Bug 229272 - Nullptr crash in CSSFontFaceSet::ensureLocalFontFacesForFamilyRegistered
Summary: Nullptr crash in CSSFontFaceSet::ensureLocalFontFacesForFamilyRegistered
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: WebKit Nightly Build
Hardware: Unspecified, OS: Unspecified
Importance: P2 Normal
Assignee: Rob Buis
Keywords: InRadar
Reported: 2021-08-18 20:07 PDT by Ryosuke Niwa
Modified: 2021-08-24 12:35 PDT (History)
Attachments
Test (466 bytes, text/html), 2021-08-18 20:07 PDT, Ryosuke Niwa
Patch (3.94 KB, patch), 2021-08-23 02:35 PDT, Rob Buis

Description Ryosuke Niwa 2021-08-18 20:07:33 PDT
Created attachment 435830 [details]
Test

This crashes:

<script>
  onload = () => {
    let div0 = document.createElement('div');
    let progress0 = document.createElement('progress');
    div0.appendChild(progress0);
    let document2 = new Document();
    document2.appendChild(div0);
    progress0.cloneNode();
    let fontFace = new FontFace('a', 'url()');
    let fontFaceSet = document2.fonts;
    queueMicrotask(() => {
      window.GCController?.collect();
      fontFaceSet.add(fontFace);
    });
  };
</script>

e.g.
#0 0x3fd2ac133 in WebCore::CSSFontFaceSet::ensureLocalFontFacesForFamilyRegistered(WTF::String const&)+0x203 (WebCore.framework/Versions/A/WebCore:x86_64+0x322e133)
#1 0x3fd2ad0ec in WebCore::CSSFontFaceSet::addToFacesLookupTable(WebCore::CSSFontFace&)+0x3ac (WebCore.framework/Versions/A/WebCore:x86_64+0x322f0ec)
#2 0x3fd2ad84c in WebCore::CSSFontFaceSet::add(WebCore::CSSFontFace&)+0x22c (WebCore.framework/Versions/A/WebCore:x86_64+0x322f84c)
#3 0x3fd401067 in WebCore::FontFaceSet::add(WebCore::FontFace&)+0x57 (WebCore.framework/Versions/A/WebCore:x86_64+0x3383067)
#4 0x3faceb1b2 in WebCore::jsFontFaceSetPrototypeFunction_addBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*)+0x1a2 (WebCore.framework/Versions/A/WebCore:x86_64+0xc6d1b2)
#5 0x3faceaf70 in long long WebCore::IDLOperation<WebCore::JSFontFaceSet>::call<&(WebCore::jsFontFaceSetPrototypeFunction_addBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x100 (WebCore.framework/Versions/A/WebCore:x86_64+0xc6cf70)
#6 0x3facea6b8 in WebCore::jsFontFaceSetPrototypeFunction_add(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xc6c6b8)
#7 0x2aa182c011d7  (<unknown module>)
#8 0x41806f8d6 in llint_entry+0x1b5c6 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xe318d6)
#9 0x418054108 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xe16108)
#10 0x419a75084 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x5e4 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2837084)
#11 0x41a375b84 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3137b84)
#12 0x41a375e97 in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x107 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3137e97)
#13 0x41a69c3fa in JSC::JSMicrotask::run(JSC::JSGlobalObject*)+0x25a (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x345e3fa)
#14 0x3fcedf8c7 in WebCore::JSExecState::runTask(JSC::JSGlobalObject*, JSC::Microtask&)+0xf7 (WebCore.framework/Versions/A/WebCore:x86_64+0x2e618c7)
#15 0x3fcee603a in WebCore::JSMicrotaskCallback::call()+0x10a (WebCore.framework/Versions/A/WebCore:x86_64+0x2e6803a)
#16 0x3fcee5d9f in WebCore::JSDOMWindowBase::queueMicrotaskToEventLoop(JSC::JSGlobalObject&, WTF::Ref<JSC::Microtask, WTF::RawPtrTraits<JSC::Microtask> >&&)::$_40::operator()()+0xcf (WebCore.framework/Versions/A/WebCore:x86_64+0x2e67d9f)
#17 0x3fcee5c2c in WTF::Detail::CallableWrapper<WebCore::JSDOMWindowBase::queueMicrotaskToEventLoop(JSC::JSGlobalObject&, WTF::Ref<JSC::Microtask, WTF::RawPtrTraits<JSC::Microtask> >&&)::$_40, void>::call()+0xc (WebCore.framework/Versions/A/WebCore:x86_64+0x2e67c2c)
#18 0x3fa096ebe in WTF::Function<void ()>::operator()() const+0x3e (WebCore.framework/Versions/A/WebCore:x86_64+0x18ebe)
#19 0x3fd865fac in WebCore::EventLoopFunctionDispatchTask::execute()+0xc (WebCore.framework/Versions/A/WebCore:x86_64+0x37e7fac)
#20 0x3fd8aa649 in WebCore::MicrotaskQueue::performMicrotaskCheckpoint()+0x699 (WebCore.framework/Versions/A/WebCore:x86_64+0x382c649)
#21 0x3fd85413c in WebCore::EventLoop::performMicrotaskCheckpoint()+0x3c (WebCore.framework/Versions/A/WebCore:x86_64+0x37d613c)
#22 0x3fd8560b8 in WebCore::EventLoopTaskGroup::performMicrotaskCheckpoint()+0x28 (WebCore.framework/Versions/A/WebCore:x86_64+0x37d80b8)
#23 0x3fce7803e in WebCore::JSExecState::didLeaveScriptContext(JSC::JSGlobalObject*)+0x4e (WebCore.framework/Versions/A/WebCore:x86_64+0x2dfa03e)
Comment 1 Ryosuke Niwa 2021-08-18 20:07:50 PDT
<rdar://80578044>
Comment 2 Ryosuke Niwa 2021-08-18 20:08:12 PDT
I can reproduce this use after free with ASAN release build of WebKitTestRunner at r281219.
Comment 3 Ryosuke Niwa 2021-08-18 20:13:49 PDT
(In reply to Ryosuke Niwa from comment #2)
> I can reproduce this use after free with ASAN release build of
> WebKitTestRunner at r281219.

I meant to say this *crash*, not use after free.
Comment 4 Rob Buis 2021-08-23 02:35:29 PDT
Created attachment 436171 [details]
Patch
Comment 5 Ryosuke Niwa 2021-08-23 15:24:48 PDT
Comment on attachment 436171 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=436171&action=review

> Source/WebCore/css/CSSFontFaceSet.cpp:114
> +    if (!m_owningFontSelector->scriptExecutionContext())
> +        return;
> +    AllowUserInstalledFonts allowUserInstalledFonts = m_owningFontSelector->scriptExecutionContext()->settingsValues().shouldAllowUserInstalledFonts ? AllowUserInstalledFonts::Yes : AllowUserInstalledFonts::No;
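Review bot: the guard and the use in this hunk call m_owningFontSelector->scriptExecutionContext() as two separate lookups; hoisting the result into a local (`auto* context = m_owningFontSelector->scriptExecutionContext(); if (!context) return;`) makes the null check and the dereference on the next line refer to the same pointer and shortens the long settingsValues() line. A one-line comment explaining why the context can be null here (the owning document has already been destroyed, as the attached test provokes via GC before FontFaceSet.add) would also keep the early return from reading as silently swallowing an unexpected state, and would make it clear that the family is deliberately left unregistered in the lookup table in that case.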

Hm... ideally, we'd use the context document as the script execution context in this case but I guess there isn't much harm for now.
Comment 6 EWS 2021-08-23 22:07:39 PDT
Committed r281487 (240861@main): <https://commits.webkit.org/240861@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 436171 [details].