SVG clip-path references can clip out later content
author pdr@google.com <pdr@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Feb 2017 03:27:40 +0000 (03:27 +0000)
committer pdr@google.com <pdr@google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Feb 2017 03:27:40 +0000 (03:27 +0000)
https://bugs.webkit.org/show_bug.cgi?id=164181

Reviewed by Said Abou-Hallawa.

Source/WebCore:

RenderSVGResourceClipper can modify the GraphicsContext state (through the path-only
clipping codepath) so we need to ensure RenderLayer::setupClipPath saves the context
and its caller restores it back so later content is not clipped as well.

This patch is based on a chromium patch by fs@opera.com:
https://chromium.googlesource.com/chromium/src/+/b3f7e7d2c4afb3c7e5c7eb438ff5933cbe2109b3

Test: css3/masking/clip-path-reference-restore.html

* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::setupClipPath): Add a GC save and return true to restore. Also switch to downcast instead of static_cast.

LayoutTests:

Make sure applying multiple clip-path references does not clip out later content.

* css3/masking/clip-path-reference-restore-expected.html: Added.
* css3/masking/clip-path-reference-restore.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@212038 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/css3/masking/clip-path-reference-restore-expected.html [new file with mode: 0644]
LayoutTests/css3/masking/clip-path-reference-restore.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderLayer.cpp

index 1b7f6dc..8c76324 100644 (file)
@@ -1,3 +1,15 @@
+2017-02-09  Philip Rogers  <pdr@google.com>
+
+        SVG clip-path references can clip out later content
+        https://bugs.webkit.org/show_bug.cgi?id=164181
+
+        Reviewed by Said Abou-Hallawa.
+
+        Make sure applying multiple clip-path references does not clip out later content.
+
+        * css3/masking/clip-path-reference-restore-expected.html: Added.
+        * css3/masking/clip-path-reference-restore.html: Added.
+
 2017-02-09  Filip Pizlo  <fpizlo@apple.com>
 
         SharedArrayBuffer does not need to be in the transfer list
diff --git a/LayoutTests/css3/masking/clip-path-reference-restore-expected.html b/LayoutTests/css3/masking/clip-path-reference-restore-expected.html
new file mode 100644 (file)
index 0000000..683511f
--- /dev/null
@@ -0,0 +1,2 @@
+<!DOCTYPE html>
+<div style="width: 100px; height: 100px; background-color: green;"></div>
diff --git a/LayoutTests/css3/masking/clip-path-reference-restore.html b/LayoutTests/css3/masking/clip-path-reference-restore.html
new file mode 100644 (file)
index 0000000..475e53e
--- /dev/null
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<style>
+  .error {
+    width: 100px;
+    height: 100px;
+    background-color: red;
+    position: absolute;
+  }
+  .test {
+    width: 200px;
+    height: 50px;
+    background-color: green;
+    -webkit-clip-path: url(#c);
+  }
+</style>
+<div class="error"></div>
+<div class="test"></div>
+<div class="test"></div>
+<svg>
+  <defs>
+    <clipPath id="c" clipPathUnits="objectBoundingBox">
+      <rect width="0.5" height="1"/>
+    </clipPath>
+  </defs>
+</svg>
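Review bot: the test file never states its pass condition, and the red .error box under the two stacked .test boxes only makes sense once the reader works out that each 200x50 box is clipped to its left half by the objectBoundingBox rect. A short comment or <title> saying that no red should be visible, and that the second .test div is there to catch clip state left over from the first, would make a failure easier to triage. The rule also sets only the prefixed -webkit-clip-path; if the unprefixed property is supported in this tree, it would help to say why the prefixed form was chosen or to cover both.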
index 3865857..99b89b2 100644 (file)
@@ -1,3 +1,22 @@
+2017-02-09  Philip Rogers  <pdr@google.com>
+
+        SVG clip-path references can clip out later content
+        https://bugs.webkit.org/show_bug.cgi?id=164181
+
+        Reviewed by Said Abou-Hallawa.
+
+        RenderSVGResourceClipper can modify the GraphicsContext state (through the path-only
+        clipping codepath) so we need to ensure RenderLayer::setupClipPath saves the context
+        and its caller restores it back so later content is not clipped as well.
+
+        This patch is based on a chromium patch by fs@opera.com:
+        https://chromium.googlesource.com/chromium/src/+/b3f7e7d2c4afb3c7e5c7eb438ff5933cbe2109b3
+
+        Test: css3/masking/clip-path-reference-restore.html
+
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::setupClipPath): Add a GC save and return true to restore. Also switch to downcast instead of static_cast.
+
 2017-02-09  Filip Pizlo  <fpizlo@apple.com>
 
         SharedArrayBuffer does not need to be in the transfer list
index 7c36853..77de956 100644 (file)
@@ -4170,9 +4170,9 @@ bool RenderLayer::setupClipPath(GraphicsContext& context, const LayerPaintingInf
         ReferenceClipPathOperation* referenceClipPathOperation = static_cast<ReferenceClipPathOperation*>(style.clipPath());
         Element* element = renderer().document().getElementById(referenceClipPathOperation->fragment());
         if (element && element->hasTagName(SVGNames::clipPathTag) && element->renderer()) {
-            // FIXME: This should use a safer cast such as toRenderSVGResourceContainer().
-            // FIXME: Should this do a context.save() and return true so we restore the context?
-            static_cast<RenderSVGResourceClipper*>(element->renderer())->applyClippingToContext(renderer(), rootRelativeBounds, paintingInfo.paintDirtyRect, context);
+            context.save();
+            downcast<RenderSVGResourceClipper>(*element->renderer()).applyClippingToContext(renderer(), rootRelativeBounds, paintingInfo.paintDirtyRect, context);
+            return true;
         }
     }
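Review bot: context.save() in the reference clip-path branch has no matching restore in this function, so the fix depends on every caller of setupClipPath restoring the context whenever it returns true. The callers are not part of this hunk, so please confirm each one does; otherwise the leaked clip is traded for an unbalanced entry on the graphics state stack. Separately, the ChangeLog says the patch switches to downcast, but the context line above still reads static_cast<ReferenceClipPathOperation*>(style.clipPath()), and converting that cast as well would be consistent with the stated intent. The downcast to RenderSVGResourceClipper is also guarded by the hasTagName(SVGNames::clipPathTag) check rather than by a type check on the renderer itself; adding is<RenderSVGResourceClipper>(element->renderer()) to the condition would make the guard match the cast.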