Created attachment 424340
Test e.g.

ASSERTION FAILED: m_clients.contains(&client)
./css/CSSFontFace.cpp(404) : void WebCore::CSSFontFace::removeClient(WebCore::CSSFontFace::Client &)
1 0x538de4cc9 WTFCrash
2 0x5186c550b WTFCrashWithInfo(int, char const*, char const*, int)
3 0x51b2a5cdb WebCore::CSSFontFace::removeClient(WebCore::CSSFontFace::Client&)
4 0x51b33c029 WebCore::CSSSegmentedFontFace::~CSSSegmentedFontFace()
5 0x51b33c105 WebCore::CSSSegmentedFontFace::~CSSSegmentedFontFace()
6 0x51b2cb38b std::__1::default_delete<WebCore::CSSSegmentedFontFace>::operator()(WebCore::CSSSegmentedFontFace*) const
7 0x51b2cb352 WTF::RefCounted<WebCore::CSSSegmentedFontFace, std::__1::default_delete<WebCore::CSSSegmentedFontFace> >::deref() const
8 0x51b2cb2fe WebCore::CSSSegmentedFontFace::deref()
...
24 0x51b2bbd3a WebCore::CSSFontFaceSet::remove(WebCore::CSSFontFace const&)
25 0x51b2c3bd7 WebCore::CSSFontSelector::addFontFaceRule(WebCore::StyleRuleFontFace&, bool)
26 0x51d0d9893 WebCore::Style::Resolver::addCurrentSVGFontFaceRules()
27 0x51d0ed990 WebCore::Style::Scope::resolver()
28 0x51d0f4e4a WebCore::Style::TreeResolver::Scope::Scope(WebCore::Document&)
29 0x51d0f4ebd WebCore::Style::TreeResolver::Scope::Scope(WebCore::Document&)
30 0x51d0f8635 WebCore::Style::TreeResolver::resolve()
31 0x51b5bc23d WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)

<rdar://75879757>

Created attachment 424631
Reduced testcase

Created attachment 427772
Super reduced test case

Created attachment 427917
Patch
I'm attaching a test case because I think this is not a security issue. We're just trying to remove something from a HashSet twice. In the proposed patch I decided to add some code to the loop that calls appendFontFace() in CSSFontFaceSet::fontFace().

A couple of comments:

* Removing duplicate entries could be done with removeRepeatedElements() too, but that would mean an extra unneeded traversal of the Vector.
* My first thought was using a ListHashSet for candidateFontFaces instead of a Vector to avoid the duplicates. However, that is not possible because we don't have the proper operators to be able to run std::stable_sort.
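A small stand-alone model of the double-removal described in the comment, added here as an illustration and not taken from WebKit: the class names (Face, SegmentedFace, Client, runScenario) are hypothetical stand-ins for CSSFontFace, CSSSegmentedFontFace and its client registry, and the candidate list is constructed input.

```cpp
#include <algorithm>
#include <cstdio>
#include <set>
#include <vector>

struct Client { virtual ~Client() = default; };

// Stand-in for CSSFontFace: a set of registered clients. A second removal of
// the same client returns false, mirroring "ASSERTION FAILED: m_clients.contains(&client)".
struct Face {
    std::set<Client*> clients;
    void addClient(Client& c) { clients.insert(&c); }
    bool removeClient(Client& c) { return clients.erase(&c) == 1; }
};

// Stand-in for CSSSegmentedFontFace: registers as a client of every face it
// aggregates and deregisters from each one in its destructor.
struct SegmentedFace : Client {
    std::vector<Face*> faces;
    int& missingRemovals;  // counts removals that found no registration
    explicit SegmentedFace(int& counter) : missingRemovals(counter) {}
    void appendFontFace(Face& f) { faces.push_back(&f); f.addClient(*this); }
    ~SegmentedFace() override {
        for (Face* f : faces)
            if (!f->removeClient(*this)) ++missingRemovals;
    }
};

// Builds a segmented face from a candidate list naming the same face twice, then
// tears it down. dedupe=false appends the duplicate, so the face is deregistered
// twice (the crash); dedupe=true skips an already-appended candidate, the approach
// the comment describes. Returns the number of failed removals (0 = clean teardown).
int runScenario(bool dedupe) {
    Face a, b;
    std::vector<Face*> candidates = {&a, &b, &a};  // constructed input with a duplicate
    int missing = 0;
    {
        SegmentedFace seg(missing);
        for (Face* f : candidates) {
            if (dedupe && std::find(seg.faces.begin(), seg.faces.end(), f) != seg.faces.end())
                continue;
            seg.appendFontFace(*f);
        }
    }  // seg destroyed here, running the removeClient loop
    return missing;
}

int main() {
    std::printf("without dedupe: %d failed removals\n", runScenario(false));
    std::printf("with dedupe:    %d failed removals\n", runScenario(true));
}
```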
Committed r277378 (237634@main): <https://commits.webkit.org/237634@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427917.