RESOLVED INVALID 106228
[Qt] SVG tests with huge paths and with small dashes are crashing
https://bugs.webkit.org/show_bug.cgi?id=106228
Summary: [Qt] SVG tests with huge paths and with small dashes are crashing
Renata Hodovan
Reported 2013-01-07 09:39:22 PST
During SVG fuzzing I got a crash with the attached test case. The test contains one huge path with small dashes. The problem is that too many small dash fragments are generated and memory is allocated for each of them. This way we run out of memory. The same problem was detected in skia too. They limited the maximum number of dashes per paths to 1 million. How about a similar solution in Qt too?

Backtrace:
#0 memcpy () at ../sysdeps/x86_64/memcpy.S:437
#1 0x00007fffe95ce7ef in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#2 0x00007fffe9612c12 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#3 0x00007fffe960b205 in QPainterPath::lineTo(QPointF const&) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#4 0x00007fffe960b3d7 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#5 0x00007fffe963fce0 in QStroker::joinPoints(double, double, QLineF const&, QStroker::LineJoinMode) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#6 0x00007fffe9644847 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#7 0x00007fffe964294b in QStroker::processCurrentSubpath() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#8 0x00007fffe964071f in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#9 0x00007fffe964114c in QDashStroker::processCurrentSubpath() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#10 0x00007fffe9642acb in QStrokerOps::strokePath(QPainterPath const&, void*, QTransform const&) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#11 0x00007fffe960d08b in QPainterPathStroker::createStroke(QPainterPath const&) const () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Gui.so.5
#12 0x00007ffff48335da in WebCore::Path::strokeBoundingRect (this=0x9936c0, applier=0x7fffffffc060) at /home/reni/WebKit-git/Source/WebCore/platform/graphics/qt/PathQt.cpp:177
#13 0x00007ffff4994316 in WebCore::RenderSVGShape::calculateStrokeBoundingBox (this=0x99b3d8) at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGShape.cpp:398
#14 0x00007ffff4992a3b in WebCore::RenderSVGShape::updateShapeFromElement (this=0x99b3d8) at /home/reni/WebKit-git/Source/WebCore/rendering/svg/RenderSVGShape.cpp:77
....
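The report proposes capping the number of dash segments per path, as Skia did, instead of allocating geometry for every fragment. The following is an added example (not code from the bug report, Qt or WebKit) of how such a pre-check can be derived from the path length and the SVG stroke-dasharray before any per-dash allocation happens; kMaxDashesPerPath, estimateDashCount and dashPatternIsSafe are names chosen for this example, and the one-million cap is taken from the report's mention of Skia.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <vector>

// Cap on dash segments generated for one stroked path. The report cites Skia's
// limit of one million; the constant is this example's own choice.
constexpr std::uint64_t kMaxDashesPerPath = 1000000;
constexpr std::uint64_t kUnbounded = std::numeric_limits<std::uint64_t>::max();

// Estimate how many visible dash segments stroking a path of total length
// pathLength with the SVG stroke-dasharray dashArray would produce. Returns
// kUnbounded when the pattern can never advance along the path (all-zero,
// negative or non-finite entries), the case a naive dasher loops on forever.
std::uint64_t estimateDashCount(double pathLength, const std::vector<double>& dashArray)
{
    if (!(pathLength > 0.0) || !std::isfinite(pathLength))
        return 0; // degenerate path: nothing to dash
    if (dashArray.empty())
        return 0; // solid stroke: no dash fragments at all

    // SVG repeats an odd-length dash list to make its length even.
    std::vector<double> pattern = dashArray;
    if (pattern.size() % 2 != 0)
        pattern.insert(pattern.end(), dashArray.begin(), dashArray.end());

    double period = 0.0;
    for (double d : pattern) {
        if (!(d >= 0.0) || !std::isfinite(d))
            return kUnbounded;
        period += d;
    }
    if (!(period > 0.0))
        return kUnbounded;

    // Each full period yields pattern.size()/2 visible dashes; a partial
    // trailing period is rounded up (ceil) so the estimate is conservative.
    const double dashes = std::ceil(pathLength / period) * static_cast<double>(pattern.size() / 2);
    if (dashes >= static_cast<double>(kUnbounded))
        return kUnbounded;
    return static_cast<std::uint64_t>(dashes);
}

// The check a stroker would run before allocating per-dash geometry: refuse
// dashing (or fall back to a solid stroke) once the estimate exceeds the cap.
bool dashPatternIsSafe(double pathLength, const std::vector<double>& dashArray)
{
    return estimateDashCount(pathLength, dashArray) <= kMaxDashesPerPath;
}
```

A renderer would compute pathLength from the flattened path it already holds and call dashPatternIsSafe before entering the dash stroker, so a hostile dasharray costs one arithmetic pass rather than millions of allocations.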
Attachments
Test case (5.34 KB, image/svg+xml), 2013-05-30 00:51 PDT, Renata Hodovan, no flags
Philip Rogers
Comment 1 2013-01-07 13:00:18 PST
+fmalita, who just solved this (or a closely related) issue.
Andreas Kling
Comment 2 2013-05-29 20:47:23 PDT
(In reply to comment #0)
> During SVG fuzzing I got a crash with the attached test case.

The test case has gone missing!
Renata Hodovan
Comment 3 2013-05-30 00:51:26 PDT
Created attachment 203319 [details] Test case
Renata Hodovan
Comment 4 2013-05-30 00:53:57 PDT
(In reply to comment #2)
> (In reply to comment #0)
> > During SVG fuzzing I got a crash with the attached test case.
>
> The test case has gone missing!

Indeed :$ It's supplemented already.
Jocelyn Turcotte
Comment 5 2014-02-03 03:24:19 PST
=== Bulk closing of Qt bugs ===

If you believe that this bug report is still relevant for a non-Qt port of webkit.org, please re-open it and remove [Qt] from the summary.

If you believe that this is still an important QtWebKit bug, please file a new report at https://bugreports.qt-project.org and add a link to this issue.

See http://qt-project.org/wiki/ReportingBugsInQt for additional guidelines.