From 3aee683a0b0cf7aab24756757515b7854225242b Mon Sep 17 00:00:00 2001
From: "fpizlo@apple.com"
 <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon, 23 Jan 2017 23:13:41 +0000
Subject: [PATCH] SharedArrayBuffer plus WebGL should not equal CRASH
 https://bugs.webkit.org/show_bug.cgi?id=167329

Reviewed by Saam Barati.

Source/JavaScriptCore:

DOM unwrapping methods should return null rather than crashing. The code expects an
unshared buffer, so we should return null when it's shared. The caller can then decide
if they like null or not.

* runtime/JSArrayBufferViewInlines.h:
(JSC::JSArrayBufferView::toWrapped):

LayoutTests:

This test used to crash and now it doesn't. It throws some exception.

* js/shared-array-buffer-webgl-expected.txt: Added.
* js/shared-array-buffer-webgl.html: Added.



git-svn-id: https://svn.webkit.org/repository/webkit/trunk@211065 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog                              | 12 ++++++++
 .../js/shared-array-buffer-webgl-expected.txt      |  9 ++++++
 LayoutTests/js/shared-array-buffer-webgl.html      | 32 ++++++++++++++++++++++
 Source/JavaScriptCore/ChangeLog                    | 14 ++++++++++
 .../runtime/JSArrayBufferViewInlines.h             |  6 ++--
 5 files changed, 71 insertions(+), 2 deletions(-)
 create mode 100644 LayoutTests/js/shared-array-buffer-webgl-expected.txt
 create mode 100644 LayoutTests/js/shared-array-buffer-webgl.html

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3b5baa7..d6eb370 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2017-01-23  Filip Pizlo  <fpizlo@apple.com>
+
+        SharedArrayBuffer plus WebGL should not equal CRASH
+        https://bugs.webkit.org/show_bug.cgi?id=167329
+
+        Reviewed by Saam Barati.
+        
+        This test used to crash and now it doesn't. It throws some exception.
+
+        * js/shared-array-buffer-webgl-expected.txt: Added.
+        * js/shared-array-buffer-webgl.html: Added.
+
 2017-01-23  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Migrate font variations tests to using David Jonathan Ross's Boxis font
diff --git a/LayoutTests/js/shared-array-buffer-webgl-expected.txt b/LayoutTests/js/shared-array-buffer-webgl-expected.txt
new file mode 100644
index 0000000..bceeaa6
--- /dev/null
+++ b/LayoutTests/js/shared-array-buffer-webgl-expected.txt
@@ -0,0 +1,9 @@
+Test that passing a SharedArrayBuffer to WebGL does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/js/shared-array-buffer-webgl.html b/LayoutTests/js/shared-array-buffer-webgl.html
new file mode 100644
index 0000000..855da05
--- /dev/null
+++ b/LayoutTests/js/shared-array-buffer-webgl.html
@@ -0,0 +1,32 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<canvas id="canvas"></canvas>
+<script>
+description('Test that passing a SharedArrayBuffer to WebGL does not crash.')
+
+var canvas = document.getElementById("canvas");
+var gl = canvas.getContext("webgl");
+var texture = gl.createTexture();
+
+var ext = (
+  gl.getExtension("WEBGL_compressed_texture_s3tc") ||
+  gl.getExtension("MOZ_WEBGL_compressed_texture_s3tc") ||
+  gl.getExtension("WEBKIT_WEBGL_compressed_texture_s3tc")
+);
+
+var data = new SharedArrayBuffer(1024);
+var view = new Uint8Array(data);
+
+try {
+    var texture = gl.createTexture();
+    gl.bindTexture(gl.TEXTURE_2D, texture);
+    gl.compressedTexImage2D(gl.TEXTURE_2D, 0, ext.COMPRESSED_RGBA_S3TC_DXT5_EXT, 512, 512, 0, view);
+} catch (e) { } // This shouldn't crash.
+</script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index d8c79a1..cdfb050 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2017-01-23  Filip Pizlo  <fpizlo@apple.com>
+
+        SharedArrayBuffer plus WebGL should not equal CRASH
+        https://bugs.webkit.org/show_bug.cgi?id=167329
+
+        Reviewed by Saam Barati.
+        
+        DOM unwrapping methods should return null rather than crashing. The code expects an
+        unshared buffer, so we should return null when it's shared. The caller can then decide
+        if they like null or not.
+
+        * runtime/JSArrayBufferViewInlines.h:
+        (JSC::JSArrayBufferView::toWrapped):
+
 2017-01-23  Mark Lam  <mark.lam@apple.com>
 
         ObjCCallbackFunction::destroy() should not use jsCast().
diff --git a/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h b/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
index a0656ca..2183a4b 100644
--- a/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
+++ b/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
@@ -91,8 +91,10 @@ inline unsigned JSArrayBufferView::byteOffset()
 
 inline RefPtr<ArrayBufferView> JSArrayBufferView::toWrapped(JSValue value)
 {
-    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(value))
-        return view->unsharedImpl();
+    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(value)) {
+        if (!view->isShared())
+            return view->unsharedImpl();
+    }
     return nullptr;
 }
 
-- 
1.8.3.1