[Webkit-unassigned] [Bug 50749] New: SVG nested tags recursions cause stack exhaustions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Dec 9 04:46:42 PST 2010 

https://bugs.webkit.org/show_bug.cgi?id=50749

           Summary: SVG nested tags recursions cause stack exhaustions
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
               URL: http://code.google.com/p/chromium/issues/detail?id=660
                    30
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: P1
         Component: SVG
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: skylined at chromium.org
                CC: eric at webkit.org, zimmermann at kde.org


Created an attachment (id=76047)
 --> (https://bugs.webkit.org/attachment.cgi?id=76047&action=review)
Repro

I could not find an open bug for this issue, even though it has been around for a while.

The following simple repro can be used to check for recursion issues in various tags:
<body>
<script>
  var asTags = ['a', 'altGlyph', 'altGlyphDef', 'altGlyphItem', 'animate',
    'animateColor', 'animateMotion', 'animateTransform', 'circle', 'clipPath',
    'color-profile', 'cursor', 'definition-src', 'defs', 'desc', 'ellipse',
    'feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite',
    'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap',
    'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR',
    'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology',
    'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile',
    'feTurbulence', 'filter', 'font', 'font-face', 'font-face-format',
    'font-face-name', 'font-face-src', 'font-face-uri', 'foreignObject', 'g',
    'glyph', 'glyphRef', 'hkern', 'image', 'line', 'linearGradient', 'marker',
    'mask', 'metadata', 'missing-glyph', 'mpath', 'path', 'pattern', 'polygon',
    'polyline', 'radialGradient', 'rect', 'script', 'set', 'stop', 'style',
    'svg', 'switch', 'symbol', 'text', 'textPath', 'title', 'tref', 'tspan',
    'use', 'view', 'vkern'];
  setInterval(function() {
    if (confirm('Would you like to test "' + asTags[0] + '"...?')) {
      document.open();
      document.write('<svg xmlns="http://www.w3.org/2000/svg">' + 
          new Array(20000).join('<' + asTags[0] + '>'));
      document.close();
    }
    asTags.shift();
  }, 1);
</script>

Here's a list of the crashes I've seen so far:
chrome.dll!WebCore::ContainerNode::willRemove RecursionSOV (d2c46b73f6877654a2020cfd44fc561d)
chrome.dll!WebCore::RenderSVGHiddenContainer::layout+1 RecursionSOV (28afd91631a23d8ec42d3e81959a0578)

My fuzzers also found this one but I cannot reproduce it manually:
chrome.dll!WebCore::RenderSVGModelObject::computeRectForRepaint+1 RecursionSOV (d6b83f31f12c0154765b5a9962f9b8d0)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list