Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: f1fff08a99d77bac49c2500ece3fdcfac06c8f1c
      
https://github.com/WebKit/WebKit/commit/f1fff08a99d77bac49c2500ece3fdcfac06c8f1c
  Author: Claudio Saavedra <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    M Source/WebCore/css/CSSFontFace.cpp

  Log Message:
  -----------
[GLIB/2.52] Reentrant client removal during CSSFontFace::iterateClients triggers hasFace() assertion
https://bugs.webkit.org/show_bug.cgi?id=318530

Reviewed by Michael Catanzaro.

When we backported the fix for bug 313577 (use-after-free in
CSSFontFace::setStatus via CSSFontFace::load) we adopted the
protect(m_backing) change in FontFace::loadForBindings but knowingly
ignored the accompanying stress-mode assertion failure
ASSERT(hasFace(face)) in CSSFontFaceSet::fontStateChanged: the regression
test fonts/font-face-load-crash.html passed in the normal layout test run
and only crashed under stress mode, and the assertion is debug-only, so
the security fix itself was complete and the failure was deferred.

The MR for main (in pull request #68176) addresses the root
cause in CSSFontFace::iterateClients: a callback can re-enter and remove a
client from the set mid-iteration, after which the stale, already-copied
client vector still invokes the callback on the removed client. That is
exactly what caused fontStateChanged() to be called on a CSSFontFaceSet
that no longer contained the face, tripping the assertion.

Guard each callback with clients.contains(client) so clients removed
during iteration are skipped. This resolves the stress-mode assertion. The
previously-landed protect(m_backing) change is retained, matching main.

* Source/WebCore/css/CSSFontFace.cpp:
(WebCore::iterateClients):

Canonical link: https://commits.webkit.org/305877.919@webkitglib/2.52
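The failure mode the commit message describes (a callback re-enters and removes a client from the set while a snapshot of that set is being walked, so the snapshot still invokes the callback on the removed client) and the shape of the fix (re-check membership before each callback) can be reproduced outside WebKit. The following is an added, self-contained C++ example written for this page; it is not WebKit's code, and every name in it (Client, ClientSet, iterateClientsUnguarded, iterateClientsGuarded, runScenario) is an assumption chosen for illustration. The scenario is constructed: three clients, and notifying the first one reentrantly removes the second.

```cpp
#include <cstdio>
#include <functional>
#include <set>
#include <vector>

// Hypothetical stand-in for a font face client (not a WebKit type).
struct Client {
    int id;
    bool inSet = true;     // cleared when the client is removed from the set
    int notifications = 0; // how many callbacks this client received
};

// Order the set by id so the walk is deterministic (pointer order would not be).
struct ById {
    bool operator()(const Client* x, const Client* y) const { return x->id < y->id; }
};
using ClientSet = std::set<Client*, ById>;

// Unguarded walk: snapshot the set into a vector so that removals inside the
// callback cannot invalidate the iterator, then call the callback on every
// snapshot entry. If a callback removes a client that has not been visited yet,
// the snapshot still holds it and the callback runs on a client that is no
// longer in the set. In WebKit that stale client may already be freed; here it
// is a live stack object so the stale call is observable rather than undefined.
static void iterateClientsUnguarded(ClientSet& clients,
                                    const std::function<void(Client&)>& callback) {
    std::vector<Client*> snapshot(clients.begin(), clients.end());
    for (Client* client : snapshot)
        callback(*client);
}

// Guarded walk, the shape of the fix in the commit message: before each
// callback, confirm the client is still a member of the live set and skip it
// otherwise. Only clients not yet visited are protected; a client that removes
// itself has already been called by the time the guard could run.
static void iterateClientsGuarded(ClientSet& clients,
                                  const std::function<void(Client&)>& callback) {
    std::vector<Client*> snapshot(clients.begin(), clients.end());
    for (Client* client : snapshot) {
        if (!clients.count(client)) // removed by an earlier callback: skip it
            continue;
        callback(*client);
    }
}

struct Result {
    int staleCalls; // callbacks delivered to a client no longer in the set
    int delivered;  // callbacks delivered in total
};

// Constructed scenario: clients 1, 2, 3; the callback for client 1 re-enters
// and erases client 2, mirroring "a callback can re-enter and remove a client
// from the set mid-iteration". staleCalls models the ASSERT(hasFace(face))
// condition: a removed client must never be notified.
static Result runScenario(bool guarded) {
    Client a{1}, b{2}, c{3};
    ClientSet clients{&a, &b, &c};
    Result result{0, 0};

    auto callback = [&](Client& client) {
        ++result.delivered;
        ++client.notifications;
        if (!client.inSet)
            ++result.staleCalls; // the assertion would fire here
        if (client.id == 1) {    // reentrant removal of a not-yet-visited client
            clients.erase(&b);
            b.inSet = false;
        }
    };

    if (guarded)
        iterateClientsGuarded(clients, callback);
    else
        iterateClientsUnguarded(clients, callback);
    return result;
}

int main() {
    Result unguarded = runScenario(false);
    Result guarded = runScenario(true);
    std::printf("unguarded: delivered=%d stale=%d\n", unguarded.delivered, unguarded.staleCalls);
    std::printf("guarded:   delivered=%d stale=%d\n", guarded.delivered, guarded.staleCalls);
    return 0;
}
```

The unguarded walk delivers three callbacks, one of them to the client that was erased in the meantime; the guarded walk delivers two and never touches the removed client. The membership check only costs a set lookup per client, which is why re-validating against the live set is the usual remedy for copy-then-iterate loops whose callbacks can mutate the container.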
