[webkit-changes] [WebKit/WebKit] ad3a1e: DocumentFontLoader::fontLoadingTimerFired() must k...
Rupin Mittal
noreply at github.com
Fri Jan 10 08:40:19 PST 2025
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ad3a1e258c9b923ab61f09886cc49c818c2cb0ea
https://github.com/WebKit/WebKit/commit/ad3a1e258c9b923ab61f09886cc49c818c2cb0ea
Author: Rupin Mittal <rupin at apple.com>
Date: 2025-01-10 (Fri, 10 Jan 2025)
Changed paths:
A LayoutTests/http/tests/security/document-cached-font-loading-expected.txt
A LayoutTests/http/tests/security/document-cached-font-loading.html
A LayoutTests/http/tests/security/resources/document-cached-font-loading-helper.html
A LayoutTests/http/tests/security/resources/font.ttf
M Source/WebCore/dom/DocumentFontLoader.cpp
Log Message:
-----------
DocumentFontLoader::fontLoadingTimerFired() must keep a Ref of Document on the stack
https://bugs.webkit.org/show_bug.cgi?id=281912
rdar://138215892
Reviewed by Chris Dumez.
DocumentFontLoader::fontLoadingTimerFired() calls CachedResourceLoader::loadDone(),
which holds a RefPtr to the Document. It seems that in certain cases (like the
reproduction case in the radar), this is the only Ref keeping the Document alive.
So when the function ends, the Document is destroyed. Then, when fontLoadingTimerFired()
calls Document::frame() with its WeakRef m_document, there is a crash since the
Document has been destroyed.
Since Document owns DocumentFontLoader, we make DocumentFontLoader forward its refcounting
to its owning Document. Then we ensure that the Document is alive by holding a RefPtr to
the DocumentFontLoader itself at the beginning of fontLoadingTimerFired().
* LayoutTests/http/tests/security/document-cached-font-loading-expected.txt: Added.
* LayoutTests/http/tests/security/document-cached-font-loading.html: Added.
* LayoutTests/http/tests/security/resources/document-cached-font-loading-helper.html: Added.
* LayoutTests/http/tests/security/resources/font.ttf: Added.
This is the test created based on the reproduction case in the Radar.
* Source/WebCore/dom/DocumentFontLoader.cpp:
(WebCore::DocumentFontLoader::fontLoadingTimerFired):
Originally-landed-as: 283286.365 at safari-7620-branch (e7b7957de026). rdar://141318198
Canonical link: https://commits.webkit.org/288711@main
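The lifetime bug described in the commit message is a general pattern: a callback on a weakly-referenced owner calls into code that drops what turns out to be the last strong reference, then dereferences the weak pointer. The following is an added illustration, not WebKit code: it models Document with a minimal intrusive refcount, a RAII Ref, and a WeakPtr-like observer, and runs the timer callback once without and once with a protecting Ref held on the stack. Everything here (Document, Ref, WeakDocument, FontLoader, simulate) is constructed for the example; the real fix forwards DocumentFontLoader's refcounting to Document so that a Ref to the loader keeps the Document alive, whereas this model refs the Document directly and keeps the loader outside the Document so the destruction can be observed instead of crashing.

```cpp
#include <cassert>
#include <memory>

// Constructed stand-ins for WebKit's RefCounted Document, Ref<> and WeakPtr<>.
struct LivenessFlag { bool alive = true; };

struct Document {
    unsigned refCount = 0;
    std::shared_ptr<LivenessFlag> liveness = std::make_shared<LivenessFlag>();
    ~Document() { liveness->alive = false; }   // weak observers notice destruction
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

// Strong RAII reference: keeps the Document alive for its own lifetime.
struct Ref {
    Document* doc;
    explicit Ref(Document& d) : doc(&d) { doc->ref(); }
    ~Ref() { doc->deref(); }
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;
};

// Weak reference: observes liveness but never extends it (like WeakPtr<Document>).
struct WeakDocument {
    Document* doc;
    std::shared_ptr<LivenessFlag> liveness;
    explicit WeakDocument(Document& d) : doc(&d), liveness(d.liveness) {}
    Document* get() const { return liveness->alive ? doc : nullptr; }
};

enum class Outcome { FrameReached, DocumentDestroyed };

// Stand-in for the font loader. Unlike WebCore's DocumentFontLoader it is not
// embedded in Document, so the model can observe the Document's destruction safely.
struct FontLoader {
    WeakDocument m_document;
    std::unique_ptr<Ref> m_loadInProgress;   // plays the role of CachedResourceLoader's RefPtr

    explicit FontLoader(Document& d)
        : m_document(d), m_loadInProgress(std::make_unique<Ref>(d)) {}

    // loadDone() releases the load's reference; if it was the last one, the
    // Document is destroyed right here, while the caller is still running.
    void loadDone() { m_loadInProgress.reset(); }

    Outcome fontLoadingTimerFired(bool holdProtector) {
        std::unique_ptr<Ref> protector;
        if (holdProtector) {
            // The fix: take a strong reference on the stack before calling out.
            if (Document* d = m_document.get())
                protector = std::make_unique<Ref>(*d);
        }
        loadDone();
        // WebKit dereferences m_document here via Document::frame().
        Document* d = m_document.get();
        return d ? Outcome::FrameReached : Outcome::DocumentDestroyed;
        // protector (if any) is released after this point, as in the real fix.
    }
};

// Runs the callback with the load's RefPtr as the only strong reference.
Outcome simulate(bool holdProtector) {
    Document* doc = new Document;   // owned by Refs from here on; deleted on last deref
    FontLoader loader(*doc);        // holds the single strong reference
    return loader.fontLoadingTimerFired(holdProtector);
}
```

Without the protector the weak pointer reads back as null after loadDone(), which in a real WeakPtr-free path is the use-after-free the radar crashed on; with the protector the Document outlives the whole callback and the later access is valid. The same discipline applies to any timer or completion callback that reaches its owner through a weak reference.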