20400 2008-08-15 07:26:03 -0700 Infinite recursion crash in WebCore::RenderSVGRoot::absoluteClippedOverflowRect on a <stop> element outside of a gradient block 2008-10-27 14:36:49 -0700 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) Mac OS X 10.5 RESOLVED FIXED HasReduction, InRadar P2 Normal --- 1 filipe eric hyatt mrowe oldest_to_newest 88568 0 filipe 2008-08-15 07:26:03 -0700 Webkit runs out of stack if it encounters a <stop> element outside a gradient block. 88569 1 22816 filipe 2008-08-15 07:26:48 -0700 Created attachment 22816 test case (crashes safari) 88577 2 mrowe 2008-08-15 08:28:19 -0700 [... snip ...] #149625 0x02765064 in WebCore::RenderObject::absoluteClippedOverflowRect (this=0x19b0f7dc) at WebCore/rendering/RenderObject.cpp:1991 #149626 0x0277f83f in WebCore::RenderSVGRoot::absoluteClippedOverflowRect (this=0x19b0f69c) at WebCore/rendering/RenderSVGRoot.cpp:232 #149627 0x02765064 in WebCore::RenderObject::absoluteClippedOverflowRect (this=0x19b0f7dc) at WebCore/rendering/RenderObject.cpp:1991 #149628 0x0277f83f in WebCore::RenderSVGRoot::absoluteClippedOverflowRect (this=0x19b0f69c) at WebCore/rendering/RenderSVGRoot.cpp:232 #149629 0x02765064 in WebCore::RenderObject::absoluteClippedOverflowRect (this=0x19b0f7dc) at WebCore/rendering/RenderObject.cpp:1991 #149630 0x0277f83f in WebCore::RenderSVGRoot::absoluteClippedOverflowRect (this=0x19b0f69c) at WebCore/rendering/RenderSVGRoot.cpp:232 #149631 0x02780417 in WebCore::RenderSVGRoot::layout (this=0x19b0f69c) at WebCore/rendering/RenderSVGRoot.cpp:96 #149632 0x02715897 in WebCore::RenderBlock::layoutBlockChildren (this=0x19b0f0bc, relayoutChildren=true, maxFloatBottom=@0xbfffde1c) at WebCore/rendering/RenderBlock.cpp:1281 #149633 0x02717625 in WebCore::RenderBlock::layoutBlock (this=0x19b0f0bc, relayoutChildren=true) at WebCore/rendering/RenderBlock.cpp:627 #149634 0x02705a3c in WebCore::RenderBlock::layout (this=0x19b0f0bc) at WebCore/rendering/RenderBlock.cpp:536 #149635 0x027b1db8 in WebCore::RenderView::layout (this=0x19b0f0bc) at WebCore/rendering/RenderView.cpp:118 #149636 0x024ea52b in WebCore::FrameView::layout (this=0x19b455b0, allowSubtree=true) at WebCore/page/FrameView.cpp:486 #149637 0x02439c1e in WebCore::Document::implicitClose (this=0x4978400) at WebCore/dom/Document.cpp:1591 Confirmed with TOT. 88578 3 mrowe 2008-08-15 08:29:07 -0700 <rdar://problem/6152395> 96100 4 eric 2008-10-21 13:55:14 -0700 This seems like a fundamental misunderstanding in SVG's absoluteClippedOverflowRect implementation: IntRect RenderSVGRoot::absoluteClippedOverflowRect() { IntRect repaintRect; for (RenderObject* current = firstChild(); current != 0; current = current->nextSibling()) repaintRect.unite(current->absoluteClippedOverflowRect()); #if ENABLE(SVG_FILTERS) // Filters can expand the bounding box SVGResourceFilter* filter = getFilterById(document(), style()->svgStyle()->filter()); if (filter) repaintRect.unite(enclosingIntRect(filter->filterBBoxForItemBBox(repaintRect))); #endif return repaintRect; } IntRect RenderObject::absoluteClippedOverflowRect() { if (parent()) return parent()->absoluteClippedOverflowRect(); return IntRect(); } These two recursively call each other. :( One fix