Bug 1976782 - Guard against possible race via gfxFontEntry::GetFontTable. a=diannaS DONTBUILD

Original Revision: https://phabricator.services.mozilla.com/D258728

Differential Revision: https://phabricator.services.mozilla.com/D259118

gfx/thebes/gfxFontEntry.cpp

@@ -453,7 +453,7 @@ class gfxFontEntry::FontTableBlobData {
 
  private:
   // The font table data block
-  nsTArray<uint8_t> mTableData;
+  const nsTArray<uint8_t> mTableData;
 
   // The blob destroy function needs to know the owning font entry
   // so that it can take the font-entry's lock while modifying the
@@ -536,11 +536,17 @@ hb_blob_t* gfxFontEntry::ShareFontTableAndGetBlob(uint32_t aTag,
     mFontTableCache = MakeUnique<FontTableCache>(8);
   }
 
-  FontTableHashEntry* entry = mFontTableCache->PutEntry(aTag);
-  if (MOZ_UNLIKELY(!entry)) {  // OOM
-    return nullptr;
+  FontTableHashEntry* entry;
+  if (MOZ_UNLIKELY(entry = mFontTableCache->GetEntry(aTag))) {
+    // We must have been racing with another GetFontTable for the same table,
+    // and it won the race and filled in the entry before we took the lock.
+    // Ignore `aBuffer` and return a reference to the existing blob.
+    return entry->GetBlob();
   }
 
+  // Infallible PutEntry call, so `entry` will be non-null.
+  entry = mFontTableCache->PutEntry(aTag);
+
   if (!aBuffer) {
     // ensure the entry is null
     entry->Clear();

gfx/thebes/gfxFontEntry.h

@@ -410,7 +410,7 @@ class gfxFontEntry {
   // unregisters the table from the font entry.
   //
   // Pass nullptr for aBuffer to indicate that the table is not present and
-  // nullptr will be returned.  Also returns nullptr on OOM.
+  // nullptr will be returned.
   hb_blob_t* ShareFontTableAndGetBlob(uint32_t aTag, nsTArray<uint8_t>* aTable);
 
   // Get the font's unitsPerEm from the 'head' table, in the case of an