Crashing in ShapeText with CEFGlue on Ubuntu 24.04 #17617

Open
0xJins opened this issue Nov 26, 2024 · 0 comments

0xJins commented Nov 26, 2024

Describe the bug

At an indeterminate time after successfully starting up and loading AvaloniaCefBrowser, an Avalonia UI app running on Linux (Ubuntu 22.04 and 24.04) crashes with the following stack trace:

Thread 1 "Xilium.CefGlue." received signal SIGSEGV, Segmentation fault.
0x0000555555dadea0 in ?? ()
(gdb) bt
#0  0x0000555555dadea0 in ?? ()
#1  0x00007fff746f8aab in hb_face_t::reference_table (tag=<optimized out>, this=<optimized out>)
    at ../src/hb-face.hh:79
#2  hb_face_reference_table (face=<optimized out>, tag=<optimized out>) at ../src/hb-face.cc:411
#3  0x00007fff7474b3ab in hb_sanitize_context_t::reference_table<OT::Layout::GSUB> (
    tableTag=1196643650, face=0x555555daffd0, this=0x7fffffff7420) at ../src/hb-sanitize.hh:500
#4  OT::GSUBGPOS::accelerator_t<OT::Layout::GSUB>::accelerator_t (this=<optimized out>, 
    face=<optimized out>, this=<optimized out>, face=<optimized out>)
    at ../src/OT/Layout/GPOS/../../../hb-ot-layout-gsubgpos.hh:4757
#5  0x00007fff7473cce3 in OT::GSUB_accelerator_t::GSUB_accelerator_t (face=0x555555daffd0, 
    this=0x555555e52cc0) at ../src/OT/Layout/GSUB/GSUB.hh:55
#6  hb_lazy_loader_t<OT::GSUB_accelerator_t, hb_face_lazy_loader_t<OT::GSUB_accelerator_t, 25u>, hb_face_t, 25u, OT::GSUB_accelerator_t>::create (data=<optimized out>) at ../src/hb-machinery.hh:258
#7  hb_data_wrapper_t<hb_face_t, 25u>::call_create<OT::GSUB_accelerator_t, hb_face_lazy_loader_t<OT::GSUB_accelerator_t, 25u> > (this=<optimized out>) at ../src/hb-machinery.hh:158
#8  hb_lazy_loader_t<OT::GSUB_accelerator_t, hb_face_lazy_loader_t<OT::GSUB_accelerator_t, 25u>, hb_face_t, 25u, OT::GSUB_accelerator_t>::get_stored (this=<optimized out>) at ../src/hb-machinery.hh:221
#9  hb_lazy_loader_t<OT::GSUB_accelerator_t, hb_face_lazy_loader_t<OT::GSUB_accelerator_t, 25u>, hb_face_t, 25u, OT::GSUB_accelerator_t>::get (this=<optimized out>) at ../src/hb-machinery.hh:245
#10 hb_lazy_loader_t<OT::GSUB_accelerator_t, hb_face_lazy_loader_t<OT::GSUB_accelerator_t, 25u>, hb_face_t, 25u, OT::GSUB_accelerator_t>::operator-> (this=<optimized out>) at ../src/hb-machinery.hh:205
#11 get_gsubgpos_table (face=0x555555db8d30, table_tag=<optimized out>) at ../src/hb-ot-layout.cc:421
#12 0x00007fff7473e483 in hb_ot_layout_table_find_feature_variations (face=<optimized out>, table_tag=<optimized out>, 
    coords=0x0, num_coords=0, variations_index=0x7fffffff75fc) at ../src/hb-ot-layout.cc:1445
#13 0x00007fff74781a10 in hb_ot_shape_plan_key_t::init (num_coords=0, coords=0x0, face=0x555555db8d30, 
    this=0x7fffffff75fc) at ../src/hb-ot-shape.hh:45
#14 hb_shape_plan_key_t::init (this=0x7fffffff75d0, copy=<optimized out>, face=0x555555db8d30, props=<optimized out>, 
    user_features=<optimized out>, num_user_features=0, coords=0x0, num_coords=0, shaper_list=0x0)
    at ../src/hb-shape-plan.cc:92
#15 0x00007fff7478b728 in hb_shape_plan_create_cached2 (face=0x555555db8d30, props=0x555555e7a2c0, user_features=0x0, 
    num_user_features=0, coords=0x0, num_coords=0, shaper_list=0x0) at ../src/hb-shape-plan.cc:536
#16 0x00007fff74250627 in hb_shape_full ()

I compiled the CefGlue.Demo.Avalonia project and ran it.
The exception is caught at Font.ShapeText first. The app comes from CefGlue.

the clrstack

(lldb) clrstack 
OS Thread Id: 0x84ef (1)
        Child SP               IP Call Site
00007FFFFFFF60D8 0000555556a9a410 [InlinedCallFrame: 00007fffffff60d8] HarfBuzzSharp.HarfBuzzApi.hb_shape_full(IntPtr, IntPtr, HarfBuzzSharp.Feature*, UInt32, Void**)
00007FFFFFFF60D8 00007fff7aea7023 [InlinedCallFrame: 00007fffffff60d8] HarfBuzzSharp.HarfBuzzApi.hb_shape_full(IntPtr, IntPtr, HarfBuzzSharp.Feature*, UInt32, Void**)
00007FFFFFFF60D0 00007FFF7AEA7023 ILStubClass.IL_STUB_PInvoke(IntPtr, IntPtr, HarfBuzzSharp.Feature*, UInt32, Void**)
00007FFFFFFF6160 00007FFF7AEA6BE6 HarfBuzzSharp.Font.Shape(HarfBuzzSharp.Buffer, System.Collections.Generic.IReadOnlyList`1<HarfBuzzSharp.Feature>, System.Collections.Generic.IReadOnlyList`1<System.String>)
00007FFFFFFF6310 00007FFF7AEA657A HarfBuzzSharp.Font.Shape(HarfBuzzSharp.Buffer, HarfBuzzSharp.Feature[])
00007FFFFFFF6340 00007FFF7AEA44C4 Avalonia.Skia.TextShaperImpl.ShapeText(System.ReadOnlyMemory`1<Char>, Avalonia.Media.TextFormatting.TextShaperOptions) [E:\Exploit\AvaloniaUI\Avalonia\src\Skia\Avalonia.Skia\TextShaperImpl.cs @ 46]
00007FFFFFFF66B0 00007FFF7AEA3F8B Avalonia.Media.TextFormatting.TextShaper.ShapeText(System.ReadOnlyMemory`1<Char>, Avalonia.Media.TextFormatting.TextShaperOptions) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Base\Media\TextFormatting\TextShaper.cs @ 45]
00007FFFFFFF6720 00007FFF7AEA3D6D Avalonia.Media.TextFormatting.TextFormatterImpl.ShapeTogether(System.Collections.Generic.IReadOnlyList`1<Avalonia.Media.TextFormatting.UnshapedTextRun>, System.ReadOnlyMemory`1<Char>, Avalonia.Media.TextFormatting.TextShaperOptions, Avalonia.Media.TextFormatting.TextShaper, RentedList`1<Avalonia.Media.TextFormatting.TextRun>) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Base\Media\TextFormatting\TextFormatterImpl.cs @ 372]
00007FFFFFFF6820 00007FFF7AE9599E Avalonia.Media.TextFormatting.TextFormatterImpl.ShapeTextRuns(System.Collections.Generic.IReadOnlyList`1<Avalonia.Media.TextFormatting.TextRun>, Avalonia.Media.TextFormatting.TextParagraphProperties, Avalonia.Media.TextFormatting.FormattingObjectPool, Avalonia.Media.FontManager, Avalonia.Media.FlowDirection ByRef) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Base\Media\TextFormatting\TextFormatterImpl.cs @ 279]
00007FFFFFFF6C20 00007FFF7AE90D5A Avalonia.Media.TextFormatting.TextFormatterImpl.FormatLine(Avalonia.Media.TextFormatting.ITextSource, Int32, Double, Avalonia.Media.TextFormatting.TextParagraphProperties, Avalonia.Media.TextFormatting.TextLineBreak) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Base\Media\TextFormatting\TextFormatterImpl.cs @ 49]
00007FFFFFFF6DB0 00007FFF7AE8F816 Avalonia.Media.TextFormatting.TextLayout.CreateTextLines() [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Base\Media\TextFormatting\TextLayout.cs @ 578]
00007FFFFFFF71F0 00007FFF7AE8F3B9 Avalonia.Media.TextFormatting.TextLayout..ctor(Avalonia.Media.TextFormatting.ITextSource, Avalonia.Media.TextFormatting.TextParagraphProperties, Avalonia.Media.TextTrimming, Double, Double, Int32) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Base\Media\TextFormatting\TextLayout.cs @ 144]
00007FFFFFFF7270 00007FFF7AE8DB3B Avalonia.Controls.TextBlock.CreateTextLayout(System.String) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Controls\TextBlock.cs @ 673]
00007FFFFFFF7410 00007FFF7AE8D444 Avalonia.Controls.Primitives.AccessText.CreateTextLayout(System.String) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Controls\Primitives\AccessText.cs @ 87]
00007FFFFFFF7450 00007FFF7AE8D32B Avalonia.Controls.TextBlock.get_TextLayout() [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Controls\TextBlock.cs @ 191]
00007FFFFFFF74A0 00007FFF7AE8D045 Avalonia.Controls.TextBlock.MeasureOverride(Avalonia.Size) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Controls\TextBlock.cs @ 732]
00007FFFFFFF76C0 00007FFF7AE7ADC9 Avalonia.Layout.Layoutable.MeasureCore(Avalonia.Size) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Base\Layout\Layoutable.cs @ 549]
00007FFFFFFF7970 00007FFF7AC4F3BE Avalonia.Layout.Layoutable.Measure(Avalonia.Size) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Base\Layout\Layoutable.cs @ 378]
00007FFFFFFF7B80 00007FFF7AE7C16D Avalonia.Layout.LayoutHelper.MeasureChild(Avalonia.Layout.Layoutable, Avalonia.Size, Avalonia.Thickness, Avalonia.Thickness) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Base\Layout\LayoutHelper.cs @ 47]
00007FFFFFFF7D20 00007FFF7AE7DAA3 Avalonia.Controls.Presenters.ContentPresenter.MeasureOverride(Avalonia.Size) [E:\Exploit\AvaloniaUI\Avalonia\src\Avalonia.Controls\Presenters\ContentPresenter.cs @ 601]
...

To Reproduce

  1. Just run the CefGlue.Demo.Avalonia project on Ubuntu 24.04

Expected behavior

I'd expect the app to be stable and not crash with this exception intermittently.


Avalonia version

11.0.4 ~11.2

OS

Linux

Additional context

I tried calling ShapeText myself at startup, before loading CefGlue. The problem was fixed.

    // At the top of the file:
    using System;
    using System.Globalization;
    using Avalonia.Media;
    using Avalonia.Media.TextFormatting;

    public override void OnFrameworkInitializationCompleted()
    {
         // Shape a string once, before CefGlue is loaded (workaround).
         FixShapeTextCrash();
         ... 
    }

    private static void FixShapeTextCrash()
    {
        var text = "FixedShapeTextCrashBug\t";
        // Default typeface, 12px em size, bidi level 0, current culture, 100px incremental tab width.
        var options = new TextShaperOptions(Typeface.Default.GlyphTypeface, 12, 0, CultureInfo.CurrentCulture, 100);
        // Forces the HarfBuzz face and shape plan to be created before CefGlue is loaded.
        var shapedBuffer = TextShaper.Current.ShapeText(text.AsMemory().Slice(6), options);
    }

However, when I traced the stack, it seemed to access a wild callback pointer that was registered from hb_face_create_for_tables in the Face's constructor.

    hb_blob_t *reference_table (hb_tag_t tag) const
    {
      hb_blob_t *blob;

      if (unlikely (!reference_table_func))
        return hb_blob_get_empty ();

      blob = reference_table_func (/*Oh, well.*/const_cast<hb_face_t *> (this), tag, user_data);   // crash on this
      if (unlikely (!blob))
        return hb_blob_get_empty ();

      return blob;
    }

If I don't load CefGlue, it seems not to access hb_face_t::reference_table, so it does not call the reference_table_func callback and is able to shape text.

@0xJins 0xJins added the bug label Nov 26, 2024
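The reference_table snippet quoted in the report shows why the NULL check on its own cannot prevent this class of crash: the function pointer is non-null, but the code or user_data it points at may no longer be valid. The following C program is an added illustration, not HarfBuzz code and not part of this issue or of CefGlue. It models the hb_face_create_for_tables contract in miniature: a face owns no table data, only a callback plus user_data, so the component that supplies them (called provider_t here, a hypothetical name) must detach every face it created before it is torn down. tag_t and blob_t are simplified stand-ins for hb_tag_t and hb_blob_t, and the GSUB bytes are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for hb_tag_t and hb_blob_t (constructed for this example). */
typedef uint32_t tag_t;
typedef struct { const uint8_t *data; size_t length; } blob_t;

struct face;
typedef blob_t (*reference_table_func_t)(struct face *face, tag_t tag, void *user_data);

/* Mirrors the two members hb_face_t::reference_table depends on. */
typedef struct face {
    reference_table_func_t reference_table_func;
    void *user_data;
} face_t;

/* Hypothetical provider: stands in for the module or managed object whose
   code and data the callback lives in. It remembers the faces it created. */
#define MAX_FACES 4
typedef struct {
    uint8_t gsub[16];          /* constructed sample "table" */
    face_t *faces[MAX_FACES];
    size_t n_faces;
    bool alive;
} provider_t;

static const blob_t EMPTY_BLOB = { NULL, 0 };

#define TAG(a, b, c, d) (((tag_t)(a) << 24) | ((tag_t)(b) << 16) | ((tag_t)(c) << 8) | (tag_t)(d))
static const tag_t TAG_GSUB = TAG('G', 'S', 'U', 'B');

/* The provider's table callback: only valid while the provider is alive. */
static blob_t provider_reference_table(face_t *face, tag_t tag, void *user_data) {
    provider_t *p = (provider_t *)user_data;
    (void)face;
    if (tag == TAG_GSUB) {
        blob_t b = { p->gsub, sizeof p->gsub };
        return b;
    }
    return EMPTY_BLOB;
}

/* Same shape as hb_face_t::reference_table: the null check covers a face that
   was never given a callback; it cannot detect a callback whose owner is gone. */
blob_t face_reference_table(const face_t *face, tag_t tag) {
    if (!face->reference_table_func)
        return EMPTY_BLOB;
    return face->reference_table_func((face_t *)face, tag, face->user_data);
}

/* Analogue of hb_face_create_for_tables: wire the callback and register the
   face with its provider so teardown can find it. Returns NULL when full. */
face_t *face_create_for_tables(provider_t *p, face_t *storage) {
    if (p->n_faces >= MAX_FACES)
        return NULL;
    storage->reference_table_func = provider_reference_table;
    storage->user_data = p;
    p->faces[p->n_faces++] = storage;
    return storage;
}

/* Teardown that keeps the contract: detach every face before the provider
   goes away, so later shaping takes the "no callback" branch (empty table)
   instead of calling through a dangling pointer. */
void provider_unload(provider_t *p) {
    for (size_t i = 0; i < p->n_faces; i++) {
        p->faces[i]->reference_table_func = NULL;
        p->faces[i]->user_data = NULL;
    }
    p->n_faces = 0;
    p->alive = false;
}

/* Returns 1 if GSUB is reachable through a face created for a provider,
   optionally after that provider has been unloaded. Never dereferences a
   dangling callback in either case. */
int gsub_reachable(int unload_first) {
    provider_t p;
    memset(&p, 0, sizeof p);
    memset(p.gsub, 0xAB, sizeof p.gsub);  /* constructed sample bytes */
    p.alive = true;

    face_t f;
    if (!face_create_for_tables(&p, &f))
        return -1;
    if (unload_first)
        provider_unload(&p);
    return face_reference_table(&f, TAG_GSUB).length > 0 ? 1 : 0;
}

int main(void) {
    printf("GSUB reachable while provider alive: %d\n", gsub_reachable(0));
    printf("GSUB reachable after provider unload: %d\n", gsub_reachable(1));
    return 0;
}
```

The detach step in provider_unload is the part that matters: the consumer of the face (the shaper) cannot tell a live callback from a stale one, so the side that owns the callback's lifetime has to clear it, or keep the provider alive for as long as any face referencing it exists.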