"Brown" SVG hangs Safari
Crash/Data Loss, SVGHitList, p2.
Created attachment 6249
This testcase still hangs WebKit. The var "d" is initialized without a value, and then used to set an attribute, if the var "d" is given a value, the testcase no longer hangs Safari.
Might be nice to have a reduction that didn't involve SVG.
The hang doesn't seem to have anything to do with the uninitialized JS variable. It's inside SVG path parsing.
The reason for the hang is that SVGPolyParser::parsePoints ends up calling parseMappedAttribute over and over again, because each time it calls svgPolyTo it then appends a new item to the points which triggers the attribute mapping machinery again over and over again, so it just keeps making the points array longer and longer forever.
I've already got a fix for this one. Actually it's not due to notifications; it's just because parsePoints never steps forward through the empty string, it just infinite loops over nothing.
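As an added illustration of the failure mode in the comment above (this is not WebKit's code and not the fix that was landed; `Point`, `parsePoints`, `skipSeparators` and `parseNumber` are hypothetical names), a minimal SVG `points` attribute parser written so that the empty string and any iteration that fails to consume input terminate instead of looping forever:

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for SVGPolyParser::parsePoints, not WebKit's code.
// Parses "x,y x,y ..." (pairs separated by whitespace and/or commas).
struct Point { double x; double y; };

static void skipSeparators(const std::string& s, size_t& pos) {
    while (pos < s.size() && (std::isspace(static_cast<unsigned char>(s[pos])) || s[pos] == ','))
        ++pos;
}

// Parses an optionally signed decimal number; on failure, pos is restored.
static bool parseNumber(const std::string& s, size_t& pos, double& out) {
    size_t start = pos;
    if (pos < s.size() && (s[pos] == '+' || s[pos] == '-')) ++pos;
    bool digits = false;
    while (pos < s.size() && std::isdigit(static_cast<unsigned char>(s[pos]))) { ++pos; digits = true; }
    if (pos < s.size() && s[pos] == '.') {
        ++pos;
        while (pos < s.size() && std::isdigit(static_cast<unsigned char>(s[pos]))) { ++pos; digits = true; }
    }
    if (!digits) { pos = start; return false; }
    out = std::stod(s.substr(start, pos - start));
    return true;
}

// Returns false on malformed input (odd coordinate count, non-numeric token).
// An empty attribute yields zero points: the loop condition is checked before
// any work, so there is nothing to "step through" and no spin.
bool parsePoints(const std::string& attr, std::vector<Point>& points) {
    points.clear();
    size_t pos = 0;
    skipSeparators(attr, pos);
    while (pos < attr.size()) {
        size_t before = pos;
        Point p;
        if (!parseNumber(attr, pos, p.x)) return false;
        skipSeparators(attr, pos);
        if (!parseNumber(attr, pos, p.y)) return false;
        points.push_back(p);
        skipSeparators(attr, pos);
        // Progress guard: a successful parseNumber always consumes input, so this
        // is belt-and-braces against a future sub-parser that reports success
        // without advancing, which is exactly how an infinite loop starts.
        if (pos == before) return false;
    }
    return true;
}
```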
Alex landed a fix for this.
*** Bug 71454 has been marked as a duplicate of this bug. ***