[webkit-changes] [203077] trunk

Mon, 11 Jul 2016 12:44:04 -0700

Title: [203077] trunk
Revision
203077
Author
[email protected]
Date
2016-07-11 12:43:19 -0700 (Mon, 11 Jul 2016)

Log Message

[WebGL] Check for existing buffer exists for enabled vertex array attributes before permitting glDrawArrays to execute
https://bugs.webkit.org/show_bug.cgi?id=159590
<rdar://problem/26865535>

Reviewed by Dean Jackson.

Source/WebCore:

Test: fast/canvas/webgl/webgl-drawarrays-crash-2.html

* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::validateVertexAttributes): If enabled array buffer attributes exist,
ensure that an array buffer has been bound.

LayoutTests:

* fast/canvas/webgl/webgl-drawarrays-crash-2-expected.txt: Added.
* fast/canvas/webgl/webgl-drawarrays-crash-2.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (203076 => 203077)


--- trunk/LayoutTests/ChangeLog	2016-07-11 19:13:05 UTC (rev 203076)
+++ trunk/LayoutTests/ChangeLog	2016-07-11 19:43:19 UTC (rev 203077)
@@ -1,3 +1,14 @@
+2016-07-11  Brent Fulgham  <[email protected]>
+
+        [WebGL] Check for existing buffer exists for enabled vertex array attributes before permitting glDrawArrays to execute
+        https://bugs.webkit.org/show_bug.cgi?id=159590
+        <rdar://problem/26865535>
+
+        Reviewed by Dean Jackson.
+
+        * fast/canvas/webgl/webgl-drawarrays-crash-2-expected.txt: Added.
+        * fast/canvas/webgl/webgl-drawarrays-crash-2.html: Added.
+
 2016-07-11  Keith Miller  <[email protected]>
 
         STP TypedArray.subarray 5x slowdown compared to 9.1

Added: trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-2-expected.txt (0 => 203077)


--- trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-2-expected.txt	2016-07-11 19:43:19 UTC (rev 203077)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 23: WebGL: INVALID_OPERATION: drawArrays: attempt to access out of bounds arrays
+PASS. You didn't crash.
+

Added: trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-2.html (0 => 203077)


--- trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-2.html	                        (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-2.html	2016-07-11 19:43:19 UTC (rev 203077)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="" </script>
+    <script>
+    function runTest()
+    {
+        var canvas = document.getElementById("webgl-canvas");
+        var gl = WebGLTestUtils.create3DContext(canvas);
+        var fragmentShader = gl.createShader(gl.FRAGMENT_SHADER);
+        var program = gl.createProgram();
+        var vertexShader = gl.createShader(gl.VERTEX_SHADER);
+        gl.shaderSource(vertexShader, 'attribute mediump mat4 attribute_mat4_0; mediump mat4 my_mat4_0; void main() { my_mat4_0 = attribute_mat4_0; }');
+        gl.compileShader(vertexShader);
+        gl.attachShader(program, vertexShader);
+        gl.shaderSource(fragmentShader, 'void main() { gl_FragColor = vec4(1.0, 0.0, 0.0, 1.0); }');
+        gl.compileShader(fragmentShader);
+        gl.attachShader(program, fragmentShader);
+        gl.linkProgram(program);
+        gl.useProgram(program);
+
+        gl.enableVertexAttribArray(0);
+        gl.drawArrays(gl.LINE_LOOP, 0, 1);
+
+        if (window.testRunner)
+          testRunner.notifyDone();
+    }
+
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+    window._onpageshow_ = runTest;
+    </script>    
+</head>  
+<body>
+    <div>PASS. You didn't crash.</div>
+    <canvas id="webgl-canvas" width="100px" height="100px"></canvas>
+</body>
+</html>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (203076 => 203077)


--- trunk/Source/WebCore/ChangeLog	2016-07-11 19:13:05 UTC (rev 203076)
+++ trunk/Source/WebCore/ChangeLog	2016-07-11 19:43:19 UTC (rev 203077)
@@ -1,3 +1,17 @@
+2016-07-11  Brent Fulgham  <[email protected]>
+
+        [WebGL] Check for existing buffer exists for enabled vertex array attributes before permitting glDrawArrays to execute
+        https://bugs.webkit.org/show_bug.cgi?id=159590
+        <rdar://problem/26865535>
+
+        Reviewed by Dean Jackson.
+
+        Test: fast/canvas/webgl/webgl-drawarrays-crash-2.html
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::validateVertexAttributes): If enabled array buffer attributes exist,
+        ensure that an array buffer has been bound.
+
 2016-07-11  Nan Wang  <[email protected]>
 
         AX: WKWebView should have API to prevent pinch-to-zoom always being allowed

Modified: trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (203076 => 203077)


--- trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2016-07-11 19:13:05 UTC (rev 203076)
+++ trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2016-07-11 19:43:19 UTC (rev 203077)
@@ -1761,6 +1761,11 @@
     if (elementCount && !sawEnabledAttrib && !m_currentProgram->isUsingVertexAttrib0())
         return false;
 
+    if (elementCount && sawEnabledAttrib) {
+        if (!m_boundArrayBuffer && !m_boundVertexArrayObject->getElementArrayBuffer())
+            return false;
+    }
+    
     return true;
 }
 

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to