Title: [207919] branches/safari-602-branch/Source/WebCore
- Revision
- 207919
- Author
- matthew_han...@apple.com
- Date
- 2016-10-26 16:17:59 -0700 (Wed, 26 Oct 2016)
Log Message
Merge r207221. rdar://problem/28894492
Modified Paths
Diff
Modified: branches/safari-602-branch/Source/WebCore/ChangeLog (207918 => 207919)
--- branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-26 23:17:56 UTC (rev 207918)
+++ branches/safari-602-branch/Source/WebCore/ChangeLog 2016-10-26 23:17:59 UTC (rev 207919)
@@ -1,5 +1,22 @@
2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+ Merge r207221. rdar://problem/28894492
+
+ 2016-10-12 Brent Fulgham <bfulg...@apple.com>
+
+ [WebGL] Revise vertex array attribute checks to account for lazy memory allocation.
+ https://bugs.webkit.org/show_bug.cgi?id=163149
+ <rdar://problem/28629774>
+
+ Reviewed by Dean Jackson.
+
+ Tested by fast/canvas/webgl/webgl-drawarrays-crash-2.html
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::validateVertexAttributes):
+
+2016-10-26 Matthew Hanson <matthew_han...@apple.com>
+
Merge r206190. rdar://problem/28744102
2016-09-20 Nan Wang <n_w...@apple.com>
Modified: branches/safari-602-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (207918 => 207919)
--- branches/safari-602-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2016-10-26 23:17:56 UTC (rev 207918)
+++ branches/safari-602-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2016-10-26 23:17:59 UTC (rev 207919)
@@ -1757,13 +1757,23 @@
if (!sawNonInstancedAttrib && sawEnabledAttrib)
return false;
+ bool usingSimulatedArrayBuffer = m_currentProgram->isUsingVertexAttrib0();
+
// Guard against access into non-existent buffers.
- if (elementCount && !sawEnabledAttrib && !m_currentProgram->isUsingVertexAttrib0())
+ if (elementCount && !sawEnabledAttrib && !usingSimulatedArrayBuffer)
return false;
if (elementCount && sawEnabledAttrib) {
- if (!m_boundArrayBuffer && !m_boundVertexArrayObject->getElementArrayBuffer())
+ if (!m_boundArrayBuffer && !m_boundVertexArrayObject->getElementArrayBuffer()) {
+ if (usingSimulatedArrayBuffer) {
+ auto& state = m_boundVertexArrayObject->getVertexAttribState(0);
+ if (state.enabled && state.isBound()) {
+ if (state.bufferBinding->getTarget() == GraphicsContext3D::ARRAY_BUFFER || state.bufferBinding->getTarget() == GraphicsContext3D::ELEMENT_ARRAY_BUFFER)
+ return !!state.bufferBinding->byteLength();
+ }
+ }
return false;
+ }
}
return true;
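Review bot: The new attribute-0 branch accepts the draw as soon as `state.bufferBinding->byteLength()` is non-zero and never compares that length with `elementCount`, so a bound buffer that is too small for the requested draw still passes this guard. If the per-attribute checks earlier in validateVertexAttributes (outside this hunk) already bound the element count against each buffer, a comment here should say so, for example `// Size vs. elementCount is validated per attribute above; this only rejects a lazily allocated, still-empty buffer.`; otherwise the length needs to be checked against the draw range at this point. Separately, `m_currentProgram->isUsingVertexAttrib0()` is now evaluated unconditionally instead of behind the `elementCount && !sawEnabledAttrib` short-circuit, so it is worth confirming that `m_currentProgram` cannot be null when this line is reached. The function body starts and ends outside the hunk.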