Title: [196122] branches/safari-601.1.46-branch

Diff

Modified: branches/safari-601.1.46-branch/LayoutTests/ChangeLog (196121 => 196122)


--- branches/safari-601.1.46-branch/LayoutTests/ChangeLog	2016-02-04 16:22:19 UTC (rev 196121)
+++ branches/safari-601.1.46-branch/LayoutTests/ChangeLog	2016-02-04 16:22:23 UTC (rev 196122)
@@ -1,5 +1,33 @@
 2016-02-03  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r195837. rdar://problem/24001782
+
+    2015-12-22  Pranjal Jumde  <pju...@apple.com>
+
+            Test to check for stack recursion when indexed propertyNames defined using Object.defineProperty are deleted.
+            https://bugs.webkit.org/show_bug.cgi?id=149179
+            <rdar://problem/22708019>.
+
+            Reviewed by Dean Jackson.
+
+            * storage/domstorage/localstorage/delete-defineproperty-removal-expected.txt: Added.
+            * storage/domstorage/localstorage/delete-defineproperty-removal.html: Added.
+
+<<<<<<< .mine
+2016-01-29  Brent Fulgham  <bfulg...@apple.com>
+
+        [WebGL] Check vertex array bounds before permitting a glDrawArrays to execute
+        https://bugs.webkit.org/show_bug.cgi?id=153643
+        <rdar://problem/23424456>
+
+        Reviewed by Dean Jackson.
+
+        * fast/canvas/webgl/webgl-drawarrays-crash-expected.txt: Added.
+        * fast/canvas/webgl/webgl-drawarrays-crash.html: Added.
+
+=======
+2016-02-03  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r196096. rdar://problem/24416768
 
     2016-02-03  Matthew Hanson  <matthew_han...@apple.com>
@@ -99,6 +127,7 @@
             * fast/loader/stateobjects/pushstate-frequency-with-user-gesture.html: Added.
             * fast/loader/stateobjects/pushstate-frequency.html: Added.
             * fast/loader/stateobjects/replacestate-frequency-expected.txt: Added.
+>>>>>>> .r195836
             * fast/loader/stateobjects/replacestate-frequency-iframe-expected.txt: Added.
             * fast/loader/stateobjects/replacestate-frequency-iframe.html: Added.
             * fast/loader/stateobjects/replacestate-frequency-with-user-gesture-expected.txt: Added.

Added: branches/safari-601.1.46-branch/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt (0 => 196122)


--- branches/safari-601.1.46-branch/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt	2016-02-04 16:22:23 UTC (rev 196122)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 22: WebGL: INVALID_OPERATION: drawArrays: attempt to access out of bounds arrays
+PASS. You didn't crash.
+

Added: branches/safari-601.1.46-branch/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html (0 => 196122)


--- branches/safari-601.1.46-branch/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html	                        (rev 0)
+++ branches/safari-601.1.46-branch/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html	2016-02-04 16:22:23 UTC (rev 196122)
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="" </script>
+    <script>
+    function runTest()
+    {
+        var canvas = document.getElementById('webgl-canvas');
+        var gl = WebGLTestUtils.create3DContext(canvas);
+        var fragmentShader = gl.createShader(gl.FRAGMENT_SHADER);
+        var program = gl.createProgram();
+        var vertexShader = gl.createShader(gl.VERTEX_SHADER);
+        gl.shaderSource(vertexShader, 'attribute vec2 pos; void main() { gl_Position = vec4(pos, 0, 1); }');
+        gl.compileShader(vertexShader);
+        gl.shaderSource(fragmentShader, 'precision mediump float; void main() { gl_FragColor = vec4(0,0.8,0,1); }');
+        gl.compileShader(fragmentShader);
+        gl.attachShader(program, vertexShader);
+        gl.shaderSource(vertexShader, 'attribute vec2 pos; void main() { gl_Position = vec4(pos, 0, 1); }');
+        gl.attachShader(program, fragmentShader);
+        gl.linkProgram(program);
+        gl.useProgram(program);
+        gl.drawArrays(gl.TRIANGLES, 22000, 440000);
+
+        if (window.testRunner)
+          testRunner.notifyDone();
+    }
+
+    if (window.testRunner) {
+      testRunner.dumpAsText();
+      testRunner.overridePreference("WebKitAcceleratedCompositingEnabled", "1");
+      testRunner.overridePreference("WebKitWebGLEnabled", "1");
+      testRunner.waitUntilDone();
+    }
+
+    window._onpageshow_ = runTest;
+    </script>
+</head>
+<body>
+    <div>PASS. You didn't crash.</div>
+    <canvas id="webgl-canvas" width="100px" height="100px"></canvas>
+</body>
+</html>
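Review bot: The test's verdict rests only on the static "PASS. You didn't crash." text and the console message in the expected file; nothing in `runTest` checks the GL error state after `gl.drawArrays(gl.TRIANGLES, 22000, 440000);`. Adding an explicit check such as `if (gl.getError() !== gl.INVALID_OPERATION) document.body.firstElementChild.textContent = 'FAIL';` would keep the regression pinned to the rejected draw even if the message wording changes. The second `gl.shaderSource(vertexShader, ...)` call after `gl.attachShader(program, vertexShader)` repeats the earlier source with no recompile and can be dropped. As rendered on this page, the `<script src=""` tag and `window._onpageshow_` look altered by the mail archive, so confirm against the repository copy that the WebGLTestUtils script is actually loaded.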

Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (196121 => 196122)


--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2016-02-04 16:22:19 UTC (rev 196121)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog	2016-02-04 16:22:23 UTC (rev 196122)
@@ -1,5 +1,25 @@
 2016-02-03  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r195837. rdar://problem/24001782
+
+    2016-01-29  Brent Fulgham  <bfulg...@apple.com>
+
+            [WebGL] Check vertex array bounds before permitting a glDrawArrays to execute
+            https://bugs.webkit.org/show_bug.cgi?id=153643
+            <rdar://problem/23424456>
+
+            Reviewed by Dean Jackson.
+
+            Tested by fast/canvas/webgl/webgl-drawarrays-crash.html.
+
+            * html/canvas/WebGLRenderingContextBase.cpp:
+            (WebCore::WebGLRenderingContextBase::validateDrawArrays): Make sure that we have at
+            least one buffer bound to a program if a drawArray call with a non-zero range of
+            requested data is being made.
+            (WebCore::WebGLRenderingContextBase::validateDrawElements): Drive-by formatting fix.
+
+2016-02-03  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r196096. rdar://problem/24416768
 
     2016-02-03  Matthew Hanson  <matthew_han...@apple.com>

Modified: branches/safari-601.1.46-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (196121 => 196122)


--- branches/safari-601.1.46-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2016-02-04 16:22:19 UTC (rev 196121)
+++ branches/safari-601.1.46-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp	2016-02-04 16:22:23 UTC (rev 196122)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -1736,6 +1736,10 @@
     if (!sawNonInstancedAttrib && sawEnabledAttrib)
         return false;
 
+    // Guard against access into non-existent buffers.
+    if (elementCount && !sawEnabledAttrib && !m_currentProgram->isUsingVertexAttrib0())
+        return false;
+
     return true;
 }
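Review bot: The added guard dereferences `m_currentProgram` and lets the draw through whenever `isUsingVertexAttrib0()` is true, and neither the null check on the program nor the bounds handling for the attrib-0 case is visible in this hunk. The enclosing function starts outside the hunk, so confirm that `m_currentProgram` is validated before this point and that the attrib-0 path sizes its own storage from the requested range rather than relying on this check. The comment would also help more if it stated the condition, for example `// No attribute array is enabled, so there is no bound buffer to range-check; reject any non-empty draw unless the program reads attrib 0.` Since the new test only covers the drawArrays case with no enabled attributes, a second case for a program that does consume attrib 0 would document the intended behaviour of the exemption.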
 
@@ -1808,10 +1812,10 @@
 bool WebGLRenderingContextBase::validateDrawElements(const char* functionName, GC3Denum mode, GC3Dsizei count, GC3Denum type, long long offset, unsigned& numElements, GC3Dsizei primitiveCount)
 {
     if (isContextLostOrPending() || !validateDrawMode(functionName, mode))
-    return false;
+        return false;
     
     if (!validateStencilSettings(functionName))
-    return false;
+        return false;
     
     switch (type) {
     case GraphicsContext3D::UNSIGNED_BYTE: