Title: [174954] releases/WebKitGTK/webkit-2.6
- Revision: 174954
- Author: carlo...@webkit.org
- Date: 2014-10-21 06:33:06 -0700 (Tue, 21 Oct 2014)
Log Message
Merge r174273 - REGRESSION (r173531): Use after free in WebCore::RenderStyle::fontMetrics /
WebCore::CSSPrimitiveValue::computeLengthDouble
https://bugs.webkit.org/show_bug.cgi?id=136864
Reviewed by Andreas Kling.
Source/WebCore:
FontLoader previously called updateDocumentStyleIfNeeded,
which would reset styles currently in use as part of
the tabIndex calculation. The FontLoader should instead
wait for pending stylesheets to load.
Tests: fast/css/fontloader-tab-index.html
* css/FontLoader.cpp:
(WebCore::FontLoader::notifyWhenFontsReady): Do not immediately
call loadingDone().
(WebCore::FontLoader::loadingDone): Wait for stylesheets to
finish loading rather than updating document styles.
* css/FontLoader.h:
(WebCore::FontLoader::loading): Include JS font loads when testing
for the loading state.
LayoutTests:
Test that getting the tab index on a body element with
font-relative measurements to a local @font-face does not
cause a crash.
* fast/css/fontloader-tab-index-expected.html: Added.
* fast/css/fontloader-tab-index.html: Added.
Diff
Modified: releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog (174953 => 174954)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2014-10-21 13:23:38 UTC (rev 174953)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2014-10-21 13:33:06 UTC (rev 174954)
@@ -1,3 +1,18 @@
+2014-10-03 Bear Travis <betra...@adobe.com>
+
+ REGRESSION (r173531): Use after free in WebCore::RenderStyle::fontMetrics /
+ WebCore::CSSPrimitiveValue::computeLengthDouble
+ https://bugs.webkit.org/show_bug.cgi?id=136864
+
+ Reviewed by Andreas Kling.
+
+ Test that getting the tab index on a body element with
+ font-relative measurements to a local @font-face do not
+ cause a crash.
+
+ * fast/css/fontloader-tab-index-expected.html: Added.
+ * fast/css/fontloader-tab-index.html: Added.
+
2014-10-02 Krzysztof Czech <k.cz...@samsung.com>
AX: Default orientation for aria scrollbars should be vertical
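Review bot: the description line "do not cause a crash" should read "does not cause a crash", since the subject is "getting the tab index"; a small grammar fix for the ChangeLog entry before landing.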
Added: releases/WebKitGTK/webkit-2.6/LayoutTests/fast/css/fontloader-tab-index-expected.html (0 => 174954)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/fast/css/fontloader-tab-index-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/fast/css/fontloader-tab-index-expected.html 2014-10-21 13:33:06 UTC (rev 174954)
@@ -0,0 +1,17 @@
+<!doctype html>
+<html>
+<head>
+<style>
+@font-face {
+ font-family: 'times';
+ src: local('Lucida Grande');
+}
+body {
+ margin: 1ex;
+}
+</style>
+</head>
+<body>
+Fetching tabIndex should not cause a crash when involving font-relative units on the body element of the document.
+</body>
+</html>
Added: releases/WebKitGTK/webkit-2.6/LayoutTests/fast/css/fontloader-tab-index.html (0 => 174954)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/fast/css/fontloader-tab-index.html (rev 0)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/fast/css/fontloader-tab-index.html 2014-10-21 13:33:06 UTC (rev 174954)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+<head>
+<style>
+@font-face {
+ font-family: 'times';
+ src: local('Lucida Grande');
+}
+body {
+ margin: 1ex;
+}
+</style>
+</head>
+<body>
+<script>
+var idx = document.querySelector("body").tabIndex;
+</script>
+Fetching tabIndex should not cause a crash when involving font-relative units on the body element of the document.
+</body>
+</html>
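Review bot: `var idx` is assigned and never used, and the test passes only by not crashing, which is fine for a regression test, but `src: local('Lucida Grande')` names a macOS system font, so on the WebKitGTK branch this merge targets the @font-face may not resolve locally and the FontLoader path being fixed may never be exercised. Consider a `local()` name that exists on every bot, or a `url()` pointing at a font shipped with the layout tests, so the test actually covers the regression on all ports.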
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog (174953 => 174954)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog 2014-10-21 13:23:38 UTC (rev 174953)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog 2014-10-21 13:33:06 UTC (rev 174954)
@@ -1,3 +1,27 @@
+2014-10-03 Bear Travis <betra...@adobe.com>
+
+ REGRESSION (r173531): Use after free in WebCore::RenderStyle::fontMetrics /
+ WebCore::CSSPrimitiveValue::computeLengthDouble
+ https://bugs.webkit.org/show_bug.cgi?id=136864
+
+ Reviewed by Andreas Kling.
+
+ FontLoader previously called updateDocumentStyleIfNeeded,
+ which would reset styles currently in use as part of
+ the tabIndex calculation. The FontLoader should instead
+ wait for pending stylesheets to load.
+
+ Tests: fast/css/fontloader-tab-index.html
+
+ * css/FontLoader.cpp:
+ (WebCore::FontLoader::notifyWhenFontsReady): Do not immediately
+ call loadingDone().
+ (WebCore::FontLoader::loadingDone): Wait for stylesheets to
+ finish loading rather than updating document styles.
+ * css/FontLoader.h:
+ (WebCore::FontLoader::loading): Include JS font loads when testing
+ for the loading state.
+
2014-10-02 Chris Dumez <cdu...@apple.com>
XMLHttpRequestProgressEventThrottle shouldn't throttle / defer progress events if there are no listeners
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/css/FontLoader.cpp (174953 => 174954)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/css/FontLoader.cpp 2014-10-21 13:23:38 UTC (rev 174953)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/css/FontLoader.cpp 2014-10-21 13:33:06 UTC (rev 174954)
@@ -211,12 +211,11 @@
void FontLoader::notifyWhenFontsReady(PassRefPtr<VoidCallback> callback)
{
m_callbacks.append(callback);
- loadingDone();
}
void FontLoader::loadingDone()
{
- if (loading())
+ if (loading() || !m_document->haveStylesheetsLoaded())
return;
if (!m_loadingDoneEvent && m_callbacks.isEmpty())
return;
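Review bot: with `loadingDone();` removed from notifyWhenFontsReady, a callback appended while nothing is loading and stylesheets are already loaded has no trigger visible in this hunk; please confirm another path calls loadingDone() after the append, otherwise entries in m_callbacks can sit unfired. The new `!m_document->haveStylesheetsLoaded()` early return likewise depends on loadingDone() being re-invoked once the pending stylesheets finish; a comment naming that re-entry point would make the contract clear.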
@@ -224,9 +223,6 @@
if (FrameView* view = m_document->view()) {
if (view->isInLayout() || view->needsLayout())
return;
- m_document->updateStyleIfNeeded();
- if (view->needsLayout())
- return;
}
if (m_loadingDoneEvent)
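Review bot: dropping `m_document->updateStyleIfNeeded()` is what removes the use-after-free (the style update discarded RenderStyle objects the in-progress tabIndex computation was still reading), but it also means the loadingdone event and callbacks dispatched below can now run with document style stale; the remaining `view->needsLayout()` check only covers layout, not pending style recalculation. A comment here stating that consumers must not assume resolved style, or that the stylesheet-loaded guard in the previous hunk is what makes this acceptable, would help the next reader.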
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/css/FontLoader.h (174953 => 174954)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/css/FontLoader.h 2014-10-21 13:23:38 UTC (rev 174953)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/css/FontLoader.h 2014-10-21 13:33:06 UTC (rev 174954)
@@ -68,7 +68,7 @@
void notifyWhenFontsReady(PassRefPtr<VoidCallback>);
- bool loading() const { return m_numLoadingFromCSS > 0; }
+ bool loading() const { return m_numLoadingFromCSS > 0 || m_numLoadingFromJS > 0; }
virtual ScriptExecutionContext* scriptExecutionContext() const;
virtual EventTargetInterface eventTargetInterface() const;
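Review bot: now that `loading()` also counts `m_numLoadingFromJS`, every JS-initiated font load must decrement that counter on error and cancellation paths as well as on success, or loadingDone() will early-return forever and the queued callbacks never fire; this hunk cannot show those paths, so please confirm the increments and decrements are balanced.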