[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
zmo at google.com
zmo at google.com
Wed Dec 22 11:46:59 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 680126730173282b9c017da5f136adbfd0ee450a
Author: zmo at google.com <zmo at google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Aug 6 18:03:51 2010 +0000
2010-08-04 Zhenyao Mo <zmo at google.com>
Reviewed by Dimitri Glazkov.
WebGLBuffer::associateBufferData(ArrayBufferView* array) copies incorrect data for sliced views
https://bugs.webkit.org/show_bug.cgi?id=42124
* html/canvas/WebGLBuffer.cpp:
(WebCore::WebGLBuffer::associateBufferDataImpl): Helper function that's called by all associateBufferData().
(WebCore::WebGLBuffer::associateBufferData): Call associateBufferDataImpl().
(WebCore::WebGLBuffer::associateBufferSubDataImpl): Helper function that's called by all associateBufferSubData().
(WebCore::WebGLBuffer::associateBufferSubData): Call associateBufferSubDataImpl().
* html/canvas/WebGLBuffer.h: Declare helper functions.
2010-08-04 Zhenyao Mo <zmo at google.com>
Reviewed by Dimitri Glazkov.
WebGLBuffer::associateBufferData(ArrayBufferView* array) copies incorrect data for sliced views
https://bugs.webkit.org/show_bug.cgi?id=42124
* fast/canvas/webgl/draw-elements-out-of-bounds-expected.txt: Adding test case for bufferData and bufferSubData with ArrayBufferView input.
* fast/canvas/webgl/draw-elements-out-of-bounds.html: Ditto.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@64859 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 16f57c0..c7e7bc3 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-08-04 Zhenyao Mo <zmo at google.com>
+
+ Reviewed by Dimitri Glazkov.
+
+ WebGLBuffer::associateBufferData(ArrayBufferView* array) copies incorrect data for sliced views
+ https://bugs.webkit.org/show_bug.cgi?id=42124
+
+ * fast/canvas/webgl/draw-elements-out-of-bounds-expected.txt: Adding test case for bufferData and bufferSubData with ArrayBufferView input.
+ * fast/canvas/webgl/draw-elements-out-of-bounds.html: Ditto.
+
2010-08-06 Martin Robinson <mrobinson at igalia.com>
Reviewed by Gustavo Noronha Silva.
diff --git a/LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds-expected.txt b/LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds-expected.txt
index 6ff9c3b..3d8deb8 100644
--- a/LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds-expected.txt
+++ b/LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds-expected.txt
@@ -28,6 +28,12 @@ PASS context.drawElements(context.TRIANGLES, 0, context.UNSIGNED_BYTE, 4) genera
PASS context.drawElements(context.TRIANGLES, 0xffffffff, context.UNSIGNED_BYTE, 0) generated expected GL error: INVALID_VALUE.
PASS context.drawElements(context.TRIANGLES, 0x7fffffff, context.UNSIGNED_BYTE, 0) generated expected GL error: INVALID_OPERATION.
PASS context.drawElements(context.TRIANGLES, 0x7fffffff, context.UNSIGNED_BYTE, 0x7fffffff) generated expected GL error: INVALID_OPERATION.
+PASS context.bufferData(context.ELEMENT_ARRAY_BUFFER, (new Uint8Array([ 3, 0, 1, 2 ])).slice(1), context.STATIC_DRAW) generated expected GL error: NO_ERROR.
+PASS context.drawElements(context.TRIANGLES, 3, context.UNSIGNED_BYTE, 0) generated expected GL error: NO_ERROR.
+PASS context.bufferSubData(context.ELEMENT_ARRAY_BUFFER, 0, new Uint8Array([ 3, 0, 1])) generated expected GL error: NO_ERROR.
+PASS context.drawElements(context.TRIANGLES, 3, context.UNSIGNED_BYTE, 0) generated expected GL error: INVALID_OPERATION.
+PASS context.bufferSubData(context.ELEMENT_ARRAY_BUFFER, 0, (new Uint8Array([ 3, 0, 1, 2 ])).slice(1)) generated expected GL error: NO_ERROR.
+PASS context.drawElements(context.TRIANGLES, 3, context.UNSIGNED_BYTE, 0) generated expected GL error: NO_ERROR.
Test buffer with interleaved (3+2) float vectors
PASS context.drawElements(context.TRIANGLES, 9, context.UNSIGNED_SHORT, 0) generated expected GL error: NO_ERROR.
diff --git a/LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds.html b/LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds.html
index 9f76c52..cd32c1c 100644
--- a/LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds.html
+++ b/LayoutTests/fast/canvas/webgl/draw-elements-out-of-bounds.html
@@ -55,6 +55,13 @@ shouldGenerateGLError(context, context.INVALID_VALUE, "context.drawElements(cont
shouldGenerateGLError(context, context.INVALID_OPERATION, "context.drawElements(context.TRIANGLES, 0x7fffffff, context.UNSIGNED_BYTE, 0)");
shouldGenerateGLError(context, context.INVALID_OPERATION, "context.drawElements(context.TRIANGLES, 0x7fffffff, context.UNSIGNED_BYTE, 0x7fffffff)");
+shouldGenerateGLError(context, context.NO_ERROR, "context.bufferData(context.ELEMENT_ARRAY_BUFFER, (new Uint8Array([ 3, 0, 1, 2 ])).slice(1), context.STATIC_DRAW)");
+shouldGenerateGLError(context, context.NO_ERROR, "context.drawElements(context.TRIANGLES, 3, context.UNSIGNED_BYTE, 0)");
+shouldGenerateGLError(context, context.NO_ERROR, "context.bufferSubData(context.ELEMENT_ARRAY_BUFFER, 0, new Uint8Array([ 3, 0, 1]))");
+shouldGenerateGLError(context, context.INVALID_OPERATION, "context.drawElements(context.TRIANGLES, 3, context.UNSIGNED_BYTE, 0)");
+shouldGenerateGLError(context, context.NO_ERROR, "context.bufferSubData(context.ELEMENT_ARRAY_BUFFER, 0, (new Uint8Array([ 3, 0, 1, 2 ])).slice(1))");
+shouldGenerateGLError(context, context.NO_ERROR, "context.drawElements(context.TRIANGLES, 3, context.UNSIGNED_BYTE, 0)");
+
debug("")
debug("Test buffer with interleaved (3+2) float vectors")
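Review bot: The six added cases only exercise sliced views that fit in the buffer, so the rejection path of the new range checks in WebGLBuffer.cpp is never hit with an ArrayBufferView. After the last added bufferData call the element buffer holds three bytes, so a sliced update at offset 1 should be refused, e.g. `shouldGenerateGLError(context, context.INVALID_VALUE, "context.bufferSubData(context.ELEMENT_ARRAY_BUFFER, 1, (new Uint8Array([ 3, 0, 1, 2 ])).slice(1))");`. The expected error is presumably INVALID_VALUE, but the code that maps a false return to a GL error is not in this diff, so confirm it against WebGLRenderingContext. The matching PASS line would also have to be added to draw-elements-out-of-bounds-expected.txt.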
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 244b3f0..c9b6e36 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-08-04 Zhenyao Mo <zmo at google.com>
+
+ Reviewed by Dimitri Glazkov.
+
+ WebGLBuffer::associateBufferData(ArrayBufferView* array) copies incorrect data for sliced views
+ https://bugs.webkit.org/show_bug.cgi?id=42124
+
+ * html/canvas/WebGLBuffer.cpp:
+ (WebCore::WebGLBuffer::associateBufferDataImpl): Helper function that's called by all associateBufferData().
+ (WebCore::WebGLBuffer::associateBufferData): Call associateBufferDataImpl().
+ (WebCore::WebGLBuffer::associateBufferSubDataImpl): Helper function that's called by all associateBufferSubData().
+ (WebCore::WebGLBuffer::associateBufferSubData): Call associateBufferSubDataImpl().
+ * html/canvas/WebGLBuffer.h: Declare helper functions.
+
2010-08-06 Adam Barth <abarth at webkit.org>
Reviewed by Eric Seidel.
diff --git a/WebCore/html/canvas/WebGLBuffer.cpp b/WebCore/html/canvas/WebGLBuffer.cpp
index be797e2..fc98a9d 100644
--- a/WebCore/html/canvas/WebGLBuffer.cpp
+++ b/WebCore/html/canvas/WebGLBuffer.cpp
@@ -29,6 +29,7 @@
#include "WebGLBuffer.h"
+#include "CheckedInt.h"
#include "WebGLRenderingContext.h"
namespace WebCore {
@@ -53,150 +54,111 @@ void WebGLBuffer::deleteObjectImpl(Platform3DObject object)
context()->graphicsContext3D()->deleteBuffer(object);
}
-bool WebGLBuffer::associateBufferData(int size)
+bool WebGLBuffer::associateBufferDataImpl(ArrayBuffer* array, unsigned byteOffset, unsigned byteLength)
{
- if (!m_target)
- return false;
-
- if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) {
- m_byteLength = size;
- clearCachedMaxIndices();
- m_elementArrayBuffer = ArrayBuffer::create(size, 1);
- if (!m_elementArrayBuffer) {
- m_byteLength = 0;
+ if (array && byteLength) {
+ CheckedInt<uint32_t> checkedOffset(byteOffset);
+ CheckedInt<uint32_t> checkedLength(byteLength);
+ CheckedInt<uint32_t> checkedMax = checkedOffset + checkedLength;
+ if (!checkedMax.valid() || checkedMax.value() > array->byteLength())
return false;
- }
- return true;
}
- if (m_target == GraphicsContext3D::ARRAY_BUFFER) {
- m_byteLength = size;
+ switch (m_target) {
+ case GraphicsContext3D::ELEMENT_ARRAY_BUFFER:
+ m_byteLength = byteLength;
+ clearCachedMaxIndices();
+ if (byteLength) {
+ m_elementArrayBuffer = ArrayBuffer::create(byteLength, 1);
+ if (!m_elementArrayBuffer) {
+ m_byteLength = 0;
+ return false;
+ }
+ if (array) {
+ // We must always clone the incoming data because client-side
+ // modifications without calling bufferData or bufferSubData
+ // must never be able to change the validation results.
+ memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()),
+ static_cast<unsigned char*>(array->data()) + byteOffset,
+ byteLength);
+ }
+ } else
+ m_elementArrayBuffer = 0;
+ return true;
+ case GraphicsContext3D::ARRAY_BUFFER:
+ m_byteLength = byteLength;
return true;
+ default:
+ return false;
}
+}
- return false;
+bool WebGLBuffer::associateBufferData(int size)
+{
+ if (size < 0)
+ return false;
+ return associateBufferDataImpl(0, 0, static_cast<unsigned>(size));
}
bool WebGLBuffer::associateBufferData(ArrayBuffer* array)
{
- if (!m_target)
- return false;
if (!array)
return false;
-
- if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) {
- clearCachedMaxIndices();
- m_byteLength = array->byteLength();
- // We must always clone the incoming data because client-side
- // modifications without calling bufferData or bufferSubData
- // must never be able to change the validation results.
- m_elementArrayBuffer = ArrayBuffer::create(array);
- if (!m_elementArrayBuffer) {
- m_byteLength = 0;
- return false;
- }
- return true;
- }
-
- if (m_target == GraphicsContext3D::ARRAY_BUFFER) {
- m_byteLength = array->byteLength();
- return true;
- }
-
- return false;
+ return associateBufferDataImpl(array, 0, array->byteLength());
}
bool WebGLBuffer::associateBufferData(ArrayBufferView* array)
{
- if (!m_target)
- return false;
if (!array)
return false;
+ return associateBufferDataImpl(array->buffer().get(), array->byteOffset(), array->byteLength());
+}
- if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) {
- clearCachedMaxIndices();
- m_byteLength = array->byteLength();
- // We must always clone the incoming data because client-side
- // modifications without calling bufferData or bufferSubData
- // must never be able to change the validation results.
- m_elementArrayBuffer = ArrayBuffer::create(array->buffer().get());
- if (!m_elementArrayBuffer) {
- m_byteLength = 0;
+bool WebGLBuffer::associateBufferSubDataImpl(long offset, ArrayBuffer* array, unsigned arrayByteOffset, unsigned byteLength)
+{
+ if (!array || offset < 0)
+ return false;
+
+ if (byteLength) {
+ CheckedInt<uint32_t> checkedBufferOffset(offset);
+ CheckedInt<uint32_t> checkedArrayOffset(arrayByteOffset);
+ CheckedInt<uint32_t> checkedLength(byteLength);
+ CheckedInt<uint32_t> checkedArrayMax = checkedArrayOffset + checkedLength;
+ CheckedInt<uint32_t> checkedBufferMax = checkedBufferOffset + checkedLength;
+ if (!checkedArrayMax.valid() || checkedArrayMax.value() > array->byteLength() || !checkedBufferMax.valid() || checkedBufferMax.value() > m_byteLength)
return false;
- }
- return true;
}
- if (m_target == GraphicsContext3D::ARRAY_BUFFER) {
- m_byteLength = array->byteLength();
+ switch (m_target) {
+ case GraphicsContext3D::ELEMENT_ARRAY_BUFFER:
+ clearCachedMaxIndices();
+ if (byteLength) {
+ if (!m_elementArrayBuffer)
+ return false;
+ memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()) + offset,
+ static_cast<unsigned char*>(array->data()) + arrayByteOffset,
+ byteLength);
+ }
return true;
+ case GraphicsContext3D::ARRAY_BUFFER:
+ return true;
+ default:
+ return false;
}
-
- return false;
}
bool WebGLBuffer::associateBufferSubData(long offset, ArrayBuffer* array)
{
- if (!m_target)
- return false;
if (!array)
return false;
-
- if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) {
- clearCachedMaxIndices();
-
- // We need to protect against integer overflow with these tests
- if (offset < 0)
- return false;
-
- unsigned long uoffset = static_cast<unsigned long>(offset);
- if (uoffset > m_byteLength || array->byteLength() > m_byteLength - uoffset)
- return false;
-
- if (!m_elementArrayBuffer)
- return false;
-
- memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()) + offset,
- static_cast<unsigned char*>(array->data()),
- array->byteLength());
- return true;
- }
-
- if (m_target == GraphicsContext3D::ARRAY_BUFFER)
- return array->byteLength() + offset <= m_byteLength;
-
- return false;
+ return associateBufferSubDataImpl(offset, array, 0, array->byteLength());
}
bool WebGLBuffer::associateBufferSubData(long offset, ArrayBufferView* array)
{
- if (!m_target)
- return false;
if (!array)
return false;
-
- if (m_target == GraphicsContext3D::ELEMENT_ARRAY_BUFFER) {
- clearCachedMaxIndices();
-
- // We need to protect against integer overflow with these tests
- if (offset < 0)
- return false;
-
- unsigned long uoffset = static_cast<unsigned long>(offset);
- if (uoffset > m_byteLength || array->byteLength() > m_byteLength - uoffset)
- return false;
-
- if (!m_elementArrayBuffer)
- return false;
-
- memcpy(static_cast<unsigned char*>(m_elementArrayBuffer->data()) + offset, array->baseAddress(), array->byteLength());
- return true;
- }
-
- if (m_target == GraphicsContext3D::ARRAY_BUFFER)
- return array->byteLength() + offset <= m_byteLength;
-
- return false;
+ return associateBufferSubDataImpl(offset, array->buffer().get(), array->byteOffset(), array->byteLength());
}
unsigned WebGLBuffer::byteLength() const
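Review bot: In associateBufferSubDataImpl the destination `offset` is a `long`, but it is bounded only through `CheckedInt<uint32_t> checkedBufferOffset(offset)`, and only when `byteLength` is non-zero, while the memcpy further down uses the original `offset`. CheckedInt.h is not part of this diff, so whether that constructor rejects a value that does not fit in 32 bits cannot be confirmed here; if it truncates, a large offset on a platform with 64-bit `long` would pass the check and the copy would write outside m_elementArrayBuffer. The removed code compared the offset with m_byteLength directly, and keeping that guard up front closes both gaps: `if (!array || offset < 0 || static_cast<unsigned long>(offset) > m_byteLength) return false;`. This also restores the rejection of a zero-length update whose offset lies past the end of the buffer, which the new code accepts.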
diff --git a/WebCore/html/canvas/WebGLBuffer.h b/WebCore/html/canvas/WebGLBuffer.h
index 8df84a5..a7a25b9 100644
--- a/WebCore/html/canvas/WebGLBuffer.h
+++ b/WebCore/html/canvas/WebGLBuffer.h
@@ -90,6 +90,11 @@ private:
// Clears all of the cached max indices.
void clearCachedMaxIndices();
+
+ // Helper function called by the three associateBufferData().
+ bool associateBufferDataImpl(ArrayBuffer* array, unsigned byteOffset, unsigned byteLength);
+ // Helper function called by the two associateBufferSubData().
+ bool associateBufferSubDataImpl(long offset, ArrayBuffer* array, unsigned arrayByteOffset, unsigned byteLength);
};
} // namespace WebCore
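Review bot: The two comments added above associateBufferDataImpl and associateBufferSubDataImpl name the callers but not the contract, which is what a future caller needs, because these helpers are where the bounds checks now live. For the first I would write `// Validates byteOffset + byteLength against array->byteLength(); array may be 0 for a size-only allocation.` and for the second `// Validates the source range against array and the destination range against m_byteLength before copying.` Both should also state that the function returns false without copying when a range check fails. The enclosing class starts outside this hunk.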
--
WebKit Debian packaging