Log Message
Cherry-pick r231441. rdar://problem/40050720
WebGL: Reset simulated values after validation fails
https://bugs.webkit.org/show_bug.cgi?id=185363
<rdar://problem/39733417>
Reviewed by Anders Carlsson.
Source/WebCore:
While fixing a previous bug, I forgot to reset some values
when validation fails. This caused a bug where a subsequent
invalid call might use those values and escape detection.
Test: fast/canvas/webgl/index-validation-with-subsequent-draws.html
* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Reset the
sizes when validation fails.
* html/canvas/WebGLRenderingContextBase.h:
LayoutTests:
* fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt: Added.
* fast/canvas/webgl/index-validation-with-subsequent-draws.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231441 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
- branches/safari-605-branch/LayoutTests/ChangeLog
- branches/safari-605-branch/LayoutTests/platform/mac/TestExpectations
- branches/safari-605-branch/Source/WebCore/ChangeLog
- branches/safari-605-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
- branches/safari-605-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.h
Added Paths
Diff
Modified: branches/safari-605-branch/LayoutTests/ChangeLog (231544 => 231545)
--- branches/safari-605-branch/LayoutTests/ChangeLog 2018-05-09 05:50:35 UTC (rev 231544)
+++ branches/safari-605-branch/LayoutTests/ChangeLog 2018-05-09 05:50:39 UTC (rev 231545)
@@ -1,5 +1,46 @@
2018-05-08 Jason Marcell <[email protected]>
+ Cherry-pick r231441. rdar://problem/40050720
+
+ WebGL: Reset simulated values after validation fails
+ https://bugs.webkit.org/show_bug.cgi?id=185363
+ <rdar://problem/39733417>
+
+ Reviewed by Anders Carlsson.
+
+ Source/WebCore:
+
+ While fixing a previous bug, I forgot to reset some values
+ when validation fails. This caused a bug where a subsequent
+ invalid call might use those values and escape detection.
+
+ Test: fast/canvas/webgl/index-validation-with-subsequent-draws.html
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Reset the
+ sizes when validation fails.
+ * html/canvas/WebGLRenderingContextBase.h:
+
+ LayoutTests:
+
+ * fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt: Added.
+ * fast/canvas/webgl/index-validation-with-subsequent-draws.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231441 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-05-06 Dean Jackson <[email protected]>
+
+ WebGL: Reset simulated values after validation fails
+ https://bugs.webkit.org/show_bug.cgi?id=185363
+ <rdar://problem/39733417>
+
+ Reviewed by Anders Carlsson.
+
+ * fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt: Added.
+ * fast/canvas/webgl/index-validation-with-subsequent-draws.html: Added.
+
+2018-05-08 Jason Marcell <[email protected]>
+
Cherry-pick r231236. rdar://problem/40050705
Source/WebCore:
Added: branches/safari-605-branch/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt (0 => 231545)
--- branches/safari-605-branch/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt (rev 0)
+++ branches/safari-605-branch/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt 2018-05-09 05:50:39 UTC (rev 231545)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 50: WebGL: INVALID_OPERATION: drawElements: unable to simulate vertexAttrib0 array
+CONSOLE MESSAGE: line 56: WebGL: INVALID_OPERATION: drawElements: unable to simulate vertexAttrib0 array
+
Added: branches/safari-605-branch/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws.html (0 => 231545)
--- branches/safari-605-branch/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws.html (rev 0)
+++ branches/safari-605-branch/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws.html 2018-05-09 05:50:39 UTC (rev 231545)
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<script id='2d-vertex-shader' type='x-shader/x-vertex'>
+ attribute vec4 a_Position;
+ void main() { gl_Position = a_Position; }
+</script>
+<script id='2d-fragment-shader' type='x-shader/x-fragment'>
+ void main( void ) {}
+</script>
+<body>
+<canvas id="canvas1" width="20" height="20"></canvas>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+// Boilerplate set-up.
+let canvas = document.getElementById('canvas1');
+let gl = canvas.getContext('webgl');
+
+let vShader = gl.createShader(gl.VERTEX_SHADER);
+let vShaderScript = document.getElementById('2d-vertex-shader');
+gl.shaderSource(vShader, vShaderScript.text);
+gl.compileShader(vShader);
+
+let fShader = gl.createShader(gl.FRAGMENT_SHADER);
+let fShaderScript = document.getElementById('2d-fragment-shader');
+gl.shaderSource(fShader, fShaderScript.text);
+gl.compileShader(fShader);
+
+let program = gl.createProgram();
+gl.attachShader(program, vShader);
+gl.attachShader(program, fShader);
+gl.linkProgram(program);
+gl.useProgram(program);
+
+gl.getExtension("OES_element_index_uint");
+let ext = gl.getExtension('ANGLE_instanced_arrays');
+
+// Execute a draw that is valid, if strange.
+let buffer = gl.createBuffer();
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, buffer);
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, new Uint8ClampedArray([256, 256, 256, 256]), gl.STATIC_DRAW);
+ext.drawElementsInstancedANGLE(gl.TRIANGLES, 2, gl.UNSIGNED_SHORT, 0, gl.UNSIGNED_SHORT);
+
+// Execute a draw that is invalid because an element index is too large.
+buffer = gl.createBuffer();
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, buffer);
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, new Uint16Array([65536, 137413, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536]), gl.STATIC_DRAW);
+gl.bufferSubData(gl.ELEMENT_ARRAY_BUFFER, 10, new Uint8ClampedArray([256, 256, 256, 256, 256, 256]));
+gl.drawElements(gl.TRIANGLES, 1, gl.UNSIGNED_INT, 0);
+
+// Now execute a similarly invalid call, that uses a smaller simulated buffer than the previous invalid call.
+buffer = gl.createBuffer();
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, buffer);
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, new Uint8ClampedArray([256, 256, 256, 256, 256, 256]), gl.STATIC_DRAW);
+gl.drawElements(gl.TRIANGLES, 1, gl.UNSIGNED_SHORT, 0);
+</script>
+</html>
\ No newline at end of file
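Review bot: The test's only assertion is the two console messages in the expected file, so the GL error state after each draw is never checked, and `ext` is used without a null check at `ext.drawElementsInstancedANGLE(...)`. If `ANGLE_instanced_arrays` is unavailable the script throws there and the two `drawElements` calls that exercise the fix never run. Guarding that call with `if (ext)` and recording `gl.getError()` after each draw (expecting `gl.INVALID_OPERATION` for the second and third) would tie the result to the validation outcome rather than to console wording. Shader compile and link status are likewise not checked before `gl.useProgram(program)`.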
Modified: branches/safari-605-branch/LayoutTests/platform/mac/TestExpectations (231544 => 231545)
--- branches/safari-605-branch/LayoutTests/platform/mac/TestExpectations 2018-05-09 05:50:35 UTC (rev 231544)
+++ branches/safari-605-branch/LayoutTests/platform/mac/TestExpectations 2018-05-09 05:50:39 UTC (rev 231545)
@@ -1758,9 +1758,10 @@
webkit.org/b/181502 swipe/pushstate-with-manual-scrollrestoration.html [ Failure ]
-# A lot of GPU hardware simply crashes with this test, since it allocates a lot of memory.
-# It is enabled on systems that instead return GL_OUT_OF_MEMORY.
+# A lot of GPU hardware simply crashes with these tests, since they allocate a lot of memory.
+# They are enabled on systems that instead return GL_OUT_OF_MEMORY.
[ ElCapitan Sierra ] fast/canvas/webgl/simulated-vertexAttrib0-invalid-indicies.html [ Skip ]
+[ ElCapitan Sierra ] fast/canvas/webgl/index-validation-with-subsequent-draws.html [ Skip ]
animations/trigger-container-scroll-boundaries.html [ Skip ]
animations/trigger-container-scroll-simple.html [ Skip ]
Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (231544 => 231545)
--- branches/safari-605-branch/Source/WebCore/ChangeLog 2018-05-09 05:50:35 UTC (rev 231544)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog 2018-05-09 05:50:39 UTC (rev 231545)
@@ -1,5 +1,54 @@
2018-05-08 Jason Marcell <[email protected]>
+ Cherry-pick r231441. rdar://problem/40050720
+
+ WebGL: Reset simulated values after validation fails
+ https://bugs.webkit.org/show_bug.cgi?id=185363
+ <rdar://problem/39733417>
+
+ Reviewed by Anders Carlsson.
+
+ Source/WebCore:
+
+ While fixing a previous bug, I forgot to reset some values
+ when validation fails. This caused a bug where a subsequent
+ invalid call might use those values and escape detection.
+
+ Test: fast/canvas/webgl/index-validation-with-subsequent-draws.html
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Reset the
+ sizes when validation fails.
+ * html/canvas/WebGLRenderingContextBase.h:
+
+ LayoutTests:
+
+ * fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt: Added.
+ * fast/canvas/webgl/index-validation-with-subsequent-draws.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231441 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-05-06 Dean Jackson <[email protected]>
+
+ WebGL: Reset simulated values after validation fails
+ https://bugs.webkit.org/show_bug.cgi?id=185363
+ <rdar://problem/39733417>
+
+ Reviewed by Anders Carlsson.
+
+ While fixing a previous bug, I forgot to reset some values
+ when validation fails. This caused a bug where a subsequent
+ invalid call might use those values and escape detection.
+
+ Test: fast/canvas/webgl/index-validation-with-subsequent-draws.html
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Reset the
+ sizes when validation fails.
+ * html/canvas/WebGLRenderingContextBase.h:
+
+2018-05-08 Jason Marcell <[email protected]>
+
Cherry-pick r231236. rdar://problem/40050705
Source/WebCore:
Modified: branches/safari-605-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (231544 => 231545)
--- branches/safari-605-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2018-05-09 05:50:35 UTC (rev 231544)
+++ branches/safari-605-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2018-05-09 05:50:39 UTC (rev 231545)
@@ -5753,6 +5753,8 @@
if (m_context->getError() != GraphicsContext3D::NO_ERROR) {
// We were unable to create a buffer.
m_vertexAttrib0UsedBefore = false;
+ m_vertexAttrib0BufferSize = 0;
+ m_forceAttrib0BufferRefill = true;
return std::nullopt;
}
m_vertexAttrib0BufferSize = bufferDataSize.unsafeGet();
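Review bot: The two added resets in the `getError()` failure branch have no comment saying why they are needed, and the changelog's reason (a later invalid draw reusing the stale values and escaping detection) is exactly what a future edit could undo. A comment such as `// bufferData failed: forget the cached size and force a refill so the next draw cannot reuse state from a buffer that was never allocated.` above `m_vertexAttrib0BufferSize = 0;` would pin that down. simulateVertexAttrib0 starts and ends outside the hunk, so it is worth confirming that any other early `return std::nullopt` taken after the buffer has been touched leaves these members consistent as well. `bufferDataSize.unsafeGet()` on the line after the branch presumably relies on an overflow test earlier in the function that is not visible here.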
Modified: branches/safari-605-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.h (231544 => 231545)
--- branches/safari-605-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.h 2018-05-09 05:50:35 UTC (rev 231544)
+++ branches/safari-605-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.h 2018-05-09 05:50:39 UTC (rev 231545)
@@ -488,10 +488,10 @@
Vector<VertexAttribValue> m_vertexAttribValue;
unsigned m_maxVertexAttribs;
RefPtr<WebGLBuffer> m_vertexAttrib0Buffer;
- long m_vertexAttrib0BufferSize;
+ long m_vertexAttrib0BufferSize { 0 };
GC3Dfloat m_vertexAttrib0BufferValue[4];
- bool m_forceAttrib0BufferRefill;
- bool m_vertexAttrib0UsedBefore;
+ bool m_forceAttrib0BufferRefill { true };
+ bool m_vertexAttrib0UsedBefore { false };
RefPtr<WebGLProgram> m_currentProgram;
RefPtr<WebGLFramebuffer> m_framebufferBinding;
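Review bot: `GC3Dfloat m_vertexAttrib0BufferValue[4];` and `unsigned m_maxVertexAttribs;` sit among the members that gained default initializers but still have none, so the cached attrib-0 state is only partly initialized in the class definition. If no constructor outside this hunk sets them, `GC3Dfloat m_vertexAttrib0BufferValue[4] { };` and `unsigned m_maxVertexAttribs { 0 };` would close the gap. The constructors in WebGLRenderingContextBase.cpp are not part of this commit; if they still assign the three newly initialized members, those assignments take precedence over the in-class defaults and should be removed or kept in agreement with them.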
