RESOLVED FIXED 6951
hang due to infinitely growing points array because parsePoints loop is broken
https://bugs.webkit.org/show_bug.cgi?id=6951
Eric Seidel (no email)
Reported 2006-01-30 18:10:24 PST
"Brown" SVG hangs Safari. Crash/Data Loss, SVGHitList, p2. http://www.treebuilder.de/default.asp?file=606899.xml
Attachments
testcase (432 bytes, image/svg+xml)
2006-02-04 10:25 PST, Joost de Valk (AlthA)
no flags
Joost de Valk (AlthA)
Comment 1 2006-02-04 10:25:53 PST
Created attachment 6249: testcase
This testcase still hangs WebKit. The var "d" is initialized without a value and then used to set an attribute; if the var "d" is given a value, the testcase no longer hangs Safari.
Darin Adler
Comment 2 2006-02-11 10:49:46 PST
Might be nice to have a reduction that didn't involve SVG.
Darin Adler
Comment 3 2006-02-12 21:40:51 PST
The hang doesn't seem to have anything to do with the uninitialized JS variable. It's inside SVG path parsing.
Darin Adler
Comment 4 2006-02-12 21:52:50 PST
The reason for the hang is that SVGPolyParser::parsePoints ends up calling parseMappedAttribute over and over again, because each time it calls svgPolyTo, it then appends a new item to the points, which triggers the attribute mapping machinery again, over and over, so it just keeps making the points array longer and longer forever.
Alexander Kellett
Comment 5 2006-02-13 02:40:30 PST
I've already got a fix for this one. Actually, it's not due to notifications; it's just because parsePoints never steps forward through the empty string, it just loops infinitely over nothing.
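To make the point in Comment 5 concrete, here is an added example (not WebKit's own SVGPolyParser code): a points-list parser whose loop is bounded by the remaining input and either consumes characters or fails on every iteration, so an empty attribute value produces zero points instead of spinning forever.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

struct Point { double x; double y; };
// Parses an SVG polygon/polyline "points" list such as "10,20 30,40 -5.5,0".
// Returns false on malformed input (e.g. a trailing lone coordinate). The loop
// runs only while input remains, and each pass either advances or fails, so an
// empty or whitespace-only string yields zero points. Exponents are not handled.
bool parsePoints(const std::string& s, std::vector<Point>& out)
{
    std::size_t i = 0;
    const std::size_t n = s.size();
    auto skipWsp = [&] {
        while (i < n && std::isspace(static_cast<unsigned char>(s[i]))) ++i;
    };
    auto skipCommaWsp = [&] {   // optional comma with optional whitespace around it
        skipWsp();
        if (i < n && s[i] == ',') ++i;
        skipWsp();
    };
    // Reads one decimal number. On failure the cursor is restored and false is
    // returned so the caller aborts instead of looping in place.
    auto parseNumber = [&](double& v) {
        const std::size_t start = i;
        if (i < n && (s[i] == '+' || s[i] == '-')) ++i;
        bool sawDigit = false;
        while (i < n && std::isdigit(static_cast<unsigned char>(s[i]))) { ++i; sawDigit = true; }
        if (i < n && s[i] == '.') {
            ++i;
            while (i < n && std::isdigit(static_cast<unsigned char>(s[i]))) { ++i; sawDigit = true; }
        }
        if (!sawDigit) { i = start; return false; }
        v = std::stod(s.substr(start, i - start));
        return true;
    };
    out.clear();
    skipWsp();
    while (i < n) {             // empty input: the body never executes
        Point p;
        if (!parseNumber(p.x)) return false;
        skipCommaWsp();
        if (!parseNumber(p.y)) return false;
        out.push_back(p);
        skipCommaWsp();
    }
    return true;
}
```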
Darin Adler
Comment 6 2006-03-06 15:08:47 PST
Alex landed a fix for this.
Martin Robinson
Comment 7 2011-11-11 08:29:15 PST
*** Bug 71454 has been marked as a duplicate of this bug. ***