Changeset 199890 in webkit

Timestamp:

Apr 22, 2016 12:24:42 PM (8 years ago)

Author:

Chris Dumez

Message:

Crash under FontCache::purgeInactiveFontData()
​https://bugs.webkit.org/show_bug.cgi?id=156822
<rdar://problem/25373970>

Reviewed by Darin Adler.

In some rare cases, the Font constructor would mutate the FontPlatformData
that is being passed in. This is an issue because because our FontCache
uses the FontPlatformData as key for the cached fonts. This could lead to
crashes because the WTFMove() in FontCache::purgeInactiveFontData() would
nullify values in our HashMap but we would then fail to remove them from
the HashMap (because the key did not match). We would then reference the
null font when looping again when doing font->hasOneRef().

This patch marks Font::m_platformData member as const to avoid such issues
in the future and moves the code altering the FontPlatformData from the
Font constructor into the FontPlatformData constructor. The purpose of
that code was to initialize FontPlatformData::m_cgFont in case the CGFont
passed in the constructor was null.

• platform/graphics/Font.h:
• platform/graphics/FontCache.cpp:

(WebCore::FontCache::fontForPlatformData):
(WebCore::FontCache::purgeInactiveFontData):

• platform/graphics/FontPlatformData.cpp:

(WebCore::FontPlatformData::FontPlatformData):

• platform/graphics/FontPlatformData.h:
• platform/graphics/cocoa/FontCocoa.mm:

(WebCore::webFallbackFontFamily): Deleted.
(WebCore::Font::platformInit): Deleted.

• platform/graphics/cocoa/FontPlatformDataCocoa.mm:

(WebCore::webFallbackFontFamily):
(WebCore::FontPlatformData::setFallbackCGFont):

• platform/graphics/win/FontPlatformDataCGWin.cpp:

(WebCore::FontPlatformData::setFallbackCGFont):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• platform/graphics/Font.h (modified) (1 diff)
• platform/graphics/FontCache.cpp (modified) (2 diffs)
• platform/graphics/FontPlatformData.cpp (modified) (1 diff)
• platform/graphics/FontPlatformData.h (modified) (1 diff)
• platform/graphics/cocoa/FontCocoa.mm (modified) (2 diffs)
• platform/graphics/cocoa/FontPlatformDataCocoa.mm (modified) (1 diff)
• platform/graphics/freetype/FontPlatformData.h (modified) (1 diff)
• platform/graphics/freetype/FontPlatformDataFreeType.cpp (modified) (1 diff)
• platform/graphics/win/FontPlatformDataCGWin.cpp (modified) (2 diffs)
• platform/graphics/win/FontPlatformDataCairoWin.cpp (modified) (1 diff)
• platform/graphics/win/SimpleFontDataCGWin.cpp (modified) (1 diff)
• platform/graphics/win/SimpleFontDataCairoWin.cpp (modified) (3 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-04-22  Chris Dumez  <cdumez@apple.com>
+
+        Crash under FontCache::purgeInactiveFontData()
+        https://bugs.webkit.org/show_bug.cgi?id=156822
+        <rdar://problem/25373970>
+
+        Reviewed by Darin Adler.
+
+        In some rare cases, the Font constructor would mutate the FontPlatformData
+        that is being passed in. This is an issue because because our FontCache
+        uses the FontPlatformData as key for the cached fonts. This could lead to
+        crashes because the WTFMove() in FontCache::purgeInactiveFontData() would
+        nullify values in our HashMap but we would then fail to remove them from
+        the HashMap (because the key did not match). We would then reference the
+        null font when looping again when doing font->hasOneRef().
+
+        This patch marks Font::m_platformData member as const to avoid such issues
+        in the future and moves the code altering the FontPlatformData from the
+        Font constructor into the FontPlatformData constructor. The purpose of
+        that code was to initialize FontPlatformData::m_cgFont in case the CGFont
+        passed in the constructor was null.
+
+        * platform/graphics/Font.h:
+        * platform/graphics/FontCache.cpp:
+        (WebCore::FontCache::fontForPlatformData):
+        (WebCore::FontCache::purgeInactiveFontData):
+        * platform/graphics/FontPlatformData.cpp:
+        (WebCore::FontPlatformData::FontPlatformData):
+        * platform/graphics/FontPlatformData.h:
+        * platform/graphics/cocoa/FontCocoa.mm:
+        (WebCore::webFallbackFontFamily): Deleted.
+        (WebCore::Font::platformInit): Deleted.
+        * platform/graphics/cocoa/FontPlatformDataCocoa.mm:
+        (WebCore::webFallbackFontFamily):
+        (WebCore::FontPlatformData::setFallbackCGFont):
+        * platform/graphics/win/FontPlatformDataCGWin.cpp:
+        (WebCore::FontPlatformData::setFallbackCGFont):
+
 2016-04-22  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/platform/graphics/Font.h

