232972 – REGRESSION(r285481): Infinite recursion with cyclic filter reference

Bug 232972 - REGRESSION(r285481): Infinite recursion with cyclic filter reference

Summary: REGRESSION(r285481): Infinite recursion with cyclic filter reference

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Said Abou-Hallawa

URL:
Keywords:	InRadar

Depends on:
Blocks:	231253
	Show dependency tree / graph

Reported:	2021-11-10 17:02 PST by Said Abou-Hallawa
Modified:	2021-11-12 21:52 PST (History)
CC List:	18 users (show)

See Also:	232369

Attachments
test case (362 bytes, image/svg+xml) 2021-11-10 17:02 PST, Said Abou-Hallawa	no flags	Details
Patch (7.35 KB, patch) 2021-11-10 18:57 PST, Said Abou-Hallawa	wenson_hsieh: review+ ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
Patch (7.03 KB, patch) 2021-11-12 17:41 PST, Said Abou-Hallawa	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Said Abou-Hallawa 2021-11-10 17:02:32 PST

Created attachment 443878 [details]
test case

Open the attached test case.

Result: WebKit crashes because of infinite recursion.

This happens because of r285481. Before this change, we were creating the ImageBuffer of the referenced SVGElement for the FEImage through RenderSVGResourceFilter::postApplyResource(). Now we we create this ImageBuffer through RenderSVGResourceFilter::applyResource(). The difference is at the end of RenderSVGResourceFilter::applyResource() we add entry to m_rendererFilterDataMap

m_rendererFilterDataMap.set(&renderer, WTFMove(filterData));

This will detect the cycle if we try to build the same filter while we are running RenderSVGResourceFilter::postApplyResource().

if (m_rendererFilterDataMap.contains(&renderer)) {
    FilterData* filterData = m_rendererFilterDataMap.get(&renderer);
    if (filterData->state == FilterData::PaintingSource || filterData->state == FilterData::Applying)
        filterData->state = FilterData::CycleDetected;
    return false; // Already built, or we're in a cycle, or we're marked for removal. Regardless, just do nothing more now.
}

But this will not help detect it before we add the entry to the m_rendererFilterDataMap.

Comment 1 Said Abou-Hallawa 2021-11-10 17:03:03 PST

rdar://85264240

Comment 2 Said Abou-Hallawa 2021-11-10 18:57:28 PST

Created attachment 443895 [details]
Patch

Comment 3 EWS 2021-11-12 15:47:26 PST

Tools/Scripts/svn-apply failed to apply attachment 443895 [details] to trunk.
Please resolve the conflicts and upload a new patch.

Comment 4 Said Abou-Hallawa 2021-11-12 17:41:52 PST

Created attachment 444129 [details]
Patch

Comment 5 EWS 2021-11-12 18:12:12 PST

Committed r285769 (244213@main): <https://commits.webkit.org/244213@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 444129 [details].