Title: [265506] branches/safari-610.1.25.10-branch/Source/WebCore
- Revision
- 265506
- Author
- repst...@apple.com
- Date
- 2020-08-11 10:30:56 -0700 (Tue, 11 Aug 2020)
Log Message
Cherry-pick r265432. rdar://problem/66802579
Return values of FontDatabase::collectionForFamily are not thread safe
https://bugs.webkit.org/show_bug.cgi?id=215320
<rdar://problem/66502539>
Reviewed by Anders Carlsson.
Font prewarming can add new entries to m_familyNameToFontDescriptors while lookups are being made.
Access to it is protected by a lock.
However if the hashmap ends up rehashing, the pointer returned from collectionForFamily may end up becoming invalid.
This can result in a crash later under findClosestFont.
* platform/graphics/cocoa/FontCacheCoreText.cpp:
(WebCore::FontDatabase::collectionForFamily):
Heap allocate the hashmap values so they stay valid over hashtable mutations.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@265432 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified: branches/safari-610.1.25.10-branch/Source/WebCore/ChangeLog (265505 => 265506)
--- branches/safari-610.1.25.10-branch/Source/WebCore/ChangeLog 2020-08-11 17:30:53 UTC (rev 265505)
+++ branches/safari-610.1.25.10-branch/Source/WebCore/ChangeLog 2020-08-11 17:30:56 UTC (rev 265506)
@@ -1,5 +1,48 @@
2020-08-11 Russell Epstein <repst...@apple.com>
+ Cherry-pick r265432. rdar://problem/66802579
+
+ Return values of FontDatabase::collectionForFamily are not thread safe
+ https://bugs.webkit.org/show_bug.cgi?id=215320
+ <rdar://problem/66502539>
+
+ Reviewed by Anders Carlsson.
+
+ Font prewarming can add new entries to m_familyNameToFontDescriptors while lookups are being made.
+ Access to it is protected by a lock.
+
+ However if the hashmap ends up rehashing, the pointer returned from collectionForFamily may end up becoming invalid.
+ This can result in a crash later under findClosestFont.
+
+ * platform/graphics/cocoa/FontCacheCoreText.cpp:
+ (WebCore::FontDatabase::collectionForFamily):
+
+ Heap allocate the hashmap values so they stay valid over hashtable mutations.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@265432 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-08-10 Antti Koivisto <an...@apple.com>
+
+ Return values of FontDatabase::collectionForFamily are not thread safe
+ https://bugs.webkit.org/show_bug.cgi?id=215320
+ <rdar://problem/66502539>
+
+ Reviewed by Anders Carlsson.
+
+ Font prewarming can add new entries to m_familyNameToFontDescriptors while lookups are being made.
+ Access to it is protected by a lock.
+
+ However if the hashmap ends up rehashing, the pointer returned from collectionForFamily may end up becoming invalid.
+ This can result in a crash later under findClosestFont.
+
+ * platform/graphics/cocoa/FontCacheCoreText.cpp:
+ (WebCore::FontDatabase::collectionForFamily):
+
+ Heap allocate the hashmap values so they stay valid over hashtable mutations.
+
+2020-08-11 Russell Epstein <repst...@apple.com>
+
Cherry-pick r265357. rdar://problem/66801720
Web process crashes at WebCore::FullscreenManager::didExitFullscreen
Modified: branches/safari-610.1.25.10-branch/Source/WebCore/platform/graphics/cocoa/FontCacheCoreText.cpp (265505 => 265506)
--- branches/safari-610.1.25.10-branch/Source/WebCore/platform/graphics/cocoa/FontCacheCoreText.cpp 2020-08-11 17:30:53 UTC (rev 265505)
+++ branches/safari-610.1.25.10-branch/Source/WebCore/platform/graphics/cocoa/FontCacheCoreText.cpp 2020-08-11 17:30:56 UTC (rev 265506)
@@ -889,6 +889,8 @@
};
struct InstalledFontFamily {
+ WTF_MAKE_STRUCT_FAST_ALLOCATED;
+
InstalledFontFamily() = default;
explicit InstalledFontFamily(Vector<InstalledFont>&& installedFonts)
@@ -924,7 +926,7 @@
auto locker = holdLock(m_familyNameToFontDescriptorsLock);
auto it = m_familyNameToFontDescriptors.find(folded);
if (it != m_familyNameToFontDescriptors.end())
- return it->value;
+ return *it->value;
}
auto installedFontFamily = [&] {
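Review bot: `return *it->value;` dereferences the stored `std::unique_ptr<InstalledFontFamily>` with no null check; every insertion visible on this page goes through `makeUnique` (the lambda in the next hunk), so the pointer is non-null today, but nothing expresses that invariant at the lookup site. An `ASSERT(it->value);` immediately before the dereference (and the same on the `add()` return in the next hunk) would make a future code path that inserts an empty pointer fail loudly in debug builds rather than crash on use. The enclosing `collectionForFamily` starts above this hunk, so its signature and return type are not visible here.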
@@ -942,13 +944,13 @@
InstalledFont installedFont(static_cast<CTFontDescriptorRef>(CFArrayGetValueAtIndex(matches.get(), i)), m_allowUserInstalledFonts);
result.uncheckedAppend(WTFMove(installedFont));
}
- return InstalledFontFamily(WTFMove(result));
+ return makeUnique<InstalledFontFamily>(WTFMove(result));
}
- return InstalledFontFamily();
+ return makeUnique<InstalledFontFamily>();
}();
auto locker = holdLock(m_familyNameToFontDescriptorsLock);
- return m_familyNameToFontDescriptors.add(folded.isolatedCopy(), WTFMove(installedFontFamily)).iterator->value;
+ return *m_familyNameToFontDescriptors.add(folded.isolatedCopy(), WTFMove(installedFontFamily)).iterator->value;
}
const InstalledFont& fontForPostScriptName(const AtomString& postScriptName)
@@ -986,7 +988,7 @@
}
Lock m_familyNameToFontDescriptorsLock;
- HashMap<String, InstalledFontFamily> m_familyNameToFontDescriptors;
+ HashMap<String, std::unique_ptr<InstalledFontFamily>> m_familyNameToFontDescriptors;
HashMap<String, InstalledFont> m_postScriptNameToFontDescriptors;
AllowUserInstalledFonts m_allowUserInstalledFonts;
};
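Review bot: The new `std::unique_ptr` value type on `m_familyNameToFontDescriptors` has no comment saying why it is heap-allocated, and the reason is subtle: `collectionForFamily` hands out a reference that is used after `m_familyNameToFontDescriptorsLock` is released, so the pointee must not move when the table rehashes. That reference also presumably assumes entries are never erased while callers still hold it; I cannot see from these hunks whether the map is ever cleared, so that assumption should be stated where the next maintainer will look. I would add above the member: `// Values are heap-allocated so that references returned by collectionForFamily() stay valid across rehashing; they are read after the lock is dropped, so entries must not be removed while the database is in use.`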