Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cf0a14a0f239bd54510623530f01b1ddee0214b4
      
https://github.com/WebKit/WebKit/commit/cf0a14a0f239bd54510623530f01b1ddee0214b4
  Author: Ruthvik Konda <[email protected]>
  Date:   2026-07-02 (Thu, 02 Jul 2026)

  Changed paths:
    A LayoutTests/fast/webgpu/nocrash/index-buffer-invalidation-multi-command-buffer-expected.txt
    A LayoutTests/fast/webgpu/nocrash/index-buffer-invalidation-multi-command-buffer.html
    M Source/WebGPU/WebGPU/Buffer.h
    M Source/WebGPU/WebGPU/Buffer.mm
    M Source/WebGPU/WebGPU/CommandEncoder.mm

  Log Message:
  -----------
  [WebGPU] Per-buffer m_mustTakeSlowIndexValidationPath cleared between command buffers leads to GPU OOB vertex fetch
https://bugs.webkit.org/show_bug.cgi?id=314835
rdar://176482961

Reviewed by Mike Wyrzykowski.

Buffer::m_mustTakeSlowIndexValidationPath is a single per-Buffer bool that
guards re-validation of cache-hit drawIndexed/drawIndirect calls after the
buffer is invalidated via writeBuffer/copyBufferToBuffer/unmap. Queue::submit
processes submitted command buffers sequentially with preCommitHandler ->
commit -> postCommitHandler per buffer. The first command buffer's
postCommitHandler clears the per-buffer flag before the second command
buffer's preCommitHandler reads it, so the second command buffer skips
takeSlowIndexValidationPath and its pre-recorded direct
drawIndexedPrimitives executes against rewritten OOB indices, causing a
GPU-side out-of-bounds vertex fetch at an attacker-controlled offset.
Reachable via the public navigator.gpu API only.

The fix gates clearMustTakeSlowIndexValidationPath() on
m_skippedValidationCommandEncoders being empty, using the existing
computeSize() helper that prunes destroyed-encoder IDs. The flag now stays
set until every encoder that was pending at invalidation time has run its
preCommit. This is conservative: while a finished-unsubmitted command buffer
that cache-hit this buffer remains alive, subsequent cache-hit draws also
take the slow path; this fails safe (over-validates) and is bounded by
command buffer lifetime.

The two raw m_mustTakeSlowIndexValidationPath = false writes in the
drawIndexedIndirect and drawIndirect on-commit lambdas are routed through
the gated accessor for the same reason.

* LayoutTests/fast/webgpu/nocrash/index-buffer-invalidation-multi-command-buffer-expected.txt: Added.
* LayoutTests/fast/webgpu/nocrash/index-buffer-invalidation-multi-command-buffer.html: Added.
* Source/WebGPU/WebGPU/Buffer.h:
(WebGPU::Buffer::clearMustTakeSlowIndexValidationPath): Deleted.
* Source/WebGPU/WebGPU/Buffer.mm:
(WebGPU::Buffer::skippedDrawIndirectIndexedValidation):
(WebGPU::Buffer::skippedDrawIndirectValidation):
(WebGPU::Buffer::clearMustTakeSlowIndexValidationPath):

Originally-landed-as: 305413.907@safari-7624-branch (69246dd9556c). 
rdar://180437229
Canonical link: https://commits.webkit.org/316379@main
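The ordering hazard the commit message describes, and the effect of gating the clear on the pending-encoder set, reduced to a small model. This is an added illustration, not WebKit's code: the types `Buffer`, `CommandBuffer`, `Result` and the functions `recordCacheHitDraw`, `submitSequentially` and `runScenario` are invented here, and the slow validation path is modelled only as "re-validates before drawing". The member names mirror the two the commit names (`m_mustTakeSlowIndexValidationPath`, `m_skippedValidationCommandEncoders`) but their behaviour is a simplification.

```cpp
// Added example: a simplified model of the per-buffer flag that guards index
// re-validation, processed for two command buffers in submission order
// (preCommit -> commit -> postCommit each), with the unconditional clear
// beside the gated clear from the fix. Names are illustrative, not WebKit's API.
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

struct Buffer {
    bool mustTakeSlowIndexValidationPath = false;         // set when contents are rewritten
    std::set<uint32_t> skippedValidationCommandEncoders;  // encoders whose draws cache-hit this buffer
    bool contentsRewrittenSinceValidation = false;        // model of "rewritten OOB indices"

    // writeBuffer / copyBufferToBuffer / unmap: cached validation results are stale.
    void invalidate() {
        mustTakeSlowIndexValidationPath = true;
        contentsRewrittenSinceValidation = true;
    }

    // Before the fix: postCommit cleared the flag unconditionally.
    void clearUnconditionally() { mustTakeSlowIndexValidationPath = false; }

    // After the fix: clear only once no pending encoder still relies on the flag.
    void clearIfNoPendingEncoders() {
        if (skippedValidationCommandEncoders.empty())
            mustTakeSlowIndexValidationPath = false;
    }
};

struct CommandBuffer {
    uint32_t encoderId;
    bool drewWithoutRevalidation;  // outcome recorded at commit time
};

struct Result {
    int unrevalidatedDraws;  // draws replayed against rewritten contents without re-validation
    bool flagStillSet;       // whether the per-buffer flag is left set after submit
};

// Recording time: a drawIndexed whose validation cache-hit is remembered on the buffer.
static void recordCacheHitDraw(Buffer& buffer, CommandBuffer& cb) {
    buffer.skippedValidationCommandEncoders.insert(cb.encoderId);
}

// Queue::submit-style sequential processing of the given command buffers.
static int submitSequentially(Buffer& buffer, std::vector<CommandBuffer>& cbs, bool gatedClear) {
    int unrevalidatedDraws = 0;
    for (auto& cb : cbs) {
        // preCommit: read the flag, and this encoder stops being "pending".
        bool takeSlowPath = buffer.mustTakeSlowIndexValidationPath;
        buffer.skippedValidationCommandEncoders.erase(cb.encoderId);

        // commit: the slow path re-validates indices first; the fast path replays
        // the pre-recorded direct draw as-is, which is the hazard if contents changed.
        cb.drewWithoutRevalidation = !takeSlowPath && buffer.contentsRewrittenSinceValidation;
        if (cb.drewWithoutRevalidation)
            ++unrevalidatedDraws;

        // postCommit: clear the flag, unconditionally (bug) or gated (fix).
        if (gatedClear)
            buffer.clearIfNoPendingEncoders();
        else
            buffer.clearUnconditionally();
    }
    return unrevalidatedDraws;
}

// Scenario from the commit message: two finished command buffers cache-hit the
// same index buffer, the buffer is then invalidated, and both are submitted at once.
static Result runScenario(bool gatedClear) {
    Buffer indexBuffer;
    std::vector<CommandBuffer> cbs { {1, false}, {2, false} };
    recordCacheHitDraw(indexBuffer, cbs[0]);
    recordCacheHitDraw(indexBuffer, cbs[1]);
    indexBuffer.invalidate();  // e.g. writeBuffer rewriting the indices
    int n = submitSequentially(indexBuffer, cbs, gatedClear);
    return Result{ n, indexBuffer.mustTakeSlowIndexValidationPath };
}

int main() {
    Result buggy = runScenario(false);
    Result fixed = runScenario(true);
    std::printf("unconditional clear: %d draw(s) without re-validation\n", buggy.unrevalidatedDraws);
    std::printf("gated clear:         %d draw(s) without re-validation, flag still set: %d\n",
                fixed.unrevalidatedDraws, fixed.flagStillSet);
    return 0;
}
```

With the unconditional clear, the first command buffer takes the slow path and its postCommit resets the flag, so the second command buffer's preCommit reads `false` and replays its recorded draw against the rewritten indices. With the gated clear, the flag survives the first postCommit because encoder 2 is still pending, the second command buffer also re-validates, and the flag is cleared only once the pending set is empty, matching the "fails safe, bounded by command buffer lifetime" behaviour the commit describes.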
