Fix SIGBUS crash on macOS arm64 for any \setmainfont{} call

nadimkobeissi · nadimkobeissi · commit f2837a1bf7bc · 2026-04-12T16:17:40.000+02:00
Tectonic 0.16.x crashes with SIGBUS (exit 138) on macOS arm64 on any `\setmainfont{}` call. This PR fixes the root cause and several additional bugs introduced in the `xetex_layout` Rust port (#1138). ROOT CAUSE `CFArray`'s `Index` implementation (`crates/mac_core/src/array.rs`) was unsound. `CFArrayGetValueAtIndex` returns the stored `CFTypeRef` value directly (i.e., the pointer *is* the value), but the code treated it as a *pointer to* `T` and dereferenced it: ```rust let ptr = CFArrayGetValueAtIndex(...).cast::<T>(); unsafe { &*ptr } // reads CF object internals as a NonNull — garbage ``` When `find_font_with_name` called `matches[0].clone()`, this garbage pointer was passed to `CFRetain`, crashing immediately with `EXC_BAD_ACCESS` in `CFRetain`. FIX Replace the broken `Index<usize>` impl with a `get(index) -> T` method that correctly calls `CFRetain` via `new_borrowed` on the returned `CFTypeRef`. ADDITIONAL FIXES While investigating this issue, I stumbled upon other bugs which I initially thought were causing the problem here with `\setmainfont{}` but weren't. I fixed them anyway: - `c_api.rs`: `Fixed` type on macOS defined as `u32` instead of `i32`, mismatching the C `SInt32` typedef. Negative `scaled_size` values (used by TeX for font probing) became ~65K pt sizes. Changed to `i32`. - `font.rs:277`: AFM file reading used the already-closed main font `handle` instead of `afm_handle`. Changed to `afm_handle`. - `font.rs` (macOS init): Several `.unwrap()` calls could panic across `extern "C"` boundaries (undefined behavior). Replaced with `ok_or(())?` / `.map_err()` error propagation. - `mac_core/font.rs`: `CTFont::new_descriptor` unconditionally unwrapped a potentially-null CoreText return (the original C++ code checked for null). Changed return type to `Option<CTFont>`.
diff --git a/crates/mac_core/src/array.rs b/crates/mac_core/src/array.rs
@@ -1,6 +1,5 @@
 use super::{sys, CoreType};
 use std::marker::PhantomData;
-use std::ops::Index;
 use std::ptr;
 use std::ptr::NonNull;
 
@@ -53,20 +52,22 @@ impl<T: CoreType> CFArray<T> {
     pub fn is_empty(&self) -> bool {
         self.len() == 0
     }
-}
-
-impl<T: CoreType> Index<usize> for CFArray<T> {
-    type Output = T;
 
-    fn index(&self, index: usize) -> &Self::Output {
+    /// Get a borrowed value at the given index. The returned value has its reference count
+    /// incremented and will be released when dropped.
+    ///
+    /// `CFArrayGetValueAtIndex` returns the stored `CFTypeRef` value directly (not a pointer
+    /// to it), so we must construct a new borrowed `T` from it rather than casting to `&T`.
+    pub fn get(&self, index: usize) -> T {
         if index >= self.len() {
             panic!("Index {index} out of bounds for CFArray");
         }
         // SAFETY: Internal pointer is guaranteed valid. Index has been verified in-bounds.
-        let ptr =
-            unsafe { sys::CFArrayGetValueAtIndex(self.0.cast().as_ptr(), index as sys::CFIndex) }
-                .cast::<T>();
-        // SAFETY: API contracts ensure all values are of the correct type and live for our lifetime.
-        unsafe { &*ptr }
+        let value =
+            unsafe { sys::CFArrayGetValueAtIndex(self.0.cast().as_ptr(), index as sys::CFIndex) };
+        // SAFETY: The returned value is a valid CFTypeRef for type T.
+        //         new_borrowed calls CFRetain, giving us ownership of a new reference.
+        let ptr = NonNull::new(value.cast_mut()).unwrap();
+        unsafe { T::new_borrowed(ptr.cast()) }
     }
 }
diff --git a/crates/mac_core/src/font.rs b/crates/mac_core/src/font.rs
@@ -85,7 +85,8 @@ cfty! {
 
 impl CTFont {
     /// Create a new font from a [`CTFontDescriptor`] and a size to render at.
-    pub fn new_descriptor(descriptor: &CTFontDescriptor, size: f64) -> CTFont {
+    /// Returns `None` if CoreText cannot create the font (rare, but possible).
+    pub fn new_descriptor(descriptor: &CTFontDescriptor, size: f64) -> Option<CTFont> {
         // SAFETY: Provided descriptor is guaranteed valid. Any size will work. Null matrix is always
         //         allowed.
         let ptr = unsafe {
@@ -95,9 +96,8 @@ impl CTFont {
                 ptr::null_mut(),
             )
         };
-        let ptr = NonNull::new(ptr.cast_mut()).unwrap();
         // SAFETY: If non-null, pointer from CTFontCreateWithFontDescriptor is a new, owned CTFont.
-        unsafe { CTFont::new_owned(ptr) }
+        NonNull::new(ptr.cast_mut()).map(|ptr| unsafe { CTFont::new_owned(ptr) })
     }
 
