Merge r174273 - REGRESSION (r173531): Use after free in WebCore::Rend…

…erStyle::fontMetrics / WebCore::CSSPrimitiveValue::computeLengthDouble https://bugs.webkit.org/show_bug.cgi?id=136864 Reviewed by Andreas Kling. Source/WebCore: FontLoader previously called updateDocumentStyleIfNeeded, which would reset styles currently in use as part of the tabIndex calculation. The FontLoader should instead wait for pending stylesheets to load. Tests: fast/css/fontloader-tab-index.html * css/FontLoader.cpp: (WebCore::FontLoader::notifyWhenFontsReady): Do not immediately call loadingDone(). (WebCore::FontLoader::loadingDone): Wait for stylesheets to finish loading rather than updating document styles. * css/FontLoader.h: (WebCore::FontLoader::loading): Include JS font loads when testing for the loading state. LayoutTests: Test that getting the tab index on a body element with font-relative measurements to a local @font-face do not cause a crash. * fast/css/fontloader-tab-index-expected.html: Added. * fast/css/fontloader-tab-index.html: Added. Canonical link: https://commits.webkit.org/154760.102@webkitgtk/2.6 git-svn-id: https://svn.webkit.org/repository/webkit/releases/WebKitGTK/webkit-2.6@174954 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 21, 2014 · 41f4f50 · 41f4f50
1 parent ed4d832
commit 41f4f50
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 6 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2014-10-03 Bear Travis <betravis@adobe.com>
+
+        REGRESSION (r173531): Use after free in WebCore::RenderStyle::fontMetrics /
+        WebCore::CSSPrimitiveValue::computeLengthDouble
+        https://bugs.webkit.org/show_bug.cgi?id=136864
+
+        Reviewed by Andreas Kling.
+
+        Test that getting the tab index on a body element with
+        font-relative measurements to a local @font-face do not
+        cause a crash.
+
+        * fast/css/fontloader-tab-index-expected.html: Added.
+        * fast/css/fontloader-tab-index.html: Added.
+
 2014-10-02  Krzysztof Czech  <k.czech@samsung.com>
 
         AX: Default orientation for aria scrollbars should be vertical

diff --git a/LayoutTests/fast/css/fontloader-tab-index-expected.html b/LayoutTests/fast/css/fontloader-tab-index-expected.html
@@ -0,0 +1,17 @@
+<!doctype html>
+<html>
+<head>
+<style>
+@font-face {
+    font-family: 'times';
+    src: local('Lucida Grande');
+}
+body {
+  margin: 1ex;
+}
+</style>
+</head>
+<body>
+Fetching tabIndex should not cause a crash when involving font-relative units on the body element of the document.
+</body>
+</html>
diff --git a/LayoutTests/fast/css/fontloader-tab-index.html b/LayoutTests/fast/css/fontloader-tab-index.html
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+<head>
+<style>
+@font-face {
+    font-family: 'times';
+    src: local('Lucida Grande');
+}
+body {
+  margin: 1ex;
+}
+</style>
+</head>
+<body>
+<script>
+var idx = document.querySelector("body").tabIndex;
+</script>
+Fetching tabIndex should not cause a crash when involving font-relative units on the body element of the document.
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2014-10-03 Bear Travis <betravis@adobe.com>
+
+        REGRESSION (r173531): Use after free in WebCore::RenderStyle::fontMetrics /
+        WebCore::CSSPrimitiveValue::computeLengthDouble
+        https://bugs.webkit.org/show_bug.cgi?id=136864
+
+        Reviewed by Andreas Kling.
+
+        FontLoader previously called updateDocumentStyleIfNeeded,
+        which would reset styles currently in use as part of
+        the tabIndex calculation. The FontLoader should instead
+        wait for pending stylesheets to load.
+
+        Tests: fast/css/fontloader-tab-index.html
+
+        * css/FontLoader.cpp:
+        (WebCore::FontLoader::notifyWhenFontsReady): Do not immediately
+        call loadingDone().
+        (WebCore::FontLoader::loadingDone): Wait for stylesheets to
+        finish loading rather than updating document styles.
+        * css/FontLoader.h:
+        (WebCore::FontLoader::loading): Include JS font loads when testing
+        for the loading state.
+
 2014-10-02  Chris Dumez  <cdumez@apple.com>
 
         XMLHttpRequestProgressEventThrottle shouldn't throttle / defer progress events if there are no listeners

diff --git a/Source/WebCore/css/FontLoader.cpp b/Source/WebCore/css/FontLoader.cpp
@@ -211,22 +211,18 @@ void FontLoader::loadError(CSSFontFaceRule* rule, CSSFontFaceSource* source)
 void FontLoader::notifyWhenFontsReady(PassRefPtr<VoidCallback> callback)
 {
     m_callbacks.append(callback);
-    loadingDone();
 }
 
 void FontLoader::loadingDone()
 {
-    if (loading())
+    if (loading() || !m_document->haveStylesheetsLoaded())
         return;
     if (!m_loadingDoneEvent && m_callbacks.isEmpty())
         return;
 
     if (FrameView* view = m_document->view()) {
         if (view->isInLayout() || view->needsLayout())
             return;
-        m_document->updateStyleIfNeeded();
-        if (view->needsLayout())
-            return;
     }
 
     if (m_loadingDoneEvent)

diff --git a/Source/WebCore/css/FontLoader.h b/Source/WebCore/css/FontLoader.h
@@ -68,7 +68,7 @@ class FontLoader : public RefCounted<FontLoader>, public ActiveDOMObject, public
 
     void notifyWhenFontsReady(PassRefPtr<VoidCallback>);
 
-    bool loading() const { return m_numLoadingFromCSS > 0; }
+    bool loading() const { return m_numLoadingFromCSS > 0 || m_numLoadingFromJS > 0; }
 
     virtual ScriptExecutionContext* scriptExecutionContext() const;
     virtual EventTargetInterface eventTargetInterface() const;