dfrg / swash

Font introspection, complex text shaping and glyph rendering.
Apache License 2.0

"Panic: misaligned pointer reference" in rustc 1.70.0 #38

Closed ruifengx closed 1 year ago

ruifengx commented 1 year ago

I experienced this crash after upgrading rustc to 1.70.0, and I cannot reproduce it using rustc 1.69.0. The crash happens in an iced application (with a dependency on swash 0.1.6).

The full crash log is attached here for your information. It seems there is something wrong about the font parsing process. I tested the application in Windows Sandbox (which comes with only the fonts that Microsoft ships with Windows), so the issue should not be about the custom fonts I installed.

Full crash log

```text
thread 'main' panicked at 'misaligned pointer dereference: address must be a multiple of 0x2 but is 0x25ace2382a5', $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\internal\parse.rs:452:13
stack backtrace:
   0: std::panicking::begin_panic_handler
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library\std\src\panicking.rs:578
   1: core::panicking::panic_fmt
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library\core\src\panicking.rs:67
   2: core::panicking::panic_misaligned_pointer_dereference
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca/library\core\src\panicking.rs:174
   3: swash::internal::parse::impl$9::from_be_data_unchecked
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\internal\parse.rs:452
   4: swash::internal::parse::FromBeData::from_be_data
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\internal\parse.rs:424
   5: swash::internal::parse::Bytes::read
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\internal\parse.rs:55
   6: swash::scale::cff::cff::IndexMetadata::unpack
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\scale\cff\cff.rs:1191
   7: swash::scale::cff::cff::Index::new
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\scale\cff\cff.rs:1226
   8: swash::scale::cff::cff::CffProxy::parse
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\scale\cff\cff.rs:92
   9: swash::scale::cff::cff::CffProxy::from_font
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\scale\cff\cff.rs:54
  10: swash::scale::proxy::ScalerProxy::from_font
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\scale\proxy.rs:28
  11: swash::scale::impl$3::new::closure$0
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\scale\mod.rs:351
  12: swash::cache::FontCache::get >
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\cache.rs:50
  13: swash::scale::ScalerBuilder::new
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\scale\mod.rs:349
  14: swash::scale::ScaleContext::builder
             at $HOME\.cargo\registry\src\mirrors.tuna.tsinghua.edu.cn-df7c3c540f42cdbd\swash-0.1.6\src\scale\mod.rs:325
  15: cosmic_text::swash::swash_image
             at $HOME\.cargo\git\checkouts\cosmic-text-ea4fb601986df06b\b85d6a4\src\swash.rs:32
  16: cosmic_text::swash::SwashCache::get_image_uncached
             at $HOME\.cargo\git\checkouts\cosmic-text-ea4fb601986df06b\b85d6a4\src\swash.rs:115
  17: glyphon::text_render::TextRenderer::prepare_with_depth,core::slice::iter::Iter >,iced_wgpu::text::impl$0::prepare::closur
             at $HOME\.cargo\git\checkouts\glyphon-70ff9ac92aaa9d8a\f145067\src\text_render.rs:103
  18: glyphon::text_render::TextRenderer::prepare,core::slice::iter::Iter >,iced_wgpu::text::impl$0::prepare::closure_env$1> >
             at $HOME\.cargo\git\checkouts\glyphon-70ff9ac92aaa9d8a\f145067\src\text_render.rs:347
  19: iced_wgpu::text::Pipeline::prepare
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\wgpu\src\text.rs:170
  20: iced_wgpu::backend::Backend::prepare_text
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\wgpu\src\backend.rs:141
  21: iced_wgpu::backend::Backend::present
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\wgpu\src\backend.rs:99
  22: iced_wgpu::window::compositor::present,alloc::string::String>
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\wgpu\src\window\compositor.rs:172
  23: iced_renderer::compositor::impl$0::present::closure$0,alloc::string::String>
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\renderer\src\compositor.rs:122
  24: iced_graphics::renderer::Renderer,enum2$ >::with_primitives,enum2$,enum2$,iced_graphics::comp
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\graphics\src\renderer.rs:51
  25: iced_renderer::compositor::impl$0::present,alloc::string::String>
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\renderer\src\compositor.rs:103
  26: iced_winit::application::run_instance::async_fn$0,iced_futures::backend::null::Executor,enum2$ > > >
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\winit\src\application.rs:532
  27: iced_winit::application::run::closure$1,iced_futures::backend::null::Executor,enum2$ > > >
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\winit\src\application.rs:251
  28: winit::platform_impl::platform::event_loop::impl$3::run_return::closure$0,iced_winit::application::run::closure_env$1,iced_futures::backend::null::Executor,enum2$ > >,ref_mut$ > >,dyn$ > >,ref_mut$ >
             at $HOME\.cargo\git\checkouts\winit-57d3141eaf559308\ac1ddfe\src\platform_impl\windows\event_loop\runner.rs:250
  31: core::panic::unwind_safe::impl$23::call_once,winit::platform_impl::platform::event_loop::runner::impl$3::call_event_handler::closure_env$0 > >
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca\library\core\src\panic\unwind_safe.rs:271
  32: std::panicking::try::do_call > >,tuple$<> >
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca\library\std\src\panicking.rs:485
  33: winit::platform_impl::platform::icon::impl$8::clone
  34: std::panicking::try,core::panic::unwind_safe::AssertUnwindSafe > > >
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca\library\std\src\panicking.rs:449
  35: std::panic::catch_unwind > >,tuple$<> >
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca\library\std\src\panic.rs:140
  36: winit::platform_impl::platform::event_loop::runner::EventLoopRunner >::catch_unwind,tuple$<>,winit::platform_impl::platform::event_loop::runner::impl$3::call_event_handler::closure_env$0 > >
             at $HOME\.cargo\git\checkouts\winit-57d3141eaf559308\ac1ddfe\src\platform_impl\windows\event_loop\runner.rs:157
  37: winit::platform_impl::platform::event_loop::runner::EventLoopRunner >::call_event_handler >
             at $HOME\.cargo\git\checkouts\winit-57d3141eaf559308\ac1ddfe\src\platform_impl\windows\event_loop\runner.rs:242
  38: winit::platform_impl::platform::event_loop::runner::EventLoopRunner >::send_event >
             at $HOME\.cargo\git\checkouts\winit-57d3141eaf559308\ac1ddfe\src\platform_impl\windows\event_loop\runner.rs:215
  39: winit::platform_impl::platform::event_loop::WindowData >::send_event >
             at $HOME\.cargo\git\checkouts\winit-57d3141eaf559308\ac1ddfe\src\platform_impl\windows\event_loop.rs:142
  40: winit::platform_impl::platform::event_loop::public_window_callback_inner::closure$0 >
             at $HOME\.cargo\git\checkouts\winit-57d3141eaf559308\ac1ddfe\src\platform_impl\windows\event_loop.rs:1125
  41: core::ops::function::FnOnce::call_once >,tuple$<> >
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca\library\core\src\ops\function.rs:250
  42: core::panic::unwind_safe::impl$23::call_once > >
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca\library\core\src\panic\unwind_safe.rs:271
  43: std::panicking::try::do_call > >,isize>
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca\library\std\src\panicking.rs:485
  44: std::panicking::try::do_catch > >,tuple$ > > >
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca\library\std\src\panicking.rs:449
  46: std::panic::catch_unwind > >,isize>
             at /rustc/90c541806f23a127002de5b4038be731ba1458ca\library\std\src\panic.rs:140
  47: winit::platform_impl::platform::event_loop::runner::EventLoopRunner >::catch_unwind,isize,winit::platform_impl::platform::event_loop::public_window_callback_inner::closure_env$0 > >
             at $HOME\.cargo\git\checkouts\winit-57d3141eaf559308\ac1ddfe\src\platform_impl\windows\event_loop\runner.rs:157
  48: winit::platform_impl::platform::event_loop::public_window_callback_inner >
             at $HOME\.cargo\git\checkouts\winit-57d3141eaf559308\ac1ddfe\src\platform_impl\windows\event_loop.rs:2320
  49: winit::platform_impl::platform::event_loop::public_window_callback >
             at $HOME\.cargo\git\checkouts\winit-57d3141eaf559308\ac1ddfe\src\platform_impl\windows\event_loop.rs:994
  50: DispatchMessageW
  51: DispatchMessageW
  52: GetClassLongW
  53: KiUserCallbackDispatcher
  54: NtUserDispatchMessage
  55: DispatchMessageW
  56: winit::platform_impl::platform::event_loop::EventLoop >::run_return,iced_winit::application::run::closure_env$1,iced_futures::backend::null::Executor,enum2$,iced_winit::application::run::closure_env$1,iced_futures::backend::null::Executor,enum2$,iced_winit::application::run::closure_env$1,iced_futures::backend::null::Executor,enum2$,iced_futures::backend::null::Executor,enum2$ > > >
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\winit\src\application.rs:226
  60: iced::application::Application::run
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\src\application.rs:208
  61: iced::sandbox::Sandbox::run
             at $HOME\.cargo\git\checkouts\iced-f01cba4d5e61fd0a\fcb1b45\src\sandbox.rs:153
```

The crash can be consistently reproduced on my PC with the following simple program:

```rust
use iced::{Element, Sandbox, Settings};
use iced::widget::TextInput;

struct App;

impl Sandbox for App {
    type Message = ();
    fn new() -> Self { App }
    fn title(&self) -> String { "Swash Crash".to_string() }
    fn update(&mut self, _message: Self::Message) {}
    fn view(&self) -> Element<'_, Self::Message> {
        TextInput::new("Placeholder", "Value").into()
    }
}

fn main() -> iced::Result { App::run(Settings::default()) }
```

with the following Cargo.toml configuration (to use iced master):

```toml
[dependencies.iced]
git = "https://github.com/iced-rs/iced.git"
rev = "fcb1b454368638209862aeb5db41bc5f7d6d51a7"
```

I have already filed iced-rs/iced#1905, but I feel that this is more related to swash, so I also file a copy here.

ruifengx commented 1 year ago

Update: this crash cannot be reproduced using the latest version of swash (0.1.8). However, this might still be an interesting case to investigate (if it is not already known), because usually upgrading the compiler should not change program semantics.

Rodrigodd commented 1 year ago

Appears to be a duplicate of #34.

> because usually upgrading the compiler should not change program semantics.

In this case in particular, the program contained undefined behaviour, whose semantics may indeed change between versions.

ruifengx commented 1 year ago

Indeed, it looks like the compiler managed to exploit a previously-unnoticed UB. Since it is already known and fixed in the latest version, I will close this issue now. Thanks for your explanation.
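
The class of bug this thread describes, as an added example that is not part of the original thread and is not swash's code: reading a big-endian `u16` out of a font byte buffer by casting the byte pointer, next to two sound replacements. All function names and the `SAMPLE` bytes are constructed for illustration.

```rust
// Added illustration; the function names and SAMPLE bytes are constructed, not swash's code.
use std::mem::align_of;

static SAMPLE: [u8; 6] = [0x00, 0x01, 0x02, 0x03, 0x04, 0x05];

/// Unsound: dereferences a byte pointer as `*const u16`. At an odd address this is
/// undefined behaviour; builds with debug assertions panic on it since rustc 1.70.
#[allow(dead_code)]
unsafe fn read_u16_be_unsound(data: &[u8], offset: usize) -> u16 {
    unsafe { u16::from_be(*(data.as_ptr().add(offset) as *const u16)) }
}

/// True if the cast above would yield a correctly aligned `*const u16`.
fn is_u16_aligned(data: &[u8], offset: usize) -> bool {
    (data.as_ptr() as usize).wrapping_add(offset) % align_of::<u16>() == 0
}

/// Sound: bounds-checked and byte-wise, so alignment never matters.
fn read_u16_be(data: &[u8], offset: usize) -> Option<u16> {
    let bytes = data.get(offset..offset.checked_add(2)?)?;
    Some(u16::from_be_bytes([bytes[0], bytes[1]]))
}

/// Sound, keeping the raw-pointer style: `read_unaligned` has no alignment requirement.
fn read_u16_be_unaligned(data: &[u8], offset: usize) -> Option<u16> {
    if offset.checked_add(2)? > data.len() {
        return None;
    }
    // SAFETY: offset..offset + 2 was bounds-checked just above.
    let raw = unsafe { data.as_ptr().add(offset).cast::<u16>().read_unaligned() };
    Some(u16::from_be(raw))
}

fn main() {
    // The unsound reader is deliberately never called.
    for offset in 0..SAMPLE.len() {
        println!(
            "offset {offset}: aligned={} safe={:?} unaligned={:?}",
            is_u16_aligned(&SAMPLE, offset),
            read_u16_be(&SAMPLE, offset),
            read_u16_be_unaligned(&SAMPLE, offset),
        );
    }
}
```

Offsets inside a font table are set by the file, so any fixed-width read through a cast pointer can land on an odd address like the `0x25ace2382a5` in the panic message above.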