38684 2010-05-06 13:32:05 -0700 Incorrect RenderPath object size when large coordinate values encountered 2016-10-12 05:43:45 -0700 1 1 1 Unclassified WebKit SVG 528+ (Nightly build) All OS X 10.5 RESOLVED INVALID P2 Normal --- 25645 1 wjmaclean webkit-unassigned krit simon.fraser zimmermann oldest_to_newest 221925 0 wjmaclean 2010-05-06 13:32:05 -0700 Steps to Reproduce: Render the attached SVG file (mask-excessive-malloc.svg, from the existing layout tests directory) Actual output: dumping the render tree gives layer at (0,0) size 800x600 RenderView at (0,0) size 800x600 layer at (0,0) size 800x600 RenderSVGRoot {svg} at (0,0) size 800x600 RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse] RenderPath {rect} at (0,0) size 0x0 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"] RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"] [masker="mask"] RenderSVGResourceMasker {mask} at (190,180) size 214748364800.00x429496729600.00 Expected output: the render tree should look like (note size of first RenderPath object): layer at (0,0) size 800x600 RenderView at (0,0) size 800x600 layer at (0,0) size 800x600 RenderSVGRoot {svg} at (0,0) size 800x600 RenderSVGResourceMasker {mask} [id="mask"] [maskUnits=objectBoundingBox] [maskContentUnits=userSpaceOnUse] RenderPath {rect} at (0,0) size 800x600 [fill={[type=SOLID] [color=#FFFFFF]}] [data="M0.00,0.00 L2147483648.00,0.00 L2147483648.00,2147483648.00 L0.00,2147483648.00 Z"] RenderPath {path} at (200,200) size 100x200 [fill={[type=SOLID] [color=#0000FF]}] [data="M200.00,200.00 L300.00,200.00 L300.00,400.00 L200.00,400.00 Z"] [masker="mask"] RenderSVGResourceMasker {mas Chromium 5.0.395.0 (46220) Additional information: The underlying cause appears to be an unsafe float-> int conversion in FloatRect::enclosingIntRect, where static_cast<int> is used on a float outside the range representable by int. 221926 1 55290 wjmaclean 2010-05-06 13:33:16 -0700 Created attachment 55290 SVG File with large coordinate values 222656 2 ap 2010-05-07 15:15:34 -0700 *** Bug 38680 has been marked as a duplicate of this bug. *** 222657 3 ap 2010-05-07 15:16:18 -0700 An explanation of why this is wrong from duplicate: If you modify mask-excessive-malloc.svg so the rect has dimensions in the range of int, and dump the results render tree, you will find the size of the RenderPath (line 6) is 800x600, not 0x0. I.e. it clips to the size of the view port. If you fix the float -> int conversions so that values greater than the max int 2147483647 are clipped to 2147483647 (which is one reasonable approach), then the size will be computed as 800x600. The 0x0 size seems to occur when very large positive floats get erroneously converted to -2147483648, which gets clipped to 0 for lengths such as height and width. 249000 4 zimmermann 2010-07-09 07:25:31 -0700 Changed component to SVG, so it shows up in my all-svg-bugs search. 1239254 5 krit 2016-10-12 05:43:45 -0700 We changed that a long time ago and this particular test passes and we actually do have a test for it in the repo. However, there might be still problems with huge values. Instead you should use viewBox, transform or similar ways to upscale. 55290 2010-05-06 13:33:16 -0700 2016-10-12 05:41:30 -0700 SVG File with large coordinate values mask-excessive-malloc.svg image/svg+xml 289 wjmaclean PD94bWwgdmVyc2lvbj0iMS4wIj8+CjxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAv c3ZnIj4KPG1hc2sgaWQ9Im1hc2siIHdpZHRoPSIyMTQ3NDgzNjQ3IiBoZWlnaHQ9IjIxNDc0ODM2 NDciPgogICAgPHJlY3QgeD0iMCIgeT0iMCIgd2lkdGg9IjIxNDc0ODM2NDciIGhlaWdodD0iMjE0 NzQ4MzY0NyIgZmlsbD0id2hpdGUiLz4KPC9tYXNrPgo8cGF0aCBtYXNrPSJ1cmwoI21hc2spIiBm aWxsPSJibHVlIiBkPSJNIDIwMCAyMDAgbCAxMDAgMCBsIDAgMjAwIGwgLTEwMCAwIFoiLz4KPC9z dmc+Cg==