_t::dispatch<OT::ContextFormat1>(OT::ContextFormat1 const&) src/./hb-ot-layout-gsubgpos-private.hh:446
    #83 0x6204ca in OT::hb_apply_context_t::return_t OT::Context::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gsubgpos-private.hh:1510
    #84 0x62d7d3 in OT::hb_apply_context_t::return_t OT::PosLookupSubTable::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*, unsigned int) const src/./hb-ot-layout-gpos-table.hh:1417:20
    #85 0x5d22f5 in OT::hb_apply_context_t::return_t OT::Lookup::dispatch<OT::PosLookupSubTable, OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-common-private.hh:620:40
    #86 0x5d22f5 in OT::hb_apply_context_t::return_t OT::PosLookup::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const src/./hb-ot-layout-gpos-table.hh:1478
    #87 0x5d22f5 in OT::PosLookup::apply(OT::hb_apply_context_t*) const src/./hb-ot-layout-gpos-table.hh:1455
    #88 0x5d22f5 in _ZL13apply_forwardIN2OT9PosLookupEEbPNS0_18hb_apply_context_tERKT_RK33hb_ot_layout_lookup_accelerator_t src/hb-ot-layout.cc:898
    #89 0x5d22f5 in _ZL12apply_stringI9GPOSProxyEvPN2OT18hb_apply_context_tERKNT_6LookupERK33hb_ot_layout_lookup_accelerator_t src/hb-ot-layout.cc:976
    #90 0x5d22f5 in void hb_ot_map_t::apply<GPOSProxy>(GPOSProxy const&, hb_ot_shape_plan_t const*, hb_font_t*, hb_buffer_t*) const src/hb-ot-layout.cc:1027
    #91 0x5c07cd in hb_ot_map_t::position(hb_ot_shape_plan_t const*, hb_font_t*, hb_buffer_t*) const src/hb-ot-layout.cc:1049:3
    #92 0x5264d1 in hb_ot_shape_plan_t::position(hb_font_t*, hb_buffer_t*) const src/./hb-ot-shape-private.hh:60:71
    #93 0x5264d1 in hb_ot_position_complex(hb_ot_shape_context_t*) src/hb-ot-shape.cc:715
    #94 0x5264d1 in hb_ot_position(hb_ot_shape_context_t*) src/hb-ot-shape.cc:754
    #95 0x5264d1 in hb_ot_shape_internal(hb_ot_shape_context_t*) src/hb-ot-shape.cc:796
    #96 0x5264d1 in _hb_ot_shape src/hb-ot-shape.cc:816
    #97 0x50bb8c in hb_shape_plan_execute src/./hb-shaper-list.hh:43:1
    #98 0x509570 in hb_shape_full src/hb-shape.cc:375:19
    #99 0x509570 in hb_shape src/hb-shape.cc:405
    #100 0x4d6936 in LLVMFuzzerTestOneInput 

[kcc]

With -DHB_MAX_NESTING_LEVEL=3 fuzzing is reasonably fast again.
It's hard for me to tell how significant the bug is and how many other bugs this workaround will hide from the fuzzer. But at least fuzzing is unblocked now, thanks!

[kcc]

It may be a different issue, but here is another reproducer that takes ~1 minute to process even with
-DHB_MAX_NESTING_LEVEL=3
slow-unit-d078a85fccc7bceaff1665c99683790b855a18e8.pdf

[kcc]

The fuzzer bot discovered more cases like this and is on its knees again. :(
One more case:
slow-unit-d5d79b46bda05a2238c8e44f219d4adb2a75145d.pdf

[behdad]

Just finished fixing some bugs that were blocking a harfbuzz release. will look into this next.

[behdad]

Just reduced HB_SANITIZE_MAX_EDITS from 100 to 8. You might want to set it to 3 or 2.

Also, can you send me a with a README file in hb/test/fuzzing with compiler parameters you are using, and possibly also a paragraph or two about how to setup fuzzing? I can then add a Makefile.am for the most relevant parts. Thanks!

[kcc]

will reply to the above in #139

[behdad]

I can't reproduce this. Can you test again? Can you reproduce with hb-shape commandline?

behdad:util 0$ make lib -j && ./hb-shape libfuzzer/timeout-c7f0b03f12f51efc0702eb48d336e7d4e1d3d252.pdf "ABCDEXYZ123@_%&)*$!" --font-funcs=ot

[kcc]

