Bug 223790 - RESOLVED FIXED
ASSERTION FAILED: m_clients.contains(&client) in CSSFontFace::removeClient via CSSSegmentedFontFace::~CSSSegmentedFontFace()
https://bugs.webkit.org/show_bug.cgi?id=223790
Ryosuke Niwa
Reported 2021-03-26 03:03:04 PDT
Created attachment 424340 [details]
Test

e.g.

ASSERTION FAILED: m_clients.contains(&client)
./css/CSSFontFace.cpp(404) : void WebCore::CSSFontFace::removeClient(WebCore::CSSFontFace::Client &)
1 0x538de4cc9 WTFCrash
2 0x5186c550b WTFCrashWithInfo(int, char const*, char const*, int)
3 0x51b2a5cdb WebCore::CSSFontFace::removeClient(WebCore::CSSFontFace::Client&)
4 0x51b33c029 WebCore::CSSSegmentedFontFace::~CSSSegmentedFontFace()
5 0x51b33c105 WebCore::CSSSegmentedFontFace::~CSSSegmentedFontFace()
6 0x51b2cb38b std::__1::default_delete<WebCore::CSSSegmentedFontFace>::operator()(WebCore::CSSSegmentedFontFace*) const
7 0x51b2cb352 WTF::RefCounted<WebCore::CSSSegmentedFontFace, std::__1::default_delete<WebCore::CSSSegmentedFontFace> >::deref() const
8 0x51b2cb2fe WebCore::CSSSegmentedFontFace::deref()
...
24 0x51b2bbd3a WebCore::CSSFontFaceSet::remove(WebCore::CSSFontFace const&)
25 0x51b2c3bd7 WebCore::CSSFontSelector::addFontFaceRule(WebCore::StyleRuleFontFace&, bool)
26 0x51d0d9893 WebCore::Style::Resolver::addCurrentSVGFontFaceRules()
27 0x51d0ed990 WebCore::Style::Scope::resolver()
28 0x51d0f4e4a WebCore::Style::TreeResolver::Scope::Scope(WebCore::Document&)
29 0x51d0f4ebd WebCore::Style::TreeResolver::Scope::Scope(WebCore::Document&)
30 0x51d0f8635 WebCore::Style::TreeResolver::resolve()
31 0x51b5bc23d WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)

<rdar://75879757>
Attachments
Test (473.95 KB, text/html)
2021-03-26 03:03 PDT, Ryosuke Niwa
no flags
Reduced testcase (308 bytes, text/html)
2021-03-30 05:44 PDT, Frédéric Wang (:fredw)
no flags
Super reduced test case (184 bytes, text/html)
2021-05-05 09:15 PDT, Sergio Villar Senin
no flags
Patch (3.76 KB, patch)
2021-05-06 12:07 PDT, Sergio Villar Senin
no flags
Frédéric Wang (:fredw)
Comment 1 2021-03-30 05:44:11 PDT
Created attachment 424631 [details] Reduced testcase
Sergio Villar Senin
Comment 2 2021-05-05 09:15:46 PDT
Created attachment 427772 [details] Super reduced test case
Sergio Villar Senin
Comment 3 2021-05-06 12:07:56 PDT
Sergio Villar Senin
Comment 4 2021-05-06 12:13:41 PDT
I'm attaching a test case because I think this is not a security issue. We're just trying to remove something from a HashSet twice. In the proposed patch I decided to add some code to the loop that calls appendFontFace() in CSSFontFaceSet::fontFace(). A couple of comments:
* Removing duplicate entries could be done with removeRepeatedElements() too, but that would mean an extra unneeded traversal of the Vector.
* My first thought was using a ListHashSet for candidateFontFaces instead of a Vector to avoid the duplicates. However, that is not possible because we don't have the proper operators to be able to run std::stable_sort.
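The double removal described in Comment 4, and the dedupe in the append loop that the patch adds, illustrated as an added example that is not WebKit's code and not part of this bug: FontFace, Client, appendFontFace and buildSegmentedFace below are simplified, hypothetical stand-ins for CSSFontFace, CSSSegmentedFontFace and the loop in CSSFontFaceSet::fontFace(), and the 700/400 weights and the candidate list are constructed input. The toy removeClient returns false instead of asserting so the unbalanced removal can be counted rather than crash.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <memory>
#include <unordered_set>
#include <vector>

// Hypothetical stand-ins for the classes named in the bug; this is not WebKit code.
struct FontFace;

// Plays the role of CSSSegmentedFontFace: it registers itself as a client of
// every FontFace it holds and must unregister from each exactly once.
struct Client {
    std::vector<FontFace*> faces;
    void appendFontFace(FontFace& face);
    // Unregisters from every held face; returns how many removals found no
    // registration (WebKit asserts on the first such removal instead).
    int unregisterAll();
    ~Client() { unregisterAll(); }
};

// Plays the role of CSSFontFace with its m_clients HashSet.
struct FontFace {
    int weight;
    std::unordered_set<Client*> clients; // set semantics: inserting twice stores one entry
    explicit FontFace(int w) : weight(w) {}
    void addClient(Client& client) { clients.insert(&client); }
    bool removeClient(Client& client) {
        if (!clients.count(&client))
            return false; // the condition behind "ASSERTION FAILED: m_clients.contains(&client)"
        clients.erase(&client);
        return true;
    }
};

void Client::appendFontFace(FontFace& face) {
    faces.push_back(&face);
    face.addClient(*this);
}

int Client::unregisterAll() {
    int missing = 0;
    for (FontFace* face : faces)
        if (!face->removeClient(*this))
            ++missing;
    faces.clear(); // so the destructor does not unregister a second time
    return missing;
}

// Stand-in for the loop in CSSFontFaceSet::fontFace(): stable-sorts the candidates
// and appends them to a fresh segmented face. With dedupe == false a face listed
// twice is appended twice, the double registration the bug describes; with
// dedupe == true a face already appended is skipped, the shape of the fix.
std::unique_ptr<Client> buildSegmentedFace(const std::vector<FontFace*>& candidates, bool dedupe) {
    std::vector<FontFace*> sorted = candidates;
    std::stable_sort(sorted.begin(), sorted.end(),
                     [](const FontFace* a, const FontFace* b) { return a->weight < b->weight; });
    auto segmented = std::make_unique<Client>();
    for (FontFace* face : sorted) {
        bool alreadyAppended =
            std::find(segmented->faces.begin(), segmented->faces.end(), face) != segmented->faces.end();
        if (dedupe && alreadyAppended)
            continue;
        segmented->appendFontFace(*face);
    }
    return segmented;
}

// Constructed scenario: the same face reaches the candidate list twice.
struct ScenarioResult {
    std::size_t appended; // entries held by the segmented face
    int failedRemovals;   // removals that found no registration to remove
};

ScenarioResult runScenario(bool dedupe) {
    FontFace bold(700), regular(400);
    std::vector<FontFace*> candidates{&bold, &regular, &bold}; // bold listed twice
    auto segmented = buildSegmentedFace(candidates, dedupe);
    ScenarioResult r{segmented->faces.size(), 0};
    r.failedRemovals = segmented->unregisterAll();
    return r;
}

int main() {
    ScenarioResult buggy = runScenario(false);
    ScenarioResult fixed = runScenario(true);
    std::cout << "without dedupe: appended=" << buggy.appended
              << " failed removals=" << buggy.failedRemovals << '\n';
    std::cout << "with dedupe:    appended=" << fixed.appended
              << " failed removals=" << fixed.failedRemovals << '\n';
    return 0;
}
```

The imbalance is invisible on insertion because a set collapses the duplicate, and only surfaces at teardown when the second removal finds nothing; the assertion in removeClient is what turns that latent register/unregister mismatch into a visible failure in debug builds, which is why such a check is worth keeping even when the release behaviour is benign.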
EWS
Comment 5 2021-05-12 10:58:26 PDT
Committed r277378 (237634@main): <https://commits.webkit.org/237634@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 427917 [details].