[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf
mitz at apple.com
Tue Jan 5 23:50:28 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit 1b69bdccd35e6373ecdf33ee0dedfaf5a01d8120
Author: mitz at apple.com <mitz at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Dec 15 22:12:50 2009 +0000
<rdar://problem/7470452> Safari/Chromium crashes on complicated @font-face rule
https://bugs.webkit.org/show_bug.cgi?id=32257
Reviewed by Darin Adler.
WebCore:
Test: fast/css/font-face-unused-source-loaded.html
The loading of a font resource caused a CSSFontFace that had the resource in one of its
sources, but wasn’t using it (due to using an earlier source) to invalidate its
CSSSegmentedFontFaces. This caused FontData for the active source (the one that did not just
finish loading) to be deleted, but that went unnoticed by Font::operator==(), since the
corresponding FontFallbackLists were not in the loading state. The fix is for CSSFontFace to
ignore loads from unused sources.
* css/CSSFontFace.cpp:
(WebCore::CSSFontFace::fontLoaded): Bail out if the loaded source is not the active source.
(WebCore::CSSFontFace::getFontData): Set m_activeSource to the source that supplied the
FontData.
* css/CSSFontFace.h:
(WebCore::CSSFontFace::CSSFontFace): Initialize m_activeSource.
LayoutTests:
* fast/css/font-face-unused-source-loaded-expected.txt: Added.
* fast/css/font-face-unused-source-loaded.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@52174 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8bb4ecc..f7e0bf4 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-12-15 Dan Bernstein <mitz at apple.com>
+
+ Reviewed by Darin Adler.
+
+ <rdar://problem/7470452> Safari/Chromium crashes on complicated @font-face rule
+ https://bugs.webkit.org/show_bug.cgi?id=32257
+
+ * fast/css/font-face-unused-source-loaded-expected.txt: Added.
+ * fast/css/font-face-unused-source-loaded.html: Added.
+
2009-12-15 Kenneth Russell <kbr at google.com>
Reviewed by Darin Fisher.
diff --git a/LayoutTests/fast/css/font-face-unused-source-loaded-expected.txt b/LayoutTests/fast/css/font-face-unused-source-loaded-expected.txt
new file mode 100644
index 0000000..acdcb8d
--- /dev/null
+++ b/LayoutTests/fast/css/font-face-unused-source-loaded-expected.txt
@@ -0,0 +1,6 @@
+Test for https://bugs.webkit.org/show_bug.cgi?id=32257 Safari/Chromium crashes on complicated @font-face rule.
+
+The test passes if it does not crash.
+
+Ahem
+Arial
diff --git a/LayoutTests/fast/css/font-face-unused-source-loaded.html b/LayoutTests/fast/css/font-face-unused-source-loaded.html
new file mode 100644
index 0000000..04048c2
--- /dev/null
+++ b/LayoutTests/fast/css/font-face-unused-source-loaded.html
@@ -0,0 +1,33 @@
+<style>
+ @font-face {
+ font-family: url-only;
+ src: url(resources/Ahem.ttf);
+ }
+
+ @font-face {
+ font-family: local-and-url;
+ src: local(Arial), url(resources/Ahem.ttf);
+ }
+</style>
+<body onload="document.body.offsetTop">
+ <p>
+ Test for <i><a href="https://bugs.webkit.org/show_bug.cgi?id=32257">https://bugs.webkit.org/show_bug.cgi?id=32257</a>
+ Safari/Chromium crashes on complicated @font-face rule</i>.
+ </p>
+ <p>
+ The test passes if it does not crash.
+ </p>
+ <div style="font-family: url-only">
+ Ahem
+ </div>
+ <div style="font-family: local-and-url">
+ Arial
+ </div>
+ <script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ // Force layout now to kick off font loading before the load even fires.
+ document.body.offsetTop;
+ </script>
+</body>
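Review bot: The closing comment in the script, `// Force layout now to kick off font loading before the load even fires.`, reads "even" where "event" is presumably meant; `before the load event fires` would read correctly. That comment is the only explanation of why `document.body.offsetTop` is read twice (once in the script, once in the body's onload handler), so it is worth keeping accurate. A short note on the `onload` attribute, such as `<!-- second layout after load so the loaded-font path is also exercised -->`, would document the second read as well, assuming that is its purpose.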
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index db8724f..0a7491d 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2009-12-15 Dan Bernstein <mitz at apple.com>
+
+ Reviewed by Darin Adler.
+
+ <rdar://problem/7470452> Safari/Chromium crashes on complicated @font-face rule
+ https://bugs.webkit.org/show_bug.cgi?id=32257
+
+ Test: fast/css/font-face-unused-source-loaded.html
+
+ The loading of a font resource caused a CSSFontFace that had the resource in one of its
+ sources, but wasn’t using it (due to using an earlier source) to invalidate its
+ CSSSegmentedFontFaces. This caused FontData for the active source (the one that did not just
+ finish loading) to be deleted, but that went unnoticed by Font::operator==(), since the
+ corresponding FontFallbackLists were not in the loading state. The fix is for CSSFontFace to
+ ignore loads from unused sources.
+
+ * css/CSSFontFace.cpp:
+ (WebCore::CSSFontFace::fontLoaded): Bail out if the loaded source is not the active source.
+ (WebCore::CSSFontFace::getFontData): Set m_activeSource to the source that supplied the
+ FontData.
+ * css/CSSFontFace.h:
+ (WebCore::CSSFontFace::CSSFontFace): Initialize m_activeSource.
+
2009-12-15 Yael Aharon <yael.aharon at nokia.com>
Reviewed by Kenneth Rohde Christiansen.
diff --git a/WebCore/css/CSSFontFace.cpp b/WebCore/css/CSSFontFace.cpp
index 4d8da59..70cd9bb 100644
--- a/WebCore/css/CSSFontFace.cpp
+++ b/WebCore/css/CSSFontFace.cpp
@@ -77,8 +77,11 @@ void CSSFontFace::addSource(CSSFontFaceSource* source)
source->setFontFace(this);
}
-void CSSFontFace::fontLoaded(CSSFontFaceSource*)
+void CSSFontFace::fontLoaded(CSSFontFaceSource* source)
{
+ if (source != m_activeSource)
+ return;
+
// FIXME: Can we assert that m_segmentedFontFaces is not empty? That may
// require stopping in-progress font loading when the last
// CSSSegmentedFontFace is removed.
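Review bot: The early return on `source != m_activeSource` has no comment, and the reason a completed load is deliberately ignored lives only in the ChangeLog. Suggest placing above the check `// Only the source currently supplying FontData may invalidate the segmented faces; a load finishing on an unused source must not discard the active source's FontData (bug 32257).` Since getFontData() resets m_activeSource to 0 before searching, a load that completes before any successful getFontData() call is also dropped here; that looks intended, but the comment should say so. The body of fontLoaded continues past the end of the hunk.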
@@ -97,17 +100,22 @@ void CSSFontFace::fontLoaded(CSSFontFaceSource*)
SimpleFontData* CSSFontFace::getFontData(const FontDescription& fontDescription, bool syntheticBold, bool syntheticItalic)
{
+ m_activeSource = 0;
if (!isValid())
return 0;
-
+
ASSERT(!m_segmentedFontFaces.isEmpty());
CSSFontSelector* fontSelector = (*m_segmentedFontFaces.begin())->fontSelector();
- SimpleFontData* result = 0;
- unsigned size = m_sources.size();
- for (unsigned i = 0; i < size && !result; i++)
- result = m_sources[i]->getFontData(fontDescription, syntheticBold, syntheticItalic, fontSelector);
- return result;
+ size_t size = m_sources.size();
+ for (size_t i = 0; i < size; ++i) {
+ if (SimpleFontData* result = m_sources[i]->getFontData(fontDescription, syntheticBold, syntheticItalic, fontSelector)) {
+ m_activeSource = m_sources[i];
+ return result;
+ }
+ }
+
+ return 0;
}
}
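Review bot: m_activeSource records only the source chosen by the most recent getFontData() call, so if the same CSSFontFace is queried with several FontDescriptions that resolve to different sources (whether that can happen is not visible in the hunk), a load completing on a source picked by an earlier query is now ignored by fontLoaded(). If that case is reachable, a per-source "active" flag would be the safer shape; if it is not, a comment at the assignment such as `// Remember the supplying source; fontLoaded() acts only on loads from it.` would make the single-active-source assumption explicit. The reset before the isValid() check is fine but also deserves a word: `// Clear first so an invalid face never keeps a stale active source.`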
diff --git a/WebCore/css/CSSFontFace.h b/WebCore/css/CSSFontFace.h
index 41c9c55..4e2fee5 100644
--- a/WebCore/css/CSSFontFace.h
+++ b/WebCore/css/CSSFontFace.h
@@ -82,6 +82,7 @@ public:
private:
CSSFontFace(FontTraitsMask traitsMask)
: m_traitsMask(traitsMask)
+ , m_activeSource(0)
{
}
@@ -89,6 +90,7 @@ private:
Vector<UnicodeRange> m_ranges;
HashSet<CSSSegmentedFontFace*> m_segmentedFontFaces;
Vector<CSSFontFaceSource*> m_sources;
+ CSSFontFaceSource* m_activeSource;
};
}
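Review bot: The new member is added without a comment, although its meaning (which entry of m_sources last supplied FontData, and that fontLoaded() acts only on loads from that entry) can only be learned from CSSFontFace.cpp. Suggest `CSSFontFaceSource* m_activeSource; // Entry of m_sources that last supplied FontData, or 0; fontLoaded() ignores other sources.` Because it is a raw pointer into m_sources, any code that removes or replaces a source (none is visible in this diff) would also need to reset it, and the comment is the place to record that obligation.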