[webkit-changes] [WebKit/WebKit] 38946d: Crash in SVGFontFaceElement::associatedFontElement...

Myles C. Maxfield noreply at github.com
Sun Apr 9 00:02:53 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 38946d45dfe831d30d7c7fce8123ea8a85b00169
      https://github.com/WebKit/WebKit/commit/38946d45dfe831d30d7c7fce8123ea8a85b00169
  Author: Myles C. Maxfield <mmaxfield at apple.com>
  Date:   2023-04-09 (Sun, 09 Apr 2023)

  Changed paths:
    A LayoutTests/platform/glib/imported/w3c/web-platform-tests/svg/import/text-intro-02-b-manual-expected.txt
    A LayoutTests/platform/glib/imported/w3c/web-platform-tests/svg/import/text-intro-03-b-manual-expected.txt
    R LayoutTests/platform/gtk/imported/w3c/web-platform-tests/svg/import/text-intro-02-b-manual-expected.txt
    M LayoutTests/platform/gtk/svg/W3C-SVG-1.1-SE/text-intro-09-b-expected.txt
    R LayoutTests/platform/wpe/imported/w3c/web-platform-tests/svg/import/text-intro-02-b-manual-expected.txt
    M LayoutTests/platform/wpe/svg/W3C-SVG-1.1-SE/text-intro-09-b-expected.txt
    M Source/WebCore/css/CSSFontSelector.h
    M Source/WebCore/rendering/svg/RenderSVGInlineText.cpp
    M Source/WebCore/rendering/svg/RenderSVGText.cpp
    M Source/WebCore/rendering/svg/RenderSVGText.h
    M Source/WebCore/svg/SVGFontFaceElement.cpp

  Log Message:
  -----------
  Crash in SVGFontFaceElement::associatedFontElement crash when removing SVGFontFaceElement
https://bugs.webkit.org/show_bug.cgi?id=249434
<rdar://problem/103420468>

Reviewed by Said Abou-Hallawa.

Port of Blink commit https://src.chromium.org/viewvc/blink?revision=167993&view=revision.
The Blink commit message is:

> Fix crash in SVGFontFaceElement::associatedFontElement crash when removing SVGFontFaceElement.
>
> (1) We need to remove its font-face rule from FontCache when removing SVGFontFaceElement,
>
> (2) We should not use old styles in RenderSVGInlineText::styleDidChange.
> Since styleRecalc is done in document-order, we cannot see any styles of next renderer
> (obtained by nextInPreOrder).
> The old styles might have old fonts which are created by SVGFontFaceElement.

* Source/WebCore/css/CSSFontFaceSet.cpp:
(WebCore::CSSFontFaceSet::remove):
* Source/WebCore/css/CSSFontFaceSet.h:
* Source/WebCore/css/CSSFontSelector.h:
* Source/WebCore/rendering/svg/RenderSVGInlineText.cpp:
(WebCore::RenderSVGInlineText::styleDidChange):
* Source/WebCore/rendering/svg/RenderSVGText.cpp:
(WebCore::RenderSVGText::subtreeStyleDidChange):
(WebCore::RenderSVGText::layout):
* Source/WebCore/rendering/svg/RenderSVGText.h:
* Source/WebCore/svg/SVGFontFaceElement.cpp:
(WebCore::SVGFontFaceElement::removedFromAncestor):

Cherry-pick: 259548.279@safari-7615-branch (41f425bc0ef8). rdar://107710008
Canonical link: https://commits.webkit.org/262756@main