would be to add a absoluteClippedOverflowRect() implementation to RenderSVGGradientStop. I'll do that for now, but I think we may need more fixes to SVG here. 96101 5 24545 eric 2008-10-21 14:23:07 -0700 Created attachment 24545 Fix the crash LayoutTests/ChangeLog | 10 ++++++++++ LayoutTests/svg/custom/stop-crash-expected.txt | 1 + LayoutTests/svg/custom/stop-crash.svg | 8 ++++++++ WebCore/ChangeLog | 13 +++++++++++++ WebCore/rendering/RenderSVGGradientStop.h | 10 ++++++++-- 5 files changed, 40 insertions(+), 2 deletions(-) 96758 6 eric 2008-10-27 13:01:00 -0700 Committing to http://svn.webkit.org/repository/webkit/trunk ... M LayoutTests/ChangeLog A LayoutTests/svg/custom/stop-crash-expected.txt A LayoutTests/svg/custom/stop-crash.svg M WebCore/ChangeLog M WebCore/rendering/RenderSVGGradientStop.h Committed r37899 96761 7 darin 2008-10-27 13:12:30 -0700 I wish the comment explained things in a more positive way. It talks about "preventing a crash", but I'd like to understand more positively what the design is. 96785 8 eric 2008-10-27 14:36:49 -0700 (In reply to comment #7) > I wish the comment explained things in a more positive way. It talks about > "preventing a crash", but I'd like to understand more positively what the > design is. Me too. I'm not sure the design is right. I don't understand how absoluteClippedOverflowRect is supposed to work. Hyatt may be the only one who does. 22816 2008-08-15 07:26:48 -0700 2008-08-15 07:26:48 -0700 test case (crashes safari) stop.svg image/svg+xml 236 filipe PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJ QyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iCiJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9T VkcvMS4xL0RURC9zdmcxMS5kdGQiPgo8c3ZnIHdpZHRoPSIxMDAlIiBoZWlnaHQ9IjEwMCUiIHZl cnNpb249IjEuMSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KICA8c3RvcC8+ Cjwvc3ZnPgo= 24545 2008-10-21 14:23:07 -0700 2008-10-22 12:42:01 -0700 Fix the crash Fix-the-crash.patch text/plain 3131 eric N2JlYTgzNWQwNGE4ZWYwMGM0YTI2MDZhYWQ0NzlkODhjNDA1NjVhMwpkaWZmIC0tZ2l0IGEvTGF5 b3V0VGVzdHMvQ2hhbmdlTG9nIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCmluZGV4IDQ3NGRkYzQu LmRmMTEyMjIgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL0NoYW5nZUxvZworKysgYi9MYXlvdXRU ZXN0cy9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxMyBAQAorMjAwOC0xMC0yMSAgRXJpYyBTZWlkZWwg IDxlcmljQHdlYmtpdC5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISku CisKKyAgICAgICAgSW5maW5pdGUgcmVjdXJzaW9uIGNyYXNoIGluIFdlYkNvcmU6OlJlbmRlclNW R1Jvb3Q6OmFic29sdXRlQ2xpcHBlZE92ZXJmbG93UmVjdCBvbiBhIDxzdG9wPiBlbGVtZW50IG91 dHNpZGUgb2YgYSBncmFkaWVudCBibG9jaworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9MjA0MDAKKworICAgICAgICAqIHN2Zy9jdXN0b20vc3RvcC1jcmFz aC1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAgICAqIHN2Zy9jdXN0b20vc3RvcC1jcmFzaC5z dmc6IEFkZGVkLgorCiAyMDA4LTEwLTIwICBDaHJpcyBGbGVpemFjaCAgPGNmbGVpemFjaEBhcHBs ZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgSm9uIEhvbmV5Y3V0dC4KZGlmZiAtLWdpdCBh L0xheW91dFRlc3RzL3N2Zy9jdXN0b20vc3RvcC1jcmFzaC1leHBlY3RlZC50eHQgYi9MYXlvdXRU ZXN0cy9zdmcvY3VzdG9tL3N0b3AtY3Jhc2gtZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAw NjQ0CmluZGV4IDAwMDAwMDAuLjViZjQ2MDcKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0 