[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.16-1409-g5afdf4d

eric at webkit.org eric at webkit.org
Thu Dec 3 13:44:59 UTC 2009 

The following commit has been merged in the webkit-1.1 branch:
commit 91d94935886d1c346e975658287b049372d6b918
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Nov 26 00:44:39 2009 +0000

    2009-11-25  Kenneth Russell  <kbr at google.com>
    
            Reviewed by Oliver Hunt.
    
            Off-by-one error in index validation for drawElements and drawArrays
            https://bugs.webkit.org/show_bug.cgi?id=31891
    
            Fixed computation of number of elements for bound array objects.
    
            Test: fast/canvas/webgl/index-validation.html
    
            * fast/canvas/webgl/index-validation-expected.txt: Added.
            * fast/canvas/webgl/index-validation.html: Added.
            * fast/canvas/webgl/script-tests/index-validation.js: Added.
    2009-11-25  Kenneth Russell  <kbr at google.com>
    
            Reviewed by Oliver Hunt.
    
            Off-by-one error in index validation for drawElements and drawArrays
            https://bugs.webkit.org/show_bug.cgi?id=31891
    
            Fixed computation of number of elements for bound array objects.
    
            Test: fast/canvas/webgl/index-validation.html
    
            * html/canvas/WebGLRenderingContext.cpp:
            (WebCore::WebGLRenderingContext::vertexAttribPointer):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51400 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b184c56..3fd0af1 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2009-11-25  Kenneth Russell  <kbr at google.com>
+
+        Reviewed by Oliver Hunt.
+
+        Off-by-one error in index validation for drawElements and drawArrays
+        https://bugs.webkit.org/show_bug.cgi?id=31891
+
+        Fixed computation of number of elements for bound array objects.
+
+        Test: fast/canvas/webgl/index-validation.html
+
+        * fast/canvas/webgl/index-validation-expected.txt: Added.
+        * fast/canvas/webgl/index-validation.html: Added.
+        * fast/canvas/webgl/script-tests/index-validation.js: Added.
+
 2009-11-25  Csaba Osztrogonác  <ossy at webkit.org>
 
         [Qt] Remove a bunch of now passing fast tests from skiplist.
diff --git a/LayoutTests/fast/canvas/webgl/index-validation-expected.txt b/LayoutTests/fast/canvas/webgl/index-validation-expected.txt
new file mode 100644
index 0000000..42cf6f6
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/index-validation-expected.txt
@@ -0,0 +1,11 @@
+Test of get calls against GL objects like getBufferParameter, etc.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS gl.getError() is 0
+PASS gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0) is undefined.
+PASS gl.getError() is 0
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/index-validation.html b/LayoutTests/fast/canvas/webgl/index-validation.html
new file mode 100644
index 0000000..4deb3c5
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/index-validation.html
@@ -0,0 +1,15 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="resources/webgl-test.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script src="script-tests/index-validation.js"></script>
+
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/canvas/webgl/script-tests/index-validation.js b/LayoutTests/fast/canvas/webgl/script-tests/index-validation.js
new file mode 100644
index 0000000..083cffe
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/script-tests/index-validation.js
@@ -0,0 +1,32 @@
+description("Test of get calls against GL objects like getBufferParameter, etc.");
+
+var gl = create3DContext();
+var program = loadStandardProgram(gl);
+
+// 3 vertices => 1 triangle, interleaved data
+var data = new WebGLFloatArray([0, 0, 0, 1,
+                                0, 0, 1,
+                                1, 0, 0, 1,
+                                0, 0, 1,
+                                1, 1, 1, 1,
+                                0, 0, 1]);
+var indices = new WebGLUnsignedShortArray([0, 1, 2]);
+
+var buffer = gl.createBuffer();
+gl.bindBuffer(gl.ARRAY_BUFFER, buffer);
+gl.bufferData(gl.ARRAY_BUFFER, data, gl.STATIC_DRAW);
+var elements = gl.createBuffer();
+gl.bindBuffer(gl.ELEMENT_ARRAY_BUFFER, elements);
+gl.bufferData(gl.ELEMENT_ARRAY_BUFFER, indices, gl.STATIC_DRAW);
+gl.useProgram(program);
+var vertexLoc = gl.getAttribLocation(program, "a_vertex");
+var normalLoc = gl.getAttribLocation(program, "a_normal");
+gl.vertexAttribPointer(vertexLoc, 4, gl.FLOAT, false, 7 * gl.sizeInBytes(gl.FLOAT), 0);
+gl.enableVertexAttribArray(vertexLoc);
+gl.vertexAttribPointer(normalLoc, 3, gl.FLOAT, false, 7 * gl.sizeInBytes(gl.FLOAT), 3 * gl.sizeInBytes(gl.FLOAT));
+gl.enableVertexAttribArray(normalLoc);
+shouldBe('gl.getError()', '0');
+shouldBeUndefined('gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0)');
+shouldBe('gl.getError()', '0');
+
+successfullyParsed = true;
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 94263a4..84bad77 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2009-11-25  Kenneth Russell  <kbr at google.com>
+
+        Reviewed by Oliver Hunt.
+
+        Off-by-one error in index validation for drawElements and drawArrays
+        https://bugs.webkit.org/show_bug.cgi?id=31891
+
+        Fixed computation of number of elements for bound array objects.
+
+        Test: fast/canvas/webgl/index-validation.html
+
+        * html/canvas/WebGLRenderingContext.cpp:
+        (WebCore::WebGLRenderingContext::vertexAttribPointer):
+
 2009-11-25  Dmitry Titov  <dimich at chromium.org>
 
         Reviewed by David Levin.
diff --git a/WebCore/html/canvas/WebGLRenderingContext.cpp b/WebCore/html/canvas/WebGLRenderingContext.cpp
index 6c75947..32222d4 100644
--- a/WebCore/html/canvas/WebGLRenderingContext.cpp
+++ b/WebCore/html/canvas/WebGLRenderingContext.cpp
@@ -2046,6 +2046,7 @@ void WebGLRenderingContext::vertexAttrib4fv(unsigned long indx, float* v, int si
 void WebGLRenderingContext::vertexAttribPointer(unsigned long indx, long size, unsigned long type, bool normalized, unsigned long stride, unsigned long offset, ExceptionCode& ec)
 {
     if (!m_boundArrayBuffer || indx >= m_maxVertexAttribs) {
+        // FIXME: raise GL_INVALID_VALUE error
         ec = INVALID_STATE_ERR;
         return;
     }
@@ -2058,17 +2059,25 @@ void WebGLRenderingContext::vertexAttribPointer(unsigned long indx, long size, u
     long bytesPerElement = size * sizeInBytes(type, ec);
     if (ec != 0)
         return;
-        
+    long validatedStride = bytesPerElement;
     if (stride != 0) {
         if ((long) stride < bytesPerElement) {
+            // FIXME: raise GL_INVALID_VALUE error
             ec = SYNTAX_ERR;
             return;
         }
         
-        bytesPerElement = stride;
+        validatedStride = stride;
     }
         
-    m_vertexAttribState[indx].numElements = (m_boundArrayBuffer->byteLength(GraphicsContext3D::ARRAY_BUFFER) - offset) / bytesPerElement;
+    // Avoid off-by-one errors in numElements computation.
+    // For the last element, we will only touch the data for the
+    // element and nothing beyond it.
+    long bytesRemaining = m_boundArrayBuffer->byteLength(GraphicsContext3D::ARRAY_BUFFER) - offset;
+    if (bytesRemaining < bytesPerElement)
+        m_vertexAttribState[indx].numElements = 0;
+    else
+        m_vertexAttribState[indx].numElements = 1 + (bytesRemaining - bytesPerElement) / validatedStride;
 
     m_context->vertexAttribPointer(indx, size, type, normalized, stride, offset);
     cleanupAfterGraphicsCall(false);

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list