Title: [212038] trunk
Revision: 212038
Author: p...@google.com
Date: 2017-02-09 19:27:40 -0800 (Thu, 09 Feb 2017)

Log Message

SVG clip-path references can clip out later content
https://bugs.webkit.org/show_bug.cgi?id=164181

Reviewed by Said Abou-Hallawa.

Source/WebCore:

RenderSVGResourceClipper can modify the GraphicsContext state (through the path-only
clipping codepath) so we need to ensure RenderLayer::setupClipPath saves the context
and its caller restores it back so later content is not clipped as well.

This patch is based on a chromium patch by f...@opera.com:
https://chromium.googlesource.com/chromium/src/+/b3f7e7d2c4afb3c7e5c7eb438ff5933cbe2109b3

Test: css3/masking/clip-path-reference-restore.html

* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::setupClipPath): Add a GC save and return true to restore. Also switch to downcast instead of static_cast.

LayoutTests:

Make sure applying multiple clip-path references does not clip out later content.

* css3/masking/clip-path-reference-restore-expected.html: Added.
* css3/masking/clip-path-reference-restore.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (212037 => 212038)


--- trunk/LayoutTests/ChangeLog	2017-02-10 03:02:25 UTC (rev 212037)
+++ trunk/LayoutTests/ChangeLog	2017-02-10 03:27:40 UTC (rev 212038)
@@ -1,3 +1,15 @@
+2017-02-09  Philip Rogers  <p...@google.com>
+
+        SVG clip-path references can clip out later content
+        https://bugs.webkit.org/show_bug.cgi?id=164181
+
+        Reviewed by Said Abou-Hallawa.
+
+        Make sure applying multiple clip-path references does not clip out later content.
+
+        * css3/masking/clip-path-reference-restore-expected.html: Added.
+        * css3/masking/clip-path-reference-restore.html: Added.
+
 2017-02-09  Filip Pizlo  <fpi...@apple.com>
 
         SharedArrayBuffer does not need to be in the transfer list

Added: trunk/LayoutTests/css3/masking/clip-path-reference-restore-expected.html (0 => 212038)


--- trunk/LayoutTests/css3/masking/clip-path-reference-restore-expected.html	                        (rev 0)
+++ trunk/LayoutTests/css3/masking/clip-path-reference-restore-expected.html	2017-02-10 03:27:40 UTC (rev 212038)
@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<div style="width: 100px; height: 100px; background-color: green;"></div>

Added: trunk/LayoutTests/css3/masking/clip-path-reference-restore.html (0 => 212038)


--- trunk/LayoutTests/css3/masking/clip-path-reference-restore.html	                        (rev 0)
+++ trunk/LayoutTests/css3/masking/clip-path-reference-restore.html	2017-02-10 03:27:40 UTC (rev 212038)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<style>
+  .error {
+    width: 100px;
+    height: 100px;
+    background-color: red;
+    position: absolute;
+  }
+  .test {
+    width: 200px;
+    height: 50px;
+    background-color: green;
+    -webkit-clip-path: url(#c);
+  }
+</style>
+<div class="error"></div>
+<div class="test"></div>
+<div class="test"></div>
+<svg>
+  <defs>
+    <clipPath id="c" clipPathUnits="objectBoundingBox">
+      <rect width="0.5" height="1"/>
+    </clipPath>
+  </defs>
+</svg>
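
Review bot: the new test file never states its pass condition, so a regression shows up only as a reference mismatch. A short comment or a <title> at the top saying that no red should be visible, and that the second .test div is the one that vanishes when the first clip is not restored, would make a failure self-explanatory. The <svg> that holds the clipPath also has no width or height, so it occupies layout space in the test that the expected file does not have; width="0" height="0" on it would keep the two pages laid out alike.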

Modified: trunk/Source/WebCore/ChangeLog (212037 => 212038)


--- trunk/Source/WebCore/ChangeLog	2017-02-10 03:02:25 UTC (rev 212037)
+++ trunk/Source/WebCore/ChangeLog	2017-02-10 03:27:40 UTC (rev 212038)
@@ -1,3 +1,22 @@
+2017-02-09  Philip Rogers  <p...@google.com>
+
+        SVG clip-path references can clip out later content
+        https://bugs.webkit.org/show_bug.cgi?id=164181
+
+        Reviewed by Said Abou-Hallawa.
+
+        RenderSVGResourceClipper can modify the GraphicsContext state (through the path-only
+        clipping codepath) so we need to ensure RenderLayer::setupClipPath saves the context
+        and its caller restores it back so later content is not clipped as well.
+
+        This patch is based on a chromium patch by f...@opera.com:
+        https://chromium.googlesource.com/chromium/src/+/b3f7e7d2c4afb3c7e5c7eb438ff5933cbe2109b3
+
+        Test: css3/masking/clip-path-reference-restore.html
+
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::setupClipPath): Add a GC save and return true to restore. Also switch to downcast instead of static_cast.
+
 2017-02-09  Filip Pizlo  <fpi...@apple.com>
 
         SharedArrayBuffer does not need to be in the transfer list

Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (212037 => 212038)


--- trunk/Source/WebCore/rendering/RenderLayer.cpp	2017-02-10 03:02:25 UTC (rev 212037)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp	2017-02-10 03:27:40 UTC (rev 212038)
@@ -4170,9 +4170,9 @@
         ReferenceClipPathOperation* referenceClipPathOperation = static_cast<ReferenceClipPathOperation*>(style.clipPath());
         Element* element = renderer().document().getElementById(referenceClipPathOperation->fragment());
         if (element && element->hasTagName(SVGNames::clipPathTag) && element->renderer()) {
-            // FIXME: This should use a safer cast such as toRenderSVGResourceContainer().
-            // FIXME: Should this do a context.save() and return true so we restore the context?
-            static_cast<RenderSVGResourceClipper*>(element->renderer())->applyClippingToContext(renderer(), rootRelativeBounds, paintingInfo.paintDirtyRect, context);
+            context.save();
+            downcast<RenderSVGResourceClipper>(*element->renderer()).applyClippingToContext(renderer(), rootRelativeBounds, paintingInfo.paintDirtyRect, context);
+            return true;
         }
     }
 
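
Review bot: the if guarding the new downcast<RenderSVGResourceClipper>(*element->renderer()) checks only hasTagName(SVGNames::clipPathTag) and that a renderer exists, not what type the renderer is. downcast<> relies on an assertion for its type check, which is not a runtime check in builds where assertions are compiled out, so adding is<RenderSVGResourceClipper>(element->renderer()) to the condition would make the cast checked in every build. Two smaller points: the first context line still uses static_cast<ReferenceClipPathOperation*>(style.clipPath()), which the "switch to downcast" in the ChangeLog does not cover, and since context.save() is now balanced only by the caller acting on return true, a one-line comment saying so would be a useful replacement for the removed FIXME.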