Revision 281304
Author [email protected]
Date 2021-08-20 02:22:42 -0700 (Fri, 20 Aug 2021)
Log Message
Merge r275189 - REGRESSION(r274992): Nullptr crash in FontCache::retrieveOrAddCachedFonts
https://bugs.webkit.org/show_bug.cgi?id=223858
<rdar://75883697>
Reviewed by Darin Adler and Ryosuke Niwa.
Source/WebCore:
Stop using a hash as key in the FontCascadeCache. Instead, use HashTraits and use
FontCascadeCacheKey as key.
Test: fonts/font-cache-crash.html
* platform/graphics/FontCache.cpp:
(WebCore::FontCache::retrieveOrAddCachedFonts):
(WTF::FontCascadeCacheKeyHash::hash):
* platform/graphics/FontCache.h:
(WebCore::FontCascadeCacheKey::operator== const):
(WTF::FontCascadeCacheKeyHash::equal):
(WTF::HashTraits<WebCore::FontCascadeCacheKey>::emptyValue):
(WTF::HashTraits<WebCore::FontCascadeCacheKey>::constructDeletedValue):
(WTF::HashTraits<WebCore::FontCascadeCacheKey>::isDeletedValue):
LayoutTests:
Add layout test coverage.
* fonts/font-cache-crash-expected.txt: Added.
* fonts/font-cache-crash.html: Added.
Modified Paths
releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog
releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog
releases/WebKitGTK/webkit-2.32/Source/WebCore/platform/graphics/FontCache.cpp
releases/WebKitGTK/webkit-2.32/Source/WebCore/platform/graphics/FontCache.h
Added Paths
releases/WebKitGTK/webkit-2.32/LayoutTests/fonts/font-cache-crash-expected.txt
releases/WebKitGTK/webkit-2.32/LayoutTests/fonts/font-cache-crash.html
Diff
Modified: releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog (281303 => 281304)
--- releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog 2021-08-20 09:19:45 UTC (rev 281303)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog 2021-08-20 09:22:42 UTC (rev 281304)
@@ -1,3 +1,16 @@
+2021-03-29 Chris Dumez <[email protected]>
+
+ REGRESSION(r274992): Nullptr crash in FontCache::retrieveOrAddCachedFonts
+ https://bugs.webkit.org/show_bug.cgi?id=223858
+ <rdar://75883697>
+
+ Reviewed by Darin Adler and Ryosuke Niwa.
+
+ Add layout test coverage.
+
+ * fonts/font-cache-crash-expected.txt: Added.
+ * fonts/font-cache-crash.html: Added.
+
2021-03-22 Venky Dass <[email protected]>
Nullptr crash in WebCore::RenderObject::RenderObjectBitfields::isLineBreak() where a NULL check is missing.
Added: releases/WebKitGTK/webkit-2.32/LayoutTests/fonts/font-cache-crash-expected.txt (0 => 281304)
--- releases/WebKitGTK/webkit-2.32/LayoutTests/fonts/font-cache-crash-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/fonts/font-cache-crash-expected.txt 2021-08-20 09:22:42 UTC (rev 281304)
@@ -0,0 +1 @@
+This test passes if it does not crash.
Added: releases/WebKitGTK/webkit-2.32/LayoutTests/fonts/font-cache-crash.html (0 => 281304)
--- releases/WebKitGTK/webkit-2.32/LayoutTests/fonts/font-cache-crash.html (rev 0)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/fonts/font-cache-crash.html 2021-08-20 09:22:42 UTC (rev 281304)
@@ -0,0 +1,23 @@
+<html lang="en">
+<head>
+<style></style>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ _onload_ = () => {
+ internals.settings.setShouldEnableTextAutosizingBoost(true);
+ document.styleSheets[0].insertRule(`:last-child { font-feature-settings: "smcp" on, "c2sc" on, "pcap" off, "c2pc" off, "unic" off, "titl" off; }`);
+ document.styleSheets[0].insertRule(`:last-child { all: inherit; }`);
+ document.styleSheets[0].insertRule(`:first-of-type { zoom: 10; }`);
+ document.body.offsetTop;
+ document.styleSheets[0].insertRule(`* { font-weight: calc(150 + 50); }`);
+ document.body.offsetTop;
+ document.styleSheets[0].insertRule(`* { writing-mode: vertical-lr; }`);
+ };
+</script>
+</head>
+<body>
+<p>This test passes if it does not crash.</p>
+</body>
+</html>
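Review bot: the load handler calls `internals.settings.setShouldEnableTextAutosizingBoost(true)` with no `window.internals` guard, while the `testRunner` call above it is guarded; outside the test harness that first statement throws a ReferenceError and none of the `insertRule` calls that actually reproduce the crash ever run. Suggest `if (window.internals) internals.settings.setShouldEnableTextAutosizingBoost(true);` so the page still exercises the style-invalidation sequence in a plain browser. As rendered here the handler is assigned to `_onload_`, which is not an event handler property and would never fire; if that is not an artifact of the commit viewer, the assignment should be to `onload`.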
Modified: releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog (281303 => 281304)
--- releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog 2021-08-20 09:19:45 UTC (rev 281303)
+++ releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog 2021-08-20 09:22:42 UTC (rev 281304)
@@ -1,3 +1,26 @@
+2021-03-29 Chris Dumez <[email protected]>
+
+ REGRESSION(r274992): Nullptr crash in FontCache::retrieveOrAddCachedFonts
+ https://bugs.webkit.org/show_bug.cgi?id=223858
+ <rdar://75883697>
+
+ Reviewed by Darin Adler and Ryosuke Niwa.
+
+ Stop using a hash as key in the FontCascadeCache. Instead, use HashTraits and use
+ FontCascadeCacheKey as key.
+
+ Test: fonts/font-cache-crash.html
+
+ * platform/graphics/FontCache.cpp:
+ (WebCore::FontCache::retrieveOrAddCachedFonts):
+ (WTF::FontCascadeCacheKeyHash::hash):
+ * platform/graphics/FontCache.h:
+ (WebCore::FontCascadeCacheKey::operator== const):
+ (WTF::FontCascadeCacheKeyHash::equal):
+ (WTF::HashTraits<WebCore::FontCascadeCacheKey>::emptyValue):
+ (WTF::HashTraits<WebCore::FontCascadeCacheKey>::constructDeletedValue):
+ (WTF::HashTraits<WebCore::FontCascadeCacheKey>::isDeletedValue):
+
2021-03-29 Ian Gilbert <[email protected]>
Make a Ref to HTMLPlugInElement when resolving callback
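Review bot: the function list in this entry does not match what the header actually adds. It names `WebCore::FontCascadeCacheKey::operator== const` and `WTF::HashTraits<WebCore::FontCascadeCacheKey>::emptyValue`, `constructDeletedValue` and `isDeletedValue`, but the patch adds a free `bool operator==(const FontCascadeCacheKey&, const FontCascadeCacheKey&)` and a `FontCascadeCacheKeyHashTraits` struct deriving from `WTF::GenericHashTraits`, not a `WTF::HashTraits` specialization or a member operator. Regenerate the entry so it names the traits struct and the free operator as defined; the list is what people grep when tracing this crash later.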
Modified: releases/WebKitGTK/webkit-2.32/Source/WebCore/platform/graphics/FontCache.cpp (281303 => 281304)
--- releases/WebKitGTK/webkit-2.32/Source/WebCore/platform/graphics/FontCache.cpp 2021-08-20 09:19:45 UTC (rev 281303)
+++ releases/WebKitGTK/webkit-2.32/Source/WebCore/platform/graphics/FontCache.cpp 2021-08-20 09:22:42 UTC (rev 281304)
@@ -403,7 +403,7 @@
platformPurgeInactiveFontData();
}
-static bool keysMatch(const FontCascadeCacheKey& a, const FontCascadeCacheKey& b)
+bool operator==(const FontCascadeCacheKey& a, const FontCascadeCacheKey& b)
{
if (a.fontDescriptionKey != b.fontDescriptionKey)
return false;
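Review bot: `operator==` now doubles as `FontCascadeCacheKeyHash::equal`, so it must compare exactly the fields that `FontCascadeCacheKeyHash::hash` feeds into the hasher (fontDescriptionKey, fontSelectorId, fontSelectorVersion, families); otherwise two keys can compare equal yet hash differently and lookups miss. Only the `fontDescriptionKey` comparison is visible in this hunk and the rest of the body is unchanged context outside it, so please confirm the elided lines cover the other three fields and nothing more. Turning `static bool keysMatch` into a non-static `operator==` also gives it external linkage, which is intended since the header now declares it, but the definition must stay inside `namespace WebCore` for the declaration and definition to match.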
@@ -419,6 +419,18 @@
return true;
}
+unsigned FontCascadeCacheKeyHash::hash(const FontCascadeCacheKey& key)
+{
+ // FIXME: Should hash the key and the family name characters rather than making a hash out of other hashes.
+ Hasher hasher;
+ add(hasher, key.fontDescriptionKey.computeHash());
+ add(hasher, key.fontSelectorId);
+ add(hasher, key.fontSelectorVersion);
+ for (auto& family : key.families)
+ add(hasher, family.isNull() ? 0 : WebCore::FontCascadeDescription::familyNameHash(family));
+ return hasher.hash();
+}
+
void FontCache::invalidateFontCascadeCache()
{
m_fontCascadeCache.clear();
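Review bot: the FIXME about hashing a hash of hashes is carried over verbatim from the removed `computeFontCascadeCacheHash`, so hash quality is unchanged; what the rewrite fixes is that the hash is no longer the map key, so a collision now costs an extra probe instead of aliasing a different entry. Null families are hashed as `0`, which is only acceptable because `equal`, not the hash, decides identity; a one-line comment saying so would stop someone "fixing" it. The fully qualified `WebCore::FontCascadeDescription::familyNameHash` is also inconsistent with the unqualified `FontCache::invalidateFontCascadeCache` two lines below inside the same `namespace WebCore`; drop the prefix.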
@@ -443,20 +455,6 @@
return key;
}
-static unsigned computeFontCascadeCacheHash(const FontCascadeCacheKey& key)
-{
- // FIXME: Should hash the key and the family name characters rather than making a hash out of other hashes.
- IntegerHasher hasher;
- hasher.add(key.fontDescriptionKey.computeHash());
- hasher.add(key.fontSelectorId);
- hasher.add(key.fontSelectorVersion);
- for (unsigned i = 0; i < key.families.size(); ++i) {
- auto& family = key.families[i];
- hasher.add(family.isNull() ? 0 : FontCascadeDescription::familyNameHash(family));
- }
- return hasher.hash();
-}
-
void FontCache::pruneUnreferencedEntriesFromFontCascadeCache()
{
m_fontCascadeCache.removeIf([](auto& entry) {
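Review bot: the removed function is reproduced above as `FontCascadeCacheKeyHash::hash` with `IntegerHasher` swapped for `Hasher` and the index loop replaced by a range-for, so the hashed fields are identical. The resulting hash values differ, but nothing persisted the old ones, so there is no compatibility concern; the only behavioural change is the one in the keying below.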
@@ -473,10 +471,8 @@
Ref<FontCascadeFonts> FontCache::retrieveOrAddCachedFonts(const FontCascadeDescription& fontDescription, RefPtr<FontSelector>&& fontSelector)
{
auto key = makeFontCascadeCacheKey(fontDescription, fontSelector.get());
-
- unsigned hash = computeFontCascadeCacheHash(key);
- auto addResult = m_fontCascadeCache.add(hash, nullptr);
- if (!addResult.isNewEntry && keysMatch(addResult.iterator->value->key, key))
+ auto addResult = m_fontCascadeCache.add(key, nullptr);
+ if (!addResult.isNewEntry)
return addResult.iterator->value->fonts.get();
auto& newEntry = addResult.iterator->value;
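Review bot: the hit path still dereferences `addResult.iterator->value` with no null check, and the map is populated with `nullptr` first and `newEntry` filled in afterwards. That is safe only if nothing between `m_fontCascadeCache.add(key, nullptr)` and the assignment to `newEntry` can re-enter `retrieveOrAddCachedFonts` with an equal key or run `pruneUnreferencedEntriesFromFontCascadeCache`, whose `removeIf` lambda presumably inspects each entry's `value`. Consider `ASSERT(addResult.iterator->value)` on the hit path, or constructing the entry before inserting it, so a re-entrancy regression fails loudly rather than as another nullptr crash. The keying change itself does remove the old failure mode in which a hash collision made `keysMatch` fail and the code fell through to overwrite the colliding entry.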
Modified: releases/WebKitGTK/webkit-2.32/Source/WebCore/platform/graphics/FontCache.h (281303 => 281304)
--- releases/WebKitGTK/webkit-2.32/Source/WebCore/platform/graphics/FontCache.h 2021-08-20 09:19:45 UTC (rev 281303)
+++ releases/WebKitGTK/webkit-2.32/Source/WebCore/platform/graphics/FontCache.h 2021-08-20 09:22:42 UTC (rev 281304)
@@ -37,6 +37,7 @@
#include <array>
#include <limits.h>
#include <wtf/Forward.h>
+#include <wtf/HashTraits.h>
#include <wtf/ListHashSet.h>
#include <wtf/RefPtr.h>
#include <wtf/Vector.h>
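Review bot: the traits added further down use `std::numeric_limits<unsigned>::max()`, which is declared in `<limits>`, but this include list has only the C header `<limits.h>`. Either add `#include <limits>` here or use `UINT_MAX`, which `<limits.h>` already provides; relying on a transitive include through `wtf/HashTraits.h` is fragile.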
@@ -183,6 +184,8 @@
unsigned fontSelectorVersion;
};
+bool operator==(const FontCascadeCacheKey&, const FontCascadeCacheKey&);
+
struct FontCascadeCacheEntry {
WTF_MAKE_FAST_ALLOCATED;
public:
@@ -194,9 +197,20 @@
Ref<FontCascadeFonts> fonts;
};
-// FIXME: Should make hash traits for FontCascadeCacheKey instead of using a hash as the key (so we hash a hash).
-typedef HashMap<unsigned, std::unique_ptr<FontCascadeCacheEntry>, AlreadyHashed> FontCascadeCache;
+struct FontCascadeCacheKeyHash {
+ static unsigned hash(const WebCore::FontCascadeCacheKey&);
+ static bool equal(const WebCore::FontCascadeCacheKey& a, const WebCore::FontCascadeCacheKey& b) { return a == b; }
+ static const bool safeToCompareToEmptyOrDeleted = false;
+};
+struct FontCascadeCacheKeyHashTraits : WTF::GenericHashTraits<WebCore::FontCascadeCacheKey> {
+ static WebCore::FontCascadeCacheKey emptyValue() { return { }; }
+ static void constructDeletedValue(WebCore::FontCascadeCacheKey& slot) { slot.fontSelectorId = std::numeric_limits<unsigned>::max(); }
+ static bool isDeletedValue(const WebCore::FontCascadeCacheKey& slot) { return slot.fontSelectorId == std::numeric_limits<unsigned>::max(); }
+};
+
+using FontCascadeCache = HashMap<FontCascadeCacheKey, std::unique_ptr<FontCascadeCacheEntry>, FontCascadeCacheKeyHash, FontCascadeCacheKeyHashTraits>;
+
class FontCache {
friend class WTF::NeverDestroyed<FontCache>;
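Review bot: `safeToCompareToEmptyOrDeleted = false` is correct here (the empty key is a default-constructed struct and the deleted key has only `fontSelectorId` set, so `operator==` must never be run against them), but it has a cost: `GenericHashTraits::isEmptyValue` compares `value == emptyValue()`, which materialises a fresh `FontCascadeCacheKey`, `Vector` and `FontDescriptionKey` included, on every probe. If a real key always carries at least one family, a cheap `isEmptyValue` that checks `key.families.isEmpty()` (together with `hasIsEmptyValueFunction = true`) would avoid that; verify the invariant before adding it. `constructDeletedValue` writes one member into a slot whose destructor WTF has already run; that is the established WTF idiom and works because `isDeletedValue` reads only `fontSelectorId`, but a comment should say so, and the sentinel silently assumes no live `FontSelector` ever reports `numeric_limits<unsigned>::max()` as its id, which deserves an ASSERT where ids are handed out. Finally, the `WebCore::` prefixes are redundant inside `namespace WebCore` (the `class FontCache` below is unqualified) and read as if the structs lived in `WTF`; drop them.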