Changeset 249369 in webkit

Timestamp:

Sep 1, 2019 4:08:38 PM (5 years ago)

Author:

mmaxfield@apple.com

Message:

[WHLSL] Resources don't work when only a subset of a bind group is referenced by a shader
​https://bugs.webkit.org/show_bug.cgi?id=201383

Reviewed by Dean Jackson.

Source/WebCore:

Bind groups correspond to argument buffers in Metal. Both the Metal API and Metal Shading Language
have to agree on the layout of exactly which resources lie at which byte offsets within an argument
buffer.

Before this patch, we only emitted code for the items in the argument buffer that were actually
referenced by the shader source code. However, because these items are held inside a struct, if
we omit one item from the middle of the struct, the byte offets of all the successive items would
be wrong. This means that the Metal API and the shader would disagree about how to access these
resources, making the resources inaccessible (and causing security problems).

Tests: webgpu/whlsl/sparse-bind-group-2.html

webgpu/whlsl/sparse-bind-group-3.html
webgpu/whlsl/sparse-bind-group.html

• Modules/webgpu/WHLSL/Metal/WHLSLEntryPointScaffolding.cpp:

(WebCore::WHLSL::Metal::EntryPointScaffolding::emitResourceHelperTypes):
(WebCore::WHLSL::Metal::VertexEntryPointScaffolding::emitHelperTypes):
(WebCore::WHLSL::Metal::FragmentEntryPointScaffolding::emitHelperTypes):
(WebCore::WHLSL::Metal::ComputeEntryPointScaffolding::emitHelperTypes):

• Modules/webgpu/WHLSL/Metal/WHLSLEntryPointScaffolding.h:
• Modules/webgpu/WHLSL/WHLSLSemanticMatcher.cpp:

(WebCore::WHLSL::matchResources):
(WebCore::WHLSL::matchVertexAttributes):
(WebCore::WHLSL::matchColorAttachments):

LayoutTests:

• webgpu/whlsl/compute.html:
• webgpu/whlsl/sparse-bind-group-2-expected.txt: Added.
• webgpu/whlsl/sparse-bind-group-2.html: Added.
• webgpu/whlsl/sparse-bind-group-3-expected.txt: Added.
• webgpu/whlsl/sparse-bind-group-3.html: Added.
• webgpu/whlsl/sparse-bind-group-expected.txt: Added.
• webgpu/whlsl/sparse-bind-group.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/webgpu/whlsl/compute.html (modified) (1 diff)
• LayoutTests/webgpu/whlsl/sparse-bind-group-2-expected.txt (added)
• LayoutTests/webgpu/whlsl/sparse-bind-group-2.html (added)
• LayoutTests/webgpu/whlsl/sparse-bind-group-3-expected.txt (added)
• LayoutTests/webgpu/whlsl/sparse-bind-group-3.html (added)
• LayoutTests/webgpu/whlsl/sparse-bind-group-expected.txt (added)
• LayoutTests/webgpu/whlsl/sparse-bind-group.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/webgpu/WHLSL/Metal/WHLSLEntryPointScaffolding.cpp (modified) (5 diffs)
• Source/WebCore/Modules/webgpu/WHLSL/Metal/WHLSLEntryPointScaffolding.h (modified) (1 diff)
• Source/WebCore/Modules/webgpu/WHLSL/WHLSLSemanticMatcher.cpp (modified) (9 diffs)
• Source/WebCore/platform/graphics/gpu/cocoa/GPUBindGroupLayoutMetal.mm (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-09-01  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        [WHLSL] Resources don't work when only a subset of a bind group is referenced by a shader
+        https://bugs.webkit.org/show_bug.cgi?id=201383
+
+        Reviewed by Dean Jackson.
+
+        * webgpu/whlsl/compute.html:
+        * webgpu/whlsl/sparse-bind-group-2-expected.txt: Added.
+        * webgpu/whlsl/sparse-bind-group-2.html: Added.
+        * webgpu/whlsl/sparse-bind-group-3-expected.txt: Added.
+        * webgpu/whlsl/sparse-bind-group-3.html: Added.
+        * webgpu/whlsl/sparse-bind-group-expected.txt: Added.
+        * webgpu/whlsl/sparse-bind-group.html: Added.
+
 2019-09-01  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/LayoutTests/webgpu/whlsl/compute.html

