[Webkit-unassigned] [Bug 47498] Crash while processing ill-formed SVG with cycles.

Thu Oct 14 19:11:02 PDT 2010

https://bugs.webkit.org/show_bug.cgi?id=47498

Cosmin Truta <ctruta at chromium.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #70819|                            |review?
               Flag|                            |

--- Comment #3 from Cosmin Truta <ctruta at chromium.org>  2010-10-14 19:11:02 PST ---
Created an attachment (id=70819)
 --> (https://bugs.webkit.org/attachment.cgi?id=70819&action=review)
First attempt to fix

I'm submitting this patch to ask for review and advice only, without a test, a ChangeLog entry, or an intention to commit.

I am checking the resource type inside paintingResourceFromSVGPaint, instead of doing this inside buildCachedResources. The other alternative would have required doing the same check, two times: once for fill, and once for stroke.
The patch also contains a series of ASSERT's that I consider useful.

But this seems not to be sufficient, as the code still crashes inside RenderInline::layout. I'm probably missing a node that should be set to NULL, but I don't know where exactly should I do that. Since the filter has been invalidated, nothing should be rendered. I think there are some children at a point where shouldn't be.

It is worth mentioning that the crash after applying the patch is the same, regardless what attribute (clip=, fill=, mask=, stroke=) is being used.
I believe the patch that I'm submitting does solve the initialization issue discussed in comment #2, but there is another lingering issue that's causing grief. I also believe that the fix to do for the remaining issue will resolve the behavior of all of these attributes.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.