Title: [236509] tags/Safari-607.1.7.3/Source/WebCore
- Revision
- 236509
- Author
- bshaf...@apple.com
- Date
- 2018-09-26 11:20:06 -0700 (Wed, 26 Sep 2018)
Log Message
Cherry-pick r236254. rdar://problem/44182860
Fix crash under FontCache::purgeInactiveFontData() when a memory warning fires
https://bugs.webkit.org/show_bug.cgi?id=189722
rdar://problem/44182860
Reviewed by Myles C. Maxfield.
Hashing of FontPlatformData for cachedFonts() is somewhat broken because CFEqual() on CTFont
can return false when the fonts are actually the same, and have the same CFHash(). This
can result in multiple entries in cachedFonts() with the same Font.
Then in FontCache::purgeInactiveFontData(), the loop that appends fonts to fontsToDelete
gets the value by reference, and WTFMoves it into fontsToDelete. This nulls out all
the entries sharing the same value, leaving null entries in the hash table.
We later crash at font->hasOneRef() when using one of those null entries.
Fix by making a copy of the RefPtr<Font> in the loop, so the WTFMove doesn't nuke
the hash table entries. The entries will get removed at cachedFonts().remove() lower down.
* platform/graphics/FontCache.cpp:
(WebCore::FontCache::purgeInactiveFontData):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236254 268f45cc-cd09-0410-ab3c-d52691b4dbfc
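An added illustration of the loop shape the log message describes; this is not WebKit code. std::shared_ptr and std::unordered_map stand in for RefPtr<Font> and the cachedFonts() HashMap, and use_count() == 1 stands in for hasOneRef(). Beyond the page's two versions (move from a reference, copy by value) it adds a third shape, testing through the reference and copying only on append, so the three can be compared on the same constructed cache.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Added illustration, not WebKit code: std::shared_ptr<Font> stands in for
// RefPtr<Font> and std::unordered_map for the cachedFonts() HashMap.
struct Font { std::string name; };
using Cache = std::unordered_map<std::string, std::shared_ptr<Font>>;
struct Outcome { std::size_t selected, nullsLeft; };
enum class Shape { MoveFromRef, CopyInLoop, RefThenCopy };

// Constructed sample: two fonts referenced only by the cache (one ref each).
static Cache makeCache()
{
    Cache c;
    c["A"] = std::make_shared<Font>(Font{"A"});
    c["B"] = std::make_shared<Font>(Font{"B"});
    return c;
}

// One pass of the purge loop over a fresh cache, in the requested shape.
// Returns how many fonts were selected and how many null values the map holds
// afterwards (a null here is what font->hasOneRef() later dereferences).
Outcome purge(Shape shape)
{
    Cache c = makeCache();
    std::vector<std::shared_ptr<Font>> toDelete;
    if (shape == Shape::CopyInLoop) {
        // Patched shape: iterating by value copies the pointer, so the copy is a
        // second reference and the one-ref test fails for every entry.
        for (auto kv : c)
            if (kv.second.use_count() == 1) toDelete.push_back(kv.second);
    } else {
        for (auto& kv : c) {
            if (kv.second.use_count() != 1) continue;      // hasOneRef() stand-in
            if (shape == Shape::MoveFromRef)
                toDelete.push_back(std::move(kv.second));  // pre-fix: value left null
            else
                toDelete.push_back(kv.second);             // copy only on append
        }
    }
    std::size_t nulls = 0;
    for (const auto& kv : c) nulls += !kv.second;
    return { toDelete.size(), nulls };
}
```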
Modified Paths
Diff
Modified: tags/Safari-607.1.7.3/Source/WebCore/ChangeLog (236508 => 236509)
--- tags/Safari-607.1.7.3/Source/WebCore/ChangeLog 2018-09-26 18:16:14 UTC (rev 236508)
+++ tags/Safari-607.1.7.3/Source/WebCore/ChangeLog 2018-09-26 18:20:06 UTC (rev 236509)
@@ -1,3 +1,54 @@
+2018-09-26 Babak Shafiei <bshaf...@apple.com>
+
+ Cherry-pick r236254. rdar://problem/44182860
+
+ Fix crash under FontCache::purgeInactiveFontData() when a memory warning fires
+ https://bugs.webkit.org/show_bug.cgi?id=189722
+ rdar://problem/44182860
+
+ Reviewed by Myles C. Maxfield.
+
+ Hashing of FontPlatformData for cachedFonts() is somewhat broken because CFEqual() on CTFont
+ can return false when the fonts are actually the same, and have the same CFHash(). This
+ can result in multiple entries in cachedFonts() with the same Font.
+
+ Then in FontCache::purgeInactiveFontData(), the loop that appends fonts to fontsToDelete
+ gets the value by reference, and WTFMoves it into fontsToDelete. This nulls out all
+ the entries sharing the same value, leaving null entries in the hash table.
+ We later crash at font->hasOneRef() when using one of those null entries.
+
+ Fix by making a copy of the RefPtr<Font> in the loop, so the WTFMove doesn't nuke
+ the hash table entries. The entries will get removed at cachedFonts().remove() lower down.
+
+ * platform/graphics/FontCache.cpp:
+ (WebCore::FontCache::purgeInactiveFontData):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236254 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-09-20 Simon Fraser <simon.fra...@apple.com>
+
+ Fix crash under FontCache::purgeInactiveFontData() when a memory warning fires
+ https://bugs.webkit.org/show_bug.cgi?id=189722
+ rdar://problem/44182860
+
+ Reviewed by Myles C. Maxfield.
+
+ Hashing of FontPlatformData for cachedFonts() is somewhat broken because CFEqual() on CTFont
+ can return false when the fonts are actually the same, and have the same CFHash(). This
+ can result in multiple entries in cachedFonts() with the same Font.
+
+ Then in FontCache::purgeInactiveFontData(), the loop that appends fonts to fontsToDelete
+ gets the value by reference, and WTFMoves it into fontsToDelete. This nulls out all
+ the entries sharing the same value, leaving null entries in the hash table.
+ We later crash at font->hasOneRef() when using one of those null entries.
+
+ Fix by making a copy of the RefPtr<Font> in the loop, so the WTFMove doesn't nuke
+ the hash table entries. The entries will get removed at cachedFonts().remove() lower down.
+
+ * platform/graphics/FontCache.cpp:
+ (WebCore::FontCache::purgeInactiveFontData):
+
2018-09-20 Kocsen Chung <kocsen_ch...@apple.com>
Revert r235976. rdar://problem/44646452
Modified: tags/Safari-607.1.7.3/Source/WebCore/platform/graphics/FontCache.cpp (236508 => 236509)
--- tags/Safari-607.1.7.3/Source/WebCore/platform/graphics/FontCache.cpp 2018-09-26 18:16:14 UTC (rev 236508)
+++ tags/Safari-607.1.7.3/Source/WebCore/platform/graphics/FontCache.cpp 2018-09-26 18:20:06 UTC (rev 236509)
@@ -376,7 +376,7 @@
while (purgeCount) {
Vector<RefPtr<Font>, 20> fontsToDelete;
- for (auto& font : cachedFonts().values()) {
+ for (auto font : cachedFonts().values()) {
LOG(Fonts, " trying to purge font %s (has one ref %d)", font->platformData().description().utf8().data(), font->hasOneRef());
if (!font->hasOneRef())
continue;
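Review bot: the by-value copy in `for (auto font : cachedFonts().values())` takes a second reference before the `if (!font->hasOneRef())` test on the following lines runs, so a Font held only by the cache has two refs inside the loop and is skipped by `continue`; as written the purge would select nothing. Consider keeping `auto&` for the test and copying only when appending (`fontsToDelete.append(font)` in place of the WTFMove the log message mentions), or adjusting the ref-count test to account for the extra reference, so the moved-from null entry is still avoided.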
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes