Modified: trunk/Source/WebCore/ChangeLog (139922 => 139923)
--- trunk/Source/WebCore/ChangeLog 2013-01-16 21:58:45 UTC (rev 139922)
+++ trunk/Source/WebCore/ChangeLog 2013-01-16 22:05:46 UTC (rev 139923)
@@ -1,3 +1,20 @@
+2013-01-16 Kenneth Russell <[email protected]>
+
+ Unreviewed, rolling out r139914.
+ http://trac.webkit.org/changeset/139914
+ https://bugs.webkit.org/show_bug.cgi?id=106975
+
+ Caused crashes in compositing/visibility/visibility-simple-
+ webgl-layer.html
+
+ * html/canvas/WebGLBuffer.cpp:
+ (WebCore::WebGLBuffer::associateBufferDataImpl):
+ (WebCore::WebGLBuffer::associateBufferData):
+ (WebCore::WebGLBuffer::associateBufferSubDataImpl):
+ (WebCore::WebGLBuffer::associateBufferSubData):
+ * html/canvas/WebGLBuffer.h:
+ (WebGLBuffer):
+
2013-01-16 Alexis Menard <[email protected]>
Monitor usage of unprefixed and prefixed DOM events for CSS Transitions.
Modified: trunk/Source/WebCore/html/canvas/WebGLBuffer.cpp (139922 => 139923)
--- trunk/Source/WebCore/html/canvas/WebGLBuffer.cpp 2013-01-16 21:58:45 UTC (rev 139922)
+++ trunk/Source/WebCore/html/canvas/WebGLBuffer.cpp 2013-01-16 22:05:46 UTC (rev 139923)
@@ -61,11 +61,19 @@
context3d->deleteBuffer(object);
}
-bool WebGLBuffer::associateBufferDataImpl(const void* data, GC3Dsizeiptr byteLength)
+bool WebGLBuffer::associateBufferDataImpl(ArrayBuffer* array, GC3Dintptr byteOffset, GC3Dsizeiptr byteLength)
{
- if (byteLength < 0)
+ if (byteLength < 0 || byteOffset < 0)
return false;
+ if (array && byteLength) {
+ CheckedInt<GC3Dintptr> checkedOffset(byteOffset);
+ CheckedInt<GC3Dsizeiptr> checkedLength(byteLength);
+ CheckedInt<GC3Dintptr> checkedMax = checkedOffset + checkedLength;
+ if (!checkedMax.isValid() || checkedMax.value() > static_cast<int32_t>(array->byteLength()))
+ return false;
+ }
+
switch (m_target) {
case GraphicsContext3D::ELEMENT_ARRAY_BUFFER:
m_byteLength = byteLength;
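Review bot: The bounds comparison `checkedMax.value() > static_cast<int32_t>(array->byteLength())` narrows the array length to 32 bits before comparing it with a `GC3Dintptr` value. If `byteLength()` returns an unsigned value above INT32_MAX, the cast goes negative and every range is rejected; that fails closed, but the check then depends on an implementation-defined conversion. Comparing in the wider type would avoid this, e.g. `checkedMax.value() > static_cast<GC3Dintptr>(array->byteLength())`, assuming `GC3Dintptr` is pointer-sized on the target. The same cast appears in the combined condition in associateBufferSubDataImpl. The function body continues past the end of this hunk.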
@@ -76,11 +84,13 @@
m_byteLength = 0;
return false;
}
- if (data) {
+ if (array) {
// We must always clone the incoming data because client-side
// modifications without calling bufferData or bufferSubData
// must never be able to change the validation results.
- memcpy(m_elementArrayBuffer->data(), data, byteLength);
+ memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()),
+ static_cast<unsigned char*>(array->data()) + byteOffset,
+ byteLength);
}
} else
m_elementArrayBuffer = 0;
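Review bot: The source operand of this memcpy is cast to a mutable `unsigned char*` although it is only read; `static_cast<const unsigned char*>(array->data()) + byteOffset` would state that and keep the copy from looking like a write into client memory. The same applies to the memcpy in associateBufferSubDataImpl. The read is in bounds only because of the range check at the top of the function, which is outside this hunk, as is the allocation of `m_elementArrayBuffer`. A short comment at the copy would keep that dependency visible, for example `// byteOffset + byteLength was validated against array->byteLength() above.`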
@@ -95,33 +105,37 @@
bool WebGLBuffer::associateBufferData(GC3Dsizeiptr size)
{
- return associateBufferDataImpl(0, size);
+ if (size < 0)
+ return false;
+ return associateBufferDataImpl(0, 0, size);
}
bool WebGLBuffer::associateBufferData(ArrayBuffer* array)
{
if (!array)
return false;
- return associateBufferDataImpl(array ? array->data() : 0, array ? array->byteLength() : 0);
+ return associateBufferDataImpl(array, 0, array->byteLength());
}
bool WebGLBuffer::associateBufferData(ArrayBufferView* array)
{
if (!array)
return false;
- return associateBufferDataImpl(array ? array->baseAddress() : 0, array ? array->byteLength() : 0);
+ return associateBufferDataImpl(array->buffer().get(), array->byteOffset(), array->byteLength());
}
-bool WebGLBuffer::associateBufferSubDataImpl(GC3Dintptr offset, const void* data, GC3Dsizeiptr byteLength)
+bool WebGLBuffer::associateBufferSubDataImpl(GC3Dintptr offset, ArrayBuffer* array, GC3Dintptr arrayByteOffset, GC3Dsizeiptr byteLength)
{
- if (!data || offset < 0 || byteLength < 0)
+ if (!array || offset < 0 || arrayByteOffset < 0 || byteLength < 0)
return false;
if (byteLength) {
CheckedInt<GC3Dintptr> checkedBufferOffset(offset);
- CheckedInt<GC3Dsizeiptr> checkedDataLength(byteLength);
- CheckedInt<GC3Dintptr> checkedBufferMax = checkedBufferOffset + checkedDataLength;
- if (!checkedBufferMax.isValid() || offset > m_byteLength || checkedBufferMax.value() > m_byteLength)
+ CheckedInt<GC3Dintptr> checkedArrayOffset(arrayByteOffset);
+ CheckedInt<GC3Dsizeiptr> checkedLength(byteLength);
+ CheckedInt<GC3Dintptr> checkedArrayMax = checkedArrayOffset + checkedLength;
+ CheckedInt<GC3Dintptr> checkedBufferMax = checkedBufferOffset + checkedLength;
+ if (!checkedArrayMax.isValid() || checkedArrayMax.value() > static_cast<int32_t>(array->byteLength()) || !checkedBufferMax.isValid() || checkedBufferMax.value() > m_byteLength)
return false;
}
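Review bot: associateBufferData(ArrayBufferView*) passes `array->buffer().get()` straight through without checking it for null. In associateBufferDataImpl a null `array` means "allocate the store but copy nothing", so a view with no backing buffer would make the call succeed with a store sized from the view's `byteLength()` and none of the caller's data in it. Whether `buffer()` can be null for a live view is not visible from this hunk; if it can, reject it up front with `if (!array || !array->buffer()) return false;`. The sub-data path already rejects this case through the `!array` test at the top of associateBufferSubDataImpl, whose body continues outside the hunk.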
@@ -131,7 +145,9 @@
if (byteLength) {
if (!m_elementArrayBuffer)
return false;
- memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()) + offset, data, byteLength);
+ memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()) + offset,
+ static_cast<unsigned char*>(array->data()) + arrayByteOffset,
+ byteLength);
}
return true;
case GraphicsContext3D::ARRAY_BUFFER:
@@ -145,14 +161,14 @@
{
if (!array)
return false;
- return associateBufferSubDataImpl(offset, array->data(), array->byteLength());
+ return associateBufferSubDataImpl(offset, array, 0, array->byteLength());
}
bool WebGLBuffer::associateBufferSubData(GC3Dintptr offset, ArrayBufferView* array)
{
if (!array)
return false;
- return associateBufferSubDataImpl(offset, array->baseAddress(), array->byteLength());
+ return associateBufferSubDataImpl(offset, array->buffer().get(), array->byteOffset(), array->byteLength());
}
GC3Dsizeiptr WebGLBuffer::byteLength() const
Modified: trunk/Source/WebCore/html/canvas/WebGLBuffer.h (139922 => 139923)
--- trunk/Source/WebCore/html/canvas/WebGLBuffer.h 2013-01-16 21:58:45 UTC (rev 139922)
+++ trunk/Source/WebCore/html/canvas/WebGLBuffer.h 2013-01-16 22:05:46 UTC (rev 139923)
@@ -95,9 +95,9 @@
void clearCachedMaxIndices();
// Helper function called by the three associateBufferData().
- bool associateBufferDataImpl(const void* data, GC3Dsizeiptr byteLength);
+ bool associateBufferDataImpl(ArrayBuffer* array, GC3Dintptr byteOffset, GC3Dsizeiptr byteLength);
// Helper function called by the two associateBufferSubData().
- bool associateBufferSubDataImpl(GC3Dintptr offset, const void* data, GC3Dsizeiptr byteLength);
+ bool associateBufferSubDataImpl(GC3Dintptr offset, ArrayBuffer* array, GC3Dintptr arrayByteOffset, GC3Dsizeiptr byteLength);
};
} // namespace WebCore
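Review bot: The two helper declarations now take an `ArrayBuffer*` plus byte offsets, but their comments still only say who calls them, and the null-pointer contract differs between the two. For associateBufferDataImpl I would add `// array may be null (allocate only, no copy); otherwise [byteOffset, byteOffset + byteLength) must lie within array.` For associateBufferSubDataImpl, `// array must be non-null; the range is checked against both array and the current m_byteLength.` Both statements follow from the checks in WebGLBuffer.cpp in this same change.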