Revision: 195837
Author: [email protected]
Date: 2016-01-29 13:00:24 -0800 (Fri, 29 Jan 2016)
Log Message
Source/WebCore:
[WebGL] Check vertex array bounds before permitting a glDrawArrays to execute
https://bugs.webkit.org/show_bug.cgi?id=153643
<rdar://problem/23424456>
Reviewed by Dean Jackson.
Tested by fast/canvas/webgl/webgl-drawarrays-crash.html.
* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::validateDrawArrays): Make sure that we have at
least one buffer bound to a program if a drawArray call with a non-zero range of
requested data is being made.
(WebCore::WebGLRenderingContextBase::validateDrawElements): Drive-by formatting fix.
LayoutTests:
Test to check for stack recursion when indexed propertyNames defined using Object.defineProperty are deleted.
https://bugs.webkit.org/show_bug.cgi?id=149179
<rdar://problem/22708019>.
Patch by Pranjal Jumde <[email protected]> on 2015-12-22
Reviewed by Dean Jackson.
* storage/domstorage/localstorage/delete-defineproperty-removal-expected.txt: Added.
* storage/domstorage/localstorage/delete-defineproperty-removal.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (195836 => 195837)
--- trunk/LayoutTests/ChangeLog 2016-01-29 20:37:52 UTC (rev 195836)
+++ trunk/LayoutTests/ChangeLog 2016-01-29 21:00:24 UTC (rev 195837)
@@ -1,3 +1,27 @@
+2015-12-22 Pranjal Jumde <[email protected]>
+
+ Test to check for stack recursion when indexed propertyNames defined using Object.defineProperty are deleted.
+ https://bugs.webkit.org/show_bug.cgi?id=149179
+ <rdar://problem/22708019>.
+
+ Reviewed by Dean Jackson.
+
+ * storage/domstorage/localstorage/delete-defineproperty-removal-expected.txt: Added.
+ * storage/domstorage/localstorage/delete-defineproperty-removal.html: Added.
+
+<<<<<<< .mine
+2016-01-29 Brent Fulgham <[email protected]>
+
+ [WebGL] Check vertex array bounds before permitting a glDrawArrays to execute
+ https://bugs.webkit.org/show_bug.cgi?id=153643
+ <rdar://problem/23424456>
+
+ Reviewed by Dean Jackson.
+
+ * fast/canvas/webgl/webgl-drawarrays-crash-expected.txt: Added.
+ * fast/canvas/webgl/webgl-drawarrays-crash.html: Added.
+
+=======
2016-01-29 Ryan Haddad <[email protected]>
Rebaseline fast/forms tests after r195700
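Review bot: unresolved merge-conflict markers are being committed into trunk/LayoutTests/ChangeLog: the added block contains `+<<<<<<< .mine` and `+=======` ahead of the existing Ryan Haddad entry, and the matching `+>>>>>>> .r195836` lands in the next hunk. Resolve the conflict before landing: keep the 2016-01-29 Brent Fulgham entry at the top, drop the marker lines, and take the unrelated 2015-12-22 Pranjal Jumde entry (bug 149179, not this change) out of this commit, since as landed it also ends up in this revision's log message.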
@@ -99,6 +123,7 @@
* js/regress/v8-raytrace-with-try-catch-high-frequency-throws-expected.txt: Added.
* js/regress/v8-raytrace-with-try-catch-high-frequency-throws.html: Added.
+>>>>>>> .r195836
2016-01-29 Carlos Alberto Lopez Perez <[email protected]>
[GTK] Unreviewed gardening after r195740 (v2).
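Review bot: the `+>>>>>>> .r195836` line is the closing half of the conflict markers from the first hunk and does not belong in the ChangeLog; remove it together with the `<<<<<<< .mine` and `=======` lines above.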
Added: trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt (0 => 195837)
--- trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt 2016-01-29 21:00:24 UTC (rev 195837)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 22: WebGL: INVALID_OPERATION: drawArrays: attempt to access out of bounds arrays
+PASS. You didn't crash.
+
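Review bot: the expected console message pins the error to `line 22`, which is the `gl.drawArrays(gl.TRIANGLES, 22000, 440000);` line of webgl-drawarrays-crash.html, so this expectation is line-number sensitive: any later edit to the head of the test (for instance fixing the script include) shifts that number and fails the test until the expectation is rebaselined. Worth a comment in the test, or moving the draw call to a fixed early line.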
Added: trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html (0 => 195837)
--- trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html (rev 0)
+++ trunk/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html 2016-01-29 21:00:24 UTC (rev 195837)
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src="" </script>
+ <script>
+ function runTest()
+ {
+ var canvas = document.getElementById('webgl-canvas');
+ var gl = WebGLTestUtils.create3DContext(canvas);
+ var fragmentShader = gl.createShader(gl.FRAGMENT_SHADER);
+ var program = gl.createProgram();
+ var vertexShader = gl.createShader(gl.VERTEX_SHADER);
+ gl.shaderSource(vertexShader, 'attribute vec2 pos; void main() { gl_Position = vec4(pos, 0, 1); }');
+ gl.compileShader(vertexShader);
+ gl.shaderSource(fragmentShader, 'precision mediump float; void main() { gl_FragColor = vec4(0,0.8,0,1); }');
+ gl.compileShader(fragmentShader);
+ gl.attachShader(program, vertexShader);
+ gl.shaderSource(vertexShader, 'attribute vec2 pos; void main() { gl_Position = vec4(pos, 0, 1); }');
+ gl.attachShader(program, fragmentShader);
+ gl.linkProgram(program);
+ gl.useProgram(program);
+ gl.drawArrays(gl.TRIANGLES, 22000, 440000);
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.overridePreference("WebKitAcceleratedCompositingEnabled", "1");
+ testRunner.overridePreference("WebKitWebGLEnabled", "1");
+ testRunner.waitUntilDone();
+ }
+
+ window._onpageshow_ = runTest;
+ </script>
+</head>
+<body>
+ <div>PASS. You didn't crash.</div>
+ <canvas id="webgl-canvas" width="100px" height="100px"></canvas>
+</body>
+</html>
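Review bot: the test page cannot run as shown: line 4 is `<script src="" </script>`, with an empty `src` and no closing `>` on the opening tag, so `WebGLTestUtils.create3DContext` used in runTest() has no definition, and `window._onpageshow_ = runTest;` assigns a plain property rather than the `onpageshow` event handler, so runTest would never be invoked. If these are artifacts of the commit viewer, confirm the landed file has the real utility script include and `window.onpageshow = runTest;`. Also, the second `gl.shaderSource(vertexShader, ...)` after `gl.attachShader(program, vertexShader)` repeats the earlier call and has no effect on the already compiled shader; drop it. Leaving out any `bindBuffer`/`enableVertexAttribArray` before the draw with a 440000-element range is the intended condition for the new validateDrawArrays guard, so that part should stay.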
Modified: trunk/Source/WebCore/ChangeLog (195836 => 195837)
--- trunk/Source/WebCore/ChangeLog 2016-01-29 20:37:52 UTC (rev 195836)
+++ trunk/Source/WebCore/ChangeLog 2016-01-29 21:00:24 UTC (rev 195837)
@@ -1,3 +1,19 @@
+2016-01-29 Brent Fulgham <[email protected]>
+
+ [WebGL] Check vertex array bounds before permitting a glDrawArrays to execute
+ https://bugs.webkit.org/show_bug.cgi?id=153643
+ <rdar://problem/23424456>
+
+ Reviewed by Dean Jackson.
+
+ Tested by fast/canvas/webgl/webgl-drawarrays-crash.html.
+
+ * html/canvas/WebGLRenderingContextBase.cpp:
+ (WebCore::WebGLRenderingContextBase::validateDrawArrays): Make sure that we have at
+ least one buffer bound to a program if a drawArray call with a non-zero range of
+ requested data is being made.
+ (WebCore::WebGLRenderingContextBase::validateDrawElements): Drive-by formatting fix.
+
2016-01-29 Brady Eidson <[email protected]>
Modern IDB: Fix logging that overwhelms python with strings of excessive length.
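Review bot: the entry describes the fix as ensuring "at least one buffer bound to a program", but the code change rejects a non-zero draw range when no vertex attribute array is enabled and the program is not using generic vertex attrib 0; align the ChangeLog wording with the actual condition so future readers of validateDrawArrays are not looking for a buffer-binding check.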
Modified: trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp (195836 => 195837)
--- trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2016-01-29 20:37:52 UTC (rev 195836)
+++ trunk/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp 2016-01-29 21:00:24 UTC (rev 195837)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1720,6 +1720,10 @@
if (!sawNonInstancedAttrib && sawEnabledAttrib)
return false;
+ // Guard against access into non-existent buffers.
+ if (elementCount && !sawEnabledAttrib && !m_currentProgram->isUsingVertexAttrib0())
+ return false;
+
return true;
}
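Review bot: the new guard `+ if (elementCount && !sawEnabledAttrib && !m_currentProgram->isUsingVertexAttrib0())` dereferences m_currentProgram, and the visible context shows no null check for it; confirm this function already rejects a null m_currentProgram before the attribute loop, or add `if (!m_currentProgram) return false;` ahead of it. The guard also returns false silently, so it relies on the caller to synthesize the INVALID_OPERATION error that the expected output records; make the comment say what the condition means (a non-zero draw range with no enabled attribute arrays and no attrib 0 fallback has no buffer to read from) rather than only "non-existent buffers".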
@@ -1792,10 +1796,10 @@
bool WebGLRenderingContextBase::validateDrawElements(const char* functionName, GC3Denum mode, GC3Dsizei count, GC3Denum type, long long offset, unsigned& numElements, GC3Dsizei primitiveCount)
{
if (isContextLostOrPending() || !validateDrawMode(functionName, mode))
- return false;
+ return false;
if (!validateStencilSettings(functionName))
- return false;
+ return false;
switch (type) {
case GraphicsContext3D::UNSIGNED_BYTE:
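Review bot: this hunk only re-indents two `return false;` lines in validateDrawElements; whitespace-only changes bundled into a bounds-check fix make the substantive change harder to cherry-pick and audit on branches. The ChangeLog does flag it as a drive-by, so keep it if reviewers are fine with that, otherwise land the formatting separately.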