Source/WebCore:

author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Fri, 29 Jan 2016 21:00:24 +0000 (21:00 +0000)

committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Fri, 29 Jan 2016 21:00:24 +0000 (21:00 +0000)
author bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 29 Jan 2016 21:00:24 +0000 (21:00 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 29 Jan 2016 21:00:24 +0000 (21:00 +0000)
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog

index 9f17549..4ffa277 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,27 @@
+2015-12-22  Pranjal Jumde  <pjumde@apple.com>
+
+        Test to check for stack recursion when indexed propertyNames defined using Object.defineProperty are deleted.
+        https://bugs.webkit.org/show_bug.cgi?id=149179
+        <rdar://problem/22708019>.
+
+        Reviewed by Dean Jackson.
+
+        * storage/domstorage/localstorage/delete-defineproperty-removal-expected.txt: Added.
+        * storage/domstorage/localstorage/delete-defineproperty-removal.html: Added.
+
+<<<<<<< .mine
+2016-01-29  Brent Fulgham  <bfulgham@apple.com>
+
+        [WebGL] Check vertex array bounds before permitting a glDrawArrays to execute
+        https://bugs.webkit.org/show_bug.cgi?id=153643
+        <rdar://problem/23424456>
+
+        Reviewed by Dean Jackson.
+
+        * fast/canvas/webgl/webgl-drawarrays-crash-expected.txt: Added.
+        * fast/canvas/webgl/webgl-drawarrays-crash.html: Added.
+
+=======
  2016-01-29  Ryan Haddad  <ryanhaddad@apple.com>
  
          Rebaseline fast/forms tests after r195700
@@ -99,6 +123,7 @@
          * js/regress/v8-raytrace-with-try-catch-high-frequency-throws-expected.txt: Added.
          * js/regress/v8-raytrace-with-try-catch-high-frequency-throws.html: Added.
  
+>>>>>>> .r195836
  2016-01-29  Carlos Alberto Lopez Perez  <clopez@igalia.com>
  
          [GTK] Unreviewed gardening after r195740 (v2).
diff --git a/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt b/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt

new file mode 100644 (file)

index 0000000..76327bc
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 22: WebGL: INVALID_OPERATION: drawArrays: attempt to access out of bounds arrays
+PASS. You didn't crash.
+
diff --git a/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html b/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html

new file mode 100644 (file)

index 0000000..29bf84b
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src="resources/webgl-test-utils.js"> </script>
+    <script>
+    function runTest()
+    {
+        var canvas = document.getElementById('webgl-canvas');
+        var gl = WebGLTestUtils.create3DContext(canvas);
+        var fragmentShader = gl.createShader(gl.FRAGMENT_SHADER);
+        var program = gl.createProgram();
+        var vertexShader = gl.createShader(gl.VERTEX_SHADER);
+        gl.shaderSource(vertexShader, 'attribute vec2 pos; void main() { gl_Position = vec4(pos, 0, 1); }');
+        gl.compileShader(vertexShader);
+        gl.shaderSource(fragmentShader, 'precision mediump float; void main() { gl_FragColor = vec4(0,0.8,0,1); }');
+        gl.compileShader(fragmentShader);
+        gl.attachShader(program, vertexShader);
+        gl.shaderSource(vertexShader, 'attribute vec2 pos; void main() { gl_Position = vec4(pos, 0, 1); }');
+        gl.attachShader(program, fragmentShader);
+        gl.linkProgram(program);
+        gl.useProgram(program);
+        gl.drawArrays(gl.TRIANGLES, 22000, 440000);
+
+        if (window.testRunner)
+          testRunner.notifyDone();
+    }
+
+    if (window.testRunner) {
+      testRunner.dumpAsText();
+      testRunner.overridePreference("WebKitAcceleratedCompositingEnabled", "1");
+      testRunner.overridePreference("WebKitWebGLEnabled", "1");
+      testRunner.waitUntilDone();
+    }
+
+    window.onpageshow = runTest;
+    </script>
+</head>
+<body>
+    <div>PASS. You didn't crash.</div>
+    <canvas id="webgl-canvas" width="100px" height="100px"></canvas>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog

index 6587295..f9c567a 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2016-01-29  Brent Fulgham  <bfulgham@apple.com>
+
+        [WebGL] Check vertex array bounds before permitting a glDrawArrays to execute
+        https://bugs.webkit.org/show_bug.cgi?id=153643
+        <rdar://problem/23424456>
+
+        Reviewed by Dean Jackson.
+
+        Tested by fast/canvas/webgl/webgl-drawarrays-crash.html.
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::validateDrawArrays): Make sure that we have at
+        least one buffer bound to a program if a drawArray call with a non-zero range of
+        requested data is being made.
+        (WebCore::WebGLRenderingContextBase::validateDrawElements): Drive-by formatting fix.
+
  2016-01-29  Brady Eidson  <beidson@apple.com>
  
          Modern IDB: Fix logging that overwhelms python with strings of excessive length.
diff --git a/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp b/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp

index f44a4c5..0427c47 100644 (file)
--- a/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
+++ b/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
@@ -1720,6 +1720,10 @@ bool WebGLRenderingContextBase::validateVertexAttributes(unsigned elementCount,
      if (!sawNonInstancedAttrib && sawEnabledAttrib)
          return false;
  
+    // Guard against access into non-existent buffers.
+    if (elementCount && !sawEnabledAttrib && !m_currentProgram->isUsingVertexAttrib0())
+        return false;
+
      return true;
  }
  
@@ -1792,10 +1796,10 @@ bool WebGLRenderingContextBase::validateDrawArrays(const char* functionName, GC3
  bool WebGLRenderingContextBase::validateDrawElements(const char* functionName, GC3Denum mode, GC3Dsizei count, GC3Denum type, long long offset, unsigned& numElements, GC3Dsizei primitiveCount)
  {
      if (isContextLostOrPending() || !validateDrawMode(functionName, mode))
-    return false;
+        return false;
      
      if (!validateStencilSettings(functionName))
-    return false;
+        return false;
      
      switch (type) {
      case GraphicsContext3D::UNSIGNED_BYTE:
author	bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 29 Jan 2016 21:00:24 +0000 (21:00 +0000)
committer	bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Fri, 29 Jan 2016 21:00:24 +0000 (21:00 +0000)
LayoutTests/ChangeLog		patch \| blob \| history
LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash-expected.txt	[new file with mode: 0644]	patch \| blob
LayoutTests/fast/canvas/webgl/webgl-drawarrays-crash.html	[new file with mode: 0644]	patch \| blob
Source/WebCore/ChangeLog		patch \| blob \| history
Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp		patch \| blob \| history