@@ -230 +230 @@
     float m_avgCharWidth;
 
-    FontPlatformData m_platformData;
+    const FontPlatformData m_platformData;
 
     mutable RefPtr<GlyphPage> m_glyphPageZero;

trunk/Source/WebCore/platform/graphics/FontCache.cpp

@@ -397 +397 @@
         addResult.iterator->value = Font::create(platformData);
 
+    ASSERT(addResult.iterator->value->platformData() == platformData);
+
     return *addResult.iterator->value;
 }
@@ -436 +438 @@
         if (fontsToDelete.isEmpty())
             break;
-        for (auto& font : fontsToDelete)
-            cachedFonts().remove(font->platformData());
+        for (auto& font : fontsToDelete) {
+            bool success = cachedFonts().remove(font->platformData());
+            ASSERT_UNUSED(success, success);
+        }
     };
 

trunk/Source/WebCore/platform/graphics/FontPlatformData.cpp

@@ -59 +59 @@
 {
     m_cgFont = cgFont;
+    if (!m_cgFont)
+        setFallbackCGFont();
 }
 #endif

trunk/Source/WebCore/platform/graphics/FontPlatformData.h

@@ -217 +217 @@
     void platformDataInit(HFONT, float size, HDC, WCHAR* faceName);
 #endif
+#if USE(CG)
+    void setFallbackCGFont();
+#endif
 
 public:

