Bug 50749 - SVG nested tags recursions cause stack exhaustions
Summary: SVG nested tags recursions cause stack exhaustions
Status: RESOLVED DUPLICATE of bug 63290
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL: http://code.google.com/p/chromium/iss...
Keywords:
Depends on:
Blocks:
 
Reported: 2010-12-09 04:46 PST by Berend-Jan Wever
Modified: 2014-12-03 15:27 PST (History)
4 users (show)

See Also:

Attachments
Repro (813 bytes, text/html)
2010-12-09 04:46 PST, Berend-Jan Wever 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2010-12-09 04:46:42 PST 
Created attachment 76047 [details]
Repro

I could not find an open bug for this issue, even though it has been around for a while.

The following simple repro can be used to check for recursion issues in various tags:
<body>
<script>
  var asTags = ['a', 'altGlyph', 'altGlyphDef', 'altGlyphItem', 'animate',
    'animateColor', 'animateMotion', 'animateTransform', 'circle', 'clipPath',
    'color-profile', 'cursor', 'definition-src', 'defs', 'desc', 'ellipse',
    'feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite',
    'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap',
    'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR',
    'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology',
    'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile',
    'feTurbulence', 'filter', 'font', 'font-face', 'font-face-format',
    'font-face-name', 'font-face-src', 'font-face-uri', 'foreignObject', 'g',
    'glyph', 'glyphRef', 'hkern', 'image', 'line', 'linearGradient', 'marker',
    'mask', 'metadata', 'missing-glyph', 'mpath', 'path', 'pattern', 'polygon',
    'polyline', 'radialGradient', 'rect', 'script', 'set', 'stop', 'style',
    'svg', 'switch', 'symbol', 'text', 'textPath', 'title', 'tref', 'tspan',
    'use', 'view', 'vkern'];
  setInterval(function() {
    if (confirm('Would you like to test "' + asTags[0] + '"...?')) {
      document.open();
      document.write('<svg xmlns="http://www.w3.org/2000/svg">' + 
          new Array(20000).join('<' + asTags[0] + '>'));
      document.close();
    }
    asTags.shift();
  }, 1);
</script>

Here's a list of the crashes I've seen so far:
chrome.dll!WebCore::ContainerNode::willRemove RecursionSOV (d2c46b73f6877654a2020cfd44fc561d)
chrome.dll!WebCore::RenderSVGHiddenContainer::layout+1 RecursionSOV (28afd91631a23d8ec42d3e81959a0578)

My fuzzers also found this one but I cannot reproduce it manually:
chrome.dll!WebCore::RenderSVGModelObject::computeRectForRepaint+1 RecursionSOV (d6b83f31f12c0154765b5a9962f9b8d0)
Comment 1 Alexey Proskuryakov 2011-01-11 09:45:26 PST 
See also: bug 15123.
Comment 2 Said Abou-Hallawa 2014-12-03 15:27:12 PST 
Running the test case passes with no crashes. From running it I noticed that processing some of the tags are pretty slow like <svg> for example. But I think these tags should not occur that many in an svg. The slowness should happen because of constructing new heavy objects and because of updating the DOM tree extensively for these tags.

*** This bug has been marked as a duplicate of bug 63290 ***