WebKit Bugzilla
Bug 38680: RESOLVED DUPLICATE of bug 38684
FloatRect::enclosingIntRect performs unsafe type conversion float -> int
https://bugs.webkit.org/show_bug.cgi?id=38680
W. James MacLean
Reported
2010-05-06 13:20:12 PDT
Steps to Reproduce:
Render the attached SVG file (mask-excessive-malloc.svg, from the existing layout tests directory)

Actual output: dumping the render tree gives

layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
RenderSVGRoot {svg} at (0,0) size 800x600
RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
RenderPath {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"] [masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size 214748364800.00x429496729600.00

Expected output: the render tree should look like (note size of first RenderPath object):

layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
RenderSVGRoot {svg} at (0,0) size 800x600
RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse]
RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"]
RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"] [masker="mask"] RenderSVGResourceMasker {mas

Additional information:
The underlying cause appears to be an unsafe float -> int conversion in FloatRect::enclosingIntRect, where static_cast<int> is used on a float outside the range representable by int.
Alexey Proskuryakov
Comment 1
2010-05-07 13:39:34 PDT
The incorrect result is what is currently checked in as an expected result. Why is it incorrect?
W. James MacLean
Comment 2
2010-05-07 15:03:03 PDT
(In reply to comment #1)
> The incorrect result is what is currently checked in as an expected result. Why is it incorrect?
I assume we're both looking at
http://trac.webkit.org/browser/trunk/LayoutTests/platform/mac/svg/custom/mask-excessive-malloc-expected.txt
If you modify mask-excessive-malloc.svg so the rect has dimensions in the range of int, and dump the resulting render tree, you will find the size of the RenderPath (line 6) is 800x600, not 0x0. I.e. it clips to the size of the view port.

If you fix the float -> int conversions so that values greater than the max int 2147483647 are clipped to 2147483647 (which is one reasonable approach), then the size will be computed as 800x600. The 0x0 size seems to occur when very large positive floats get erroneously converted to -2147483648, which gets clipped to 0 for lengths such as height and width.

I am going to request this bug be deleted, as it seems to have been created twice (the more up-to-date version being 38684).
Alexey Proskuryakov
Comment 3
2010-05-07 15:15:34 PDT
*** This bug has been marked as a duplicate of bug 38684 ***
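
The clamping approach described in Comment 2, as an added example that is not part of the original bug report and is not WebKit's code. FloatBox, IntBox, clampToInt and enclosingIntBox are hypothetical names, and mapping NaN to 0 is an assumption.

```cpp
#include <cmath>
#include <limits>

// Hypothetical stand-ins for FloatRect / IntRect (not the project's classes).
struct FloatBox { float x, y, width, height; };
struct IntBox { int x, y, width, height; };

constexpr int kMaxInt = std::numeric_limits<int>::max();
constexpr int kMinInt = std::numeric_limits<int>::min();

// Saturating float -> int conversion. static_cast<int> on a float outside
// int's range is undefined behaviour in C++; the thread reports large
// positive values coming back as -2147483648.
inline int clampToInt(float value)
{
    if (std::isnan(value))
        return 0; // assumption: NaN maps to 0
    // 2147483648.0f is exactly 2^31, the first float too large for int.
    if (value >= 2147483648.0f)
        return kMaxInt;
    // -2147483648.0f is exactly INT_MIN; anything at or below saturates.
    if (value <= -2147483648.0f)
        return kMinInt;
    return static_cast<int>(value); // in range, so the cast is well defined
}

// Clamp a 64-bit extent back into int so right - left cannot overflow.
inline int clampExtent(long long v)
{
    if (v > kMaxInt) return kMaxInt;
    if (v < kMinInt) return kMinInt;
    return static_cast<int>(v);
}

// Smallest integer box enclosing r, with every edge saturated instead of cast.
inline IntBox enclosingIntBox(const FloatBox& r)
{
    int left = clampToInt(std::floor(r.x));
    int top = clampToInt(std::floor(r.y));
    int right = clampToInt(std::ceil(r.x + r.width));
    int bottom = clampToInt(std::ceil(r.y + r.height));
    return { left, top,
             clampExtent(static_cast<long long>(right) - left),
             clampExtent(static_cast<long long>(bottom) - top) };
}
```

With the 2147483648-wide rect from the test case, the width saturates at 2147483647 rather than going negative, so later clipping to the viewport has a positive size to work with.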