2011-04-20 Cris Neckar <cdn@chromium.org>
author cdn@chromium.org <cdn@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Apr 2011 21:57:07 +0000 (21:57 +0000)
committer cdn@chromium.org <cdn@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Apr 2011 21:57:07 +0000 (21:57 +0000)
        Reviewed by Dirk Schulze.

        Tests for crash when copying a filter effect after applying transforms.
        https://bugs.webkit.org/show_bug.cgi?id=57885

        * svg/filters/svg-transform-blur-crash-expected.txt: Added.
        * svg/filters/svg-transform-blur-crash.xhtml: Added.
2011-04-20  Cris Neckar  <cdn@chromium.org>

        Reviewed by Dirk Schulze.

        Return early when the paint rect and the source rect do not overlap as no bytes need to be copied.
        https://bugs.webkit.org/show_bug.cgi?id=57885

        Test: svg/filters/svg-transform-blur-crash.xhtml

        * platform/graphics/filters/FilterEffect.cpp:
        (WebCore::FilterEffect::copyImageBytes):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@84422 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/filters/svg-transform-blur-crash-expected.txt [new file with mode: 0644]
LayoutTests/svg/filters/svg-transform-blur-crash.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/filters/FilterEffect.cpp

index de7fa54..0a27a2a 100644 (file)
@@ -1,3 +1,13 @@
+2011-04-20  Cris Neckar  <cdn@chromium.org>
+
+        Reviewed by Dirk Schulze.
+
+        Tests for crash when copying a filter effect after applying tranforms.
+        https://bugs.webkit.org/show_bug.cgi?id=57885
+
+        * svg/filters/svg-transform-blur-crash-expected.txt: Added.
+        * svg/filters/svg-transform-blur-crash.xhtml: Added.
+
 2011-04-20  Jian Li  <jianli@chromium.org>
 
         Reviewed by Kenneth Russell.
 2011-04-20  Jian Li  <jianli@chromium.org>
 
         Reviewed by Kenneth Russell.
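Review bot: The entry lists `svg/filters/svg-transform-blur-crash.xhtml` as added, but the test file this commit creates is `svg/filters/svg-transform-blur-crash.svg`; the ChangeLog line should name the .svg file so the entry matches the tree. The summary line also misspells "transforms" as "tranforms".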
diff --git a/LayoutTests/svg/filters/svg-transform-blur-crash-expected.txt b/LayoutTests/svg/filters/svg-transform-blur-crash-expected.txt
new file mode 100644 (file)
index 0000000..7ef22e9
--- /dev/null
@@ -0,0 +1 @@
+PASS
diff --git a/LayoutTests/svg/filters/svg-transform-blur-crash.svg b/LayoutTests/svg/filters/svg-transform-blur-crash.svg
new file mode 100644 (file)
index 0000000..a1023c9
--- /dev/null
@@ -0,0 +1,14 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200">\r
+  <script>\r
+  if (window.layoutTestController)\r
+      layoutTestController.dumpAsText();\r
+  </script>\r
+  <defs>\r
+    <filter id="blur" filterUnits="userSpaceOnUse" x="200" filterRes="200">\r
+      <feGaussianBlur stdDeviation="1 1"/>\r
+    </filter>\r
+  </defs>\r
+  <text filter="url(#blur)" transform="skewX(1) translate(0,1)">\r
+    PASS\r
+  </text>\r
+</svg>\r
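Review bot: Every added line in this file ends in a carriage return (the `\r` after each line, through `</svg>`), so the test is being checked in with CRLF line endings; convert it to LF before landing unless the line endings are part of what the test exercises. A short comment in the file naming bug 57885 and stating that the test passes if rendering the filtered, transformed text does not crash would also make the intent clear to someone reading the markup later.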
index 195de63..8766819 100644 (file)
@@ -1,3 +1,15 @@
+2011-04-20  Cris Neckar  <cdn@chromium.org>
+
+        Reviewed by Dirk Schulze.
+
+        Return early when the paint rect and the source rect do not overlap as no bytes need to be copied.
+        https://bugs.webkit.org/show_bug.cgi?id=57885
+
+        Test: svg/filters/svg-transform-blur-crash.xhtml
+
+        * platform/graphics/filters/FilterEffect.cpp:
+        (WebCore::FilterEffect::copyImageBytes):
+
 2011-04-20  Jian Li  <jianli@chromium.org>
 
         Reviewed by Kenneth Russell.
 2011-04-20  Jian Li  <jianli@chromium.org>
 
         Reviewed by Kenneth Russell.
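Review bot: The description covers only the early return, but the same change to `copyImageBytes` also corrects the clear condition from `rect.maxY() > m_absolutePaintRect.width()` to `rect.maxX() > m_absolutePaintRect.width()`; mention that fix in the entry, since it changes when the destination is zeroed. The `Test:` line names `svg-transform-blur-crash.xhtml` while the added test is `svg-transform-blur-crash.svg`.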
index f07d00c..c0e6e4a 100644 (file)
@@ -118,10 +118,14 @@ PassRefPtr<ByteArray> FilterEffect::asPremultipliedImage(const IntRect& rect)
 
 inline void FilterEffect::copyImageBytes(ByteArray* source, ByteArray* destination, const IntRect& rect)
 {
 
 inline void FilterEffect::copyImageBytes(ByteArray* source, ByteArray* destination, const IntRect& rect)
 {
-    // Copy the necessary lines.
-    if (rect.x() < 0 || rect.y() < 0 || rect.maxY() > m_absolutePaintRect.width() || rect.maxY() > m_absolutePaintRect.height())
+    // Initialize the destination to transparent black, if not entirely covered by the source.
+    if (rect.x() < 0 || rect.y() < 0 || rect.maxX() > m_absolutePaintRect.width() || rect.maxY() > m_absolutePaintRect.height())
         memset(destination->data(), 0, destination->length());
 
         memset(destination->data(), 0, destination->length());
 
+    // Early return if the rect does not intersect with the source.
+    if (rect.maxX() <= 0 || rect.maxY() <= 0 || rect.x() >= m_absolutePaintRect.width() || rect.y() >= m_absolutePaintRect.height())
+        return;
+
     int xOrigin = rect.x();
     int xDest = 0;
     if (xOrigin < 0) {
     int xOrigin = rect.x();
     int xDest = 0;
     if (xOrigin < 0) {
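Review bot: The new early return at `if (rect.maxX() <= 0 || rect.maxY() <= 0 || ...)` leaves `destination` untouched, so it is only correct when the `memset` above has already run. For a non-empty rect every non-overlapping case does satisfy the first condition, but nothing in the code states that dependency, and an empty rect (for example one with `x() == 0` and `maxX() == 0`) reaches the return without the clear. Either add a comment saying the return relies on the preceding clear, or zero the destination explicitly on the early-return path so the two conditions can be maintained independently.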