Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 97e8c4b43c17c90c622ce09040fb40df0f2668f6
https://github.com/WebKit/WebKit/commit/97e8c4b43c17c90c622ce09040fb40df0f2668f6
Author: Zak Ridouh <[email protected]>
Date: 2026-07-02 (Thu, 02 Jul 2026)
Changed paths:
A LayoutTests/fast/webgpu/regression/extra-bind-group-beyond-pipeline-layout-expected.txt
A LayoutTests/fast/webgpu/regression/extra-bind-group-beyond-pipeline-layout.html
A LayoutTests/fast/webgpu/regression/pipeline-layout-make-invalid-bind-group-bypass-expected.txt
A LayoutTests/fast/webgpu/regression/pipeline-layout-make-invalid-bind-group-bypass.html
M Source/WebGPU/WebGPU/ComputePassEncoder.mm
M Source/WebGPU/WebGPU/PipelineLayout.mm
M Source/WebGPU/WebGPU/RenderBundleEncoder.mm
M Source/WebGPU/WebGPU/RenderPassEncoder.mm
Log Message:
-----------
[WebGPU] PipelineLayout::makeInvalid leaves m_bindGroupLayouts engaged, causing GPU OOB
<https://bugs.webkit.org/show_bug.cgi?id=312336>
<rdar://174670323>
Reviewed by Mike Wyrzykowski.
PipelineLayout::makeInvalid() cleared the bind group layouts vector but left the
std::optional engaged. This caused errorValidatingBindGroupCompatibility() to see
an engaged-but-empty vector, skip its validation loop entirely, and return success.
A poisoned pipeline layout could then reach Metal dispatch with a structurally
incompatible argument buffer bound, causing GPU-side out-of-bounds access.
The trigger is getBindGroupLayout(index) with an index >= maxBindGroups, which
calls makeInvalid() on the pipeline layout. This is reachable from web content
via the standard WebGPU API.
Applied three defense-in-depth fixes:
1. PipelineLayout::makeInvalid(): reset m_bindGroupLayouts to std::nullopt
instead of clearing the vector, so the optional is fully disengaged.
2. PipelineLayout::errorValidatingBindGroupCompatibility(): early-return an
error if !m_isValid, before inspecting the bind group layouts at all.
3. ComputePassEncoder::executePreDispatchCommands(),
RenderPassEncoder::executePreDrawCommands(), and
RenderBundleEncoder::executePreDrawCommands(): check pipeline->isValid()
after the existing null check, rejecting pipelines whose layout has been
invalidated between setPipeline and the dispatch/draw.
Tests:
- fast/webgpu/regression/pipeline-layout-make-invalid-bind-group-bypass.html
exercises the security fix (poisoned layout must not reach Metal).
- fast/webgpu/regression/extra-bind-group-beyond-pipeline-layout.html guards
the spec-permitted case where bind groups are bound at indices beyond the
pipeline's numberOfBindGroupLayouts() — these must continue to be silently
ignored at dispatch time. (Caught a transient regression of this case
during development; added to prevent recurrence.)
* LayoutTests/fast/webgpu/regression/extra-bind-group-beyond-pipeline-layout-expected.txt: Added.
* LayoutTests/fast/webgpu/regression/extra-bind-group-beyond-pipeline-layout.html: Added.
* LayoutTests/fast/webgpu/regression/pipeline-layout-make-invalid-bind-group-bypass-expected.txt: Added.
* LayoutTests/fast/webgpu/regression/pipeline-layout-make-invalid-bind-group-bypass.html: Added.
* Source/WebGPU/WebGPU/ComputePassEncoder.mm:
(WebGPU::ComputePassEncoder::executePreDispatchCommands):
* Source/WebGPU/WebGPU/PipelineLayout.mm:
(WebGPU::PipelineLayout::makeInvalid):
(WebGPU::PipelineLayout::errorValidatingBindGroupCompatibility const):
* Source/WebGPU/WebGPU/RenderBundleEncoder.mm:
(WebGPU::RenderBundleEncoder::executePreDrawCommands):
* Source/WebGPU/WebGPU/RenderPassEncoder.mm:
(WebGPU::RenderPassEncoder::executePreDrawCommands):
Originally-landed-as: 305413.848@safari-7624-branch (f4805607466f).
rdar://180436205
Canonical link: https://commits.webkit.org/316387@main
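The bug class in this commit (an "engaged-but-empty" std::optional that makes a validation loop run zero times and report success) is easy to reproduce in isolation. The following is an added, self-contained C++ model, not WebKit's code: PipelineLayoutModel, validateOld/validateNew, preDispatchAllowed and the scenario functions are hypothetical names, and the bind group ids are constructed sample data. It shows the pre-fix path accepting structurally incompatible bind groups after invalidation, each of the three defense-in-depth fixes closing the hole on its own, and the spec-permitted case of extra bind groups beyond the layout's count still being ignored.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Stand-in for a bind group layout; only the id matters for compatibility.
struct BindGroupLayout {
    int id;
};

// Simplified model of a pipeline layout (hypothetical; not WebKit's class).
// The bind group layouts live in a std::optional<std::vector<...>> so the
// two invalidation strategies from the commit message can be compared.
class PipelineLayoutModel {
public:
    explicit PipelineLayoutModel(std::vector<BindGroupLayout> layouts)
        : m_bindGroupLayouts(std::move(layouts)) { }

    // Pre-fix behaviour: the vector is cleared but the optional stays engaged.
    void makeInvalidLeavingOptionalEngaged()
    {
        m_isValid = false;
        if (m_bindGroupLayouts)
            m_bindGroupLayouts->clear();
    }

    // Fix 1: disengage the optional entirely.
    void makeInvalidResettingOptional()
    {
        m_isValid = false;
        m_bindGroupLayouts = std::nullopt;
    }

    bool isValid() const { return m_isValid; }

    // Pre-fix validation: looks only at the optional. Returns an empty string
    // on success and an error message on failure. Bind groups bound beyond
    // the layout's own count are ignored, matching the spec-permitted case.
    std::string validateOld(const std::vector<BindGroupLayout>& bound) const
    {
        if (!m_bindGroupLayouts)
            return "pipeline layout has no bind group layouts";
        const auto& expected = *m_bindGroupLayouts;
        for (size_t i = 0; i < expected.size(); ++i) {
            if (i >= bound.size() || bound[i].id != expected[i].id)
                return "bind group " + std::to_string(i) + " is incompatible";
        }
        // An engaged-but-empty vector runs zero iterations and lands here.
        return "";
    }

    // Fix 2: reject an invalidated layout before inspecting the layouts.
    std::string validateNew(const std::vector<BindGroupLayout>& bound) const
    {
        if (!m_isValid)
            return "pipeline layout is invalid";
        return validateOld(bound);
    }

private:
    bool m_isValid { true };
    std::optional<std::vector<BindGroupLayout>> m_bindGroupLayouts;
};

// Fix 3, modelled as the pre-dispatch/pre-draw gate: a null or invalidated
// pipeline layout must not reach the GPU driver.
bool preDispatchAllowed(const PipelineLayoutModel* layout)
{
    return layout && layout->isValid();
}

// Returns true when the pre-fix path shows the bypass: incompatible bind
// groups are rejected before invalidation and accepted after it.
bool oldPathAcceptsPoisonedLayout()
{
    PipelineLayoutModel layout({ { 1 }, { 2 } });
    std::vector<BindGroupLayout> bound { { 9 } }; // constructed, incompatible
    bool rejectedBefore = !layout.validateOld(bound).empty();
    layout.makeInvalidLeavingOptionalEngaged();
    bool acceptedAfter = layout.validateOld(bound).empty();
    return rejectedBefore && acceptedAfter;
}

// Each of the three fixes closes the hole on its own.
bool eachFixAloneRejects()
{
    PipelineLayoutModel a({ { 1 }, { 2 } });
    a.makeInvalidResettingOptional(); // fix 1 only
    PipelineLayoutModel b({ { 1 }, { 2 } });
    b.makeInvalidLeavingOptionalEngaged(); // fixes 2 and 3 with the old makeInvalid
    return !a.validateOld({ { 9 } }).empty()
        && !b.validateNew({ { 9 } }).empty()
        && !preDispatchAllowed(&b);
}

// The second regression test's case: extra bind groups beyond the layout's
// count stay silently ignored on a valid layout.
bool extraBindGroupsStillIgnored()
{
    PipelineLayoutModel layout({ { 1 }, { 2 } });
    return layout.validateNew({ { 1 }, { 2 }, { 7 } }).empty() && preDispatchAllowed(&layout);
}
```

The design point is that "is the container present?" and "is the object valid?" are different questions: once an invalidation path can leave the container present but empty, any loop-based validator silently passes, so the validity flag must be checked first and the invalidation must leave no state that looks well-formed.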