Bug 106228

Summary: [Qt] SVG tests with huge paths and with small dashes are crashing
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: SVG    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: fmalita, kling, pdr, schenney, zimmermann
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Linux   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test case none

Description Renata Hodovan 2013-01-07 09:39:22 PST
During SVG fuzzing I got a crash with the attached test case.
The test contains one huge path with small dashes. The problem is that too many small dash fragments are generated and memory is allocated for each of them. This way we run out of memory.
The same problem was detected in skia too. They limited the maximum number of dashes per paths to 1 million. How about a similar solution in Qt too?

Backtrace:

#0  memcpy () at ../sysdeps/x86_64/memcpy.S:437
#1  0x00007fffe95ce7ef in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#2  0x00007fffe9612c12 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#3  0x00007fffe960b205 in QPainterPath::lineTo(QPointF const&) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#4  0x00007fffe960b3d7 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#5  0x00007fffe963fce0 in QStroker::joinPoints(double, double, QLineF const&, QStroker::LineJoinMode) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#6  0x00007fffe9644847 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#7  0x00007fffe964294b in QStroker::processCurrentSubpath() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#8  0x00007fffe964071f in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#9  0x00007fffe964114c in QDashStroker::processCurrentSubpath() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#10 0x00007fffe9642acb in QStrokerOps::strokePath(QPainterPath const&, void*, QTransform const&) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#11 0x00007fffe960d08b in QPainterPathStroker::createStroke(QPainterPath const&) const () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#12 0x00007ffff48335da in WebCore::Path::strokeBoundingRect (this=0x9936c0, applier=0x7fffffffc060)
    at /home/reni/WebKit-git/Source/WebCore/platform/graphics/qt/PathQt.cpp:177
#13 0x00007ffff4994316 in WebCore::RenderSVGShape::calculateStrokeBoundingBox (this=0x99b3d8)
    at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGShape.cpp:398
#14 0x00007ffff4992a3b in WebCore::RenderSVGShape::updateShapeFromElement (this=0x99b3d8)
    at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGShape.cpp:77
....
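The mitigation the report points at (skia's cap of one million dashes per path) amounts to bounding the number of dash segments before any are allocated. The following is an added, self-contained illustration of that check; it is not code from WebKit, Qt or skia, and the function names, the use of plain std types instead of QPainterPath, and the sample path lengths are all constructed for this example. It estimates the segment count from the path length and the SVG dash pattern (an odd-length pattern repeats to even length, so it is doubled first) and refuses to dash when the estimate exceeds the cap, instead of discovering the exhaustion inside the stroker.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

// Upper bound on dash segments per path; the value the report says skia adopted.
constexpr uint64_t kMaxDashesPerPath = 1000000;

// Sentinel for patterns that can never be dashed safely (negative, NaN,
// or all-zero entries, which would never advance along the path).
constexpr uint64_t kUnbounded = UINT64_MAX;

// Estimate the number of "on" dash segments produced by stroking a path of
// pathLength user units with the given dash array. Hypothetical helper, not
// a Qt or WebKit API. Returns 0 for an empty pattern (solid stroke) and
// kUnbounded when the pattern cannot terminate or overflows the estimate.
uint64_t estimateDashCount(double pathLength, const std::vector<double>& dashes) {
    if (dashes.empty() || !(pathLength > 0) || !std::isfinite(pathLength))
        return 0;

    // SVG semantics: an odd-length dash array is repeated to make it even,
    // so each period then alternates on/off through the whole list twice.
    std::vector<double> effective(dashes);
    if (dashes.size() % 2 != 0)
        effective.insert(effective.end(), dashes.begin(), dashes.end());

    double periodLength = 0.0;
    for (double d : effective) {
        if (!(d >= 0.0) || !std::isfinite(d))   // rejects negatives and NaN
            return kUnbounded;
        periodLength += d;
    }
    if (periodLength <= 0.0)                     // all-zero pattern never advances
        return kUnbounded;

    const double periods = std::ceil(pathLength / periodLength);
    const double onSegmentsPerPeriod = static_cast<double>(effective.size() / 2);
    const double estimate = periods * onSegmentsPerPeriod;

    // Anything beyond 2^63 is meaningless; treat it as unbounded rather than overflow.
    if (!std::isfinite(estimate) || estimate >= 9.2e18)
        return kUnbounded;
    return static_cast<uint64_t>(estimate);
}

// Decide whether to dash at all: fall back to a solid stroke when the estimate
// exceeds the cap, so no per-segment allocation ever happens for such paths.
bool dashingIsSafe(double pathLength, const std::vector<double>& dashes) {
    return estimateDashCount(pathLength, dashes) <= kMaxDashesPerPath;
}

int main() {
    // Constructed sample inputs: a modest path, and a huge one with tiny dashes
    // of the kind the fuzzer produced.
    const std::vector<double> normal = {10.0, 10.0};
    const std::vector<double> tiny = {0.01, 0.01};
    std::printf("100 units, dash 10/10: %llu segments, safe=%d\n",
                (unsigned long long)estimateDashCount(100.0, normal),
                (int)dashingIsSafe(100.0, normal));
    std::printf("1e9 units, dash 0.01/0.01: safe=%d (cap %llu)\n",
                (int)dashingIsSafe(1e9, tiny), (unsigned long long)kMaxDashesPerPath);
    return 0;
}
```

With the check in front of the stroker, a path whose dashing would need tens of billions of segments is drawn solid (or skipped), which is the same degradation skia chose, while ordinary dash patterns are unaffected.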
Comment 1 Philip Rogers 2013-01-07 13:00:18 PST
+fmalita, who just solved this (or a closely related) issue.
Comment 2 Andreas Kling 2013-05-29 20:47:23 PDT
(In reply to comment #0)
> During SVG fuzzing I got a crash with the attached test case.

The test case has gone missing!
Comment 3 Renata Hodovan 2013-05-30 00:51:26 PDT
Created attachment 203319 [details]
Test case
Comment 4 Renata Hodovan 2013-05-30 00:53:57 PDT
(In reply to comment #2)
> (In reply to comment #0)
> > During SVG fuzzing I got a crash with the attached test case.
> 
> The test case has gone missing!

Indeed :$ It's supplemented already.
Comment 5 Jocelyn Turcotte 2014-02-03 03:24:19 PST
=== Bulk closing of Qt bugs ===

If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary.

If you believe that this is still an important QtWebKit bug, please file a new report at https://bugreports.qt-project.org and add a link to this issue. See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.