Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e298509a76abafc3a886a7c567f031cf62451cc0
      
https://github.com/WebKit/WebKit/commit/e298509a76abafc3a886a7c567f031cf62451cc0
  Author: Ruthvik Konda <[email protected]>
  Date:   2026-04-28 (Tue, 28 Apr 2026)

  Changed paths:
    M LayoutTests/platform/glib/TestExpectations
    M LayoutTests/platform/ios/TestExpectations
    A LayoutTests/webgl/webgl2-provoking-vertex-primitive-restart-uint16-nocrash-expected.txt
    A LayoutTests/webgl/webgl2-provoking-vertex-primitive-restart-uint16-nocrash.html
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/shaders/mtl_internal_shaders_autogen.metal
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/shaders/mtl_internal_shaders_src_autogen.h
    M Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/shaders/rewrite_indices.metal

  Log Message:
  -----------
  WebGL provoking vertex with uint16 primitive restart causes GPU OOB access
https://bugs.webkit.org/show_bug.cgi?id=305531
rdar://167631804

Reviewed by Mike Wyrzykowski.

The fixIndexBuffer Metal compute kernel uses a hardcoded restart index of 0xFFFFFFFF,
which is only correct for uint32 indices. For uint16 indices, the primitive restart marker is 0xFFFF.
So when provoking vertex is used and we need to process the uint16 index buffer with primitive restart
enabled, the shader fails to recognize the restart markers, causing the restart marker to be used as a valid
index resulting in an OOB GPU buffer access.

Fix by selecting the type-appropriate restart index based on indexBufferIsUint16.

Test: webgl/webgl2-provoking-vertex-primitive-restart-uint16-nocrash.html

* LayoutTests/platform/ios/TestExpectations:
* LayoutTests/webgl/webgl2-provoking-vertex-primitive-restart-uint16-nocrash-expected.txt: Added.
* LayoutTests/webgl/webgl2-provoking-vertex-primitive-restart-uint16-nocrash.html: Added.
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/shaders/mtl_internal_shaders_autogen.metal:
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/shaders/mtl_internal_shaders_src_autogen.h:
(readIdx):
(outputPrimitive):
(fixIndexBuffer):
* Source/ThirdParty/ANGLE/src/libANGLE/renderer/metal/shaders/rewrite_indices.metal:

Originally-landed-as: 305413.88@safari-7624-branch (b2f04087d62a). rdar://173968824
Canonical link: https://commits.webkit.org/312243@main
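
The marker mismatch the log message describes, modelled on the CPU as an added example (not code from this commit or from ANGLE). The names `read_index`, `restart_for`, `rewrite_strip` and `oob_refs_with` are hypothetical, the strip-to-list rewrite is a simplified stand-in for the kernel, and the index buffer is constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Widen index i to 32 bits: a uint16 0xFFFF becomes 0x0000FFFF. */
static uint32_t read_index(const void *buf, size_t i, bool is_uint16) {
    return is_uint16 ? ((const uint16_t *)buf)[i] : ((const uint32_t *)buf)[i];
}

/* Marker chosen from the index type, as the fix describes. */
uint32_t restart_for(bool is_uint16) { return is_uint16 ? 0xFFFFu : 0xFFFFFFFFu; }

/* Expand a triangle strip into a triangle list with the last (provoking)
 * vertex moved first; `restart` ends the current strip. Returns indices written. */
size_t rewrite_strip(const void *buf, size_t n, bool is_uint16, uint32_t restart,
                     uint32_t *out, size_t out_cap) {
    size_t written = 0, run = 0;      /* run: indices since the last restart */
    uint32_t a = 0, b = 0;            /* previous two indices in the strip */
    for (size_t i = 0; i < n; i++) {
        uint32_t c = read_index(buf, i, is_uint16);
        if (c == restart) { run = 0; continue; }
        if (++run >= 3 && written + 3 <= out_cap) {
            bool odd = (run - 3) & 1; /* odd triangles swap a/b to keep winding */
            out[written++] = c;
            out[written++] = odd ? b : a;
            out[written++] = odd ? a : b;
        }
        a = b; b = c;
    }
    return written;
}

/* Constructed sample: two uint16 strips split by 0xFFFF, 6 vertices (0..5).
 * Returns how many emitted indices fall outside the vertex range. */
size_t oob_refs_with(uint32_t restart) {
    const uint16_t indices[] = {0, 1, 2, 0xFFFF, 3, 4, 5};
    uint32_t out[32];
    size_t n = rewrite_strip(indices, 7, true, restart, out, 32), oob = 0;
    for (size_t i = 0; i < n; i++) oob += (out[i] >= 6);
    return oob;
}

int main(void) {
    printf("hardcoded 0xFFFFFFFF: %zu out-of-range refs\n", oob_refs_with(0xFFFFFFFFu));
    printf("type-selected marker: %zu out-of-range refs\n", oob_refs_with(restart_for(true)));
    return 0;
}
```

With the hardcoded 32-bit marker the widened 0x0000FFFF never compares equal, so the two strips are stitched into one and 0xFFFF is emitted as a vertex reference in three of the five resulting triangles.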


