Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: f1fff08a99d77bac49c2500ece3fdcfac06c8f1c
https://github.com/WebKit/WebKit/commit/f1fff08a99d77bac49c2500ece3fdcfac06c8f1c
Author: Claudio Saavedra <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
M Source/WebCore/css/CSSFontFace.cpp
Log Message:
-----------
[GLIB/2.52] Reentrant client removal during CSSFontFace::iterateClients
triggers hasFace() assertion
https://bugs.webkit.org/show_bug.cgi?id=318530

Reviewed by Michael Catanzaro.

When we backported the fix for bug 313577 (use-after-free in
CSSFontFace::setStatus via CSSFontFace::load) we adopted the
protect(m_backing) change in FontFace::loadForBindings but knowingly
ignored the accompanying stress-mode assertion failure
ASSERT(hasFace(face)) in CSSFontFaceSet::fontStateChanged: the regression
test fonts/font-face-load-crash.html passed in the normal layout test run
and only crashed under stress mode, and the assertion is debug-only, so
the security fix itself was complete and the failure was deferred.

The MR for main (in pull request #68176) addresses the root
cause in CSSFontFace::iterateClients: a callback can re-enter and remove a
client from the set mid-iteration, after which the stale, already-copied
client vector still invokes the callback on the removed client. That is
exactly what caused fontStateChanged() to be called on a CSSFontFaceSet
that no longer contained the face, tripping the assertion.

Guard each callback with clients.contains(client) so clients removed
during iteration are skipped. This resolves the stress-mode assertion. The
previously-landed protect(m_backing) change is retained, matching main.

* Source/WebCore/css/CSSFontFace.cpp:
(WebCore::iterateClients):
Canonical link: https://commits.webkit.org/305877.919@webkitglib/2.52
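The reentrancy hazard the commit message describes, as a self-contained added illustration (not WebKit's code): a snapshot of the client list is taken, a callback for one client re-enters and removes a later client, and the unguarded walk still invokes the callback on that removed client, which is the call that reached CSSFontFaceSet::fontStateChanged with a face it no longer held. The guarded walk applies the fix pattern from the commit, skipping any snapshot entry no longer present in the live set. `Client`, `FontFaceLike`, `runScenario` and the insertion-ordered vector standing in for WebKit's client set are all assumptions made for the example.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <vector>

// Hypothetical stand-in for a font-face client; not WebKit's CSSFontFaceClient.
struct Client {
    int id;
    bool registered = true; // constructed state: cleared once removed from the face
};

// Hypothetical stand-in for CSSFontFace. An insertion-ordered vector replaces the
// real hash set so the walk order in this demo is deterministic.
class FontFaceLike {
public:
    void addClient(Client& c) { m_clients.push_back(&c); }

    void removeClient(Client& c) {
        m_clients.erase(std::remove(m_clients.begin(), m_clients.end(), &c), m_clients.end());
        c.registered = false;
    }

    bool hasClient(const Client& c) const {
        return std::find(m_clients.begin(), m_clients.end(), &c) != m_clients.end();
    }

    // Pre-fix shape: snapshot the clients, then call back on every snapshot entry.
    // A callback that re-enters and removes a later client does not change the
    // snapshot, so the removed client is still visited.
    std::vector<int> iterateClientsUnguarded(const std::function<void(Client&)>& callback) {
        std::vector<Client*> snapshot = m_clients;
        std::vector<int> visited;
        for (Client* client : snapshot) {
            visited.push_back(client->id);
            callback(*client);
        }
        return visited;
    }

    // Post-fix shape: same snapshot, but each callback is guarded by a membership
    // check against the live set (the clients.contains(client) guard in the commit).
    std::vector<int> iterateClientsGuarded(const std::function<void(Client&)>& callback) {
        std::vector<Client*> snapshot = m_clients;
        std::vector<int> visited;
        for (Client* client : snapshot) {
            if (!hasClient(*client))
                continue; // removed by an earlier callback during this same walk
            visited.push_back(client->id);
            callback(*client);
        }
        return visited;
    }

private:
    std::vector<Client*> m_clients;
};

struct ScenarioResult {
    std::vector<int> visited;  // ids the callback was invoked on, in order
    int staleCallbacks;        // invocations on a client already removed from the face
};

// Constructed scenario: three clients; client 1's callback reentrantly removes client 2.
// In this demo the removed client is still a live object, so the stale call is merely
// counted; in WebKit it reached a CSSFontFaceSet that no longer contained the face.
ScenarioResult runScenario(bool guarded) {
    Client a{1}, b{2}, c{3};
    FontFaceLike face;
    face.addClient(a);
    face.addClient(b);
    face.addClient(c);

    int stale = 0;
    auto callback = [&](Client& client) {
        if (!client.registered)
            ++stale;
        if (client.id == 1)
            face.removeClient(b); // reentrant removal mid-iteration
    };

    std::vector<int> visited = guarded ? face.iterateClientsGuarded(callback)
                                       : face.iterateClientsUnguarded(callback);
    return ScenarioResult{visited, stale};
}

int main() {
    ScenarioResult before = runScenario(false);
    ScenarioResult after = runScenario(true);
    std::printf("unguarded: %zu callbacks, %d stale\n", before.visited.size(), before.staleCallbacks);
    std::printf("guarded:   %zu callbacks, %d stale\n", after.visited.size(), after.staleCallbacks);
    return 0;
}
```

The guard is what makes the snapshot safe to walk: copying the set protects the iterator from invalidation, but only the membership check stops the copy from delivering a callback to a client that no longer belongs to the face.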