I've started using
-DHB_MAX_NESTING_LEVEL=3 -DHB_BUFFER_MAX_EXPANSION_FACTOR=3 -DHB_BUFFER_MAX_LEN_MIN=8
and now I see this:

harfbuzz_asan_cov_fuzzer: hb-buffer.cc:398: bool hb_buffer_t::move_to(unsigned int): Assertion `i <= out_len + (len - idx)' failed.
ASAN:DEADLYSIGNAL
=================================================================
==21662==ERROR: AddressSanitizer: SEGV on unknown address 0x03ea0000549e (pc 0x7fd174f34cc9 bp 0x7fd17507e830 sp 0x7ffc3f868f18 T0)
    #0 0x7fd174f34cc8 in gsignal (/lib/x86_64-linux-gnu/libc.so.6+0x36cc8)
    #1 0x7fd174f380d7 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x3a0d7)
    #2 0x7fd174f2db85  (/lib/x86_64-linux-gnu/libc.so.6+0x2fb85)
    #3 0x7fd174f2dc31 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x2fc31)
    #4 0x4ef3bb in hb_buffer_t::move_to(unsigned int) asan_cov/src/hb-buffer.cc:398:3
    #5 0x5f87dd in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:1022:3
    #6 0x660018 in OT::chain_context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ChainContextApplyLookupContext&) asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:1635:10
    #7 0x660018 in OT::ChainContextFormat3::apply(OT::hb_apply_context_t*) const asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:2075
    #8 0x680a4e in _ZL13apply_forwardIN2OT19ChainContextFormat3EEbPNS0_18hb_apply_context_tERKT_RK33hb_ot_layout_lookup_accelerator_t asan_cov/src/hb-ot-layout.cc:898:2
    #9 0x680a4e in bool hb_apply_forward_context_t::dispatch<OT::ChainContextFormat3>(OT::ChainContextFormat3 const&) asan_cov/src/hb-ot-layout.cc:934
    #10 0x681d7b in hb_apply_forward_context_t::return_t OT::ChainContext::dispatch<hb_apply_forward_context_t>(hb_apply_forward_context_t*) const asan_cov/src/./hb-ot-layout-gsubgpos-private.hh:2126:13
    #11 0x681d7b in hb_apply_forward_context_t::return_t OT::SubstLookupSubTable::dispatch<hb_apply_forward_context_t>(hb_apply_forward_context_t*, unsigned int) const asan_cov/src/./hb-ot-layout-gsub-table.hh:1084
    #12 0x5ef0a7 in hb_apply_forward_context_t::return_t OT::Lookup::dispatch<OT::SubstLookupSubTable, hb_apply_forward_context_t>(hb_apply_forward_context_t*) const asan_cov/src/./hb-ot-layout-common-private.hh:625:40
    #13 0x5ef0a7 in hb_apply_forward_context_t::return_t OT::SubstLookup::dispatch<hb_apply_forward_context_t>(hb_apply_forward_context_t*) const asan_cov/src/./hb-ot-layout-gsub-table.hh:1234
    #14 0x5ef0a7 in _ZL12apply_stringI9GSUBProxyEvPN2OT18hb_apply_context_tERKNT_6LookupERK33hb_ot_layout_lookup_accelerator_t asan_cov/src/hb-ot-layout.cc:973
    #15 0x5ff713 in void hb_ot_map_t::apply<GSUBProxy>(GSUBProxy const&, hb_ot_shape_plan_t const*, hb_font_t*, hb_buffer_t*) const asan_cov/src/hb-ot-layout.cc:1027:7
    #16 0x5ee763 in hb_ot_map_t::substitute(hb_ot_shape_plan_t const*, hb_font_t*, hb_buffer_t*) const asan_cov/src/hb-ot-layout.cc:1043:3
    #17 0x53f50d in hb_ot_shape_plan_t::substitute(hb_font_t*, hb_buffer_t*) const asan_cov/src/./hb-ot-shape-private.hh:59:73
    #18 0x53f50d in hb_ot_substitute_complex(hb_ot_shape_context_t*) asan_cov/src/hb-ot-shape.cc:585
    #19 0x53f50d in hb_ot_substitute(hb_ot_shape_context_t*) asan_cov/src/hb-ot-shape.cc:599
    #20 0x53f50d in hb_ot_shape_internal(hb_ot_shape_context_t*) asan_cov/src/hb-ot-shape.cc:823
    #21 0x53f50d in _hb_ot_shape asan_cov/src/hb-ot-shape.cc:848
    #22 0x522666 in hb_shape_plan_execute asan_cov/src/./hb-shaper-list.hh:43:1
    #23 0x51f966 in hb_shape_full asan_cov/src/hb-shape.cc:375:19
    #24 0x51f966 in hb_shape asan_cov/src/hb-shape.cc:405

[behdad]

I've started using
-DHB_MAX_NESTING_LEVEL=3 -DHB_BUFFER_MAX_EXPANSION_FACTOR=3 -DHB_BUFFER_MAX_LEN_MIN=8
and now I see this:

Can I get test for this please?

[behdad]

Oh, same test case? Ok, let me try.

[behdad]

I still can't get this to work. Can you please update on exact configuration? I used the original file in this report, with hb compiled with -DHB_MAX_NESTING_LEVEL=3 -DHB_BUFFER_MAX_EXPANSION_FACTOR=3 -DHB_BUFFER_MAX_LEN_MIN=8, and tested with hb-fuzzer. The assertion failure doesn't happen.