[Webkit-unassigned] [Bug 47498] Crash while processing ill-formed SVG with cycles.

bugzilla-daemon at webkit.org
Tue Oct 12 12:50:09 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=47498





--- Comment #2 from Cosmin Truta <ctruta at chromium.org>  2010-10-12 12:50:09 PST ---
Here is what happens, according to Niko's interpretation of the debug output:

It's processing the <textPath>, and it has "Fill" set to the filter element. That should be avoided, in advance.

The failing ASSERT is placed correctly.

We shouldn't store a fill resource pointing to a filter at all. Only linear/radialGradients/patterns should be allowed as fill/stroke; only clip as clipper, only mask as masker, only filter as filter.
That's just missing. It should be easy to patch into SVGResources::buildCachedResources.
Once that is fixed, the cycle detection logic won't run at all for these cases in "static inline RenderSVGResourceContainer* paintingResourceFromSVGPaint(Document* document, SVGPaint* paint, AtomicString& id, bool& hasPendingResource)"
There's the getRenderSVGResourceContainerById() call that returns the filter here. We should check if the resource type is lingrad/radgrad or pattern. If it's not the container, it should be nulled.

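
A simplified, self-contained model of the per-slot type check described in the comment above. This is an added example and not WebKit code; ResourceType, Slot, Registry, typeAllowedInSlot, resourceForSlot and sampleDocument are hypothetical names standing in for the renderer's resource classes and the id lookup.

```cpp
#include <map>
#include <string>

// Simplified stand-ins for the renderer's resource kinds and the slots that reference them.
enum class ResourceType { LinearGradient, RadialGradient, Pattern, Clipper, Masker, Filter };
enum class Slot { Fill, Stroke, Clipper, Masker, Filter };
struct Resource { ResourceType type; };
using Registry = std::map<std::string, Resource>;

// True only when a resource of this type is legal in this slot.
bool typeAllowedInSlot(ResourceType type, Slot slot)
{
    switch (slot) {
    case Slot::Fill:
    case Slot::Stroke:
        return type == ResourceType::LinearGradient
            || type == ResourceType::RadialGradient
            || type == ResourceType::Pattern;
    case Slot::Clipper: return type == ResourceType::Clipper;
    case Slot::Masker:  return type == ResourceType::Masker;
    case Slot::Filter:  return type == ResourceType::Filter;
    }
    return false;
}

// Type-checked lookup by id: an unknown id and a wrong-typed resource both
// yield nullptr, so a resource of the wrong kind is never stored for the slot.
const Resource* resourceForSlot(const Registry& doc, const std::string& id, Slot slot)
{
    auto it = doc.find(id);
    if (it == doc.end())
        return nullptr;
    return typeAllowedInSlot(it->second.type, slot) ? &it->second : nullptr;
}

// Constructed sample document: a filter "f", a gradient "g", a clip path "c".
Registry sampleDocument()
{
    return {
        {"f", {ResourceType::Filter}},
        {"g", {ResourceType::LinearGradient}},
        {"c", {ResourceType::Clipper}},
    };
}
```

With the check in the lookup, a fill that names the filter resolves to null before any later stage, such as cycle detection, sees it.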