trunk/Source/WebCore/platform/graphics/cocoa/FontCocoa.mm

@@ -80 +80 @@
 }
 
-#if USE(APPKIT)
-static NSString *webFallbackFontFamily(void)
-{
-    static NSString *webFallbackFontFamily = [[[NSFont systemFontOfSize:16.0f] familyName] retain];
-    return webFallbackFontFamily;
-}
-#else
+#if !USE(APPKIT)
 bool fontFamilyShouldNotBeUsedForArabic(CFStringRef fontFamilyName)
 {
@@ -104 +98 @@
 #if USE(APPKIT)
     m_syntheticBoldOffset = m_platformData.m_syntheticBold ? 1.0f : 0.f;
-
-    bool failedSetup = false;
-    if (!platformData().cgFont()) {
-        // Ack! Something very bad happened, like a corrupt font.
-        // Try looking for an alternate 'base' font for this renderer.
-
-        // Special case hack to use "Times New Roman" in place of "Times".
-        // "Times RO" is a common font whose family name is "Times".
-        // It overrides the normal "Times" family font.
-        // It also appears to have a corrupt regular variant.
-        NSString *fallbackFontFamily;
-        if ([[m_platformData.nsFont() familyName] isEqual:@"Times"])
-            fallbackFontFamily = @"Times New Roman";
-        else
-            fallbackFontFamily = webFallbackFontFamily();
-        
-        // Try setting up the alternate font.
-        // This is a last ditch effort to use a substitute font when something has gone wrong.
-#if !ERROR_DISABLED
-        RetainPtr<NSFont> initialFont = m_platformData.nsFont();
-#endif
-        if (m_platformData.font())
-            m_platformData.setNSFont([[NSFontManager sharedFontManager] convertFont:m_platformData.nsFont() toFamily:fallbackFontFamily]);
-        else
-            m_platformData.setNSFont([NSFont fontWithName:fallbackFontFamily size:m_platformData.size()]);
-        if (!platformData().cgFont()) {
-            if ([fallbackFontFamily isEqual:@"Times New Roman"]) {
-                // OK, couldn't setup Times New Roman as an alternate to Times, fallback
-                // on the system font.  If this fails we have no alternative left.
-                m_platformData.setNSFont([[NSFontManager sharedFontManager] convertFont:m_platformData.nsFont() toFamily:webFallbackFontFamily()]);
-                if (!platformData().cgFont()) {
-                    // We tried, Times, Times New Roman, and the system font. No joy. We have to give up.
-                    LOG_ERROR("unable to initialize with font %@", initialFont.get());
-                    failedSetup = true;
-                }
-            } else {
-                // We tried the requested font and the system font. No joy. We have to give up.
-                LOG_ERROR("unable to initialize with font %@", initialFont.get());
-                failedSetup = true;
-            }
-        }
-
-        // Report the problem.
-        LOG_ERROR("Corrupt font detected, using %@ in place of %@.",
-            [m_platformData.nsFont() familyName], [initialFont.get() familyName]);
-    }
-
-    // If all else fails, try to set up using the system font.
-    // This is probably because Times and Times New Roman are both unavailable.
-    if (failedSetup) {
-        m_platformData.setNSFont([NSFont systemFontOfSize:[m_platformData.nsFont() pointSize]]);
-        LOG_ERROR("failed to set up font, using system font %s", m_platformData.font());
-    }
 
 #if PLATFORM(MAC) && __MAC_OS_X_VERSION_MIN_REQUIRED < 101100

trunk/Source/WebCore/platform/graphics/cocoa/FontPlatformDataCocoa.mm

@@ -58 +58 @@
 {
 }
+
+#if USE(APPKIT)
+
+static NSString *webFallbackFontFamily(void)
+{
+    static NSString *webFallbackFontFamily = [[[NSFont systemFontOfSize:16.0f] familyName] retain];
+    return webFallbackFontFamily;
+}
+
+void FontPlatformData::setFallbackCGFont()
+{
+    if (cgFont())
+        return;
+
+    // Ack! Something very bad happened, like a corrupt font.
+    // Try looking for an alternate 'base' font for this renderer.
+
+    // Special case hack to use "Times New Roman" in place of "Times".
+    // "Times RO" is a common font whose family name is "Times".
+    // It overrides the normal "Times" family font.
+    // It also appears to have a corrupt regular variant.
+    NSString *fallbackFontFamily;
+    if ([[nsFont() familyName] isEqual:@"Times"])
+        fallbackFontFamily = @"Times New Roman";
+    else
+        fallbackFontFamily = webFallbackFontFamily();
+
+    // Try setting up the alternate font.
+    // This is a last ditch effort to use a substitute font when something has gone wrong.
+#if !ERROR_DISABLED
+    RetainPtr<NSFont> initialFont = nsFont();
+#endif
+    if (font())
+        setNSFont([[NSFontManager sharedFontManager] convertFont:nsFont() toFamily:fallbackFontFamily]);
+    else
+        setNSFont([NSFont fontWithName:fallbackFontFamily size:size()]);
+
+    if (cgFont())
+        return;
+
+    if ([fallbackFontFamily isEqual:@"Times New Roman"]) {
+        // OK, couldn't setup Times New Roman as an alternate to Times, fallback
+        // on the system font. If this fails we have no alternative left.
+        setNSFont([[NSFontManager sharedFontManager] convertFont:nsFont() toFamily:webFallbackFontFamily()]);
+        if (cgFont())
+            return;
+
+        // We tried, Times, Times New Roman, and the system font. No joy. We have to give up.
+        LOG_ERROR("unable to initialize with font %@", initialFont.get());
+    } else {
+        // We tried the requested font and the system font. No joy. We have to give up.
+        LOG_ERROR("unable to initialize with font %@", initialFont.get());
+    }
+
+    // Report the problem.
+    LOG_ERROR("Corrupt font detected, using %@ in place of %@.", [nsFont() familyName], [initialFont.get() familyName]);
+
+    // If all else fails, try to set up using the system font.
+    // This is probably because Times and Times New Roman are both unavailable.
+    ASSERT(!cgFont());
+    setNSFont([NSFont systemFontOfSize:[nsFont() pointSize]]);
+    LOG_ERROR("failed to set up font, using system font %s", font());
+}
+
+#else
+
+void FontPlatformData::setFallbackCGFont()
+{
+}
+
+#endif
 