@@ -75 +75 @@
     resultsBuffer.unmap();
 }
+
 window.jsTestIsAsync = true;
 getBasicDevice().then(function(device) {

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-09-01  Myles C. Maxfield  <mmaxfield@apple.com>
+
+        [WHLSL] Resources don't work when only a subset of a bind group is referenced by a shader
+        https://bugs.webkit.org/show_bug.cgi?id=201383
+
+        Reviewed by Dean Jackson.
+
+        Bind groups correspond to argument buffers in Metal. Both the Metal API and Metal Shading Language
+        have to agree on the layout of exactly which resources lie at which byte offsets within an argument
+        buffer.
+
+        Before this patch, we only emitted code for the items in the argument buffer that were actually
+        referenced by the shader source code. However, because these items are held inside a struct, if
+        we omit one item from the middle of the struct, the byte offets of all the successive items would
+        be wrong. This means that the Metal API and the shader would disagree about how to access these
+        resources, making the resources inaccessible (and causing security problems).
+
+        Tests: webgpu/whlsl/sparse-bind-group-2.html
+               webgpu/whlsl/sparse-bind-group-3.html
+               webgpu/whlsl/sparse-bind-group.html
+
+        * Modules/webgpu/WHLSL/Metal/WHLSLEntryPointScaffolding.cpp:
+        (WebCore::WHLSL::Metal::EntryPointScaffolding::emitResourceHelperTypes):
+        (WebCore::WHLSL::Metal::VertexEntryPointScaffolding::emitHelperTypes):
+        (WebCore::WHLSL::Metal::FragmentEntryPointScaffolding::emitHelperTypes):
+        (WebCore::WHLSL::Metal::ComputeEntryPointScaffolding::emitHelperTypes):
+        * Modules/webgpu/WHLSL/Metal/WHLSLEntryPointScaffolding.h:
+        * Modules/webgpu/WHLSL/WHLSLSemanticMatcher.cpp:
+        (WebCore::WHLSL::matchResources):
+        (WebCore::WHLSL::matchVertexAttributes):
+        (WebCore::WHLSL::matchColorAttachments):
+
 2019-09-01  Said Abou-Hallawa  <sabouhallawa@apple.com>
 

