[webkit-dev] SVG Stabilization

George Staikos staikos at kde.org
Wed Feb 21 16:25:13 PST 2007


On 22-Feb-07, at 1:22 AM, Maciej Stachowiak wrote:

>>> 2) Additional testing
>>>   * Fuzz-test for custom parsers - the biggest security risk is  
>>> buffer overruns in some of the custom parsers, so we'd like to  
>>> develop a fuzz-testing tool for attributes that trigger these,  
>>> and fix resulting crashes.
>>
>>    It's a bit worrisome that we could still have issues like this.
>
> On the one hand, all browsers have uncaught security holes. But on  
> the other hand, some of the SVG code is indeed less tested and less  
> hardened than other portions of the code, which is why we are  
> considering disabling some of it and want to do additional  
> automated and manual testing.
>
> I think we need to make better use of tools like fuzz testers and  
> static checkers over time. With BuildBot, it's relatively simple to  
> add more kinds of automated testing that happens on every checkin.

    Also: I'm regularly running Valgrind on it, but now that we have  
a Qt buildbot we could actually set that up to do runs with valgrind  
too.  I did that with another project before and it worked very nicely.

--
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/






More information about the webkit-dev mailing list