Bug 6951 - hang due to infinitely growing points array because parsePoints loop is broken
Summary: hang due to infinitely growing points array because parsePoints loop is broken
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG (show other bugs)
Version: 420+
Hardware: Mac OS X 10.4
: P1 Normal
Assignee: Nobody
URL: http://www.treebuilder.de/default.asp...
Keywords: HasReduction, SVGHitList
Depends on: 6890
  Show dependency treegraph
Reported: 2006-01-30 18:10 PST by Eric Seidel (no email)
Modified: 2011-11-11 08:29 PST (History)
2 users (show)

See Also:

testcase (432 bytes, image/svg+xml)
2006-02-04 10:25 PST, Joost de Valk (AlthA)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Seidel (no email) 2006-01-30 18:10:24 PST
"Brown" SVG hangs safari

Crash/Data Loss, SVGHitList, p2.

Comment 1 Joost de Valk (AlthA) 2006-02-04 10:25:53 PST
Created attachment 6249 [details]

This testcase still hangs WebKit. The var "d" is initialized without a value, and then used to set an attribute, if the var "d" is given a value, the testcase no longer hangs Safari.
Comment 2 Darin Adler 2006-02-11 10:49:46 PST
Might be nice to have a reduction that didn't involve SVG.
Comment 3 Darin Adler 2006-02-12 21:40:51 PST
The hang doesn't seem to have anything to do with the unintiailized JS variable. It's inside SVG path parsing.
Comment 4 Darin Adler 2006-02-12 21:52:50 PST
The reason for the hang is that SVGPolyParser::parsePoints ends up calling parseMappedAttribute over and over again, because each time it calls svgPolyTo it then appends a new item to the points which triggers the attribute mapping machinery again over and over again, so it just keeps making the points array longer and longer forever.
Comment 5 Alexander Kellett 2006-02-13 02:40:30 PST
i've already got a fix for this one, actually its not due to notifications, its just because parsePoints never steps forward through the empty string, it just infinite loops over nothing
Comment 6 Darin Adler 2006-03-06 15:08:47 PST
Alex landed a fix for this.
Comment 7 Martin Robinson 2011-11-11 08:29:15 PST
*** Bug 71454 has been marked as a duplicate of this bug. ***