trunk/Source/WebCore/Modules/webgpu/WHLSL/Metal/WHLSLEntryPointScaffolding.cpp

@@ -140 +140 @@
 }
 
-void EntryPointScaffolding::emitResourceHelperTypes(StringBuilder& stringBuilder, Indentation<4> indent)
+void EntryPointScaffolding::emitResourceHelperTypes(StringBuilder& stringBuilder, Indentation<4> indent, ShaderStage shaderStage)
 {
     for (size_t i = 0; i < m_layout.size(); ++i) {
@@ -148 +148 @@
             Vector<std::pair<unsigned, String>> structItems;
             for (size_t j = 0; j < m_layout[i].bindings.size(); ++j) {
+                auto& binding = m_layout[i].bindings[j];
+                if (!binding.visibility.contains(shaderStage))
+                    continue;
+
+                auto elementName = m_namedBindGroups[i].namedBindings[j].elementName;
+                auto index = m_namedBindGroups[i].namedBindings[j].index;
+                if (auto lengthInformation = m_namedBindGroups[i].namedBindings[j].lengthInformation)
+                    structItems.append(std::make_pair(lengthInformation->index, makeString("uint2 ", lengthInformation->elementName, " [[id(", lengthInformation->index, ")]];")));
+
                 auto iterator = m_resourceMap.find(&m_layout[i].bindings[j]);
-                if (iterator == m_resourceMap.end())
-                    continue;
-                auto& type = m_entryPointItems.inputs[iterator->value].unnamedType->unifyNode();
-                if (is<AST::UnnamedType>(type) && is<AST::ReferenceType>(downcast<AST::UnnamedType>(type))) {
-                    auto& referenceType = downcast<AST::ReferenceType>(downcast<AST::UnnamedType>(type));
-                    auto mangledTypeName = m_typeNamer.mangledNameForType(referenceType.elementType());
-                    auto addressSpace = toString(referenceType.addressSpace());
-                    auto elementName = m_namedBindGroups[i].namedBindings[j].elementName;
-                    auto index = m_namedBindGroups[i].namedBindings[j].index;
-                    structItems.append(std::make_pair(index, makeString(addressSpace, " ", mangledTypeName, "* ", elementName, " [[id(", index, ")]];")));
-                    if (auto lengthInformation = m_namedBindGroups[i].namedBindings[j].lengthInformation)
-                        structItems.append(std::make_pair(lengthInformation->index, makeString("uint2 ", lengthInformation->elementName, " [[id(", lengthInformation->index, ")]];")));
-                } else if (is<AST::NamedType>(type) && is<AST::NativeTypeDeclaration>(downcast<AST::NamedType>(type))) {
-                    auto& namedType = downcast<AST::NativeTypeDeclaration>(downcast<AST::NamedType>(type));
-                    auto mangledTypeName = m_typeNamer.mangledNameForType(namedType);
-                    auto elementName = m_namedBindGroups[i].namedBindings[j].elementName;
-                    auto index = m_namedBindGroups[i].namedBindings[j].index;
-                    structItems.append(std::make_pair(index, makeString(mangledTypeName, ' ', elementName, " [[id(", index, ")]];")));
+                if (iterator != m_resourceMap.end()) {
+                    auto& type = m_entryPointItems.inputs[iterator->value].unnamedType->unifyNode();
+                    if (is<AST::UnnamedType>(type) && is<AST::ReferenceType>(downcast<AST::UnnamedType>(type))) {
+                        auto& referenceType = downcast<AST::ReferenceType>(downcast<AST::UnnamedType>(type));
+                        auto mangledTypeName = m_typeNamer.mangledNameForType(referenceType.elementType());
+                        auto addressSpace = toString(referenceType.addressSpace());
+                        structItems.append(std::make_pair(index, makeString(addressSpace, " ", mangledTypeName, "* ", elementName, " [[id(", index, ")]];")));
+                    } else if (is<AST::NamedType>(type) && is<AST::NativeTypeDeclaration>(downcast<AST::NamedType>(type))) {
+                        auto& namedType = downcast<AST::NativeTypeDeclaration>(downcast<AST::NamedType>(type));
+                        auto mangledTypeName = m_typeNamer.mangledNameForType(namedType);
+                        structItems.append(std::make_pair(index, makeString(mangledTypeName, ' ', elementName, " [[id(", index, ")]];")));
+                    }
+                } else {
+                    // The binding doesn't appear in the shader source.
+                    // However, we must still emit a placeholder, so successive items in the argument buffer struct have the correct offset.
+                    // Because the binding doesn't appear in the shader source, we don't know which exact type the bind point should have.
+                    // Therefore, we must synthesize a type out of thin air.
+                    WTF::visit(WTF::makeVisitor([&](UniformBufferBinding) {
+                        structItems.append(std::make_pair(index, makeString("constant void* ", elementName, " [[id(", index, ")]];")));
+                    }, [&](SamplerBinding) {
+                        structItems.append(std::make_pair(index, makeString("sampler ", elementName, " [[id(", index, ")]];")));
+                    }, [&](TextureBinding) {
+                        // FIXME: https://bugs.webkit.org/show_bug.cgi?id=201384 We don't know which texture type the binding represents. This is no good very bad.
+                        structItems.append(std::make_pair(index, makeString("texture2d<float4> ", elementName, " [[id(", index, ")]];")));
+                    }, [&](StorageBufferBinding) {
+                        structItems.append(std::make_pair(index, makeString("device void* ", elementName, " [[id(", index, ")]];")));
+                    }), binding.binding);
                 }
             }
@@ -426 +444 @@
     stringBuilder.append(indent, "};\n\n");
     
-    emitResourceHelperTypes(stringBuilder, indent);
+    emitResourceHelperTypes(stringBuilder, indent, ShaderStage::Vertex);
 }
 
@@ -531 +549 @@
     stringBuilder.append(indent, "};\n\n");
 
-    emitResourceHelperTypes(stringBuilder, indent);
+    emitResourceHelperTypes(stringBuilder, indent, ShaderStage::Fragment);
 }
 
