38680 2010-05-06 13:20:12 -0700 FloatRect::enclosingIntRect performs unsafe type conversion float -> int 2010-05-07 15:15:34 -0700 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) All OS X 10.5 RESOLVED DUPLICATE 38684 P2 Normal --- 0 wjmaclean webkit-unassigned ap oldest_to_newest 221912 0 wjmaclean 2010-05-06 13:20:12 -0700 Steps to Reproduce: Render the attached SVG file (mask-excessive-malloc.svg, from the existing layout tests directory) Actual output: dumping the render tree gives layer at (0,0) size 800x600 RenderView at (0,0) size 800x600 layer at (0,0) size 800x600 RenderSVGRoot {svg} at (0,0) size 800x600 RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse] RenderPath {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"] RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"] [masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size 214748364800.00x429496729600.00 Expected output: the render tree should look like (note size of first RenderPath object): layer at (0,0) size 800x600 RenderView at (0,0) size 800x600 layer at (0,0) size 800x600 RenderSVGRoot {svg} at (0,0) size 800x600 RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse] RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"] RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"] [masker="mask"] RenderSVGResourceMasker {mas Additional information: The underlying cause appears to be an unsafe float-> int conversion in FloatRect::enclosingIntRect, where static_cast<int> is used on a float outside the range representable by int. 222593 1 ap 2010-05-07 13:39:34 -0700 The incorrect result is what is currently checked in as an expected result. Why is it incorrect? 222644 2 wjmaclean 2010-05-07 15:03:03 -0700 (In reply to comment #1) > The incorrect result is what is currently checked in as an expected result. Why > is it incorrect? I assume we're both looking at http://trac.webkit.org/browser/trunk/LayoutTests/platform/mac/svg/custom/mask-excessive-malloc-expected.txt If you modify mask-excessive-malloc.svg so the rect has dimensions in the range of int, and dump the results render tree, you will find the size of the RenderPath (line 6) is 800x600, not 0x0. I.e. it clips to the size of the view port. If you fix the float -> int conversions so that values greater than the max int 2147483647 are clipped to 2147483647 (which is one reasonable approach), then the size will be computed as 800x600. The 0x0 size seems to occur when very large positive floats get erroneously converted to -2147483648, which gets clipped to 0 for lengths such as height and width. TI am going to request this bug be deleted, as it seems to have been created twice (the more up-to-date version being 38684). 222655 3 ap 2010-05-07 15:15:34 -0700 *** This bug has been marked as a duplicate of bug 38684 ***