Title: [174273] trunk
- Revision: 174273
- Author: betra...@adobe.com
- Date: 2014-10-03 11:35:53 -0700 (Fri, 03 Oct 2014)
Log Message
REGRESSION (r173531): Use after free in WebCore::RenderStyle::fontMetrics /
WebCore::CSSPrimitiveValue::computeLengthDouble
https://bugs.webkit.org/show_bug.cgi?id=136864
Reviewed by Andreas Kling.
Source/WebCore:
FontLoader previously called updateDocumentStyleIfNeeded,
which would reset styles currently in use as part of
the tabIndex calculation. The FontLoader should instead
wait for pending stylesheets to load.
Tests: fast/css/fontloader-tab-index.html
* css/FontLoader.cpp:
(WebCore::FontLoader::notifyWhenFontsReady): Do not immediately
call loadingDone().
(WebCore::FontLoader::loadingDone): Wait for stylesheets to
finish loading rather than updating document styles.
* css/FontLoader.h:
(WebCore::FontLoader::loading): Include JS font loads when testing
for the loading state.
LayoutTests:
Test that getting the tab index on a body element with
font-relative measurements to a local @font-face does not
cause a crash.
* fast/css/fontloader-tab-index-expected.html: Added.
* fast/css/fontloader-tab-index.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (174272 => 174273)
--- trunk/LayoutTests/ChangeLog 2014-10-03 17:55:17 UTC (rev 174272)
+++ trunk/LayoutTests/ChangeLog 2014-10-03 18:35:53 UTC (rev 174273)
@@ -1,3 +1,18 @@
+2014-10-03 Bear Travis <betra...@adobe.com>
+
+ REGRESSION (r173531): Use after free in WebCore::RenderStyle::fontMetrics /
+ WebCore::CSSPrimitiveValue::computeLengthDouble
+ https://bugs.webkit.org/show_bug.cgi?id=136864
+
+ Reviewed by Andreas Kling.
+
+ Test that getting the tab index on a body element with
+ font-relative measurements to a local @font-face do not
+ cause a crash.
+
+ * fast/css/fontloader-tab-index-expected.html: Added.
+ * fast/css/fontloader-tab-index.html: Added.
+
2014-10-03 Carlos Alberto Lopez Perez <clo...@igalia.com>
[GTK] Unreviewed GTK gardening.
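Review bot: grammar in the test description of this ChangeLog entry: "getting the tab index ... do not cause a crash" should read "does not cause a crash", since the subject is the singular "getting".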
Added: trunk/LayoutTests/fast/css/fontloader-tab-index-expected.html (0 => 174273)
--- trunk/LayoutTests/fast/css/fontloader-tab-index-expected.html (rev 0)
+++ trunk/LayoutTests/fast/css/fontloader-tab-index-expected.html 2014-10-03 18:35:53 UTC (rev 174273)
@@ -0,0 +1,17 @@
+<!doctype html>
+<html>
+<head>
+<style>
+@font-face {
+ font-family: 'times';
+ src: local('Lucida Grande');
+}
+body {
+ margin: 1ex;
+}
+</style>
+</head>
+<body>
+Fetching tabIndex should not cause a crash when involving font-relative units on the body element of the document.
+</body>
+</html>
Added: trunk/LayoutTests/fast/css/fontloader-tab-index.html (0 => 174273)
--- trunk/LayoutTests/fast/css/fontloader-tab-index.html (rev 0)
+++ trunk/LayoutTests/fast/css/fontloader-tab-index.html 2014-10-03 18:35:53 UTC (rev 174273)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+<head>
+<style>
+@font-face {
+ font-family: 'times';
+ src: local('Lucida Grande');
+}
+body {
+ margin: 1ex;
+}
+</style>
+</head>
+<body>
+<script>
+var idx = document.querySelector("body").tabIndex;
+</script>
+Fetching tabIndex should not cause a crash when involving font-relative units on the body element of the document.
+</body>
+</html>
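Review bot: the test relies on `src: local('Lucida Grande')` resolving to an installed font, which is only guaranteed on Mac; on ports where that local lookup fails the @font-face never produces a pending font load, so the `tabIndex` read at `var idx = document.querySelector("body").tabIndex;` may not exercise the FontLoader path that crashed. Consider documenting that the test is platform-specific or picking a local family each port is known to ship, and note that as a reference test the expected file must render identically to the test file, which it does apart from the script element.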
Modified: trunk/Source/WebCore/ChangeLog (174272 => 174273)
--- trunk/Source/WebCore/ChangeLog 2014-10-03 17:55:17 UTC (rev 174272)
+++ trunk/Source/WebCore/ChangeLog 2014-10-03 18:35:53 UTC (rev 174273)
@@ -1,3 +1,27 @@
+2014-10-03 Bear Travis <betra...@adobe.com>
+
+ REGRESSION (r173531): Use after free in WebCore::RenderStyle::fontMetrics /
+ WebCore::CSSPrimitiveValue::computeLengthDouble
+ https://bugs.webkit.org/show_bug.cgi?id=136864
+
+ Reviewed by Andreas Kling.
+
+ FontLoader previously called updateDocumentStyleIfNeeded,
+ which would reset styles currently in use as part of
+ the tabIndex calculation. The FontLoader should instead
+ wait for pending stylesheets to load.
+
+ Tests: fast/css/fontloader-tab-index.html
+
+ * css/FontLoader.cpp:
+ (WebCore::FontLoader::notifyWhenFontsReady): Do not immediately
+ call loadingDone().
+ (WebCore::FontLoader::loadingDone): Wait for stylesheets to
+ finish loading rather than updating document styles.
+ * css/FontLoader.h:
+ (WebCore::FontLoader::loading): Include JS font loads when testing
+ for the loading state.
+
2014-10-03 Myles C. Maxfield <mmaxfi...@apple.com>
Unreviewed build fix.
Modified: trunk/Source/WebCore/css/FontLoader.cpp (174272 => 174273)
--- trunk/Source/WebCore/css/FontLoader.cpp 2014-10-03 17:55:17 UTC (rev 174272)
+++ trunk/Source/WebCore/css/FontLoader.cpp 2014-10-03 18:35:53 UTC (rev 174273)
@@ -211,12 +211,11 @@
void FontLoader::notifyWhenFontsReady(PassRefPtr<VoidCallback> callback)
{
m_callbacks.append(callback);
- loadingDone();
}
void FontLoader::loadingDone()
{
- if (loading())
+ if (loading() || !m_document->haveStylesheetsLoaded())
return;
if (!m_loadingDoneEvent && m_callbacks.isEmpty())
return;
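Review bot: dropping `loadingDone();` from `notifyWhenFontsReady` means a callback registered when nothing is loading and stylesheets have already loaded is no longer fired on the spot, and the new `!m_document->haveStylesheetsLoaded()` early return in `loadingDone` adds a second condition under which it silently returns. Neither path in this hunk re-arms the call, so please confirm (it is outside the diff) that `loadingDone()` is invoked again when the last stylesheet finishes loading and when each JS-initiated load completes; otherwise callbacks queued here could be left pending indefinitely.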
@@ -224,9 +223,6 @@
if (FrameView* view = m_document->view()) {
if (view->isInLayout() || view->needsLayout())
return;
- m_document->updateStyleIfNeeded();
- if (view->needsLayout())
- return;
}
if (m_loadingDoneEvent)
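Review bot: removing `m_document->updateStyleIfNeeded();` from this path is the substantive fix, since a synchronous style recalc triggered from inside a query that is already reading a `RenderStyle` (here the `tabIndex` computation) can free the style whose `fontMetrics` is in use. It would help future readers to state this invariant in a comment at the surviving `view->isInLayout() || view->needsLayout()` check, namely that `loadingDone` must never force a style or layout update itself and only observes whether one is pending.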
Modified: trunk/Source/WebCore/css/FontLoader.h (174272 => 174273)
--- trunk/Source/WebCore/css/FontLoader.h 2014-10-03 17:55:17 UTC (rev 174272)
+++ trunk/Source/WebCore/css/FontLoader.h 2014-10-03 18:35:53 UTC (rev 174273)
@@ -68,7 +68,7 @@
void notifyWhenFontsReady(PassRefPtr<VoidCallback>);
- bool loading() const { return m_numLoadingFromCSS > 0; }
+ bool loading() const { return m_numLoadingFromCSS > 0 || m_numLoadingFromJS > 0; }
virtual ScriptExecutionContext* scriptExecutionContext() const;
virtual EventTargetInterface eventTargetInterface() const;
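Review bot: widening `loading()` to `m_numLoadingFromCSS > 0 || m_numLoadingFromJS > 0` changes the result for every caller of this public accessor, not only `loadingDone()`; please check that callers which previously relied on the CSS-only meaning (for example anything gating the `loading` attribute exposed to script) still behave as intended, and that `m_numLoadingFromJS` is decremented on every JS load completion and failure path so that `loading()` cannot stay true forever.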
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes