https://bugs.webkit.org/show_bug.cgi?id=167329
Reviewed by Saam Barati.
Source/JavaScriptCore:
DOM unwrapping methods should return null rather than crashing. The code expects an
unshared buffer, so we should return null when it's shared. The caller can then decide
if they like null or not.
* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::toWrapped):
LayoutTests:
This test used to crash and now it doesn't. It throws some exception.
* js/shared-array-buffer-webgl-expected.txt: Added.
* js/shared-array-buffer-webgl.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@211065
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2017-01-23 Filip Pizlo <fpizlo@apple.com>
+
+ SharedArrayBuffer plus WebGL should not equal CRASH
+ https://bugs.webkit.org/show_bug.cgi?id=167329
+
+ Reviewed by Saam Barati.
+
+ This test used to crash and now it doesn't. It throws some exception.
+
+ * js/shared-array-buffer-webgl-expected.txt: Added.
+ * js/shared-array-buffer-webgl.html: Added.
+
2017-01-23 Myles C. Maxfield <mmaxfield@apple.com>
Migrate font variations tests to using David Jonathan Ross's Boxis font
--- /dev/null
+Test that passing a SharedArrayBuffer to WebGL does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<canvas id="canvas"></canvas>
+<script>
+description('Test that passing a SharedArrayBuffer to WebGL does not crash.')
+
+var canvas = document.getElementById("canvas");
+var gl = canvas.getContext("webgl");
+var texture = gl.createTexture();
+
+var ext = (
+ gl.getExtension("WEBGL_compressed_texture_s3tc") ||
+ gl.getExtension("MOZ_WEBGL_compressed_texture_s3tc") ||
+ gl.getExtension("WEBKIT_WEBGL_compressed_texture_s3tc")
+);
+
+var data = new SharedArrayBuffer(1024);
+var view = new Uint8Array(data);
+
+try {
+ var texture = gl.createTexture();
+ gl.bindTexture(gl.TEXTURE_2D, texture);
+ gl.compressedTexImage2D(gl.TEXTURE_2D, 0, ext.COMPRESSED_RGBA_S3TC_DXT5_EXT, 512, 512, 0, view);
+} catch (e) { } // This shouldn't crash.
+</script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
+2017-01-23 Filip Pizlo <fpizlo@apple.com>
+
+ SharedArrayBuffer plus WebGL should not equal CRASH
+ https://bugs.webkit.org/show_bug.cgi?id=167329
+
+ Reviewed by Saam Barati.
+
+ DOM unwrapping methods should return null rather than crashing. The code expects an
+ unshared buffer, so we should return null when it's shared. The caller can then decide
+ if they like null or not.
+
+ * runtime/JSArrayBufferViewInlines.h:
+ (JSC::JSArrayBufferView::toWrapped):
+
2017-01-23 Mark Lam <mark.lam@apple.com>
ObjCCallbackFunction::destroy() should not use jsCast().
inline RefPtr<ArrayBufferView> JSArrayBufferView::toWrapped(JSValue value)
{
- if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(value))
- return view->unsharedImpl();
+ if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(value)) {
+ if (!view->isShared())
+ return view->unsharedImpl();
+ }
return nullptr;
}
git://git.webkit.org / WebKit-https.git / commitdiff