50749 2010-12-09 04:46:42 -0800 SVG nested tags recursions cause stack exhaustions 2014-12-03 15:27:12 -0800 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) PC Windows Vista RESOLVED DUPLICATE 63290 http://code.google.com/p/chromium/issues/detail?id=66030 P1 Normal --- 1 skylined webkit-unassigned christopher.reiss eric sabouhallawa zimmermann oldest_to_newest 319404 0 76047 skylined 2010-12-09 04:46:42 -0800 Created attachment 76047 Repro I could not find an open bug for this issue, even though it has been around for a while. The following simple repro can be used to check for recursion issues in various tags: <body> <script> var asTags = ['a', 'altGlyph', 'altGlyphDef', 'altGlyphItem', 'animate', 'animateColor', 'animateMotion', 'animateTransform', 'circle', 'clipPath', 'color-profile', 'cursor', 'definition-src', 'defs', 'desc', 'ellipse', 'feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence', 'filter', 'font', 'font-face', 'font-face-format', 'font-face-name', 'font-face-src', 'font-face-uri', 'foreignObject', 'g', 'glyph', 'glyphRef', 'hkern', 'image', 'line', 'linearGradient', 'marker', 'mask', 'metadata', 'missing-glyph', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialGradient', 'rect', 'script', 'set', 'stop', 'style', 'svg', 'switch', 'symbol', 'text', 'textPath', 'title', 'tref', 'tspan', 'use', 'view', 'vkern']; setInterval(function() { if (confirm('Would you like to test "' + asTags[0] + '"...?')) { document.open(); document.write('<svg xmlns="http://www.w3.org/2000/svg">' + new Array(20000).join('<' + asTags[0] + '>')); document.close(); } asTags.shift(); }, 1); </script> Here's a list of the crashes I've seen so far: chrome.dll!WebCore::ContainerNode::willRemove RecursionSOV (d2c46b73f6877654a2020cfd44fc561d) chrome.dll!WebCore::RenderSVGHiddenContainer::layout+1 RecursionSOV (28afd91631a23d8ec42d3e81959a0578) My fuzzers also found this one but I cannot reproduce it manually: chrome.dll!WebCore::RenderSVGModelObject::computeRectForRepaint+1 RecursionSOV (d6b83f31f12c0154765b5a9962f9b8d0) 332408 1 ap 2011-01-11 09:45:26 -0800 See also: bug 15123. 1052309 2 sabouhallawa 2014-12-03 15:27:12 -0800 Running the test case passes with no crashes. From running it I noticed that processing some of the tags are pretty slow like <svg> for example. But I think these tags should not occur that many in an svg. The slowness should happen because of constructing new heavy objects and because of updating the DOM tree extensively for these tags. *** This bug has been marked as a duplicate of bug 63290 *** 76047 2010-12-09 04:46:42 -0800 2010-12-09 04:46:42 -0800 Repro repro2.html text/html 813 skylined PGJvZHk+CjxzY3JpcHQ+CiAgdmFyIGFzVGFncyA9IFsnZmlsdGVyJywgJ2ZvbnQnLCAnZm9udC1m YWNlJywgJ2ZvbnQtZmFjZS1mb3JtYXQnLAogICAgJ2ZvbnQtZmFjZS1uYW1lJywgJ2ZvbnQtZmFj ZS1zcmMnLCAnZm9udC1mYWNlLXVyaScsICdmb3JlaWduT2JqZWN0JywgJ2cnLAogICAgJ2dseXBo JywgJ2dseXBoUmVmJywgJ2hrZXJuJywgJ2ltYWdlJywgJ2xpbmUnLCAnbGluZWFyR3JhZGllbnQn LCAnbWFya2VyJywKICAgICdtYXNrJywgJ21ldGFkYXRhJywgJ21pc3NpbmctZ2x5cGgnLCAnbXBh dGgnLCAncGF0aCcsICdwYXR0ZXJuJywgJ3BvbHlnb24nLAogICAgJ3BvbHlsaW5lJywgJ3JhZGlh bEdyYWRpZW50JywgJ3JlY3QnLCAnc2NyaXB0JywgJ3NldCcsICdzdG9wJywgJ3N0eWxlJywKICAg ICdzdmcnLCAnc3dpdGNoJywgJ3N5bWJvbCcsICd0ZXh0JywgJ3RleHRQYXRoJywgJ3RpdGxlJywg J3RyZWYnLCAndHNwYW4nLAogICAgJ3VzZScsICd2aWV3JywgJ3ZrZXJuJ107CiAgc2V0SW50ZXJ2 YWwoZnVuY3Rpb24oKSB7CiAgICBpZiAoY29uZmlybSgnV291bGQgeW91IGxpa2UgdG8gdGVzdCAi JyArIGFzVGFnc1swXSArICciLi4uPycpKSB7CiAgICAgIGRvY3VtZW50Lm9wZW4oKTsKICAgICAg ZG9jdW1lbnQud3JpdGUoJzxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4n ICsgCiAgICAgICAgICBuZXcgQXJyYXkoMjAwMDApLmpvaW4oJzwnICsgYXNUYWdzWzBdICsgJz4n KSk7CiAgICAgIGRvY3VtZW50LmNsb3NlKCk7CiAgICB9CiAgICBhc1RhZ3Muc2hpZnQoKTsKICB9 LCAxKTsKPC9zY3JpcHQ+