[Webkit-unassigned] [Bug 232972] New: REGRESSION(r285481): Infinite recursion with cyclic filter reference

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 10 17:02:32 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=232972

            Bug ID: 232972
           Summary: REGRESSION(r285481): Infinite recursion with cyclic
                    filter reference
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: sabouhallawa at apple.com, zimmermann at kde.org

Created attachment 443878

  --> https://bugs.webkit.org/attachment.cgi?id=443878&action=review

test case

Open the attached test case.

Result: WebKit crashes because of infinite recursion.

This happens because of r285481. Before this change, we were creating the ImageBuffer of the referenced SVGElement for the FEImage through RenderSVGResourceFilter::postApplyResource(). Now we we create this ImageBuffer through RenderSVGResourceFilter::applyResource(). The difference is at the end of RenderSVGResourceFilter::applyResource() we add entry to m_rendererFilterDataMap

m_rendererFilterDataMap.set(&renderer, WTFMove(filterData));

This will detect the cycle if we try to build the same filter while we are running RenderSVGResourceFilter::postApplyResource().

if (m_rendererFilterDataMap.contains(&renderer)) {
    FilterData* filterData = m_rendererFilterDataMap.get(&renderer);
    if (filterData->state == FilterData::PaintingSource || filterData->state == FilterData::Applying)
        filterData->state = FilterData::CycleDetected;
    return false; // Already built, or we're in a cycle, or we're marked for removal. Regardless, just do nothing more now.
}

But this will not help detect it before we add the entry to the m_rendererFilterDataMap.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211111/581ca4e5/attachment-0001.htm>

More information about the webkit-unassigned mailing list