[webkit-changes] [244125] branches/safari-607-branch

Wed, 10 Apr 2019 10:11:57 -0700

Title: [244125] branches/safari-607-branch
Revision
244125
Author
[email protected]
Date
2019-04-10 10:11:11 -0700 (Wed, 10 Apr 2019)

Log Message

Cherry-pick r243828. rdar://problem/49725673

    Documents can be destroyed before their CSSFontFaceSet is destroyed
    https://bugs.webkit.org/show_bug.cgi?id=195830

    Reviewed by Darin Adler.

    Source/WebCore:

    CSSFontFaceSet has a raw pointer to its owning document. JS can keep the CSSFontFaceSet alive (by using FontFaceSet)
    and can destroy the document at any time. When the document is destroyed, the link between the two objects needs to
    be severed.

    Test: fast/text/font-face-set-destroy-document.html

    * css/CSSFontFace.cpp:
    (WebCore::CSSFontFace::CSSFontFace):
    * css/CSSFontFace.h:
    * css/CSSFontFaceSet.cpp:
    (WebCore::CSSFontFaceSet::CSSFontFaceSet):
    (WebCore::CSSFontFaceSet::ensureLocalFontFacesForFamilyRegistered):
    * css/CSSFontFaceSet.h:
    * css/CSSFontSelector.cpp:
    (WebCore::CSSFontSelector::CSSFontSelector):
    (WebCore::CSSFontSelector::addFontFaceRule):
    * css/CSSFontSelector.h:
    * css/FontFace.cpp:
    (WebCore::FontFace::FontFace):

    LayoutTests:

    * fast/text/font-face-set-destroy-document-expected.html: Added.
    * fast/text/font-face-set-destroy-document.html: Added.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243828 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-607-branch/LayoutTests/ChangeLog (244124 => 244125)


--- branches/safari-607-branch/LayoutTests/ChangeLog	2019-04-10 17:11:08 UTC (rev 244124)
+++ branches/safari-607-branch/LayoutTests/ChangeLog	2019-04-10 17:11:11 UTC (rev 244125)
@@ -1,5 +1,53 @@
 2019-04-09  Alan Coon  <[email protected]>
 
+        Cherry-pick r243828. rdar://problem/49725673
+
+    Documents can be destroyed before their CSSFontFaceSet is destroyed
+    https://bugs.webkit.org/show_bug.cgi?id=195830
+    
+    Reviewed by Darin Adler.
+    
+    Source/WebCore:
+    
+    CSSFontFaceSet has a raw pointer to its owning document. JS can keep the CSSFontFaceSet alive (by using FontFaceSet)
+    and can destroy the document at any time. When the document is destroyed, the link between the two objects needs to
+    be severed.
+    
+    Test: fast/text/font-face-set-destroy-document.html
+    
+    * css/CSSFontFace.cpp:
+    (WebCore::CSSFontFace::CSSFontFace):
+    * css/CSSFontFace.h:
+    * css/CSSFontFaceSet.cpp:
+    (WebCore::CSSFontFaceSet::CSSFontFaceSet):
+    (WebCore::CSSFontFaceSet::ensureLocalFontFacesForFamilyRegistered):
+    * css/CSSFontFaceSet.h:
+    * css/CSSFontSelector.cpp:
+    (WebCore::CSSFontSelector::CSSFontSelector):
+    (WebCore::CSSFontSelector::addFontFaceRule):
+    * css/CSSFontSelector.h:
+    * css/FontFace.cpp:
+    (WebCore::FontFace::FontFace):
+    
+    LayoutTests:
+    
+    * fast/text/font-face-set-destroy-document-expected.html: Added.
+    * fast/text/font-face-set-destroy-document.html: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243828 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-04-03  Myles C. Maxfield  <[email protected]>
+
+            Documents can be destroyed before their CSSFontFaceSet is destroyed
+            https://bugs.webkit.org/show_bug.cgi?id=195830
+
+            Reviewed by Darin Adler.
+
+            * fast/text/font-face-set-destroy-document-expected.html: Added.
+            * fast/text/font-face-set-destroy-document.html: Added.
+
+2019-04-09  Alan Coon  <[email protected]>
+
         Cherry-pick r243786. rdar://problem/49725702
 
     REGRESSION (r238266): Exchange 2013 Outlook Web Access displays partially blank page when creating new e-mail

Added: branches/safari-607-branch/LayoutTests/fast/text/font-face-set-destroy-document-expected.html (0 => 244125)


