Title: [211065] trunk
Revision
211065
Author
fpi...@apple.com
Date
2017-01-23 15:13:41 -0800 (Mon, 23 Jan 2017)

Log Message

SharedArrayBuffer plus WebGL should not equal CRASH
https://bugs.webkit.org/show_bug.cgi?id=167329

Reviewed by Saam Barati.

Source/JavaScriptCore:

DOM unwrapping methods should return null rather than crashing. The code expects an
unshared buffer, so we should return null when it's shared. The caller can then decide
if they like null or not.

* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::toWrapped):

LayoutTests:

This test used to crash and now it doesn't. It throws some exception.

* js/shared-array-buffer-webgl-expected.txt: Added.
* js/shared-array-buffer-webgl.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (211064 => 211065)


--- trunk/LayoutTests/ChangeLog	2017-01-23 23:06:26 UTC (rev 211064)
+++ trunk/LayoutTests/ChangeLog	2017-01-23 23:13:41 UTC (rev 211065)
@@ -1,3 +1,15 @@
+2017-01-23  Filip Pizlo  <fpi...@apple.com>
+
+        SharedArrayBuffer plus WebGL should not equal CRASH
+        https://bugs.webkit.org/show_bug.cgi?id=167329
+
+        Reviewed by Saam Barati.
+        
+        This test used to crash and now it doesn't. It throws some exception.
+
+        * js/shared-array-buffer-webgl-expected.txt: Added.
+        * js/shared-array-buffer-webgl.html: Added.
+
 2017-01-23  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         Migrate font variations tests to using David Jonathan Ross's Boxis font
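Review bot: "It throws some exception" leaves the expected behaviour of the new test unspecified; the ChangeLog entry should name the exception the WebGL binding raises for a shared view now that `toWrapped` returns null (a type error from argument conversion, if that is what happens), so the expectation file can be checked against it rather than just "not crashing".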

Added: trunk/LayoutTests/js/shared-array-buffer-webgl-expected.txt (0 => 211065)


--- trunk/LayoutTests/js/shared-array-buffer-webgl-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/shared-array-buffer-webgl-expected.txt	2017-01-23 23:13:41 UTC (rev 211065)
@@ -0,0 +1,9 @@
+Test that passing a SharedArrayBuffer to WebGL does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
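Review bot: The expectation file records only `PASS successfullyParsed is true`, so it cannot tell "threw an exception" apart from "silently accepted the shared buffer"; if the `compressedTexImage2D` call were wrapped in `shouldThrow` instead of a bare try/catch, the exception text would be recorded here and a future regression to silently accepting shared memory would fail the test.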

Added: trunk/LayoutTests/js/shared-array-buffer-webgl.html (0 => 211065)


--- trunk/LayoutTests/js/shared-array-buffer-webgl.html	                        (rev 0)
+++ trunk/LayoutTests/js/shared-array-buffer-webgl.html	2017-01-23 23:13:41 UTC (rev 211065)
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<canvas id="canvas"></canvas>
+<script>
+description('Test that passing a SharedArrayBuffer to WebGL does not crash.')
+
+var canvas = document.getElementById("canvas");
+var gl = canvas.getContext("webgl");
+var texture = gl.createTexture();
+
+var ext = (
+  gl.getExtension("WEBGL_compressed_texture_s3tc") ||
+  gl.getExtension("MOZ_WEBGL_compressed_texture_s3tc") ||
+  gl.getExtension("WEBKIT_WEBGL_compressed_texture_s3tc")
+);
+
+var data = "" SharedArrayBuffer(1024);
+var view = new Uint8Array(data);
+
+try {
+    var texture = gl.createTexture();
+    gl.bindTexture(gl.TEXTURE_2D, texture);
+    gl.compressedTexImage2D(gl.TEXTURE_2D, 0, ext.COMPRESSED_RGBA_S3TC_DXT5_EXT, 512, 512, 0, view);
+} catch (e) { } // This shouldn't crash.
+</script>
+<script src=""
+</body>
+</html>
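Review bot: The `try { ... } catch (e) { }` swallows every exception, including the TypeError from `ext.COMPRESSED_RGBA_S3TC_DXT5_EXT` when none of the three S3TC extension names is available, in which case `gl.compressedTexImage2D` is never reached and the test passes without exercising the SharedArrayBuffer unwrapping path at all. Suggest checking `ext` for null first (or falling back to `gl.texImage2D` with the same shared `view`, which goes through the same unwrapping) and wrapping only the WebGL call in `shouldThrow` so the exception is asserted rather than discarded. `texture` is also created twice, once before the `try` and again inside it; the first `gl.createTexture()` can go. Finally, as rendered here two lines are not valid as shown, `<script src=""` (unclosed, empty `src`) and `var data = "" SharedArrayBuffer(1024);` (presumably `new` was stripped); worth confirming the committed file is intact, since the mail archive appears to have mangled them.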

Modified: trunk/Source/_javascript_Core/ChangeLog (211064 => 211065)


--- trunk/Source/_javascript_Core/ChangeLog	2017-01-23 23:06:26 UTC (rev 211064)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-01-23 23:13:41 UTC (rev 211065)
@@ -1,3 +1,17 @@
+2017-01-23  Filip Pizlo  <fpi...@apple.com>
+
+        SharedArrayBuffer plus WebGL should not equal CRASH
+        https://bugs.webkit.org/show_bug.cgi?id=167329
+
+        Reviewed by Saam Barati.
+        
+        DOM unwrapping methods should return null rather than crashing. The code expects an
+        unshared buffer, so we should return null when it's shared. The caller can then decide
+        if they like null or not.
+
+        * runtime/JSArrayBufferViewInlines.h:
+        (JSC::JSArrayBufferView::toWrapped):
+
 2017-01-23  Mark Lam  <mark....@apple.com>
 
         ObjCCallbackFunction::destroy() should not use jsCast().

Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h (211064 => 211065)


--- trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h	2017-01-23 23:06:26 UTC (rev 211064)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferViewInlines.h	2017-01-23 23:13:41 UTC (rev 211065)
@@ -91,8 +91,10 @@
 
 inline RefPtr<ArrayBufferView> JSArrayBufferView::toWrapped(JSValue value)
 {
-    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(value))
-        return view->unsharedImpl();
+    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(value)) {
+        if (!view->isShared())
+            return view->unsharedImpl();
+    }
     return nullptr;
 }
 
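Review bot: Returning `nullptr` for a shared view folds the "shared buffer" case into the "not an ArrayBufferView" case, so callers of `toWrapped` can no longer distinguish the two and will report a shared buffer as a wrong-type argument. That matches the ChangeLog's intent, but it should be stated in a comment at the function (or its declaration) so callers don't assume null only means the `jsDynamicCast` failed. Since the crash comes from reaching `unsharedImpl()` with a shared view, any other unwrapping helper that calls `unsharedImpl()` without an `isShared()` guard would need the same treatment.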
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