@@ -581 +599 @@
 void ComputeEntryPointScaffolding::emitHelperTypes(StringBuilder& stringBuilder, Indentation<4> indent)
 {
-    emitResourceHelperTypes(stringBuilder, indent);
+    emitResourceHelperTypes(stringBuilder, indent, ShaderStage::Compute);
 }
 

trunk/Source/WebCore/Modules/webgpu/WHLSL/Metal/WHLSLEntryPointScaffolding.h

@@ -65 +65 @@
     EntryPointScaffolding(AST::FunctionDefinition&, Intrinsics&, TypeNamer&, EntryPointItems&, HashMap<Binding*, size_t>& resourceMap, Layout&, std::function<MangledVariableName()>&& generateNextVariableName);
 
-    void emitResourceHelperTypes(StringBuilder&, Indentation<4>);
+    void emitResourceHelperTypes(StringBuilder&, Indentation<4>, ShaderStage);
 
     enum class IncludePrecedingComma {

trunk/Source/WebCore/Modules/webgpu/WHLSL/WHLSLSemanticMatcher.cpp

@@ -62 +62 @@
 {
     HashMap<Binding*, size_t> result;
-    HashSet<size_t> itemIndices;
-    if (entryPointItems.size() == std::numeric_limits<size_t>::max())
-        return WTF::nullopt; // Work around the fact that HashSet's keys are restricted.
+    HashSet<size_t, DefaultHash<size_t>::Hash, WTF::UnsignedWithZeroKeyHashTraits<size_t>> itemIndices;
     for (auto& bindGroup : layout) {
         auto space = bindGroup.name;
@@ -83 +81 @@
                     continue;
                 result.add(&binding, i);
-                itemIndices.add(i + 1); // Work around the fact that HashSet's keys are restricted.
+                itemIndices.add(i);
             }
         }
@@ -93 +91 @@
         if (!WTF::holds_alternative<AST::ResourceSemantic>(semantic))
             continue;
-        if (!itemIndices.contains(i + 1))
+        if (!itemIndices.contains(i))
             return WTF::nullopt;
     }
@@ -143 +141 @@
 {
     HashMap<VertexAttribute*, size_t> result;
-    HashSet<size_t> itemIndices;
-    if (vertexInputs.size() == std::numeric_limits<size_t>::max())
-        return WTF::nullopt; // Work around the fact that HashSet's keys are restricted.
+    HashSet<size_t, DefaultHash<size_t>::Hash, WTF::UnsignedWithZeroKeyHashTraits<size_t>> itemIndices;
     for (auto& vertexAttribute : vertexAttributes) {
         for (size_t i = 0; i < vertexInputs.size(); ++i) {
@@ -158 +154 @@
                 return WTF::nullopt;
             result.add(&vertexAttribute, i);
-            itemIndices.add(i + 1); // Work around the fact that HashSet's keys are restricted.
+            itemIndices.add(i);
         }
     }
@@ -167 +163 @@
         if (!WTF::holds_alternative<AST::StageInOutSemantic>(semantic))
             continue;
-        if (!itemIndices.contains(i + 1))
+        if (!itemIndices.contains(i))
             return WTF::nullopt;
     }
@@ -231 +227 @@
 {
     HashMap<AttachmentDescriptor*, size_t> result;
-    HashSet<size_t> itemIndices;
-    if (attachmentDescriptors.size() == std::numeric_limits<size_t>::max())
-        return WTF::nullopt; // Work around the fact that HashSet's keys are restricted.
+    HashSet<size_t, DefaultHash<size_t>::Hash, WTF::UnsignedWithZeroKeyHashTraits<size_t>> itemIndices;
     for (auto& attachmentDescriptor : attachmentDescriptors) {
         for (size_t i = 0; i < fragmentOutputs.size(); ++i) {
@@ -246 +240 @@
                 return WTF::nullopt;
             result.add(&attachmentDescriptor, i);
-            itemIndices.add(i + 1); // Work around the fact that HashSet's keys are restricted.
+            itemIndices.add(i);
         }
     }
@@ -255 +249 @@
         if (!WTF::holds_alternative<AST::StageInOutSemantic>(semantic))
             continue;
-        if (!itemIndices.contains(i + 1))
+        if (!itemIndices.contains(i))
             return WTF::nullopt;
     }

trunk/Source/WebCore/platform/graphics/gpu/cocoa/GPUBindGroupLayoutMetal.mm

@@ -85 +85 @@
     END_BLOCK_OBJC_EXCEPTIONS;
 
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=201384 This needs to set the "textureType" field
     [mtlArgument setDataType:dataType];
     [mtlArgument setIndex:index];