cy9zdmcvY3VzdG9tL3N0b3AtY3Jhc2gtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEgQEAKK1BBU1Mg LS0gaWYgdGhpcyB0ZXN0IGRvZXNuJ3QgY3Jhc2ggaXQgcGFzc2VzLgpkaWZmIC0tZ2l0IGEvTGF5 b3V0VGVzdHMvc3ZnL2N1c3RvbS9zdG9wLWNyYXNoLnN2ZyBiL0xheW91dFRlc3RzL3N2Zy9jdXN0 b20vc3RvcC1jcmFzaC5zdmcKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMC4uMWI1 OGM1NwotLS0gL2Rldi9udWxsCisrKyBiL0xheW91dFRlc3RzL3N2Zy9jdXN0b20vc3RvcC1jcmFz aC5zdmcKQEAgLTAsMCArMSw4IEBACis8c3ZnIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAw L3N2ZyI+CisgIDxzdG9wLz4KKyAgPHNjcmlwdD4KKyAgaWYgKGxheW91dFRlc3RDb250cm9sbGVy KQorICAgICBsYXlvdXRUZXN0Q29udHJvbGxlci5kdW1wQXNUZXh0KCk7CisgIDwvc2NyaXB0Pgor ICA8dGV4dCB4PSIxMCIgeT0iMjUiPlBBU1MgLS0gaWYgdGhpcyB0ZXN0IGRvZXNuJ3QgY3Jhc2gg aXQgcGFzc2VzLjwvdGV4dD4KKzwvc3ZnPgpcIE5vIG5ld2xpbmUgYXQgZW5kIG9mIGZpbGUKZGlm ZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggYTgx NTcyYy4uNWFlMzE0OSAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2ViQ29y ZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNiBAQAorMjAwOC0xMC0yMSAgRXJpYyBTZWlkZWwgIDxl cmljQHdlYmtpdC5vcmc+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisK KyAgICAgICAgSW5maW5pdGUgcmVjdXJzaW9uIGNyYXNoIGluIFdlYkNvcmU6OlJlbmRlclNWR1Jv b3Q6OmFic29sdXRlQ2xpcHBlZE92ZXJmbG93UmVjdCBvbiBhIDxzdG9wPiBlbGVtZW50IG91dHNp ZGUgb2YgYSBncmFkaWVudCBibG9jaworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9z aG93X2J1Zy5jZ2k/aWQ9MjA0MDAKKworICAgICAgICBUZXN0OiBzdmcvY3VzdG9tL3N0b3AtY3Jh c2guc3ZnCisKKyAgICAgICAgKiBXZWJDb3JlLnhjb2RlcHJvai9wcm9qZWN0LnBieHByb2o6Cisg ICAgICAgICogcmVuZGVyaW5nL1JlbmRlclNWR0dyYWRpZW50U3RvcC5oOgorICAgICAgICAoV2Vi Q29yZTo6UmVuZGVyU1ZHR3JhZGllbnRTdG9wOjphYnNvbHV0ZUNsaXBwZWRPdmVyZmxvd1JlY3Qp OgorCiAyMDA4LTEwLTIxICBZYWVsIEFoYXJvbiA8eWFlbC5haGFyb25Abm9raWEuY29tPgogCiAg ICAgICAgIFJldmlld2VkIGJ5IFNpbW9uLgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9yZW5kZXJpbmcv UmVuZGVyU1ZHR3JhZGllbnRTdG9wLmggYi9XZWJDb3JlL3JlbmRlcmluZy9SZW5kZXJTVkdHcmFk aWVudFN0b3AuaAppbmRleCA5YjQ1MjFlLi44NmRlNmQwIDEwMDY0NAotLS0gYS9XZWJDb3JlL3Jl bmRlcmluZy9SZW5kZXJTVkdHcmFkaWVudFN0b3AuaAorKysgYi9XZWJDb3JlL3JlbmRlcmluZy9S ZW5kZXJTVkdHcmFkaWVudFN0b3AuaApAQCAtMzYsMTAgKzM2LDE2IEBAIG5hbWVzcGFjZSBXZWJD b3JlIHsKICAgICBwdWJsaWM6CiAgICAgICAgIFJlbmRlclNWR0dyYWRpZW50U3RvcChTVkdTdG9w RWxlbWVudCopOwogICAgICAgICB2aXJ0dWFsIH5SZW5kZXJTVkdHcmFkaWVudFN0b3AoKTsKLSAg ICAgICAgCisKICAgICAgICAgdmlydHVhbCBjb25zdCBjaGFyKiByZW5kZXJOYW1lKCkgY29uc3Qg eyByZXR1cm4gIlJlbmRlclNWR0dyYWRpZW50U3RvcCI7IH0KLSAgICAgICAgCisKICAgICAgICAg dmlydHVhbCB2b2lkIGxheW91dCgpOworCisgICAgICAgIC8vIFRoaXMgb3ZlcnJpZGUgaXMgbmVl ZGVkIHRvIHByZXZlbnQgY3Jhc2hpbmcgb24gPHN2Zz48c3RvcCAvPjwvc3ZnPgorICAgICAgICAv LyBSZW5kZXJPYmplY3QncyBkZWZhdWx0IGltcGwgYXNrcyB0aGUgcGFyZW50IE9iamVjdCBhbmQg UmVuZGVyU1ZHUm9vdAorICAgICAgICAvLyBhc2tzIGFsbCBjaGlsZCBSZW5kZXJPYmplY3RzIGZv ciBvdmVyZmxvdyByZWN0cywgdGh1cyBpbmZpbml0ZSBsb29wLgorICAgICAgICAvLyBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjA0MDAKKyAgICAgICAgdmlydHVhbCBJ bnRSZWN0IGFic29sdXRlQ2xpcHBlZE92ZXJmbG93UmVjdCgpIHsgcmV0dXJuIEludFJlY3QoKTsg fQogICAgIAogICAgIHByb3RlY3RlZDoKICAgICAgICAgdmlydHVhbCB2b2lkIHN0eWxlRGlkQ2hh bmdlKFJlbmRlclN0eWxlOjpEaWZmLCBjb25zdCBSZW5kZXJTdHlsZSogb2xkU3R5bGUpOwo=