[webkit-changes] [WebKit/WebKit] ff9bb6: [WebGPU] Out of bounds read with index buffer shar...

[mwyrzykowski]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ff9bb65302c896d0c21632b1c11fda6fb51f1744
      https://github.com/WebKit/WebKit/commit/ff9bb65302c896d0c21632b1c11fda6fb51f1744
  Author: Mike Wyrzykowski <mwyrzykowski at apple.com>
  Date:   2025-01-20 (Mon, 20 Jan 2025)

  Changed paths:
    A LayoutTests/fast/webgpu/nocrash/fuzz-286215-expected.txt
    A LayoutTests/fast/webgpu/nocrash/fuzz-286215.html
    M Source/WebGPU/WebGPU/Buffer.h
    M Source/WebGPU/WebGPU/Buffer.mm
    M Source/WebGPU/WebGPU/RenderPassEncoder.mm

  Log Message:
  -----------
  [WebGPU] Out of bounds read with index buffer shared between GPURenderBundles and GPURenderPass
https://bugs.webkit.org/show_bug.cgi?id=286215
rdar://142756512

Reviewed by Tadeu Zagallo.

Unlike normal GPURenderPass calls, GPURenderBundles rewrite the ICB contents
when an OOB read occurs. This is specific to each GPURenderBundle. Using a single
flag per index buffer is wrong here since a valid GPURenderPass call would allow
an invalid GPURenderBundle call to be processed.

Resolve this by tracking state per ICB. Normal render passes get id=zero which
is not a value MTLResourceID.

* LayoutTests/fast/webgpu/nocrash/fuzz-286215-expected.txt: Added.
* LayoutTests/fast/webgpu/nocrash/fuzz-286215.html: Added.
Add regression test.

* Source/WebGPU/WebGPU/Buffer.h:
(WebGPU::Buffer::didReadOOB const): Deleted.
(WebGPU::Buffer::didReadOOB): Deleted.
* Source/WebGPU/WebGPU/Buffer.mm:
(WebGPU::Buffer::canSkipDrawIndexedValidation const):
(WebGPU::Buffer::drawIndexedValidated):
(WebGPU::Buffer::didReadOOB const):
(WebGPU::Buffer::didReadOOB):
* Source/WebGPU/WebGPU/RenderPassEncoder.mm:
(WebGPU::RenderPassEncoder::executeBundles):
Track OOB reads per ICB.

Canonical link: https://commits.webkit.org/289163@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications