Changeset 116374 in webkit

Timestamp:

May 7, 2012 4:56:47 PM (12 years ago)

Author:

zmo@google.com

Message:

vertexAttribPointer needs to reject large negative offsets
​https://bugs.webkit.org/show_bug.cgi?id=85117

Reviewed by Kenneth Russell.

Source/WebCore:

• html/canvas/WebGLRenderingContext.cpp: Use long long for GLsizeiptr and GLintptr

(WebCore):
(WebCore::WebGLRenderingContext::bufferData):
(WebCore::WebGLRenderingContext::bufferSubData):
(WebCore::WebGLRenderingContext::drawElements):
(WebCore::WebGLRenderingContext::getVertexAttribOffset):
(WebCore::WebGLRenderingContext::vertexAttribPointer):

• html/canvas/WebGLRenderingContext.h: Ditto

(WebGLRenderingContext):

• html/canvas/WebGLRenderingContext.idl: Ditto

LayoutTests:

• fast/canvas/webgl/index-validation-expected.txt:
• fast/canvas/webgl/index-validation.html: Add a test case for large negative offset.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/canvas/webgl/index-validation-expected.txt (modified) (1 diff)
• LayoutTests/fast/canvas/webgl/index-validation.html (modified) (4 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/canvas/WebGLRenderingContext.cpp (modified) (17 diffs)
• Source/WebCore/html/canvas/WebGLRenderingContext.h (modified) (4 diffs)
• Source/WebCore/html/canvas/WebGLRenderingContext.idl (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-05-04  Zhenyao Mo  <zmo@google.com>
+
+        vertexAttribPointer needs to reject large negative offsets
+        https://bugs.webkit.org/show_bug.cgi?id=85117
+
+        Reviewed by Kenneth Russell.
+
+        * fast/canvas/webgl/index-validation-expected.txt:
+        * fast/canvas/webgl/index-validation.html: Add a test case for large negative offset.
+
 2012-05-07  Pravin D  <pravind.2k4@gmail.com>
 

trunk/LayoutTests/fast/canvas/webgl/index-validation-expected.txt

@@ -5 +5 @@
 Testing with valid indices
 PASS gl.checkFramebufferStatus(gl.FRAMEBUFFER) is gl.FRAMEBUFFER_COMPLETE
-PASS gl.getError() is 0
+PASS getError was expected value: NO_ERROR : 
 PASS gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0) is undefined.
-PASS gl.getError() is 0
+PASS getError was expected value: NO_ERROR : 
 Testing with out-of-range indices
 Enable vertices, valid
-PASS gl.getError() is 0
+PASS getError was expected value: NO_ERROR : 
 PASS gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0) is undefined.
-PASS gl.getError() is 0
+PASS getError was expected value: NO_ERROR : 
 Enable normals, out-of-range
-PASS gl.getError() is 0
+PASS getError was expected value: NO_ERROR : 
 PASS gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0) is undefined.
-PASS gl.getError() is gl.INVALID_OPERATION
+PASS getError was expected value: INVALID_OPERATION : 
 Test with enabled attribute that does not belong to current program
 Enable an extra attribute with null
-PASS gl.getError() is 0
+PASS getError was expected value: NO_ERROR : 
 PASS gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0) is undefined.
-PASS gl.getError() is gl.INVALID_OPERATION
+PASS getError was expected value: INVALID_OPERATION : 
 Enable an extra attribute with insufficient data buffer
-PASS gl.getError() is 0
+PASS getError was expected value: NO_ERROR : 
 PASS gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0) is undefined.
-PASS gl.getError() is 0
+Pass large negative index to vertexAttribPointer
+PASS getError was expected value: INVALID_VALUE : 
+PASS gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0) is undefined.
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/canvas/webgl/index-validation.html

@@ +1 @@
+<!DOCTYPE html>
 <html>
 <head>
+<meta charset="utf-8">
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
 <script src="../../js/resources/js-test-pre.js"></script>
 <script src="resources/webgl-test.js"></script>
@@ -61 +64 @@
 gl.enableVertexAttribArray(normalLoc);
 shouldBe('gl.checkFramebufferStatus(gl.FRAMEBUFFER)', 'gl.FRAMEBUFFER_COMPLETE');
-shouldBe('gl.getError()', '0');
+glErrorShouldBe(gl, gl.NO_ERROR);
 shouldBeUndefined('gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0)');
-shouldBe('gl.getError()', '0');
+glErrorShouldBe(gl, gl.NO_ERROR);
 
 debug("Testing with out-of-range indices");
@@ -74 +77 @@
 gl.disableVertexAttribArray(normalLoc);
 debug("Enable vertices, valid");
-shouldBe('gl.getError()', '0');
+glErrorShouldBe(gl, gl.NO_ERROR);
 shouldBeUndefined('gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0)');
-shouldBe('gl.getError()', '0');
+glErrorShouldBe(gl, gl.NO_ERROR);
 debug("Enable normals, out-of-range");
 gl.vertexAttribPointer(normalLoc, 3, gl.FLOAT, false, 7 * sizeInBytes(gl.FLOAT), 4 * sizeInBytes(gl.FLOAT));
 gl.enableVertexAttribArray(normalLoc);
-shouldBe('gl.getError()', '0');
+glErrorShouldBe(gl, gl.NO_ERROR);
 shouldBeUndefined('gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0)');
-shouldBe('gl.getError()', 'gl.INVALID_OPERATION');
+glErrorShouldBe(gl, gl.INVALID_OPERATION);
 
 debug("Test with enabled attribute that does not belong to current program");
@@ -90 +93 @@
 gl.enableVertexAttribArray(extraLoc);
 debug("Enable an extra attribute with null");
-shouldBe('gl.getError()', '0');
+glErrorShouldBe(gl, gl.NO_ERROR);
 shouldBeUndefined('gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0)');
-shouldBe('gl.getError()', 'gl.INVALID_OPERATION');
+glErrorShouldBe(gl, gl.INVALID_OPERATION);
 debug("Enable an extra attribute with insufficient data buffer");
 gl.vertexAttribPointer(extraLoc, 3, gl.FLOAT, false, 7 * sizeInBytes(gl.FLOAT), 4 * sizeInBytes(gl.FLOAT));
-shouldBe('gl.getError()', '0');
+glErrorShouldBe(gl, gl.NO_ERROR);
 shouldBeUndefined('gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0)');
-shouldBe('gl.getError()', '0');
+debug("Pass large negative index to vertexAttribPointer");
+gl.vertexAttribPointer(normalLoc, 3, gl.FLOAT, false, 7 * sizeInBytes(gl.FLOAT), -2000000000 * sizeInBytes(gl.FLOAT));
+glErrorShouldBe(gl, gl.INVALID_VALUE);
+shouldBeUndefined('gl.drawElements(gl.TRIANGLES, 3, gl.UNSIGNED_SHORT, 0)');
+
+successfullyParsed = true;
 </script>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-05-04  Zhenyao Mo  <zmo@google.com>
+
+        vertexAttribPointer needs to reject large negative offsets
+        https://bugs.webkit.org/show_bug.cgi?id=85117
+
+        Reviewed by Kenneth Russell.
+
+        * html/canvas/WebGLRenderingContext.cpp: Use long long for GLsizeiptr and GLintptr
+        (WebCore):
+        (WebCore::WebGLRenderingContext::bufferData):
+        (WebCore::WebGLRenderingContext::bufferSubData):
+        (WebCore::WebGLRenderingContext::drawElements):
+        (WebCore::WebGLRenderingContext::getVertexAttribOffset):
+        (WebCore::WebGLRenderingContext::vertexAttribPointer):
+        * html/canvas/WebGLRenderingContext.h: Ditto
+        (WebGLRenderingContext):
+        * html/canvas/WebGLRenderingContext.idl: Ditto
+
 2012-05-07  Pravin D  <pravind.2k4@gmail.com>
 

trunk/Source/WebCore/html/canvas/WebGLRenderingContext.cpp

@@ -1037 +1037 @@
 }
 
-void WebGLRenderingContext::bufferData(GC3Denum target, GC3Dsizeiptr size, GC3Denum usage, ExceptionCode& ec)
+void WebGLRenderingContext::bufferData(GC3Denum target, long long size, GC3Denum usage, ExceptionCode& ec)
 {
     UNUSED_PARAM(ec);
@@ -1050 +1050 @@
     }
     if (!isErrorGeneratedOnOutOfBoundsAccesses()) {
-        if (!buffer->associateBufferData(size)) {
+        if (!buffer->associateBufferData(static_cast<GC3Dsizeiptr>(size))) {
             synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "bufferData", "invalid buffer");
             return;
@@ -1056 +1056 @@
     }
 
-    m_context->bufferData(target, size, usage);
+    m_context->bufferData(target, static_cast<GC3Dsizeiptr>(size), usage);
     cleanupAfterGraphicsCall(false);
 }
@@ -1106 +1106 @@
 }
 
-void WebGLRenderingContext::bufferSubData(GC3Denum target, GC3Dintptr offset, ArrayBuffer* data, ExceptionCode& ec)
+void WebGLRenderingContext::bufferSubData(GC3Denum target, long long offset, ArrayBuffer* data, ExceptionCode& ec)
 {
     UNUSED_PARAM(ec);
@@ -1121 +1121 @@
         return;
     if (!isErrorGeneratedOnOutOfBoundsAccesses()) {
-        if (!buffer->associateBufferSubData(offset, data)) {
+        if (!buffer->associateBufferSubData(static_cast<GC3Dintptr>(offset), data)) {
             synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "bufferSubData", "offset out of range");
             return;
@@ -1127 +1127 @@
     }
 
-    m_context->bufferSubData(target, offset, data->byteLength(), data->data());
-    cleanupAfterGraphicsCall(false);
-}
-
-void WebGLRenderingContext::bufferSubData(GC3Denum target, GC3Dintptr offset, ArrayBufferView* data, ExceptionCode& ec)
+    m_context->bufferSubData(target, static_cast<GC3Dintptr>(offset), data->byteLength(), data->data());
+    cleanupAfterGraphicsCall(false);
+}
+
+void WebGLRenderingContext::bufferSubData(GC3Denum target, long long offset, ArrayBufferView* data, ExceptionCode& ec)
 {
     UNUSED_PARAM(ec);
@@ -1146 +1146 @@
         return;
     if (!isErrorGeneratedOnOutOfBoundsAccesses()) {
-        if (!buffer->associateBufferSubData(offset, data)) {
+        if (!buffer->associateBufferSubData(static_cast<GC3Dintptr>(offset), data)) {
             synthesizeGLError(GraphicsContext3D::INVALID_VALUE, "bufferSubData", "offset out of range");
             return;
@@ -1152 +1152 @@
     }
 
-    m_context->bufferSubData(target, offset, data->byteLength(), data->baseAddress());
+    m_context->bufferSubData(target, static_cast<GC3Dintptr>(offset), data->byteLength(), data->baseAddress());
     cleanupAfterGraphicsCall(false);
 }
@@ -1899 +1899 @@
 }
 
-void WebGLRenderingContext::drawElements(GC3Denum mode, GC3Dsizei count, GC3Denum type, GC3Dintptr offset, ExceptionCode& ec)
+void WebGLRenderingContext::drawElements(GC3Denum mode, GC3Dsizei count, GC3Denum type, long long offset, ExceptionCode& ec)
 {
     UNUSED_PARAM(ec);
@@ -1934 +1934 @@
     if (!isErrorGeneratedOnOutOfBoundsAccesses()) {
         // Ensure we have a valid rendering state
-        if (!validateElementArraySize(count, type, offset)) {
+        if (!validateElementArraySize(count, type, static_cast<GC3Dintptr>(offset))) {
             synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, "drawElements", "request out of bounds for current ELEMENT_ARRAY_BUFFER");
             return;
@@ -1941 +1941 @@
             return;
         if (!validateIndexArrayConservative(type, numElements) || !validateRenderingState(numElements)) {
-            if (!validateIndexArrayPrecise(count, type, offset, numElements) || !validateRenderingState(numElements)) {
+            if (!validateIndexArrayPrecise(count, type, static_cast<GC3Dintptr>(offset), numElements) || !validateRenderingState(numElements)) {
                 synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, "drawElements", "attempt to access out of bounds arrays");
                 return;
@@ -1962 +1962 @@
     if (!isGLES2Compliant()) {
         if (!numElements)
-            validateIndexArrayPrecise(count, type, offset, numElements);
+            validateIndexArrayPrecise(count, type, static_cast<GC3Dintptr>(offset), numElements);
         vertexAttrib0Simulated = simulateVertexAttrib0(numElements);
     }
     if (!isGLES2NPOTStrict())
         handleNPOTTextures(true);
-    m_context->drawElements(mode, count, type, offset);
+    m_context->drawElements(mode, count, type, static_cast<GC3Dintptr>(offset));
     if (!isGLES2Compliant() && vertexAttrib0Simulated)
         restoreStatesAfterVertexAttrib0Simulation();
@@ -3039 +3039 @@
 }
 
-GC3Dsizeiptr WebGLRenderingContext::getVertexAttribOffset(GC3Duint index, GC3Denum pname)
+long long WebGLRenderingContext::getVertexAttribOffset(GC3Duint index, GC3Denum pname)
 {
     if (isContextLost())
@@ -3045 +3045 @@
     GC3Dsizeiptr result = m_context->getVertexAttribOffset(index, pname);
     cleanupAfterGraphicsCall(false);
-    return result;
+    return static_cast<long long>(result);
 }
 
@@ -4251 +4251 @@
 }
 
-void WebGLRenderingContext::vertexAttribPointer(GC3Duint index, GC3Dint size, GC3Denum type, GC3Dboolean normalized, GC3Dsizei stride, GC3Dintptr offset, ExceptionCode& ec)
+void WebGLRenderingContext::vertexAttribPointer(GC3Duint index, GC3Dint size, GC3Denum type, GC3Dboolean normalized, GC3Dsizei stride, long long offset, ExceptionCode& ec)
 {
     UNUSED_PARAM(ec);
@@ -4285 +4285 @@
         return;
     }
-    if ((stride % typeSize) || (offset % typeSize)) {
+    if ((stride % typeSize) || (static_cast<GC3Dintptr>(offset) % typeSize)) {
         synthesizeGLError(GraphicsContext3D::INVALID_OPERATION, "vertexAttribPointer", "stride or offset not valid for type");
         return;
@@ -4301 +4301 @@
     state.stride = validatedStride;
     state.originalStride = stride;
-    state.offset = offset;
-    m_context->vertexAttribPointer(index, size, type, normalized, stride, offset);
+    state.offset = static_cast<GC3Dintptr>(offset);
+    m_context->vertexAttribPointer(index, size, type, normalized, stride, static_cast<GC3Dintptr>(offset));
     cleanupAfterGraphicsCall(false);
 }

trunk/Source/WebCore/html/canvas/WebGLRenderingContext.h

@@ -97 +97 @@
     void blendFuncSeparate(GC3Denum srcRGB, GC3Denum dstRGB, GC3Denum srcAlpha, GC3Denum dstAlpha);
 
-    void bufferData(GC3Denum target, GC3Dsizeiptr size, GC3Denum usage, ExceptionCode&);
+    void bufferData(GC3Denum target, long long size, GC3Denum usage, ExceptionCode&);
     void bufferData(GC3Denum target, ArrayBuffer* data, GC3Denum usage, ExceptionCode&);
     void bufferData(GC3Denum target, ArrayBufferView* data, GC3Denum usage, ExceptionCode&);
-    void bufferSubData(GC3Denum target, GC3Dintptr offset, ArrayBuffer* data, ExceptionCode&);
-    void bufferSubData(GC3Denum target, GC3Dintptr offset, ArrayBufferView* data, ExceptionCode&);
+    void bufferSubData(GC3Denum target, long long offset, ArrayBuffer* data, ExceptionCode&);
+    void bufferSubData(GC3Denum target, long long offset, ArrayBufferView* data, ExceptionCode&);
 
     GC3Denum checkFramebufferStatus(GC3Denum target);
@@ -142 +142 @@
     void disableVertexAttribArray(GC3Duint index, ExceptionCode&);
     void drawArrays(GC3Denum mode, GC3Dint first, GC3Dsizei count, ExceptionCode&);
-    void drawElements(GC3Denum mode, GC3Dsizei count, GC3Denum type, GC3Dintptr offset, ExceptionCode&);
+    void drawElements(GC3Denum mode, GC3Dsizei count, GC3Denum type, long long offset, ExceptionCode&);
 
     void enable(GC3Denum cap);
@@ -175 +175 @@
     PassRefPtr<WebGLUniformLocation> getUniformLocation(WebGLProgram*, const String&, ExceptionCode&);
     WebGLGetInfo getVertexAttrib(GC3Duint index, GC3Denum pname, ExceptionCode&);
-    GC3Dsizeiptr getVertexAttribOffset(GC3Duint index, GC3Denum pname);
+    long long getVertexAttribOffset(GC3Duint index, GC3Denum pname);
 
     void hint(GC3Denum target, GC3Denum mode);
@@ -282 +282 @@
     void vertexAttrib4fv(GC3Duint index, GC3Dfloat* values, GC3Dsizei size);
     void vertexAttribPointer(GC3Duint index, GC3Dint size, GC3Denum type, GC3Dboolean normalized,
-                             GC3Dsizei stride, GC3Dintptr offset, ExceptionCode&);
+                             GC3Dsizei stride, long long offset, ExceptionCode&);
 
     void viewport(GC3Dint x, GC3Dint y, GC3Dsizei width, GC3Dsizei height);

trunk/Source/WebCore/html/canvas/WebGLRenderingContext.idl

@@ -464 +464 @@
         [StrictTypeChecking] void         bufferData(in unsigned long target, in ArrayBuffer data, in unsigned long usage) raises (DOMException);
         [StrictTypeChecking] void         bufferData(in unsigned long target, in ArrayBufferView data, in unsigned long usage) raises (DOMException);
-        [StrictTypeChecking] void         bufferData(in unsigned long target, in long size, in unsigned long usage) raises (DOMException);
-        [StrictTypeChecking] void         bufferSubData(in unsigned long target, in long offset, in ArrayBuffer data) raises (DOMException);
-        [StrictTypeChecking] void         bufferSubData(in unsigned long target, in long offset, in ArrayBufferView data) raises (DOMException);
+        [StrictTypeChecking] void         bufferData(in unsigned long target, in long long size, in unsigned long usage) raises (DOMException);
+        [StrictTypeChecking] void         bufferSubData(in unsigned long target, in long long offset, in ArrayBuffer data) raises (DOMException);
+        [StrictTypeChecking] void         bufferSubData(in unsigned long target, in long long offset, in ArrayBufferView data) raises (DOMException);
 
         [StrictTypeChecking] unsigned long checkFramebufferStatus(in unsigned long target);
@@ -508 +508 @@
         [StrictTypeChecking] void         disableVertexAttribArray(in unsigned long index) raises(DOMException);
         [StrictTypeChecking] void         drawArrays(in unsigned long mode, in long first, in long count) raises(DOMException);
-        [StrictTypeChecking] void         drawElements(in unsigned long mode, in long count, in unsigned long type, in long offset) raises(DOMException);
+        [StrictTypeChecking] void         drawElements(in unsigned long mode, in long count, in unsigned long type, in long long offset) raises(DOMException);
 
         [StrictTypeChecking] void         enable(in unsigned long cap);
@@ -568 +568 @@
         [StrictTypeChecking, Custom] void getVertexAttrib();
 
-        [StrictTypeChecking] long getVertexAttribOffset(in unsigned long index, in unsigned long pname);
+        [StrictTypeChecking] long long getVertexAttribOffset(in unsigned long index, in unsigned long pname);
 
         [StrictTypeChecking] void         hint(in unsigned long target, in unsigned long mode);
@@ -662 +662 @@
         [StrictTypeChecking, Custom] void         vertexAttrib4fv(in unsigned long indx, in Float32Array values);
         [StrictTypeChecking] void         vertexAttribPointer(in unsigned long indx, in long size, in unsigned long type, in boolean normalized, 
-                                                              in long stride, in long offset) raises(DOMException);
+                                                              in long stride, in long long offset) raises(DOMException);
 
         [StrictTypeChecking] void         viewport(in long x, in long y, in long width, in long height);