Changeset 143655 in webkit

Timestamp:

Feb 21, 2013, 3:29:17 PM (13 years ago)

Author:

Simon Fraser

Message:

[Safari] Crash with opacity + drop shadow filter + child element extending beyond filter outsets
​https://bugs.webkit.org/show_bug.cgi?id=107467

Source/WebCore:

Reviewed by Dean Jackson.

The filter code plays games with the current GraphicsContext, replacing the current
context with one which will get filtered.

This doesn't play nicely with the RenderLayer code which lazily starts transparency
layers. If we don't start a transparency layer until painting a child of the filtered
layer, then the transparency layer is started using the wrong context.

Fix by eagerly starting transparency layers if we have both a filter and opacity.

Test: css3/filters/filter-with-opacity-and-children.html

• rendering/RenderLayer.cpp:

(WebCore::RenderLayer::paintLayerContents):

LayoutTests:

Reviewed by Dean Jackson.

Testcase with filtered element with opacity, and layer child.

• css3/filters/filter-with-opacity-and-children-expected.txt: Added.
• css3/filters/filter-with-opacity-and-children.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/css3/filters/filter-with-opacity-and-children-expected.txt (added)
• LayoutTests/css3/filters/filter-with-opacity-and-children.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/rendering/RenderLayer.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-02-21  Simon Fraser  <simon.fraser@apple.com>
+
+        [Safari] Crash with opacity + drop shadow filter + child element extending beyond filter outsets
+        https://bugs.webkit.org/show_bug.cgi?id=107467
+
+        Reviewed by Dean Jackson.
+        
+        Testcase with filtered element with opacity, and layer child.
+
+        * css3/filters/filter-with-opacity-and-children-expected.txt: Added.
+        * css3/filters/filter-with-opacity-and-children.html: Added.
+
 2013-02-21  Philip Rogers  <pdr@google.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-02-21  Simon Fraser  <simon.fraser@apple.com>
+
+        [Safari] Crash with opacity + drop shadow filter + child element extending beyond filter outsets
+        https://bugs.webkit.org/show_bug.cgi?id=107467
+
+        Reviewed by Dean Jackson.
+        
+        The filter code plays games with the current GraphicsContext, replacing the current
+        context with one which will get filtered.
+        
+        This doesn't play nicely with the RenderLayer code which lazily starts transparency
+        layers. If we don't start a transparency layer until painting a child of the filtered
+        layer, then the transparency layer is started using the wrong context.
+        
+        Fix by eagerly starting transparency layers if we have both a filter and opacity.
+
+        Test: css3/filters/filter-with-opacity-and-children.html
+
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::paintLayerContents):
+
 2013-02-21  Tony Chang  <tony@chromium.org>
 

trunk/Source/WebCore/rendering/RenderLayer.cpp

@@ -3725 +3725 @@
     if (this != localPaintingInfo.rootLayer || !(localPaintFlags & PaintLayerPaintingOverflowContents))
         shouldPaintContent &= intersectsDamageRect(layerBounds, damageRect.rect(), localPaintingInfo.rootLayer, &offsetFromRoot);
-    
+
+#if ENABLE(CSS_FILTERS)
+    if (filterPainter.hasStartedFilterEffect() && haveTransparency) {
+        // If we have a filter and transparency, we have to eagerly start a transparency layer here, rather than risk a child layer lazily starts one with the wrong context.
+        beginTransparencyLayers(transparencyLayerContext, localPaintingInfo.rootLayer, paintingInfo.paintDirtyRect, localPaintingInfo.paintBehavior);
+    }
+#endif
+
     if (localPaintFlags & PaintLayerPaintingCompositingBackgroundPhase) {
         if (shouldPaintContent && !selectionOnly) {