WebGL: Reset simulated values after validation fails

https://bugs.webkit.org/show_bug.cgi?id=185363
<rdar://problem/39733417>

Reviewed by Anders Carlsson.

Source/WebCore:

While fixing a previous bug, I forgot to reset some values
when validation fails. This caused a bug where a subsequent
invalid call might use those values and escape detection.

Test: fast/canvas/webgl/index-validation-with-subsequent-draws.html

* html/canvas/WebGLRenderingContextBase.cpp:
(WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Reset the
sizes when validation fails.
* html/canvas/WebGLRenderingContextBase.h:

LayoutTests:

* fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt: Added.
* fast/canvas/webgl/index-validation-with-subsequent-draws.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231441 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c2122db..7d78ffe 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2018-05-06  Dean Jackson  <dino@apple.com>
+
+        WebGL: Reset simulated values after validation fails
+        https://bugs.webkit.org/show_bug.cgi?id=185363
+        <rdar://problem/39733417>
+
+        Reviewed by Anders Carlsson.
+
+        * fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt: Added.
+        * fast/canvas/webgl/index-validation-with-subsequent-draws.html: Added.
+
 2018-05-07  Ms2ger  <Ms2ger@igalia.com>
 
         Support negative sw/sh values in createImageBitmap().

diff --git a/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt b/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt
new file mode 100644 (file)
index 0000000..a1dd990
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws-expected.txt
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 50: WebGL: INVALID_OPERATION: drawElements: unable to simulate vertexAttrib0 array
+CONSOLE MESSAGE: line 56: WebGL: INVALID_OPERATION: drawElements: unable to simulate vertexAttrib0 array
+

diff --git a/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws.html b/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws.html
new file mode 100644 (file)
index 0000000..7ab76f0
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/index-validation-with-subsequent-draws.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>\r
+<html>\r
+<script id='2d-vertex-shader' type='x-shader/x-vertex'>\r
+    attribute vec4 a_Position; \r
+    void main() { gl_Position = a_Position; }\r
+</script>\r
+<script id='2d-fragment-shader' type='x-shader/x-fragment'>\r
+    void main( void ) {}\r
+</script>\r
+<body>\r
+<canvas id="canvas1" width="20" height="20"></canvas>\r
+<script>\r
+if (window.testRunner)\r
+    testRunner.dumpAsText();\r
+\r
+// Boilerplate set-up.\r
+let canvas = document.getElementById('canvas1');\r
+let gl = canvas.getContext('webgl');\r
+\r
+let vShader = gl.createShader(gl.VERTEX_SHADER);\r
+let vShaderScript = document.getElementById('2d-vertex-shader');\r
+gl.shaderSource(vShader, vShaderScript.text);\r
+gl.compileShader(vShader);\r
+\r
+let fShader = gl.createShader(gl.FRAGMENT_SHADER);\r
+let fShaderScript = document.getElementById('2d-fragment-shader');\r
+gl.shaderSource(fShader, fShaderScript.text);\r
+gl.compileShader(fShader);\r
+\r
+let program = gl.createProgram();\r
+gl.attachShader(program, vShader);\r
+gl.attachShader(program, fShader);\r
+gl.linkProgram(program);\r
+gl.useProgram(program);\r
+\r
+gl.getExtension("OES_element_index_uint");\r
+let ext = gl.getExtension('ANGLE_instanced_arrays');\r
+\r
+// Execute a draw that is valid, if strange.\r
+let buffer = gl.createBuffer();\r
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, buffer);\r
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, new Uint8ClampedArray([256, 256, 256, 256]), gl.STATIC_DRAW);\r
+ext.drawElementsInstancedANGLE(gl.TRIANGLES, 2, gl.UNSIGNED_SHORT, 0, gl.UNSIGNED_SHORT);\r
+\r
+// Execute a draw that is invalid because an element index is too large.\r
+buffer = gl.createBuffer();\r
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, buffer);\r
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, new Uint16Array([65536, 137413, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536, 65536]), gl.STATIC_DRAW);\r
+gl.bufferSubData(gl.ELEMENT_ARRAY_BUFFER, 10, new Uint8ClampedArray([256, 256, 256, 256, 256, 256]));\r
+gl.drawElements(gl.TRIANGLES, 1, gl.UNSIGNED_INT, 0);\r
+\r
+// Now execute a similarly invalid call, that uses a smaller simulated buffer than the previous invalid call.\r
+buffer = gl.createBuffer();\r
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, buffer);\r
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, new Uint8ClampedArray([256, 256, 256, 256, 256, 256]), gl.STATIC_DRAW);\r
+gl.drawElements(gl.TRIANGLES, 1, gl.UNSIGNED_SHORT, 0);\r
+</script>\r
+</html>
\ No newline at end of file

diff --git a/LayoutTests/platform/mac/TestExpectations b/LayoutTests/platform/mac/TestExpectations
index 8708f37..7fd7731 100644 (file)
--- a/LayoutTests/platform/mac/TestExpectations
+++ b/LayoutTests/platform/mac/TestExpectations
@@ -1701,9 +1701,10 @@ webkit.org/b/181479 http/tests/misc/slow-loading-animated-image.html [ Pass Imag
 
 webkit.org/b/181494 accessibility/mac/aria-multiple-liveregions-notification.html [ Pass Failure ]
 
-# A lot of GPU hardware simply crashes with this test, since it allocates a lot of memory.
-# It is enabled on systems that instead return GL_OUT_OF_MEMORY.
+# A lot of GPU hardware simply crashes with these tests, since they allocate a lot of memory.
+# They are enabled on systems that instead return GL_OUT_OF_MEMORY.
 [ ElCapitan Sierra ] fast/canvas/webgl/simulated-vertexAttrib0-invalid-indicies.html [ Skip ]
+[ ElCapitan Sierra ] fast/canvas/webgl/index-validation-with-subsequent-draws.html [ Skip ]
 
 webkit.org/b/181100 inspector/worker/worker-recover-if-inspector-close.html [ Pass Failure ]
 

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index b537d68..e5d587c 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2018-05-06  Dean Jackson  <dino@apple.com>
+
+        WebGL: Reset simulated values after validation fails
+        https://bugs.webkit.org/show_bug.cgi?id=185363
+        <rdar://problem/39733417>
+
+        Reviewed by Anders Carlsson.
+
+        While fixing a previous bug, I forgot to reset some values
+        when validation fails. This caused a bug where a subsequent
+        invalid call might use those values and escape detection.
+
+        Test: fast/canvas/webgl/index-validation-with-subsequent-draws.html
+
+        * html/canvas/WebGLRenderingContextBase.cpp:
+        (WebCore::WebGLRenderingContextBase::simulateVertexAttrib0): Reset the
+        sizes when validation fails.
+        * html/canvas/WebGLRenderingContextBase.h:
+
 2018-05-07  Ms2ger  <Ms2ger@igalia.com>
 
         Support negative sw/sh values in createImageBitmap().

diff --git a/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp b/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
index 7875da8..0e5bfa1 100644 (file)
--- a/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
+++ b/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp
@@ -5871,6 +5871,8 @@ std::optional<bool> WebGLRenderingContextBase::simulateVertexAttrib0(GC3Duint nu
         if (m_context->getError() != GraphicsContext3D::NO_ERROR) {
             // We were unable to create a buffer.
             m_vertexAttrib0UsedBefore = false;
+            m_vertexAttrib0BufferSize = 0;
+            m_forceAttrib0BufferRefill = true;
             return std::nullopt;
         }
         m_vertexAttrib0BufferSize = bufferDataSize;

diff --git a/Source/WebCore/html/canvas/WebGLRenderingContextBase.h b/Source/WebCore/html/canvas/WebGLRenderingContextBase.h
index d2a3919..9d80382 100644 (file)
--- a/Source/WebCore/html/canvas/WebGLRenderingContextBase.h
+++ b/Source/WebCore/html/canvas/WebGLRenderingContextBase.h
@@ -488,10 +488,10 @@ protected:
     Vector<VertexAttribValue> m_vertexAttribValue;
     unsigned m_maxVertexAttribs;
     RefPtr<WebGLBuffer> m_vertexAttrib0Buffer;
-    long m_vertexAttrib0BufferSize;
+    long m_vertexAttrib0BufferSize { 0 };
     GC3Dfloat m_vertexAttrib0BufferValue[4];
-    bool m_forceAttrib0BufferRefill;
-    bool m_vertexAttrib0UsedBefore;
+    bool m_forceAttrib0BufferRefill { true };
+    bool m_vertexAttrib0UsedBefore { false };
 
     RefPtr<WebGLProgram> m_currentProgram;
     RefPtr<WebGLFramebuffer> m_framebufferBinding;