Title: [277378] trunk
Revision: 277378
Author: [email protected]
Date: 2021-05-12 10:58:17 -0700 (Wed, 12 May 2021)

Log Message

ASSERTION FAILED: m_clients.contains(&client) in CSSFontFace::removeClient via CSSSegmentedFontFace::~CSSSegmentedFontFace()
https://bugs.webkit.org/show_bug.cgi?id=223790

Reviewed by Ryosuke Niwa.

Source/WebCore:

CSSFontFace does not support adding the same client twice as it uses a HashSet to track them. This means that
it's a mistake to call removeClient() more than once. This could happen when specifying the same font
family more than once in a <font-face> element inside an SVG container.

Test: fast/css/svg-font-face-duplicate-crash.html

* css/CSSFontFaceSet.cpp:
(WebCore::CSSFontFaceSet::fontFace): Skip duplicate CSSFontFace's before calling appendFontFace().

LayoutTests:

* fast/css/svg-font-face-duplicate-crash-expected.txt: Added.
* fast/css/svg-font-face-duplicate-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (277377 => 277378)


--- trunk/LayoutTests/ChangeLog	2021-05-12 17:54:07 UTC (rev 277377)
+++ trunk/LayoutTests/ChangeLog	2021-05-12 17:58:17 UTC (rev 277378)
@@ -1,3 +1,13 @@
+2021-05-12  Sergio Villar Senin  <[email protected]>
+
+        ASSERTION FAILED: m_clients.contains(&client) in CSSFontFace::removeClient via CSSSegmentedFontFace::~CSSSegmentedFontFace()
+        https://bugs.webkit.org/show_bug.cgi?id=223790
+
+        Reviewed by Ryosuke Niwa.
+
+        * fast/css/svg-font-face-duplicate-crash-expected.txt: Added.
+        * fast/css/svg-font-face-duplicate-crash.html: Added.
+
 2021-05-12  Ryosuke Niwa  <[email protected]>
 
         REGRESSION: Release assert in SlotAssignment::assignedNodesForSlot via ComposedTreeIterator::traverseNextInShadowTree in Element::insertedIntoAncestor

Added: trunk/LayoutTests/fast/css/svg-font-face-duplicate-crash-expected.txt (0 => 277378)


--- trunk/LayoutTests/fast/css/svg-font-face-duplicate-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/css/svg-font-face-duplicate-crash-expected.txt	2021-05-12 17:58:17 UTC (rev 277378)
@@ -0,0 +1 @@
+Test PASS if it does not ASSERT in Debug.

Added: trunk/LayoutTests/fast/css/svg-font-face-duplicate-crash.html (0 => 277378)


--- trunk/LayoutTests/fast/css/svg-font-face-duplicate-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/css/svg-font-face-duplicate-crash.html	2021-05-12 17:58:17 UTC (rev 277378)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<style>
+body {
+    overflow: hidden -webkit-paged-x;
+}
+</style>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<body>
+<svg>
+    <font>
+	    <font-face font-family="Times,Times"></font-face>
+    </font>
+</svg>
+<p>Test PASS if it does not ASSERT in Debug.</p>
+</body>
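
Review bot: The only input exercised is font-family="Times,Times", where the repeated family names are adjacent, so this test would still pass if a repeat separated by another family were left unhandled. Consider adding a second <font-face> with a different family between the repeats (for example "Times,Helvetica,Times"). The `overflow: hidden -webkit-paged-x;` rule on body has no comment saying why the assertion needs it, and the <font-face> line is indented with a tab while the surrounding lines use spaces.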

Modified: trunk/Source/WebCore/ChangeLog (277377 => 277378)


--- trunk/Source/WebCore/ChangeLog	2021-05-12 17:54:07 UTC (rev 277377)
+++ trunk/Source/WebCore/ChangeLog	2021-05-12 17:58:17 UTC (rev 277378)
@@ -1,3 +1,19 @@
+2021-05-12  Sergio Villar Senin  <[email protected]>
+
+        ASSERTION FAILED: m_clients.contains(&client) in CSSFontFace::removeClient via CSSSegmentedFontFace::~CSSSegmentedFontFace()
+        https://bugs.webkit.org/show_bug.cgi?id=223790
+
+        Reviewed by Ryosuke Niwa.
+
+        CSSFontFace does not support adding the same client twice as it uses a HashSet to track them. This means that
+        it's a mistake to call removeClient() more than once. This could happen when specifying the same font
+        family more than once in a <font-face> element inside a svg container.
+
+        Test: fast/css/svg-font-face-duplicate-crash.html
+
+        * css/CSSFontFaceSet.cpp:
+        (WebCore::CSSFontFaceSet::fontFace): Skip duplicate CSSFontFace's when before calling appendFontFace().
+
 2021-05-12  Chris Dumez  <[email protected]>
 
         Queue notification permission requests for the same origin on WebKit side
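
Review bot: The entry for WebCore::CSSFontFaceSet::fontFace reads "Skip duplicate CSSFontFace's when before calling appendFontFace()"; drop the stray "when". The description would also be more useful if it said that the skip only covers consecutive duplicates, since that is what the code change implements.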

Modified: trunk/Source/WebCore/css/CSSFontFaceSet.cpp (277377 => 277378)


--- trunk/Source/WebCore/css/CSSFontFaceSet.cpp	2021-05-12 17:54:07 UTC (rev 277377)
+++ trunk/Source/WebCore/css/CSSFontFaceSet.cpp	2021-05-12 17:58:17 UTC (rev 277378)
@@ -510,8 +510,13 @@
                 return true;
             return false;
         });
-        for (auto& candidate : candidateFontFaces)
+        CSSFontFace* previousCandidate = nullptr;
+        for (auto& candidate : candidateFontFaces) {
+            if (&candidate.get() == previousCandidate)
+                continue;
+            previousCandidate = &candidate.get();
             face->appendFontFace(candidate.get());
+        }
     }
 
     return face.get();
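
Review bot: The duplicate check in the new loop compares each candidate only with previousCandidate, so a repeated CSSFontFace is skipped only when its two occurrences are adjacent in candidateFontFaces. If the call that closes just above the loop is a sort that guarantees identical entries end up next to each other, state that in a comment above `CSSFontFace* previousCandidate = nullptr;`. If it gives no such guarantee, a repeat separated by another face would still reach appendFontFace() twice and hit the same removeClient() assertion, and tracking the faces already appended in a set would be the more robust check.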