2009-11-25 Kenneth Russell <kbr@google.com>
authoreric@webkit.org <eric@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Nov 2009 00:44:39 +0000 (00:44 +0000)
committereric@webkit.org <eric@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Nov 2009 00:44:39 +0000 (00:44 +0000)
        Reviewed by Oliver Hunt.

        Off-by-one error in index validation for drawElements and drawArrays
        https://bugs.webkit.org/show_bug.cgi?id=31891

        Fixed computation of number of elements for bound array objects.

        Test: fast/canvas/webgl/index-validation.html

        * fast/canvas/webgl/index-validation-expected.txt: Added.
        * fast/canvas/webgl/index-validation.html: Added.
        * fast/canvas/webgl/script-tests/index-validation.js: Added.
2009-11-25  Kenneth Russell  <kbr@google.com>

        Reviewed by Oliver Hunt.

        Off-by-one error in index validation for drawElements and drawArrays
        https://bugs.webkit.org/show_bug.cgi?id=31891

        Fixed computation of number of elements for bound array objects.

        Test: fast/canvas/webgl/index-validation.html

        * html/canvas/WebGLRenderingContext.cpp:
        (WebCore::WebGLRenderingContext::vertexAttribPointer):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@51400 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/canvas/webgl/index-validation-expected.txt [new file with mode: 0644]
LayoutTests/fast/canvas/webgl/index-validation.html [new file with mode: 0644]
LayoutTests/fast/canvas/webgl/script-tests/index-validation.js [new file with mode: 0644]
WebCore/ChangeLog
WebCore/html/canvas/WebGLRenderingContext.cpp

index b184c56ccc2e1251af382f4acf8311ae1d21efad..3fd0af18533373c6e1fa8508745e8bcfd4648af4 100644 (file)
@@ -1,3 +1,18 @@
+2009-11-25  Kenneth Russell  <kbr@google.com>
+
+        Reviewed by Oliver Hunt.
+
+        Off-by-one error in index validation for drawElements and drawArrays
+        https://bugs.webkit.org/show_bug.cgi?id=31891
+
+        Fixed computation of number of elements for bound array objects.
+
+        Test: fast/canvas/webgl/index-validation.html
+
+        * fast/canvas/webgl/index-validation-expected.txt: Added.
+        * fast/canvas/webgl/index-validation.html: Added.
+        * fast/canvas/webgl/script-tests/index-validation.js: Added.
+
 2009-11-25  Csaba Osztrogon√°c  <ossy@webkit.org>
 
         [Qt] Remove a bunch of now passing fast tests from skiplist.
diff --git a/LayoutTests/fast/canvas/webgl/index-validation-expected.txt b/LayoutTests/fast/canvas/webgl/index-validation-expected.txt
new file mode 100644 (file)
index 0000000..42cf6f6
--- /dev/null
@@ -0,0 +1,11 @@
+Test of get calls against GL objects like getBufferParameter, etc.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS gl.getError() is 0
+PASS gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0) is undefined.
+PASS gl.getError() is 0
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/index-validation.html b/LayoutTests/fast/canvas/webgl/index-validation.html
new file mode 100644 (file)
index 0000000..4deb3c5
--- /dev/null
@@ -0,0 +1,15 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="resources/webgl-test.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script src="script-tests/index-validation.js"></script>
+
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/canvas/webgl/script-tests/index-validation.js b/LayoutTests/fast/canvas/webgl/script-tests/index-validation.js
new file mode 100644 (file)
index 0000000..083cffe
--- /dev/null
@@ -0,0 +1,32 @@
+description("Test of get calls against GL objects like getBufferParameter, etc.");
+
+var gl = create3DContext();
+var program = loadStandardProgram(gl);
+
+// 3 vertices => 1 triangle, interleaved data
+var data = new WebGLFloatArray([0, 0, 0, 1,
+                                0, 0, 1,
+                                1, 0, 0, 1,
+                                0, 0, 1,
+                                1, 1, 1, 1,
+                                0, 0, 1]);
+var indices = new WebGLUnsignedShortArray([0, 1, 2]);
+
+var buffer = gl.createBuffer();
+gl.bindBuffer(gl.ARRAY_BUFFER, buffer);
+gl.bufferData(gl.ARRAY_BUFFER, data, gl.STATIC_DRAW);
+var elements = gl.createBuffer();
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, elements);
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, indices, gl.STATIC_DRAW);
+gl.useProgram(program);
+var vertexLoc = gl.getAttribLocation(program, "a_vertex");
+var normalLoc = gl.getAttribLocation(program, "a_normal");
+gl.vertexAttribPointer(vertexLoc, 4, gl.FLOAT, false, 7 * gl.sizeInBytes(gl.FLOAT), 0);
+gl.enableVertexAttribArray(vertexLoc);
+gl.vertexAttribPointer(normalLoc, 3, gl.FLOAT, false, 7 * gl.sizeInBytes(gl.FLOAT), 3 * gl.sizeInBytes(gl.FLOAT));
+gl.enableVertexAttribArray(normalLoc);
+shouldBe('gl.getError()', '0');
+shouldBeUndefined('gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0)');
+shouldBe('gl.getError()', '0');
+
+successfullyParsed = true;
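Review bot: The new test only exercises the accepting path (a draw whose indices are all in range) and never checks that an out-of-range index is still rejected, so a later change that over-counts `numElements` would pass it. A second draw with an index buffer that references vertex 3 against this three-vertex buffer, asserting that the call fails, would pin the upper bound as well. The `description(...)` string is copied from the getter test and should name this one, e.g. `description("Tests index validation for drawElements on interleaved array buffers.");`. The normal attribute is also given offset `3 * gl.sizeInBytes(gl.FLOAT)` although the interleaved layout puts four position floats before it; if that overlap is not intentional, `4 * gl.sizeInBytes(gl.FLOAT)` matches the data.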
index 94263a4de46adf1a8f71e2b44e6919bf6fff9013..84bad770ec3bf6e5080ec31ea970feaafda2d4fc 100644 (file)
@@ -1,3 +1,17 @@
+2009-11-25  Kenneth Russell  <kbr@google.com>
+
+        Reviewed by Oliver Hunt.
+
+        Off-by-one error in index validation for drawElements and drawArrays
+        https://bugs.webkit.org/show_bug.cgi?id=31891
+
+        Fixed computation of number of elements for bound array objects.
+
+        Test: fast/canvas/webgl/index-validation.html
+
+        * html/canvas/WebGLRenderingContext.cpp:
+        (WebCore::WebGLRenderingContext::vertexAttribPointer):
+
 2009-11-25  Dmitry Titov  <dimich@chromium.org>
 
         Reviewed by David Levin.
index 6c75947348fea0a425a346ad1e066a7eb2204638..32222d4559b758ecb80dd3fbb1d71b9345be0276 100644 (file)
@@ -2046,6 +2046,7 @@ void WebGLRenderingContext::vertexAttrib4fv(unsigned long indx, float* v, int si
 void WebGLRenderingContext::vertexAttribPointer(unsigned long indx, long size, unsigned long type, bool normalized, unsigned long stride, unsigned long offset, ExceptionCode& ec)
 {
     if (!m_boundArrayBuffer || indx >= m_maxVertexAttribs) {
+        // FIXME: raise GL_INVALID_VALUE error
         ec = INVALID_STATE_ERR;
         return;
     }
@@ -2058,17 +2059,25 @@ void WebGLRenderingContext::vertexAttribPointer(unsigned long indx, long size, u
     long bytesPerElement = size * sizeInBytes(type, ec);
     if (ec != 0)
         return;
-        
+    long validatedStride = bytesPerElement;
     if (stride != 0) {
         if ((long) stride < bytesPerElement) {
+            // FIXME: raise GL_INVALID_VALUE error
             ec = SYNTAX_ERR;
             return;
         }
         
-        bytesPerElement = stride;
+        validatedStride = stride;
     }
         
-    m_vertexAttribState[indx].numElements = (m_boundArrayBuffer->byteLength(GraphicsContext3D::ARRAY_BUFFER) - offset) / bytesPerElement;
+    // Avoid off-by-one errors in numElements computation.
+    // For the last element, we will only touch the data for the
+    // element and nothing beyond it.
+    long bytesRemaining = m_boundArrayBuffer->byteLength(GraphicsContext3D::ARRAY_BUFFER) - offset;
+    if (bytesRemaining < bytesPerElement)
+        m_vertexAttribState[indx].numElements = 0;
+    else
+        m_vertexAttribState[indx].numElements = 1 + (bytesRemaining - bytesPerElement) / validatedStride;
 
     m_context->vertexAttribPointer(indx, size, type, normalized, stride, offset);
     cleanupAfterGraphicsCall(false);
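Review bot: The `bytesRemaining` subtraction has no explicit check that `offset` is within the bound buffer. `offset` is `unsigned long`, so if `byteLength()` returns an unsigned or narrower type (its declaration is not visible here), an offset past the end wraps. The `bytesRemaining < bytesPerElement` test then catches it only when the converted `long` happens to be negative, and a large enough offset would leave a large positive `bytesRemaining` and an inflated `numElements`, which the draw-call validation presumably trusts. Comparing before subtracting makes this independent of the types, e.g. `if (offset > (unsigned long) m_boundArrayBuffer->byteLength(GraphicsContext3D::ARRAY_BUFFER)) { m_vertexAttribState[indx].numElements = 0; }` ahead of the existing computation. The `(long) stride` cast and the `size * sizeInBytes(type, ec)` product deserve the same range check. The function body starts and ends outside this hunk, so an earlier guard may already cover some of this.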