 void FontPlatformData::platformDataInit(const FontPlatformData& f)

trunk/Source/WebCore/platform/graphics/freetype/FontPlatformData.h

@@ -73 +73 @@
     HarfBuzzFace* harfBuzzFace() const;
 
-    bool isFixedPitch();
+    bool isFixedPitch() const;
     float size() const { return m_size; }
     void setSize(float size) { m_size = size; }

trunk/Source/WebCore/platform/graphics/freetype/FontPlatformDataFreeType.cpp

@@ -274 +274 @@
 }
 
-bool FontPlatformData::isFixedPitch()
+bool FontPlatformData::isFixedPitch() const
 {
     return m_fixedWidth;

trunk/Source/WebCore/platform/graphics/win/FontPlatformDataCGWin.cpp

@@ -114 +114 @@
     GetObject(font, sizeof(logfont), &logfont);
     m_cgFont = adoptCF(CGFontCreateWithPlatformFont(&logfont));
+    if (!m_useGDI)
+        m_isSystemFont = !wcscmp(faceName, L"Lucida Grande");
 }
 
@@ -156 +158 @@
 }
 
+void FontPlatformData::setFallbackCGFont()
+{
 }
+
+}

trunk/Source/WebCore/platform/graphics/win/FontPlatformDataCairoWin.cpp

@@ -55 +55 @@
     m_scaledFont = cairo_scaled_font_create(fontFace, &sizeMatrix, &ctm, fontOptions);
     cairo_font_face_destroy(fontFace);
+
+    if (!m_useGDI && m_size)
+        m_isSystemFont = !wcscmp(faceName, L"Lucida Grande");
 }
 

trunk/Source/WebCore/platform/graphics/win/SimpleFontDataCGWin.cpp

@@ -87 +87 @@
         Vector<WCHAR> faceName(faceLength);
         GetTextFace(dc, faceLength, faceName.data());
-        m_platformData.setIsSystemFont(!wcscmp(faceName.data(), L"Lucida Grande"));
         SelectObject(dc, oldFont);
 

trunk/Source/WebCore/platform/graphics/win/SimpleFontDataCairoWin.cpp

@@ -47 +47 @@
     m_scriptCache = 0;
     m_scriptFontProperties = 0;
-    m_platformData.setIsSystemFont(false);
 
     if (m_platformData.useGDI())
@@ -56 +55 @@
         m_avgCharWidth = 0;
         m_maxCharWidth = 0;
-        m_platformData.setIsSystemFont(false);
         m_scriptCache = 0;
         m_scriptFontProperties = 0;
@@ -87 +85 @@
     }
     float xHeight = ascent * 0.56f; // Best guess for xHeight for non-Truetype fonts.
-
-    int faceLength = ::GetTextFace(dc, 0, 0);
-    Vector<WCHAR> faceName(faceLength);
-    ::GetTextFace(dc, faceLength, faceName.data());
-    m_platformData.setIsSystemFont(!wcscmp(faceName.data(), L"Lucida Grande"));
 
     m_fontMetrics.setAscent(ascent);