Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3e90b93505908113017e1ab04c5f6c89119d0627
https://github.com/WebKit/WebKit/commit/3e90b93505908113017e1ab04c5f6c89119d0627
Author: Karl Dubost <[email protected]>
Date: 2026-06-15 (Mon, 15 Jun 2026)
Changed paths:
M LayoutTests/TestExpectations
M LayoutTests/ipc/empty-svgfilterrenderer-expression-crash.html
M Source/WebCore/platform/graphics/coreimage/FEDisplacementMapCoreImageApplier.mm
M Source/WebCore/platform/graphics/filters/FEDisplacementMap.cpp
M Source/WebCore/platform/graphics/filters/FEDisplacementMap.h
M Source/WebCore/platform/graphics/filters/FilterEffect.h
M Source/WebCore/platform/graphics/filters/software/FEDisplacementMapSoftwareApplier.cpp
M Source/WebCore/svg/SVGFEDiffuseLightingElement.cpp
M Source/WebCore/svg/SVGFEDiffuseLightingElement.h
M Source/WebCore/svg/SVGFEDropShadowElement.cpp
M Source/WebCore/svg/SVGFEDropShadowElement.h
M Source/WebCore/svg/SVGFEFloodElement.cpp
M Source/WebCore/svg/SVGFEFloodElement.h
M Source/WebCore/svg/SVGFEImageElement.h
M Source/WebCore/svg/SVGFESpecularLightingElement.cpp
M Source/WebCore/svg/SVGFESpecularLightingElement.h
M Source/WebCore/svg/SVGFilterPrimitiveStandardAttributes.cpp
M Source/WebCore/svg/SVGFilterPrimitiveStandardAttributes.h
M Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
Log Message:
-----------
Filter primitives don't taint output when flood-color/lighting-color resolves to currentColor
https://bugs.webkit.org/show_bug.cgi?id=317073
rdar://179666093

Reviewed by Simon Fraser.

Implements CSS Filter Effects 1 section 16.3 (Tainted Filter Primitives)
and section 16.4 (feDisplacementMap restrictions) for the four primitives
whose output depends on a CSS color property:

    feFlood, feDropShadow    flood-color
    feDiffuseLighting        lighting-color
    feSpecularLighting       lighting-color

When the relevant <color> resolves through currentColor, the primitive's
output is now flagged tainted. Taint propagates through the filter graph
(matching Blink and Gecko behavior).

FEDisplacementMap gets a new bool member, m_in2IsTainted, set during
filter graph build and serialised across IPC to the GPU process along
with the rest of the filter. The software applier and the Core Image
applier each check the flag at the start of apply(); when set, they
skip the displacement math and just write the source image into the
result buffer.

feImage already had its own check for "this references a cross-origin
image" (renderingTaintsOrigin). Rather than duplicate that detection,
the new taintsOrigin() hook on feImage just forwards to the existing
check, so feImage rides on the same graph-wide propagation channel as
the four currentColor primitives.

Spec: https://drafts.csswg.org/filter-effects-1/#tainted-filter-primitives

* LayoutTests/ipc/empty-svgfilterrenderer-expression-crash.html:
* LayoutTests/TestExpectations: Making these tests PASS
imported/w3c/web-platform-tests/css/filter-effects/tainting-feblend-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fecomponenttransfer-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fecomposite-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-feconvolvematrix-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fediffuselighting-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fediffuselighting-003.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fediffuselighting-dynamic.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fedisplacementmap-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fedropshadow-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fedropshadow-003.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-feflood-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-feflood-dynamic.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fegaussianblur-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-femorphology-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-feoffset-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fespecularlighting-002.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fespecularlighting-003.html
imported/w3c/web-platform-tests/css/filter-effects/tainting-fetile-002.html
* Source/WebCore/platform/graphics/coreimage/FEDisplacementMapCoreImageApplier.mm:
* Source/WebCore/platform/graphics/filters/FEDisplacementMap.cpp:
(WebCore::FEDisplacementMap::create):
(WebCore::FEDisplacementMap::operator== const):
* Source/WebCore/platform/graphics/filters/FEDisplacementMap.h:
* Source/WebCore/platform/graphics/filters/FilterEffect.h:
(WebCore::FilterEffect::taintsOrigin const):
(WebCore::FilterEffect::setTaintsOrigin):
* Source/WebCore/platform/graphics/filters/software/FEDisplacementMapSoftwareApplier.cpp:
(WebCore::FEDisplacementMapSoftwareApplier::apply const):
* Source/WebCore/svg/SVGFEDiffuseLightingElement.cpp:
(WebCore::SVGFEDiffuseLightingElement::taintsOrigin const):
* Source/WebCore/svg/SVGFEDiffuseLightingElement.h:
* Source/WebCore/svg/SVGFEDropShadowElement.cpp:
(WebCore::SVGFEDropShadowElement::taintsOrigin const):
* Source/WebCore/svg/SVGFEDropShadowElement.h:
* Source/WebCore/svg/SVGFEFloodElement.cpp:
(WebCore::SVGFEFloodElement::taintsOrigin const):
* Source/WebCore/svg/SVGFEFloodElement.h:
* Source/WebCore/svg/SVGFEImageElement.h:
* Source/WebCore/svg/SVGFESpecularLightingElement.cpp:
(WebCore::SVGFESpecularLightingElement::taintsOrigin const):
* Source/WebCore/svg/SVGFESpecularLightingElement.h:
* Source/WebCore/svg/SVGFilterPrimitiveStandardAttributes.cpp:
(WebCore::SVGFilterPrimitiveStandardAttributes::filterEffect):
(WebCore::SVGFilterPrimitiveStandardAttributes::updateTaintsOrigin const):
(WebCore::SVGFilterPrimitiveStandardAttributes::primitiveAttributeChanged):
* Source/WebCore/svg/SVGFilterPrimitiveStandardAttributes.h:
(WebCore::SVGFilterPrimitiveStandardAttributes::taintsOrigin const):
* Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in:
Canonical link: https://commits.webkit.org/315273@main
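
Added example, not part of the commit or of WebKit's source: a simplified C++ model of the graph-wide taint propagation and the feDisplacementMap pass-through that the log message describes. Primitive, propagateTaint, applyDisplacement and demoGraph are hypothetical names, and the 1-D displacement formula is an assumption made for illustration.

```cpp
// Added illustration, not WebKit source: all names here are hypothetical.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct Primitive {
    std::string kind;           // "feFlood", "feImage", "feDisplacementMap", ...
    std::vector<int> inputs;    // indices of earlier primitives; displacement map: {in, in2}
    bool selfTaints = false;    // color resolved through currentColor, or cross-origin feImage
    bool tainted = false;       // computed: own taint OR any input's taint
    bool in2IsTainted = false;  // computed: feDisplacementMap only
};

// Primitives are stored in build order, so every input precedes its consumer.
void propagateTaint(std::vector<Primitive>& graph) {
    for (auto& p : graph) {
        p.tainted = p.selfTaints;
        for (int i : p.inputs) p.tainted = p.tainted || graph[i].tainted;
        if (p.kind == "feDisplacementMap" && p.inputs.size() == 2)
            p.in2IsTainted = graph[p.inputs[1]].tainted;
    }
}

// 1-D stand-in for the applier: a tainted map short-circuits to a copy of the source.
std::vector<uint8_t> applyDisplacement(const std::vector<uint8_t>& src,
        const std::vector<uint8_t>& map, float scale, bool in2IsTainted) {
    if (in2IsTainted) return src;  // pass-through: output is independent of map pixels
    std::vector<uint8_t> out(src.size(), 0);
    for (size_t x = 0; x < src.size(); ++x) {
        int sx = int(x) + int(scale * (map[x] / 255.0f - 0.5f));
        if (sx >= 0 && sx < int(src.size())) out[x] = src[sx];
    }
    return out;
}

// Constructed sample: flood(currentColor) -> blur, then used as in2 and as in.
std::vector<Primitive> demoGraph() {
    std::vector<Primitive> g = {
        {"feFlood", {}, true}, {"feGaussianBlur", {0}}, {"SourceGraphic", {}},
        {"feDisplacementMap", {2, 1}}, {"feDisplacementMap", {1, 2}}};
    propagateTaint(g);
    return g;
}

int main() {
    for (const auto& p : demoGraph())
        std::printf("%-18s tainted=%d in2IsTainted=%d\n", p.kind.c_str(), p.tainted, p.in2IsTainted);
}
```

The second feDisplacementMap in the sample has a tainted `in` but a clean `in2`: its output is still tainted, but the displacement itself runs, because only the map input gates the pass-through.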