WebKit Bugzilla
Attachment 350073 Details for
Bug 189722
: Fix crash under FontCache::purgeInactiveFontData() when a memory warning fires
Patch: bug-189722-20180918161806.patch (text/plain), 2.33 KB, created by Simon Fraser (smfr) on 2018-09-18 16:18:08 PDT
Description: Patch
Flags: patch, obsolete
>Subversion Revision: 236094 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 715675b0ff32617bcb4325885854bc24c667987f..5bf6521ce084d38a1d05a59f76e3d425607a47d3 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,26 @@ >+2018-09-18 Simon Fraser <simon.fraser@apple.com> >+ >+ Fix crash under FontCache::purgeInactiveFontData() when a memory warning fires >+ https://bugs.webkit.org/show_bug.cgi?id=189722 >+ rdar://problem/44182860 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Hashing of FontPlatformData for cachedFonts() is somewhat broken because CFEqual() on CTFont >+ can return false when the fonts are actually the same, and have the same CFHash(). This >+ can result in multiple entries in cachedFonts() with the same Font. >+ >+ Then in FontCache::purgeInactiveFontData(), the loop that appends fonts to fontsToDelete >+ gets the value by reference, and WTFMoves it into fontsToDelete. This nulls out all >+ the entries sharing the same value, leaving null entries in the hash table. >+ We later crash at font->hasOneRef() when using one of those null entries. >+ >+ Fix by making a copy of the RefPtr<Font> in the loop, so the WTFMove doesn't nuke >+ the hash table entries. The entries will get removed at cachedFonts().remove() lower down. >+ >+ * platform/graphics/FontCache.cpp: >+ (WebCore::FontCache::purgeInactiveFontData): >+ > 2018-09-17 Jer Noble <jer.noble@apple.com> > > Add support for HEVC codec types in Media Capabilities >diff --git a/Source/WebCore/platform/graphics/FontCache.cpp b/Source/WebCore/platform/graphics/FontCache.cpp >index 58773be73c26c3791398090bd540b3a920ad56bf..4bbadfb28300e4cf12eb2e82b6e9ea62b6b1885f 100644 >--- a/Source/WebCore/platform/graphics/FontCache.cpp >+++ b/Source/WebCore/platform/graphics/FontCache.cpp 
>@@ -376,7 +376,7 @@ void FontCache::purgeInactiveFontData(unsigned purgeCount) > > while (purgeCount) { > Vector<RefPtr<Font>, 20> fontsToDelete; >- for (auto& font : cachedFonts().values()) { >+ for (auto font : cachedFonts().values()) { > LOG(Fonts, " trying to purge font %s (has one ref %d)", font->platformData().description().utf8().data(), font->hasOneRef()); > if (!font->hasOneRef()) > continue;
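Review bot: the ChangeLog names the root cause (CFEqual() on CTFont returning false for fonts that have the same CFHash(), so cachedFonts() ends up with several entries for one Font) but the patch leaves that hashing behaviour in place and only stops the duplicate entries from being nulled out. State in the ChangeLog that the duplicate-entry problem remains, or cite a follow-up bug for the FontPlatformData hashing, so a later reader does not take this change as the fix for it. "Reviewed by NOBODY (OOPS!)" also still needs the reviewer's name filled in before landing.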
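Review bot: changing `auto& font` to `auto font` copies the RefPtr<Font> before the `if (!font->hasOneRef())` check two lines below, so during the loop body each Font is held by both the cachedFonts() entry and the local copy, the check can never be true, and the purge loop silently appends nothing. If the intent is to keep the hash table entries intact while the WTFMove into fontsToDelete that the ChangeLog describes stays as is, keep `auto& font` and append a copy instead of moving (`fontsToDelete.append(font)`), or make the check account for the extra ref held by the copy. Separately, the LOG line dereferences `font` ahead of any check, so in builds where LOG is compiled in a null entry of the kind the ChangeLog describes would still crash on the log line rather than at hasOneRef(); an `if (!font) continue;` or ASSERT before the LOG would make the expectation explicit.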