Changeset 38843 in webkit

Timestamp:

Nov 29, 2008 1:40:23 PM (15 years ago)

Author:

mitz@apple.com

Message:

WebCore:

Reviewed by Alexey Proskuryakov.

• fix ​https://bugs.webkit.org/show_bug.cgi?id=22454 <rdar://problem/6405550> REGRESSION (3.2-TOT): Crash below FontFallbackList::fontDataAt on jacobian.org

Test: http/tests/misc/font-face-in-multiple-segmented-faces.html

The crash happened because style recalculation was invoked by
CSSFontSelector after one CSSSegmentedFontFace had pruned its tables but
before another CSSSegmentedFontFace using the same CSSFontFace had done
so. The fix is to let all CSSSegmentedFontFaces using the CSSFontFace
prune their tables before telling the CSSFontSelector to recalc style.

• css/CSSFontFace.cpp: (WebCore::CSSFontFace::fontLoaded):
• css/CSSFontSelector.cpp: (WebCore::CSSFontSelector::fontLoaded):
• css/CSSFontSelector.h:
• css/CSSSegmentedFontFace.cpp: (WebCore::CSSSegmentedFontFace::fontLoaded):

LayoutTests:

Reviewed by Alexey Proskuryakov.

• test for ​https://bugs.webkit.org/show_bug.cgi?id=22454 <rdar://problem/6405550> REGRESSION (3.2-TOT): Crash below FontFallbackList::fontDataAt on jacobian.org

• http/tests/misc/font-face-in-multiple-segmented-faces-expected.txt: Added.
• http/tests/misc/font-face-in-multiple-segmented-faces.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/misc/font-face-in-multiple-segmented-faces-expected.txt (added)
• LayoutTests/http/tests/misc/font-face-in-multiple-segmented-faces.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/css/CSSFontFace.cpp (modified) (2 diffs)
• WebCore/css/CSSFontSelector.cpp (modified) (1 diff)
• WebCore/css/CSSFontSelector.h (modified) (1 diff)
• WebCore/css/CSSSegmentedFontFace.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-11-29  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        - test for https://bugs.webkit.org/show_bug.cgi?id=22454
+          <rdar://problem/6405550> REGRESSION (3.2-TOT): Crash below FontFallbackList::fontDataAt on jacobian.org
+
+        * http/tests/misc/font-face-in-multiple-segmented-faces-expected.txt: Added.
+        * http/tests/misc/font-face-in-multiple-segmented-faces.html: Added.
+
 2008-11-29  Alexey Proskuryakov  <ap@webkit.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-11-29  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        - fix https://bugs.webkit.org/show_bug.cgi?id=22454
+          <rdar://problem/6405550> REGRESSION (3.2-TOT): Crash below FontFallbackList::fontDataAt on jacobian.org
+
+        Test: http/tests/misc/font-face-in-multiple-segmented-faces.html
+
+        The crash happened because style recalculation was invoked by
+        CSSFontSelector after one CSSSegmentedFontFace had pruned its tables but
+        before another CSSSegmentedFontFace using the same CSSFontFace had done
+        so. The fix is to let all CSSSegmentedFontFaces using the CSSFontFace
+        prune their tables before telling the CSSFontSelector to recalc style.
+
+        * css/CSSFontFace.cpp:
+        (WebCore::CSSFontFace::fontLoaded):
+        * css/CSSFontSelector.cpp:
+        (WebCore::CSSFontSelector::fontLoaded):
+        * css/CSSFontSelector.h:
+        * css/CSSSegmentedFontFace.cpp:
+        (WebCore::CSSSegmentedFontFace::fontLoaded):
+
 2008-11-29  Alexey Proskuryakov  <ap@webkit.org>
 

trunk/WebCore/css/CSSFontFace.cpp

@@ -28 +28 @@
 
 #include "CSSFontFaceSource.h"
+#include "CSSFontSelector.h"
 #include "CSSSegmentedFontFace.h"
 #include "FontDescription.h"
@@ -79 +80 @@
 void CSSFontFace::fontLoaded(CSSFontFaceSource*)
 {
+    // FIXME: Can we assert that m_segmentedFontFaces is not empty? That may
+    // require stopping in-progress font loading when the last
+    // CSSSegmentedFontFace is removed.
+    if (m_segmentedFontFaces.isEmpty())
+        return;
+
     HashSet<CSSSegmentedFontFace*>::iterator end = m_segmentedFontFaces.end();
     for (HashSet<CSSSegmentedFontFace*>::iterator it = m_segmentedFontFaces.begin(); it != end; ++it)
         (*it)->fontLoaded(this);
+
+    // Use one of the CSSSegmentedFontFaces' font selector. They all have
+    // the same font selector, so it's wasteful to store it in the CSSFontFace.
+    CSSFontSelector* fontSelector = (*m_segmentedFontFaces.begin())->fontSelector();
+    fontSelector->fontLoaded();
 }
 

trunk/WebCore/css/CSSFontSelector.cpp

@@ -358 +358 @@
 }
 
-void CSSFontSelector::fontLoaded(CSSSegmentedFontFace*)
+void CSSFontSelector::fontLoaded()
 {
     if (!m_document || m_document->inPageCache() || !m_document->renderer())

trunk/WebCore/css/CSSFontSelector.h

@@ -57 +57 @@
     void addFontFaceRule(const CSSFontFaceRule*);
 
-    void fontLoaded(CSSSegmentedFontFace*);
+    void fontLoaded();
     virtual void fontCacheInvalidated();
 

trunk/WebCore/css/CSSSegmentedFontFace.cpp

@@ -83 +83 @@
 {
     pruneTable();
-    m_fontSelector->fontLoaded(this);
 }