     /// Get an attribute of this font, if present
diff --git a/crates/xetex_layout/src/c_api.rs b/crates/xetex_layout/src/c_api.rs
@@ -30,7 +30,7 @@ pub struct GlyphBBox {
 pub type Fixed = i32;
 /// cbindgen:ignore
 #[cfg(target_os = "macos")]
-pub type Fixed = u32;
+pub type Fixed = i32;
 pub type OTTag = u32;
 pub type GlyphID = u16;
 /// cbindgen:ignore
diff --git a/crates/xetex_layout/src/font.rs b/crates/xetex_layout/src/font.rs
@@ -274,7 +274,7 @@ impl Font {
                     let sz = engine.input_get_size(afm_handle);
                     let mut backing_data2 = vec![0; sz];
                     engine
-                        .input_read(handle, &mut backing_data2)
+                        .input_read(afm_handle, &mut backing_data2)
                         .expect("failed to read AFM file");
 
                     self.ft_face().attach_stream_mem(backing_data2).unwrap();
@@ -358,13 +358,15 @@ impl Font {
             CFDictionary::new([(FontAttribute::CascadeList.to_str(), empty_cascade_list)]);
 
         *descriptor = descriptor.copy_with_attrs(&attributes);
-        *font_ref = Some(CTFont::new_descriptor(
-            descriptor,
-            self.point_size as f64 * 72.0 / 72.27,
-        ));
+        *font_ref = Some(
+            CTFont::new_descriptor(descriptor, self.point_size as f64 * 72.0 / 72.27)
+                .ok_or(())?,
+        );
         let mut index = 0;
-        let pathname = get_file_name_from_ct_font(font_ref.as_ref().unwrap(), &mut index).unwrap();
-        self.initialize_ft(pathname.to_str().unwrap(), index as usize)
+        let pathname =
+            get_file_name_from_ct_font(font_ref.as_ref().unwrap(), &mut index).ok_or(())?;
+        let pathname_str = pathname.to_str().map_err(|_| ())?;
+        self.initialize_ft(pathname_str, index as usize)
     }
 
     pub(crate) fn ft_face(&self) -> std::sync::MutexGuard<'_, ft::Face> {
diff --git a/crates/xetex_layout/src/manager/mac.rs b/crates/xetex_layout/src/manager/mac.rs
@@ -21,11 +21,11 @@ fn find_fonts_with_name(name: CFString, key: FontAttribute) -> CFArray<CTFontDes
 fn find_font_with_name(name: CFString, key: FontAttribute) -> Option<CTFontDescriptor> {
     let matches = find_fonts_with_name(name, key);
 
-    let mut matched = None;
     if !matches.is_empty() {
-        matched = Some(matches[0].clone());
+        Some(matches.get(0))
+    } else {
+        None
     }
-    matched
 }
 
 fn append_name_to_list(font: &CTFont, name_list: &mut Vec<CString>, name_key: FontNameKey) {
@@ -48,14 +48,16 @@ impl MacBackend {
 
     fn add_fonts_to_caches(&self, maps: &mut FontMaps, members: CFArray<CTFontDescriptor>) {
         for i in 0..members.len() {
-            let font = &members[i];
+            let font = members.get(i);
             let names = self.read_names(font.clone());
-            maps.add_to_maps(self, font.clone(), &names)
+            maps.add_to_maps(self, font, &names)
         }
     }
 
     fn add_font_and_siblings_to_caches(&self, maps: &mut FontMaps, font: &CTFontDescriptor) {
-        let font = CTFont::new_descriptor(font, 10.0);
+        let Some(font) = CTFont::new_descriptor(font, 10.0) else {
+            return;
+        };
         let attr = font.attr(FontAttribute::FamilyName).unwrap();
         // SAFETY: CFString has no generic parameters
         let family = unsafe { attr.downcast::<CFString>() }.unwrap();
@@ -79,7 +81,9 @@ impl FontManagerBackend for MacBackend {
     fn get_platform_font_desc<'a>(&'a self, font: &'a PlatformFontRef) -> Cow<'a, CStr> {
         let mut path = Cow::Borrowed(c"[unknown]");
 
-        let ct_font = CTFont::new_descriptor(font, 0.0);
+        let Some(ct_font) = CTFont::new_descriptor(font, 0.0) else {
+            return path;
+        };
         let url = ct_font
             .attr(FontAttribute::URL)
             // SAFETY: CFUrl has no generic parameters
@@ -154,7 +158,9 @@ impl FontManagerBackend for MacBackend {
 
         names.ps_name = Some(ps_name.get_cstring());
 
-        let font = CTFont::new_descriptor(&font, 0.0);
+        let Some(font) = CTFont::new_descriptor(&font, 0.0) else {
+            return names;
+        };
         append_name_to_list(&font, &mut names.full_names, FontNameKey::Full);
         append_name_to_list(&font, &mut names.family_names, FontNameKey::Family);
         append_name_to_list(&font, &mut names.style_names, FontNameKey::Style);
