Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 20c2476108c028f4cc0ea92661bb13e9880ca3db
    https://github.com/WebKit/WebKit/commit/20c2476108c028f4cc0ea92661bb13e9880ca3db
Author: Mike Wyrzykowski <mwyrzykow...@apple.com>
Date: 2025-03-05 (Wed, 05 Mar 2025)

Changed paths:
  A LayoutTests/fast/webgpu/nocrash/fuzz-289006-expected.txt
  A LayoutTests/fast/webgpu/nocrash/fuzz-289006.html
  M Source/WebGPU/WebGPU/BindGroupLayout.mm
  M Source/WebGPU/WebGPU/RenderPipeline.mm

Log Message:
-----------
[WebGPU] buffer array lengths from automatically generated bind groups can overwrite actual bindings
https://bugs.webkit.org/show_bug.cgi?id=289006
rdar://145996237

Reviewed by Tadeu Zagallo.

Array lengths were given binding indices which could overlap with
binding indices provided by the user, leading to incorrect automatically
generated bind groups.

Address this by keeping array length bindings in their own range, specifically
in the range [lastValidBindingIndex + 1, lastValidBindingIndex + maxBindingsPerBindGroup].

* LayoutTests/fast/webgpu/nocrash/fuzz-289006-expected.txt: Added.
* LayoutTests/fast/webgpu/nocrash/fuzz-289006.html: Added.
Add regression test.

* Source/WebGPU/WebGPU/BindGroupLayout.mm:
(WebGPU::isArrayLength):
Add helper.
(WebGPU::Device::createBindGroupLayout):
Ensure array lengths don't cause validation to fail.

* Source/WebGPU/WebGPU/RenderPipeline.mm:
(WebGPU::Device::addPipelineLayouts):
Keep array lengths in their own address space.

Canonical link: https://commits.webkit.org/291643@main
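
The index separation described in the log message, as an added example that is not WebKit's code: it builds an automatically generated layout twice and counts how many user bindings an array-length slot overwrites. The limit values, the `Entry`, `Slot` and `Layout` types, `buildLayout`, `sampleEntries`, and the overlapping allocation scheme (lengths packed right after the entry count) are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Constructed limits for this example; not WebKit's actual values.
constexpr uint32_t maxBindingsPerBindGroup = 4;
constexpr uint32_t lastValidBindingIndex = 9; // user bindings live in [0, 9]

struct Entry {
    uint32_t binding;      // index chosen by the shader author
    bool needsArrayLength; // buffer holding a runtime-sized array
};
enum class Slot { User, ArrayLength };
struct Layout {
    std::map<uint32_t, Slot> slots;
    unsigned overwrittenUserBindings = 0;
};

// separateRange == false: assumed overlapping scheme, lengths packed after the entry count.
// separateRange == true: lengths start at lastValidBindingIndex + 1, as the log message describes.
bool buildLayout(const std::vector<Entry>& entries, bool separateRange, Layout& out)
{
    if (entries.size() > maxBindingsPerBindGroup)
        return false;
    for (const Entry& e : entries) // reject out-of-range or duplicate user bindings
        if (e.binding > lastValidBindingIndex || !out.slots.emplace(e.binding, Slot::User).second)
            return false;
    uint32_t next = separateRange ? lastValidBindingIndex + 1 : static_cast<uint32_t>(entries.size());
    for (const Entry& e : entries) {
        if (!e.needsArrayLength)
            continue;
        auto result = out.slots.emplace(next++, Slot::ArrayLength);
        if (!result.second) { // slot already held by a user binding: it gets clobbered
            result.first->second = Slot::ArrayLength;
            ++out.overwrittenUserBindings;
        }
    }
    return true;
}

// Constructed input: sparse user bindings 0 and 2; binding 0 needs a length slot.
std::vector<Entry> sampleEntries() { return { { 0, true }, { 2, false } }; }

int main() {
    Layout before, after;
    buildLayout(sampleEntries(), false, before);
    buildLayout(sampleEntries(), true, after);
    std::printf("overwritten: overlapping=%u separated=%u\n", before.overwrittenUserBindings, after.overwrittenUserBindings);
    return 0;
}
```

With at most `maxBindingsPerBindGroup` entries per group, the highest length slot the separated scheme can hand out is `lastValidBindingIndex + maxBindingsPerBindGroup`, which matches the upper bound of the range given in the log message.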