Closed Bug 586847 Opened 14 years ago Closed 14 years ago

Malformed FeatureNameArray in TTs feat table leads to crash [@TFontFeatures::TFontFeatures()]

Categories

(Core :: Graphics, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
status1.9.2 --- .13-fixed
status1.9.1 --- .16-fixed

People

(Reporter: posidron, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Whiteboard: [sg:vector-critical (Apple)][critsmash:investigating])

Attachments

(2 files)

Attached file callstack (deleted) —
Tag: b'feat'
Checksum: 0x00000a56
Offset: 412/0x0000019c
Length: 156
Table: b'feat'
Number of replaced values: 2
Offset: 61/0x00003d Value: ['ff', 'c4', '40', '0f']
Offset: 100/0x000064 Value: ['80', '00', '00', '00']
[…]
Feature Name Array: 4
Feature: 255
nSettings: 50240
SettingTable: 251658364
FeatureFlags: b'\x80\x00'
NameIndex: b'\x01\x0e'
[…]
The Feature, nSettings and SettingTable fields were overwritten by Value 1.
nSettings = number of records in the setting name array
SettingTable = offset to setting name array (here: out of range)
Note: I was not able to reproduce this bug with Safari or Fontbook.
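As an added illustration (not code from this bug, from Gecko or from OTS), a Python check over an AAT 'feat' table that validates every feature name record's settingTable offset and nSettings against the table length before anything would be read through them, the kind of bounds check a sanitizer performs; the record layout follows Apple's published 'feat' format, and the sample tables below are constructed here, with one record corrupted the way the report describes.

```python
import struct

# AAT 'feat' table layout (big-endian), as documented in Apple's TrueType Reference Manual.
FEAT_HEADER = struct.Struct(">IHHI")    # version, featureNameCount, reserved1, reserved2
FEATURE_NAME = struct.Struct(">HHIHh")  # feature, nSettings, settingTable, featureFlags, nameIndex
SETTING_NAME = struct.Struct(">Hh")     # setting, nameIndex


def check_feat_table(table: bytes) -> list:
    """Return the list of consistency problems in a 'feat' table (empty when it is sane)."""
    problems = []
    if len(table) < FEAT_HEADER.size:
        return ["table shorter than its 12-byte header"]
    version, count, _res1, _res2 = FEAT_HEADER.unpack_from(table, 0)
    if version != 0x00010000:
        problems.append("unexpected feat version 0x%08x" % version)
    if FEAT_HEADER.size + count * FEATURE_NAME.size > len(table):
        problems.append("feature name array (%d entries) runs past table end" % count)
        count = (len(table) - FEAT_HEADER.size) // FEATURE_NAME.size
    for i in range(count):
        feature, n_settings, setting_table, _flags, _name = FEATURE_NAME.unpack_from(
            table, FEAT_HEADER.size + i * FEATURE_NAME.size)
        # The setting name array must lie entirely inside the table before it is dereferenced.
        if setting_table + n_settings * SETTING_NAME.size > len(table):
            problems.append("entry %d (feature %d): settingTable 0x%x with %d settings "
                            "exceeds table length %d"
                            % (i, feature, setting_table, n_settings, len(table)))
    return problems


def build_feat_table(features) -> bytes:
    """Constructed helper: serialise [(feature, [(setting, nameIndex), ...]), ...]."""
    names, settings = bytearray(), bytearray()
    offset = FEAT_HEADER.size + len(features) * FEATURE_NAME.size
    for feature, setting_list in features:
        names += FEATURE_NAME.pack(feature, len(setting_list), offset + len(settings), 0, 0)
        for setting, name_index in setting_list:
            settings += SETTING_NAME.pack(setting, name_index)
    return FEAT_HEADER.pack(0x00010000, len(features), 0, 0) + bytes(names) + bytes(settings)


# Constructed sample: a sane two-feature table, then the same bytes with the first record's
# nSettings/settingTable overwritten with the values quoted in the report (50240, 251658364).
GOOD = build_feat_table([(0, [(0, 256)]), (1, [(0, 257), (1, 258)])])
BAD = bytearray(GOOD)
struct.pack_into(">HI", BAD, FEAT_HEADER.size + 2, 50240, 251658364)
BAD = bytes(BAD)
```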
Attached file testcase (deleted) —
One thing to note on reproducing bugs in Safari, you should try using: body { text-rendering: optimizeLegibility; } This will explicitly cause Safari to use a CoreText codepath closer to our default text rendering codepath. It may or may not cause a crash in the same code but the chances are greater with that property enabled.
Hi John, I did that before posting here but it had no effect (@crash).
A similar crash can be triggered in TextEdit.app by using this font and attempting to open the Typography palette; note that this is also crashing in a TFontFeatures() constructor, called from TBaseFont::CopyFeatures().

Process: TextEdit [80927]
Path: /Applications/TextEdit.app/Contents/MacOS/TextEdit
Identifier: com.apple.TextEdit
Version: 1.6 (264)
Build Info: TextEdit-2640000~1
Code Type: X86-64 (Native)
Parent Process: launchd [240]
Date/Time: 2010-08-13 10:13:21.444 +0100
OS Version: Mac OS X 10.6.4 (10F569)
Report Version: 6
Interval Since Last Report: 23513 sec
Crashes Since Last Report: 3
Per-App Interval Since Last Report: 21 sec
Per-App Crashes Since Last Report: 1
Anonymous UUID: A841BCF6-F4B2-447A-A660-7E0FAC0EFBA8
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000121621218
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 com.apple.CoreText 0x00007fff81d9af76 TFontFeatures::TFontFeatures(CGFont*) + 746
1 com.apple.CoreText 0x00007fff81db0b0f TBaseFont::CopyFeatures() const + 83
2 com.apple.TypographyPanel 0x0000000100325c78 FlipContextForRect + 15281
3 com.apple.TypographyPanel 0x0000000100331cb9 sliderSort + 43238
4 com.apple.TypographyPanel 0x000000010032d8ee sliderSort + 25883
5 com.apple.AppKit 0x00007fff80d832b5 -[NSFontPanel _openExtrasPopup:] + 1640
6 com.apple.AppKit 0x00007fff80b46152 -[NSApplication sendAction:to:from:] + 95
7 com.apple.AppKit 0x00007fff80b460b1 -[NSControl sendAction:to:] + 94
8 com.apple.AppKit 0x00007fff80b46152 -[NSApplication sendAction:to:from:] + 95
9 com.apple.AppKit 0x00007fff80b6a6be -[NSMenuItem _corePerformAction] + 365
10 com.apple.AppKit 0x00007fff80b6a428 -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 121
11 com.apple.AppKit 0x00007fff80dee41d -[NSMenu _internalPerformActionForItemAtIndex:] + 35
12 com.apple.AppKit 0x00007fff80ca0217 -[NSCarbonMenuImpl _carbonCommandProcessEvent:handlerCallRef:] + 136
13 com.apple.AppKit 0x00007fff80b4cc14 NSSLMMenuEventHandler + 321
14 com.apple.HIToolbox 0x00007fff82c5e997 DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*, HandlerCallRec*) + 1002
15 com.apple.HIToolbox 0x00007fff82c5dee6 SendEventToEventTargetInternal(OpaqueEventRef*, OpaqueEventTargetRef*, HandlerCallRec*) + 395
16 com.apple.HIToolbox 0x00007fff82c7bba9 SendEventToEventTarget + 45
17 com.apple.HIToolbox 0x00007fff82caacd1 SendHICommandEvent(unsigned int, HICommand const*, unsigned int, unsigned int, unsigned char, void const*, OpaqueEventTargetRef*, OpaqueEventTargetRef*, OpaqueEventRef**) + 387
18 com.apple.HIToolbox 0x00007fff82cd7b06 SendMenuCommandWithContextAndModifiers + 56
19 com.apple.HIToolbox 0x00007fff82cd7abe SendMenuItemSelectedEvent + 101
20 com.apple.HIToolbox 0x00007fff82cd79be FinishMenuSelection(SelectionData*, MenuResult*, MenuResult*) + 150
21 com.apple.HIToolbox 0x00007fff82de0a75 PopUpMenuSelectCore(MenuData*, Point, double, Point, unsigned short, unsigned int, Rect const*, unsigned short, unsigned int, Rect const*, Rect const*, __CFString const*, OpaqueMenuRef**, unsigned short*) + 1618
22 com.apple.HIToolbox 0x00007fff82de0dce _HandlePopUpMenuSelection7 + 665
23 com.apple.AppKit 0x00007fff80c9d1c9 _NSSLMPopUpCarbonMenu3 + 3710
24 com.apple.AppKit 0x00007fff80e4cd0e -[NSPopUpButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 554
25 com.apple.AppKit 0x00007fff80bd04b5 -[NSControl mouseDown:] + 624
26 com.apple.AppKit 0x00007fff80aea763 -[NSWindow sendEvent:] + 5409
27 com.apple.AppKit 0x00007fff80a1fee2 -[NSApplication sendEvent:] + 4719
28 com.apple.AppKit 0x00007fff809b6922 -[NSApplication run] + 474
29 com.apple.AppKit 0x00007fff809af5f8 NSApplicationMain + 364
30 com.apple.TextEdit 0x0000000100000fb8 0x100000000 + 4024
Whiteboard: [sg:vector-critical (Apple)][critsmash:investigating]
Assignee: nobody → jdaggett
This will be fixed by the OTS sanitizer (bug 527276).
Depends on: CVE-2010-3768
Fixed on trunk and 1.9.2 by the OTS sanitizer.
Assignee: jdaggett → jfkthame
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
QA needs to check this in OS X 10.6.4. It no longer crashes on OS X 10.6.5 with 1.9.2.12.
OTS landed in 1.9.1 as well.
Group: core-security → core-security-release
Group: core-security-release