[webkit-changes] [WebKit/WebKit] bdc472: [WebGPU] out of bounds access in drawIndirect call

[mwyrzykowski]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: bdc472fd3321132aaedd43a89572dfc21722697c
      
https://github.com/WebKit/WebKit/commit/bdc472fd3321132aaedd43a89572dfc21722697c
  Author: Mike Wyrzykowski <mwyrzykow...@apple.com>
  Date:   2024-06-05 (Wed, 05 Jun 2024)

  Changed paths:
    A LayoutTests/fast/webgpu/regression/repro_274994-expected.txt
    A LayoutTests/fast/webgpu/regression/repro_274994.html
    A LayoutTests/fast/webgpu/regression/repro_274994b-expected.txt
    A LayoutTests/fast/webgpu/regression/repro_274994b.html
    M Source/WebGPU/WebGPU/BindableResource.h
    M Source/WebGPU/WebGPU/Buffer.h
    M Source/WebGPU/WebGPU/Buffer.mm
    M Source/WebGPU/WebGPU/Device.mm
    M Source/WebGPU/WebGPU/RenderBundleEncoder.h
    M Source/WebGPU/WebGPU/RenderBundleEncoder.mm
    M Source/WebGPU/WebGPU/RenderPassEncoder.h
    M Source/WebGPU/WebGPU/RenderPassEncoder.mm

  Log Message:
  -----------
  [WebGPU] out of bounds access in drawIndirect call
https://bugs.webkit.org/show_bug.cgi?id=274994
<radar://129061487>

Reviewed by Dan Glastonbury.

Instance counts were not being validated in indirect calls, leading to out of
bounds buffer accesses.

* LayoutTests/fast/webgpu/regression/repro_274994-expected.txt: Added.
* LayoutTests/fast/webgpu/regression/repro_274994.html: Added.
* LayoutTests/fast/webgpu/regression/repro_274994b-expected.txt: Added.
* LayoutTests/fast/webgpu/regression/repro_274994b.html: Added.
Add regression tests.

* Source/WebGPU/WebGPU/BindableResource.h:
* Source/WebGPU/WebGPU/Buffer.h:
* Source/WebGPU/WebGPU/Buffer.mm:
(WebGPU::Buffer::indirectBufferRequiresRecomputation const):
(WebGPU::Buffer::indirectBufferRecomputed):
(WebGPU::Buffer::indirectBufferInvalidated):
* Source/WebGPU/WebGPU/Device.mm:
(WebGPU::Device::copyIndexIndirectArgsPipeline):
* Source/WebGPU/WebGPU/RenderBundleEncoder.h:
* Source/WebGPU/WebGPU/RenderBundleEncoder.mm:
(WebGPU::RenderBundleEncoder::computeMininumVertexInstanceCount const):
(WebGPU::RenderBundleEncoder::storeVertexBufferCountsForValidation):
(WebGPU::RenderBundleEncoder::drawIndexedIndirect):
(WebGPU::RenderBundleEncoder::drawIndirect):
(WebGPU::RenderBundleEncoder::computeMininumVertexCount const): Deleted.
* Source/WebGPU/WebGPU/RenderPassEncoder.h:
* Source/WebGPU/WebGPU/RenderPassEncoder.mm:
(WebGPU::RenderPassEncoder::computeMininumVertexInstanceCount const):
(WebGPU::RenderPassEncoder::clampIndexBufferToValidValues):
(WebGPU::RenderPassEncoder::clampIndirectIndexBufferToValidValues):
(WebGPU::RenderPassEncoder::clampIndirectBufferToValidValues):
(WebGPU::RenderPassEncoder::drawIndexedIndirect):
(WebGPU::RenderPassEncoder::drawIndirect):
(WebGPU::RenderPassEncoder::executeBundles):
(WebGPU::RenderPassEncoder::computeMininumVertexCount const): Deleted.

Canonical link: https://commits.webkit.org/279730@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes