[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373
eric at webkit.org
eric at webkit.org
Thu Apr 8 00:52:57 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit be0f93f2ed6e3940ed8282023c36b34a3b9ac1a7
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Jan 4 02:40:02 2010 +0000
2010-01-03 Kenneth Russell <kbr at google.com>
Reviewed by Maciej Stachowiak.
Index validation code must always copy client data
https://bugs.webkit.org/show_bug.cgi?id=32748
Client data must always be copied during bufferData and
bufferSubData calls, because otherwise the data the GL uses to
draw may differ from that checked by the index validation code.
* fast/canvas/webgl/index-validation-copies-indices-expected.txt: Added.
* fast/canvas/webgl/index-validation-copies-indices.html: Added.
2010-01-03 Kenneth Russell <kbr at google.com>
Reviewed by Maciej Stachowiak.
Index validation code must always copy client data
https://bugs.webkit.org/show_bug.cgi?id=32748
Client data must always be copied during bufferData and
bufferSubData calls, because otherwise the data the GL uses to
draw may differ from that checked by the index validation code.
Test: fast/canvas/webgl/index-validation-copies-indices.html
* html/canvas/WebGLBuffer.cpp:
(WebCore::WebGLBuffer::WebGLBuffer):
(WebCore::WebGLBuffer::associateBufferData):
(WebCore::WebGLBuffer::associateBufferSubData):
* html/canvas/WebGLBuffer.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@52700 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index ae223d9..a7248c1 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-01-03 Kenneth Russell <kbr at google.com>
+
+ Reviewed by Maciej Stachowiak.
+
+ Index validation code must always copy client data
+ https://bugs.webkit.org/show_bug.cgi?id=32748
+
+ Client data must always be copied during bufferData and
+ bufferSubData calls, because otherwise the data the GL uses to
+ draw may differ from that checked by the index validation code.
+
+ * fast/canvas/webgl/index-validation-copies-indices-expected.txt: Added.
+ * fast/canvas/webgl/index-validation-copies-indices.html: Added.
+
2010-01-03 Jakub Wieczorek <faw217 at gmail.com>
Reviewed by Eric Seidel.
diff --git a/LayoutTests/fast/canvas/webgl/index-validation-copies-indices-expected.txt b/LayoutTests/fast/canvas/webgl/index-validation-copies-indices-expected.txt
new file mode 100644
index 0000000..b6d11cb
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/index-validation-copies-indices-expected.txt
@@ -0,0 +1,16 @@
+Test that client data is always copied during bufferData and bufferSubData calls, because otherwise the data the GL uses to draw may differ from that checked by the index validation code.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+Regression test for https://bugs.webkit.org/show_bug.cgi?id=32748 : Index validation code must always copy client data
+PASS context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 2) is undefined.
+PASS context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 0) threw exception GL error 1282 in drawElements.
+PASS context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 4) threw exception GL error 1282 in drawElements.
+PASS context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 2) is undefined.
+PASS context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 0) threw exception GL error 1282 in drawElements.
+PASS context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 4) threw exception GL error 1282 in drawElements.
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/index-validation-copies-indices.html b/LayoutTests/fast/canvas/webgl/index-validation-copies-indices.html
new file mode 100644
index 0000000..075ffe7
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/index-validation-copies-indices.html
@@ -0,0 +1,47 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="resources/webgl-test.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+description('Test that client data is always copied during bufferData and bufferSubData calls, because otherwise the data the GL uses to draw may differ from that checked by the index validation code.')
+
+debug('Regression test for <a href="https://bugs.webkit.org/show_bug.cgi?id=32748">https://bugs.webkit.org/show_bug.cgi?id=32748</a> : <code>Index validation code must always copy client data</code>');
+
+var context = create3DDebugContext();
+var program = loadStandardProgram(context);
+
+context.useProgram(program);
+var vertexObject = context.createBuffer();
+context.enableVertexAttribArray(0);
+context.bindBuffer(context.ARRAY_BUFFER, vertexObject);
+// 4 vertices -> 2 triangles
+context.bufferData(context.ARRAY_BUFFER, new WebGLFloatArray([ 0,0,0, 0,1,0, 1,0,0, 1,1,0 ]), context.STATIC_DRAW);
+context.vertexAttribPointer(0, 3, context.FLOAT, false, 0, 0);
+
+var indexObject = context.createBuffer();
+
+context.bindBuffer(context.ELEMENT_ARRAY_BUFFER, indexObject);
+var indices = new WebGLUnsignedShortArray([ 10000, 0, 1, 2, 3, 10000 ]);
+context.bufferData(context.ELEMENT_ARRAY_BUFFER, indices, context.STATIC_DRAW);
+shouldBeUndefined("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 2)");
+shouldThrow("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 0)");
+shouldThrow("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 4)");
+indices[0] = 2;
+indices[5] = 1;
+shouldBeUndefined("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 2)");
+shouldThrow("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 0)");
+shouldThrow("context.drawElements(context.TRIANGLE_STRIP, 4, context.UNSIGNED_SHORT, 4)");
+
+debug("")
+successfullyParsed = true;
+</script>
+
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 4492e6a..c4c175e 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-01-03 Kenneth Russell <kbr at google.com>
+
+ Reviewed by Maciej Stachowiak.
+
+ Index validation code must always copy client data
+ https://bugs.webkit.org/show_bug.cgi?id=32748
+
+ Client data must always be copied during bufferData and
+ bufferSubData calls, because otherwise the data the GL uses to
+ draw may differ from that checked by the index validation code.
+
+ Test: fast/canvas/webgl/index-validation-copies-indices.html
+
+ * html/canvas/WebGLBuffer.cpp:
+ (WebCore::WebGLBuffer::WebGLBuffer):
+ (WebCore::WebGLBuffer::associateBufferData):
+ (WebCore::WebGLBuffer::associateBufferSubData):
+ * html/canvas/WebGLBuffer.h:
+
2010-01-03 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
diff --git a/WebCore/html/canvas/WebGLBuffer.cpp b/WebCore/html/canvas/WebGLBuffer.cpp
index 88d07de..958bedc 100644
--- a/WebCore/html/canvas/WebGLBuffer.cpp
+++ b/WebCore/html/canvas/WebGLBuffer.cpp
@@ -46,7 +46,6 @@ WebGLBuffer::WebGLBuffer(WebGLRenderingContext* ctx)
: CanvasObject(ctx)
, m_elementArrayBufferByteLength(0)
, m_arrayBufferByteLength(0)
- , m_elementArrayBufferCloned(false)
, m_nextAvailableCacheEntry(0)
{
setObject(context()->graphicsContext3D()->createBuffer());
@@ -89,8 +88,10 @@ bool WebGLBuffer::associateBufferData(unsigned long target, WebGLArray* array)
if (target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) {
clearCachedMaxIndices();
m_elementArrayBufferByteLength = array->byteLength();
- m_elementArrayBuffer = array->buffer();
- m_elementArrayBufferCloned = false;
+ // We must always clone the incoming data because client-side
+ // modifications without calling bufferData or bufferSubData
+ // must never be able to change the validation results.
+ m_elementArrayBuffer = WebGLArrayBuffer::create(array->buffer().get());
return true;
}
@@ -118,12 +119,6 @@ bool WebGLBuffer::associateBufferSubData(unsigned long target, long offset, WebG
if (uoffset > m_elementArrayBufferByteLength || array->byteLength() > m_elementArrayBufferByteLength - uoffset)
return false;
- // If we already have a buffer, we need to clone it and add the new data
- if (m_elementArrayBuffer && !m_elementArrayBufferCloned) {
- m_elementArrayBuffer = WebGLArrayBuffer::create(m_elementArrayBuffer.get());
- m_elementArrayBufferCloned = true;
- }
-
memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()) + offset, array->baseAddress(), array->byteLength());
return true;
}
diff --git a/WebCore/html/canvas/WebGLBuffer.h b/WebCore/html/canvas/WebGLBuffer.h
index 4c3f04a..bdb7052 100644
--- a/WebCore/html/canvas/WebGLBuffer.h
+++ b/WebCore/html/canvas/WebGLBuffer.h
@@ -67,7 +67,6 @@ namespace WebCore {
RefPtr<WebGLArrayBuffer> m_elementArrayBuffer;
unsigned m_elementArrayBufferByteLength;
unsigned m_arrayBufferByteLength;
- bool m_elementArrayBufferCloned;
// Optimization for index validation. For each type of index
// (i.e., UNSIGNED_SHORT), cache the maximum index in the
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list