[webkit-changes] [WebKit/WebKit] 4abdcb: [WebGPU] Using array length in the fragment but no...
mwyrzykowski
noreply at github.com
Fri Dec 6 21:25:12 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4abdcb41023887bb6b06b4b5f90452e1361e8351
https://github.com/WebKit/WebKit/commit/4abdcb41023887bb6b06b4b5f90452e1361e8351
Author: Mike Wyrzykowski <mwyrzykowski at apple.com>
Date: 2024-12-06 (Fri, 06 Dec 2024)
Changed paths:
A LayoutTests/fast/webgpu/nocrash/fuzz-284090-expected.txt
A LayoutTests/fast/webgpu/nocrash/fuzz-284090.html
M Source/WebGPU/WebGPU/RenderPipeline.mm
Log Message:
-----------
[WebGPU] Using array length in the fragment but not vertex buffer leads to AB size mismatch
https://bugs.webkit.org/show_bug.cgi?id=284090
rdar://140803154
Reviewed by Tadeu Zagallo.
A bind group shared between vertex and fragment stages will will be treated
as a single element in the entries container, but the vertex shader may not
use the bind group's length while the fragment shader does.
This leads to the AB in the vertex shader being 8 bytes (for the single buffer case)
while the fragment shader was 16 bytes.
Correct the out of bounds read by ensuring we consider reused entries.
* LayoutTests/fast/webgpu/nocrash/fuzz-284090-expected.txt: Added.
* LayoutTests/fast/webgpu/nocrash/fuzz-284090.html: Added.
Add regression test.
* Source/WebGPU/WebGPU/RenderPipeline.mm:
(WebGPU::Device::addPipelineLayouts):
Canonical link: https://commits.webkit.org/287493@main
To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications
More information about the webkit-changes
mailing list