--- branches/safari-607-branch/LayoutTests/fast/text/font-face-set-destroy-document-expected.html	                        (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/text/font-face-set-destroy-document-expected.html	2019-04-10 17:11:11 UTC (rev 244125)
@@ -0,0 +1,3 @@
+<html>
+This test makes sure FontFaceSets don't access deleted documents. The test passes if there is no crash when running under ASan.
+</html>

Added: branches/safari-607-branch/LayoutTests/fast/text/font-face-set-destroy-document.html (0 => 244125)


--- branches/safari-607-branch/LayoutTests/fast/text/font-face-set-destroy-document.html	                        (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/text/font-face-set-destroy-document.html	2019-04-10 17:11:11 UTC (rev 244125)
@@ -0,0 +1,15 @@
+<html>
+This test makes sure FontFaceSets don't access deleted documents. The test passes if there is no crash when running under ASan.
+<script>
+
+d = document.implementation.createDocument(null, '');
+f = new FontFace('f', 'local(F)', {});
+ffs = d.fonts;
+delete d;
+// gc();
+GCController.collect();
+
+// trigger use after free
+ffs.add(f);
+</script>
+</html>

Modified: branches/safari-607-branch/Source/WebCore/ChangeLog (244124 => 244125)


--- branches/safari-607-branch/Source/WebCore/ChangeLog	2019-04-10 17:11:08 UTC (rev 244124)
+++ branches/safari-607-branch/Source/WebCore/ChangeLog	2019-04-10 17:11:11 UTC (rev 244125)
@@ -1,5 +1,70 @@
 2019-04-09  Alan Coon  <[email protected]>
 
+        Cherry-pick r243828. rdar://problem/49725673
+
+    Documents can be destroyed before their CSSFontFaceSet is destroyed
+    https://bugs.webkit.org/show_bug.cgi?id=195830
+    
+    Reviewed by Darin Adler.
+    
+    Source/WebCore:
+    
+    CSSFontFaceSet has a raw pointer to its owning document. JS can keep the CSSFontFaceSet alive (by using FontFaceSet)
+    and can destroy the document at any time. When the document is destroyed, the link between the two objects needs to
+    be severed.
+    
+    Test: fast/text/font-face-set-destroy-document.html
+    
+    * css/CSSFontFace.cpp:
+    (WebCore::CSSFontFace::CSSFontFace):
+    * css/CSSFontFace.h:
+    * css/CSSFontFaceSet.cpp:
+    (WebCore::CSSFontFaceSet::CSSFontFaceSet):
+    (WebCore::CSSFontFaceSet::ensureLocalFontFacesForFamilyRegistered):
+    * css/CSSFontFaceSet.h:
+    * css/CSSFontSelector.cpp:
+    (WebCore::CSSFontSelector::CSSFontSelector):
+    (WebCore::CSSFontSelector::addFontFaceRule):
+    * css/CSSFontSelector.h:
+    * css/FontFace.cpp:
+    (WebCore::FontFace::FontFace):
+    
+    LayoutTests:
+    
+    * fast/text/font-face-set-destroy-document-expected.html: Added.
+    * fast/text/font-face-set-destroy-document.html: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243828 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-04-03  Myles C. Maxfield  <[email protected]>
+
+            Documents can be destroyed before their CSSFontFaceSet is destroyed
+            https://bugs.webkit.org/show_bug.cgi?id=195830
+
+            Reviewed by Darin Adler.
+
+            CSSFontFaceSet has a raw pointer to its owning document. JS can keep the CSSFontFaceSet alive (by using FontFaceSet)
+            and can destroy the document at any time. When the document is destroyed, the link between the two objects needs to
+            be severed.
+
+            Test: fast/text/font-face-set-destroy-document.html
+
+            * css/CSSFontFace.cpp:
+            (WebCore::CSSFontFace::CSSFontFace):
+            * css/CSSFontFace.h:
+            * css/CSSFontFaceSet.cpp:
+            (WebCore::CSSFontFaceSet::CSSFontFaceSet):
+            (WebCore::CSSFontFaceSet::ensureLocalFontFacesForFamilyRegistered):
+            * css/CSSFontFaceSet.h:
+            * css/CSSFontSelector.cpp:
+            (WebCore::CSSFontSelector::CSSFontSelector):
+            (WebCore::CSSFontSelector::addFontFaceRule):
+            * css/CSSFontSelector.h:
+            * css/FontFace.cpp:
+            (WebCore::FontFace::FontFace):
+
+2019-04-09  Alan Coon  <[email protected]>
+
         Cherry-pick r243786. rdar://problem/49725702
 
