Title: [234413] releases/WebKitGTK/webkit-2.20
Revision
234413
Author
carlo...@webkit.org
Date
2018-07-31 02:24:40 -0700 (Tue, 31 Jul 2018)

Log Message

Merge r231441 - WebGL: Reset simulated values after validation fails
https://bugs.webkit.org/show_bug.cgi?id=185363
<rdar://problem/39733417>

Reviewed by Anders Carlsson.

Source/WebCore:

While fixing a previous bug, I forgot to reset some values
when validation fails. This caused a bug where a subsequent
invalid call might use those values and escape detection.

Test: fast/canvas/webgl/index-validation-with-subsequent-draws.html

* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Reset the
sizes when validation fails.
* html/canvas/WebGLRenderingContextBase.h:

LayoutTests:

* fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt: Added.
* fast/canvas/webgl/index-validation-with-subsequent-draws.html: Added.

Modified Paths

Added Paths

Diff

Modified: releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog (234412 => 234413)


--- releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog	2018-07-31 09:24:32 UTC (rev 234412)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog	2018-07-31 09:24:40 UTC (rev 234413)
@@ -1,3 +1,14 @@
+2018-05-06  Dean Jackson  <d...@apple.com>
+
+        WebGL: Reset simulated values after validation fails
+        https://bugs.webkit.org/show_bug.cgi?id=185363
+        <rdar://problem/39733417>
+
+        Reviewed by Anders Carlsson.
+
+        * fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt: Added.
+        * fast/canvas/webgl/index-validation-with-subsequent-draws.html: Added.
+
 2018-05-02  Brent Fulgham  <bfulg...@apple.com>
 
         Use RetainPtr for form input type

Added: releases/WebKitGTK/webkit-2.20/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt (0 => 234413)


--- releases/WebKitGTK/webkit-2.20/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt	2018-07-31 09:24:40 UTC (rev 234413)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 50: WebGL: INVALID_OPERATION: drawElements: unable to simulate vertexAttrib0 array
+CONSOLE MESSAGE: line 56: WebGL: INVALID_OPERATION: drawElements: unable to simulate vertexAttrib0 array
+

Added: releases/WebKitGTK/webkit-2.20/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws.html (0 => 234413)


--- releases/WebKitGTK/webkit-2.20/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws.html	2018-07-31 09:24:40 UTC (rev 234413)
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<html>
+<script id='2d-vertex-shader' type='x-shader/x-vertex'>
+    attribute vec4 a_Position; 
+    void main() { gl_Position = a_Position; }
+</script>
+<script id='2d-fragment-shader' type='x-shader/x-fragment'>
+    void main( void ) {}
+</script>
+<body>
+<canvas id="canvas1" width="20" height="20"></canvas>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+// Boilerplate set-up.
+let canvas = document.getElementById('canvas1');
+let gl = canvas.getContext('webgl');
+
+let vShader = gl.createShader(gl.VERTEX_SHADER);
+let vShaderScript = document.getElementById('2d-vertex-shader');
+gl.shaderSource(vShader, vShaderScript.text);
+gl.compileShader(vShader);
+
+let fShader = gl.createShader(gl.FRAGMENT_SHADER);
+let fShaderScript = document.getElementById('2d-fragment-shader');
+gl.shaderSource(fShader, fShaderScript.text);
+gl.compileShader(fShader);
+
+let program = gl.createProgram();
+gl.attachShader(program, vShader);
+gl.attachShader(program, fShader);
+gl.linkProgram(program);
+gl.useProgram(program);
+
+gl.getExtension("OES_element_index_uint");
+let ext = gl.getExtension('ANGLE_instanced_arrays');
+
+// Execute a draw that is valid, if strange.
+let buffer = gl.createBuffer();
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, buffer);
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, new Uint8ClampedArray([256, 256, 256, 256]), gl.STATIC_DRAW);
+ext.drawElementsInstancedANGLE(gl.TRIANGLES, 2, gl.UNSIGNED_SHORT, 0, gl.UNSIGNED_SHORT);
+
+// Execute a draw that is invalid because an element index is too large.
+buffer = gl.createBuffer();
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, buffer);
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, new Uint16Array([65536, 137413, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536]), gl.STATIC_DRAW);
+gl.bufferSubData(gl.ELEMENT_ARRAY_BUFFER, 10, new Uint8ClampedArray([256, 256, 256, 256, 256, 256]));
+gl.drawElements(gl.TRIANGLES, 1, gl.UNSIGNED_INT, 0);
+
+// Now execute a similarly invalid call, that uses a smaller simulated buffer than the previous invalid call.
+buffer = gl.createBuffer();
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, buffer);
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, new Uint8ClampedArray([256, 256, 256, 256, 256, 256]), gl.STATIC_DRAW);
+gl.drawElements(gl.TRIANGLES, 1, gl.UNSIGNED_SHORT, 0);
+</script>
+</html>
\ No newline at end of file
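Review bot: Neither invalid `drawElements` call is followed by a `gl.getError()` check, so the test passes only because two console lines match the expected file, which also pins source line numbers 50 and 56. An explicit check such as `if (gl.getError() !== gl.INVALID_OPERATION) console.log("FAIL: invalid draw was not rejected");` after each invalid draw would state the detection being tested directly. `ext` is also dereferenced without a null check, so where `ANGLE_instanced_arrays` is unavailable the script would throw before reaching the draws under test. The literals passed to `Uint8ClampedArray` and `Uint16Array` are out of range for those types, and a short comment giving the values actually stored would make the "index is too large" claim easier to verify.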

Modified: releases/WebKitGTK/webkit-2.20/LayoutTests/platform/mac/TestExpectations (234412 => 234413)


--- releases/WebKitGTK/webkit-2.20/LayoutTests/platform/mac/TestExpectations	2018-07-31 09:24:32 UTC (rev 234412)
+++ releases/WebKitGTK/webkit-2.20/LayoutTests/platform/mac/TestExpectations	2018-07-31 09:24:40 UTC (rev 234413)
@@ -1768,9 +1768,10 @@
 
 webkit.org/b/181494 accessibility/mac/aria-multiple-liveregions-notification.html [ Pass Failure ]
 
-# A lot of GPU hardware simply crashes with this test, since it allocates a lot of memory.
-# It is enabled on systems that instead return GL_OUT_OF_MEMORY.
+# A lot of GPU hardware simply crashes with these tests, since they allocate a lot of memory.
+# They are enabled on systems that instead return GL_OUT_OF_MEMORY.
 [ ElCapitan Sierra ] fast/canvas/webgl/simulated-vertexAttrib0-invalid-indicies.html [ Skip ]
+[ ElCapitan Sierra ] fast/canvas/webgl/index-validation-with-subsequent-draws.html [ Skip ]
 
 webkit.org/b/181100 inspector/worker/worker-recover-if-inspector-close.html [ Pass Failure ]
 

Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog (234412 => 234413)


--- releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog	2018-07-31 09:24:32 UTC (rev 234412)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/ChangeLog	2018-07-31 09:24:40 UTC (rev 234413)
@@ -1,3 +1,22 @@
+2018-05-06  Dean Jackson  <d...@apple.com>
+
+        WebGL: Reset simulated values after validation fails
+        https://bugs.webkit.org/show_bug.cgi?id=185363
+        <rdar://problem/39733417>
+
+        Reviewed by Anders Carlsson.
+
+        While fixing a previous bug, I forgot to reset some values
+        when validation fails. This caused a bug where a subsequent
+        invalid call might use those values and escape detection.
+
+        Test: fast/canvas/webgl/index-validation-with-subsequent-draws.html
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Reset the
+        sizes when validation fails.
+        * html/canvas/WebGLRenderingContextBase.h:
+
 2018-05-02  Brent Fulgham  <bfulg...@apple.com>
 
         Widgets should hold a WeakPtr to their parents

Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (234412 => 234413)


--- releases/WebKitGTK/webkit-2.20/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2018-07-31 09:24:32 UTC (rev 234412)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2018-07-31 09:24:40 UTC (rev 234413)
@@ -5746,6 +5746,8 @@
         if (m_context->getError() != GraphicsContext3D::NO_ERROR) {
             // We were unable to create a buffer.
             m_vertexAttrib0UsedBefore = false;
+            m_vertexAttrib0BufferSize = 0;
+            m_forceAttrib0BufferRefill = true;
             return std::nullopt;
         }
         m_vertexAttrib0BufferSize = bufferDataSize;
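Review bot: The comment on this failure branch, `// We were unable to create a buffer.`, does not say why the cached size and refill flag are now cleared along with `m_vertexAttrib0UsedBefore`, and that reason is the whole fix. Per the log message, values left over after a failed validation let a subsequent invalid call escape detection, so I would extend the comment to something like `// Buffer creation failed: drop the cached size and force a refill so a later draw cannot reuse stale simulated-attrib0 state.` The body of simulateVertexAttrib0 starts and ends outside this hunk. If it has other early returns on failure, they presumably need the same reset, which is worth confirming.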

Modified: releases/WebKitGTK/webkit-2.20/Source/WebCore/html/canvas/WebGLRenderingContextBase.h (234412 => 234413)


--- releases/WebKitGTK/webkit-2.20/Source/WebCore/html/canvas/WebGLRenderingContextBase.h	2018-07-31 09:24:32 UTC (rev 234412)
+++ releases/WebKitGTK/webkit-2.20/Source/WebCore/html/canvas/WebGLRenderingContextBase.h	2018-07-31 09:24:40 UTC (rev 234413)
@@ -488,10 +488,10 @@
     Vector<VertexAttribValue> m_vertexAttribValue;
     unsigned m_maxVertexAttribs;
     RefPtr<WebGLBuffer> m_vertexAttrib0Buffer;
-    long m_vertexAttrib0BufferSize;
+    long m_vertexAttrib0BufferSize { 0 };
     GC3Dfloat m_vertexAttrib0BufferValue[4];
-    bool m_forceAttrib0BufferRefill;
-    bool m_vertexAttrib0UsedBefore;
+    bool m_forceAttrib0BufferRefill { true };
+    bool m_vertexAttrib0UsedBefore { false };
 
     RefPtr<WebGLProgram> m_currentProgram;
     RefPtr<WebGLFramebuffer> m_framebufferBinding;
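Review bot: `m_vertexAttrib0BufferValue[4]` is left without a default initializer while the three members around it now get one, so the simulated-attrib0 state is still only partly initialized at declaration. Unless the constructor or an init routine outside this hunk always fills it, `GC3Dfloat m_vertexAttrib0BufferValue[4] { };` would close that gap. Separately, `long m_vertexAttrib0BufferSize` is signed and only 32 bits wide on LLP64 targets, while the .cpp hunk assigns `bufferDataSize` to it. If that value is pointer-sized (its type is not visible here), a matching member type would avoid a narrowing assignment in a size that feeds validation.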