[webkit-dev] SVG Stabilization
George Staikos
staikos at kde.org
Wed Feb 21 16:25:13 PST 2007
On 22-Feb-07, at 1:22 AM, Maciej Stachowiak wrote:
>>> 2) Additional testing
>>> * Fuzz-test for custom parsers - the biggest security risk is
>>> buffer overruns in some of the custom parsers, so we'd like to
>>> develop a fuzz-testing tool for attributes that trigger these,
>>> and fix resulting crashes.
>>
>> It's a bit worrisome that we could still have issues like this.
>
> On the one hand, all browsers have uncaught security holes. But on
> the other hand, some of the SVG code is indeed less tested and less
> hardened than other portions of the code, which is why we are
> considering disabling some of it and want to do additional
> automated and manual testing.
>
> I think we need to make better use of tools like fuzz testers and
> static checkers over time. With BuildBot, it's relatively simple to
> add more kinds of automated testing that happens on every checkin.

Also: I'm regularly running Valgrind on it, but now that we have
a Qt buildbot we could actually set that up to do runs with Valgrind
too. I did that with another project before and it worked very nicely.

--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/