[Webkit-unassigned] [Bug 38851] New: Large SVG rect with shadow fails to render

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon May 10 09:12:05 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=38851

           Summary: Large SVG rect with shadow fails to render
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: wjmaclean at chromium.org


Created an attachment (id=55559)
 --> (https://bugs.webkit.org/attachment.cgi?id=55559)
SVG large rect with shadow

Addition of a shadow to a large rect (x=0,y=0,height=100,width=2147483647) causes it to no longer render.

Platform: Chromium (most recent build)

Steps to reproduce: Load the attached file, rect-with-shadow-maxing.svg in Chromium.

Expected output: A purple rectangle at the top of the viewport, with a grey shadow underneath. The rect will fill the width of the viewport.

Actual output: No rectangle or shadow is rendered.

Additional Information: This is a contrived example to demonstrate the danger of unsafe float->int type conversions in the function SVGRenderStyle::inflateForShadow(FloatRect &). This function converts the FloatRect into integer values, then back to float with the shadow dimensions added. By choosing x=0 and width=2147483647 this ensures that adding any non-zero shadow to the right-hand side results in a value too large to store in an int, thus returning -2147483648 for the width of the inflated rect.

To observe that this error does not occur when the shadow is removed, simply remove "-webkit-svg-shadow: 5px 5px 5px grey" from the rect specification.

Although submitted as a Chromium/WebKit bug, it is expected this same effect will be seen with other WebKit-based browsers on other platforms.

Although found while debugging Bug 25645, this bug is independent of it.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list