Bug 38680

| Field | Value |
|---|---|
| Summary: | FloatRect::enclosingIntRect performs unsafe type conversion float -> int |
| Product: | WebKit |
| Reporter: | W. James MacLean <wjmaclean> |
| Component: | SVG |
| Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE |
| Severity: | Normal |
| CC: | ap |
| Priority: | P2 |
| Version: | 528+ (Nightly build) |
| Hardware: | All |
| OS: | OS X 10.5 |
W. James MacLean
Steps to Reproduce:
Render the attached SVG file (mask-excessive-malloc.svg, from the existing layout tests directory)

Actual output: dumping the render tree gives

```
layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
RenderSVGRoot {svg} at (0,0) size 800x600
RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
RenderPath {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"]
[masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size 214748364800.00x429496729600.00
```

Expected output: the render tree should look like (note size of first RenderPath object):

```
layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
RenderSVGRoot {svg} at (0,0) size 800x600
RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"]
[masker="mask"] RenderSVGResourceMasker {mas
```
Additional information:
The underlying cause appears to be an unsafe float -> int conversion in FloatRect::enclosingIntRect, where static_cast<int> is used on a float outside the range representable by int.
Alexey Proskuryakov
The incorrect result is what is currently checked in as an expected result. Why is it incorrect?
W. James MacLean
(In reply to comment #1)
> The incorrect result is what is currently checked in as an expected result. Why
> is it incorrect?
I assume we're both looking at
http://trac.webkit.org/browser/trunk/LayoutTests/platform/mac/svg/custom/mask-excessive-malloc-expected.txt
If you modify mask-excessive-malloc.svg so the rect has dimensions in the range of int, and dump the resulting render tree, you will find the size of the RenderPath (line 6) is 800x600, not 0x0. I.e. it clips to the size of the view port. If you fix the float -> int conversions so that values greater than the max int 2147483647 are clipped to 2147483647 (which is one reasonable approach), then the size will be computed as 800x600. The 0x0 size seems to occur when very large positive floats get erroneously converted to -2147483648, which gets clipped to 0 for lengths such as height and width.
I am going to request this bug be deleted, as it seems to have been created twice (the more up-to-date version being 38684).
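The two points made above, that `static_cast<int>` on an out-of-range float is the defect and that saturating to 2147483647 is one reasonable fix, can be made concrete. The following is an added example written for this page, not WebCore's code: `FloatRectLite`, `IntRectLite`, `clampToInt`, `enclosingIntRectSafe` and `intersectRects` are hypothetical stand-ins for the real FloatRect/IntRect API. It keeps the defective conversion for contrast (never called, since its result is undefined), then computes the enclosing rect of the 2147483648 x 2147483648 mask rect with a saturating conversion and clips it to the 800x600 viewport, which is the size the expected render tree reports.

```cpp
#include <algorithm>
#include <climits>
#include <cmath>
#include <cstdio>

// Hypothetical stand-ins for WebCore's FloatRect / IntRect (assumption: only
// the fields this example needs, not WebCore's classes).
struct FloatRectLite { float x, y, width, height; };
struct IntRectLite   { int x, y, width, height; };

// The defect described in the bug: static_cast<int> on a float outside int's
// range is undefined behaviour in C++ (on x86 the hardware typically produces
// INT_MIN, which is where the report's -2147483648 comes from). Kept for
// contrast only and never called.
IntRectLite enclosingIntRectUnsafe(const FloatRectLite& r) {
    int left   = static_cast<int>(std::floor(r.x));
    int top    = static_cast<int>(std::floor(r.y));
    int right  = static_cast<int>(std::ceil(r.x + r.width));   // UB for 2147483648.0f
    int bottom = static_cast<int>(std::ceil(r.y + r.height));
    return { left, top, right - left, bottom - top };
}

// Saturating double -> int conversion: the "clip to 2147483647" approach
// suggested in the thread (assumption: a helper written for this example).
int clampToInt(double v) {
    if (std::isnan(v)) return 0;
    if (v >= static_cast<double>(INT_MAX)) return INT_MAX;
    if (v <= static_cast<double>(INT_MIN)) return INT_MIN;
    return static_cast<int>(v);   // now in range, so the cast is well defined
}

// Hardened form: do the floor/ceil arithmetic in double (no overflow at these
// magnitudes), then saturate each edge and each extent separately.
IntRectLite enclosingIntRectSafe(const FloatRectLite& r) {
    double left   = std::floor(static_cast<double>(r.x));
    double top    = std::floor(static_cast<double>(r.y));
    double right  = std::ceil(static_cast<double>(r.x) + r.width);
    double bottom = std::ceil(static_cast<double>(r.y) + r.height);
    return { clampToInt(left), clampToInt(top),
             clampToInt(right - left), clampToInt(bottom - top) };
}

// Clip to a viewport; edges are computed in 64-bit so an INT_MAX extent
// cannot wrap when added to its origin.
IntRectLite intersectRects(const IntRectLite& a, const IntRectLite& b) {
    long long left   = std::max(a.x, b.x);
    long long top    = std::max(a.y, b.y);
    long long right  = std::min(static_cast<long long>(a.x) + a.width,
                                static_cast<long long>(b.x) + b.width);
    long long bottom = std::min(static_cast<long long>(a.y) + a.height,
                                static_cast<long long>(b.y) + b.height);
    if (right <= left || bottom <= top) return { 0, 0, 0, 0 };
    return { static_cast<int>(left), static_cast<int>(top),
             static_cast<int>(right - left), static_cast<int>(bottom - top) };
}

int main() {
    // The mask rect from mask-excessive-malloc.svg: origin 0,0, 2147483648 on a side.
    FloatRectLite huge = { 0.0f, 0.0f, 2147483648.0f, 2147483648.0f };
    IntRectLite viewport = { 0, 0, 800, 600 };
    IntRectLite enclosing = enclosingIntRectSafe(huge);
    IntRectLite clipped = intersectRects(enclosing, viewport);
    std::printf("enclosing: %d x %d, clipped to viewport: %d x %d\n",
                enclosing.width, enclosing.height, clipped.width, clipped.height);
    return 0;
}
```

The comparison thresholds use `INT_MAX` and `INT_MIN` converted to double, which are exact, so anything that survives the two range checks truncates into `[INT_MIN + 1, INT_MAX - 1]` and the final cast can no longer invoke undefined behaviour; the width and height are saturated independently of the edges so a huge rect becomes `INT_MAX x INT_MAX` rather than a negative or zero size.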
Alexey Proskuryakov
*** This bug has been marked as a duplicate of bug 38684 ***