Title: [265432] trunk/Source/WebCore
- Revision
- 265432
- Author
- [email protected]
- Date
- 2020-08-10 09:41:47 -0700 (Mon, 10 Aug 2020)
Log Message
Return values of FontDatabase::collectionForFamily are not thread safe
https://bugs.webkit.org/show_bug.cgi?id=215320
<rdar://problem/66502539>
Reviewed by Anders Carlsson.
Font prewarming can add new entries to m_familyNameToFontDescriptors while lookups are being made.
Access to it is protected by a lock.
However, if the hashmap ends up rehashing, the pointer returned from collectionForFamily may become invalid.
This can result in a crash later under findClosestFont.
* platform/graphics/cocoa/FontCacheCoreText.cpp:
(WebCore::FontDatabase::collectionForFamily):
Heap allocate the hashmap values so they stay valid over hashtable mutations.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (265431 => 265432)
--- trunk/Source/WebCore/ChangeLog 2020-08-10 16:31:38 UTC (rev 265431)
+++ trunk/Source/WebCore/ChangeLog 2020-08-10 16:41:47 UTC (rev 265432)
@@ -1,3 +1,22 @@
+2020-08-10 Antti Koivisto <[email protected]>
+
+ Return values of FontDatabase::collectionForFamily are not thread safe
+ https://bugs.webkit.org/show_bug.cgi?id=215320
+ <rdar://problem/66502539>
+
+ Reviewed by Anders Carlsson.
+
+ Font prewarming can add new entries to m_familyNameToFontDescriptors while lookups are being made.
+ Access to it is protected by a lock.
+
+ However if the hashmap ends up rehashing, the pointer returned from collectionForFamily may end up becoming invalid.
+ This can result in a crash later under findClosestFont.
+
+ * platform/graphics/cocoa/FontCacheCoreText.cpp:
+ (WebCore::FontDatabase::collectionForFamily):
+
+ Heap allocate the hashmap values so they stay valid over hashtable mutations.
+
2020-08-09 Said Abou-Hallawa <[email protected]>
[macOS] Drag/drop an image of a unsupported format to an file input element should convert it to a supported format
Modified: trunk/Source/WebCore/platform/graphics/cocoa/FontCacheCoreText.cpp (265431 => 265432)
--- trunk/Source/WebCore/platform/graphics/cocoa/FontCacheCoreText.cpp 2020-08-10 16:31:38 UTC (rev 265431)
+++ trunk/Source/WebCore/platform/graphics/cocoa/FontCacheCoreText.cpp 2020-08-10 16:41:47 UTC (rev 265432)
@@ -889,6 +889,8 @@
};
struct InstalledFontFamily {
+ WTF_MAKE_STRUCT_FAST_ALLOCATED;
+
InstalledFontFamily() = default;
explicit InstalledFontFamily(Vector<InstalledFont>&& installedFonts)
@@ -924,7 +926,7 @@
auto locker = holdLock(m_familyNameToFontDescriptorsLock);
auto it = m_familyNameToFontDescriptors.find(folded);
if (it != m_familyNameToFontDescriptors.end())
- return it->value;
+ return *it->value;
}
auto installedFontFamily = [&] {
@@ -942,13 +944,13 @@
InstalledFont installedFont(static_cast<CTFontDescriptorRef>(CFArrayGetValueAtIndex(matches.get(), i)), m_allowUserInstalledFonts);
result.uncheckedAppend(WTFMove(installedFont));
}
- return InstalledFontFamily(WTFMove(result));
+ return makeUnique<InstalledFontFamily>(WTFMove(result));
}
- return InstalledFontFamily();
+ return makeUnique<InstalledFontFamily>();
}();
auto locker = holdLock(m_familyNameToFontDescriptorsLock);
- return m_familyNameToFontDescriptors.add(folded.isolatedCopy(), WTFMove(installedFontFamily)).iterator->value;
+ return *m_familyNameToFontDescriptors.add(folded.isolatedCopy(), WTFMove(installedFontFamily)).iterator->value;
}
const InstalledFont& fontForPostScriptName(const AtomString& postScriptName)
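Review bot: Heap-allocating the value makes the reference returned by `return *m_familyNameToFontDescriptors.add(folded.isolatedCopy(), WTFMove(installedFontFamily)).iterator->value;` (and the early `return *it->value;` in the preceding hunk) survive a rehash, but not removal of the entry: if m_familyNameToFontDescriptors is ever cleared or an entry erased while a caller still holds the reference, it dangles exactly as before. I cannot see from these hunks whether removal happens, so the lifetime contract should at least be stated where the reference is handed out, e.g. `// Values are heap allocated so the returned reference stays valid across rehashing; entries must not be removed while callers may still hold it.` Note also that the lock is released before the returned object is used, which is only safe while InstalledFontFamily is immutable after insertion. The enclosing function collectionForFamily begins before this hunk and its signature is outside the view.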
@@ -986,7 +988,7 @@
}
Lock m_familyNameToFontDescriptorsLock;
- HashMap<String, InstalledFontFamily> m_familyNameToFontDescriptors;
+ HashMap<String, std::unique_ptr<InstalledFontFamily>> m_familyNameToFontDescriptors;
HashMap<String, InstalledFont> m_postScriptNameToFontDescriptors;
AllowUserInstalledFonts m_allowUserInstalledFonts;
};
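Review bot: The reason for the `std::unique_ptr<InstalledFontFamily>` value type is not visible at the declaration, and a future cleanup could plausibly "simplify" it back to a by-value map and reintroduce the dangling reference. A short comment on the member would preserve the intent, e.g. `// Values are heap allocated so references returned by collectionForFamily remain valid when the table rehashes.`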