     REGRESSION (r238266): Exchange 2013 Outlook Web Access displays partially blank page when creating new e-mail

Modified: branches/safari-607-branch/Source/WebCore/css/CSSFontFace.h (244124 => 244125)


--- branches/safari-607-branch/Source/WebCore/css/CSSFontFace.h	2019-04-10 17:11:08 UTC (rev 244124)
+++ branches/safari-607-branch/Source/WebCore/css/CSSFontFace.h	2019-04-10 17:11:11 UTC (rev 244125)
@@ -189,7 +189,7 @@
     FontLoadingBehavior m_loadingBehavior { FontLoadingBehavior::Auto };
 
     Vector<std::unique_ptr<CSSFontFaceSource>, 0, CrashOnOverflow, 0> m_sources;
-    RefPtr<CSSFontSelector> m_fontSelector;
+    RefPtr<CSSFontSelector> m_fontSelector; // FIXME: https://bugs.webkit.org/show_bug.cgi?id=196437 There's a retain cycle: CSSFontSelector -> CSSFontFaceSet -> CSSFontFace -> CSSFontSelector
     RefPtr<StyleRuleFontFace> m_cssConnection;
     HashSet<Client*> m_clients;
     WeakPtr<FontFace> m_wrapper;

Modified: branches/safari-607-branch/Source/WebCore/css/CSSFontFaceSet.cpp (244124 => 244125)


--- branches/safari-607-branch/Source/WebCore/css/CSSFontFaceSet.cpp	2019-04-10 17:11:08 UTC (rev 244124)
+++ branches/safari-607-branch/Source/WebCore/css/CSSFontFaceSet.cpp	2019-04-10 17:11:11 UTC (rev 244125)
@@ -42,7 +42,7 @@
 namespace WebCore {
 
 CSSFontFaceSet::CSSFontFaceSet(CSSFontSelector* owningFontSelector)
-    : m_owningFontSelector(owningFontSelector)
+    : m_owningFontSelector(makeWeakPtr(owningFontSelector))
 {
 }
 
@@ -113,7 +113,7 @@
 
     Vector<Ref<CSSFontFace>> faces;
     for (auto item : capabilities) {
-        Ref<CSSFontFace> face = CSSFontFace::create(m_owningFontSelector, nullptr, nullptr, true);
+        Ref<CSSFontFace> face = CSSFontFace::create(m_owningFontSelector.get(), nullptr, nullptr, true);
         
         Ref<CSSValueList> familyList = CSSValueList::createCommaSeparated();
         familyList->append(CSSValuePool::singleton().createFontFamilyValue(familyName));

Modified: branches/safari-607-branch/Source/WebCore/css/CSSFontFaceSet.h (244124 => 244125)


--- branches/safari-607-branch/Source/WebCore/css/CSSFontFaceSet.h	2019-04-10 17:11:08 UTC (rev 244124)
+++ branches/safari-607-branch/Source/WebCore/css/CSSFontFaceSet.h	2019-04-10 17:11:11 UTC (rev 244125)
@@ -120,7 +120,7 @@
     size_t m_facesPartitionIndex { 0 }; // All entries in m_faces before this index are CSS-connected.
     Status m_status { Status::Loaded };
     HashSet<CSSFontFaceSetClient*> m_clients;
-    CSSFontSelector* m_owningFontSelector;
+    WeakPtr<CSSFontSelector> m_owningFontSelector;
     unsigned m_activeCount { 0 };
 };

Modified: branches/safari-607-branch/Source/WebCore/css/CSSFontSelector.h (244124 => 244125)


--- branches/safari-607-branch/Source/WebCore/css/CSSFontSelector.h	2019-04-10 17:11:08 UTC (rev 244124)
+++ branches/safari-607-branch/Source/WebCore/css/CSSFontSelector.h	2019-04-10 17:11:11 UTC (rev 244125)
@@ -47,7 +47,7 @@
 class Document;
 class StyleRuleFontFace;
 
-class CSSFontSelector final : public FontSelector, public CSSFontFaceSetClient {
+class CSSFontSelector final : public FontSelector, public CSSFontFaceSetClient, public CanMakeWeakPtr<CSSFontSelector> {
 public:
     static Ref<CSSFontSelector> create(Document& document)
     {

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to