Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ad3a1e258c9b923ab61f09886cc49c818c2cb0ea
      
https://github.com/WebKit/WebKit/commit/ad3a1e258c9b923ab61f09886cc49c818c2cb0ea
  Author: Rupin Mittal <[email protected]>
  Date:   2025-01-10 (Fri, 10 Jan 2025)

  Changed paths:
    A LayoutTests/http/tests/security/document-cached-font-loading-expected.txt
    A LayoutTests/http/tests/security/document-cached-font-loading.html
    A LayoutTests/http/tests/security/resources/document-cached-font-loading-helper.html
    A LayoutTests/http/tests/security/resources/font.ttf
    M Source/WebCore/dom/DocumentFontLoader.cpp

  Log Message:
  -----------
  DocumentFontLoader::fontLoadingTimerFired() must keep a Ref of Document on the stack
https://bugs.webkit.org/show_bug.cgi?id=281912
rdar://138215892

Reviewed by Chris Dumez.

DocumentFontLoader::fontLoadingTimerFired() calls CachedResourceLoader::loadDone(),
which holds a RefPtr to the Document. It seems that in certain cases (like the
reproduction case in the radar), this is the only Ref keeping the Document alive.
So when the function ends, the Document is destroyed. Then, when fontLoadingTimerFired()
calls Document::frame() with its WeakRef m_document, there is a crash since the
Document has been destroyed.

Since Document owns DocumentFontLoader, we make DocumentFontLoader forward its refcounting
to its owning Document. Then we ensure that the Document is alive by holding a RefPtr to
the DocumentFontLoader itself at the beginning of fontLoadingTimerFired().

* LayoutTests/http/tests/security/document-cached-font-loading-expected.txt: Added.
* LayoutTests/http/tests/security/document-cached-font-loading.html: Added.
* LayoutTests/http/tests/security/resources/document-cached-font-loading-helper.html: Added.
* LayoutTests/http/tests/security/resources/font.ttf: Added.
This is the test created based on the reproduction case in the Radar.

* Source/WebCore/dom/DocumentFontLoader.cpp:
(WebCore::DocumentFontLoader::fontLoadingTimerFired):

Originally-landed-as: 283286.365@safari-7620-branch (e7b7957de026). 
rdar://141318198
Canonical link: https://commits.webkit.org/288711@main
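Worked example (added to this page; it is not part of the commit above and not WebKit
code): a reduced model of the ownership shape the commit message describes. std::shared_ptr
and std::weak_ptr stand in for WTF's Ref/RefPtr/WeakPtr, and the type and member names
(CachedResourceLoader::m_pendingDocument, WeakRef, runScenario) are assumptions made for the
example. The buggy timer callback takes no strong reference, so loadDone() releasing the
last one destroys the Document, and the loader it owns, in the middle of the call; the fixed
callback holds a reference on the stack across the call, which is what the patch does.

```cpp
#include <memory>
#include <string>

// Stand-ins for the WebCore types named in the commit message (constructed for this
// example, not WebKit code). Only the ownership shape matters here.
struct Document;

// WTF::WeakPtr-style handle: get() hands out a raw pointer and keeps no ownership.
template <class T>
struct WeakRef {
    std::weak_ptr<T> weak;
    T* get() const { return weak.lock().get(); }  // the temporary shared_ptr dies before return
};

// Holds the RefPtr the commit message talks about: in the reproduction it is the
// last strong reference to the Document, and loadDone() lets it go.
struct CachedResourceLoader {
    std::shared_ptr<Document> m_pendingDocument;  // assumed name for this example
    void loadDone() {
        std::shared_ptr<Document> document = std::move(m_pendingDocument);
        // ... notify listeners that the load finished ...
    }  // `document` goes out of scope here; if it was the last Ref, ~Document runs now
};

struct DocumentFontLoader {
    enum class Outcome { DocumentAlive, DocumentDestroyedMidFunction };
    WeakRef<Document> m_document;  // WeakPtr, as in WebCore
    explicit DocumentFontLoader(std::weak_ptr<Document> document) : m_document{std::move(document)} {}
    Outcome fontLoadingTimerFiredBuggy();
    Outcome fontLoadingTimerFiredFixed();
};

struct Frame { std::string name; };

struct Document {
    Frame m_frame{"main"};
    CachedResourceLoader m_cachedResourceLoader;
    std::unique_ptr<DocumentFontLoader> m_fontLoader;  // Document owns the loader, as in WebCore

    static std::shared_ptr<Document> create() {
        auto document = std::make_shared<Document>();
        document->m_fontLoader = std::make_unique<DocumentFontLoader>(document);
        return document;
    }
    Frame* frame() { return &m_frame; }
    CachedResourceLoader& cachedResourceLoader() { return m_cachedResourceLoader; }
    DocumentFontLoader& fontLoader() { return *m_fontLoader; }
};

// Before the fix. Nothing on this stack frame owns the Document, so loadDone() can
// destroy it, and with it `this`, because the Document owns the loader.
DocumentFontLoader::Outcome DocumentFontLoader::fontLoadingTimerFiredBuggy() {
    // Stack-local liveness probe so the example can report the outcome without touching
    // freed memory; the real code has nothing like it and would crash instead.
    std::weak_ptr<Document> probe = m_document.weak;

    Document* document = m_document.get();        // raw pointer, no Ref taken
    document->cachedResourceLoader().loadDone();  // may release the last Ref

    if (probe.expired())
        return Outcome::DocumentDestroyedMidFunction;  // WebCore would now call m_document->frame()
    document->frame();
    return Outcome::DocumentAlive;
}

// After the fix. A strong reference held on the stack for the whole function keeps the
// Document (and the loader it owns) alive across loadDone().
DocumentFontLoader::Outcome DocumentFontLoader::fontLoadingTimerFiredFixed() {
    std::shared_ptr<Document> protectedDocument = m_document.weak.lock();
    if (!protectedDocument)
        return Outcome::DocumentDestroyedMidFunction;

    protectedDocument->cachedResourceLoader().loadDone();  // drops its RefPtr; ours still holds the Document
    Document* document = m_document.get();                  // still valid
    return document && document->frame() ? Outcome::DocumentAlive : Outcome::DocumentDestroyedMidFunction;
}  // protectedDocument released here, after the last member access

// Constructed reproduction with the ownership shape from the commit message: once the
// caller drops its own reference, the in-flight load's RefPtr inside CachedResourceLoader
// is the only thing keeping the Document alive when the font-loading timer fires.
DocumentFontLoader::Outcome runScenario(bool withFix) {
    std::shared_ptr<Document> document = Document::create();
    document->cachedResourceLoader().m_pendingDocument = document;  // the load's RefPtr
    DocumentFontLoader& loader = document->fontLoader();
    document.reset();  // only the pending load's reference remains; now the timer fires
    return withFix ? loader.fontLoadingTimerFiredFixed() : loader.fontLoadingTimerFiredBuggy();
}

int main() {
    bool buggyDies = runScenario(false) == DocumentFontLoader::Outcome::DocumentDestroyedMidFunction;
    bool fixedOk = runScenario(true) == DocumentFontLoader::Outcome::DocumentAlive;
    return buggyDies && fixedOk ? 0 : 1;
}
```

The buggy variant only reports the dangling state through the stack-local probe rather than
dereferencing it, since the next line in the real function is the use-after-free; running
the unmodelled version under AddressSanitizer is how such a report normally surfaces.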

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes