Skip to content

Commit

Permalink
Fix bounds check in Queue::writeBuffer when buffer has been destroyed
Browse files Browse the repository at this point in the history 
https://bugs.webkit.org/show_bug.cgi?id=270538
rdar://123811082

Reviewed by Mike Wyrzykowski.

Buffer::destroy updates m_buffer but didn't update m_size, and it shouldn't update the size as
seen by the JS API.

Instead of updating it, I derive the size from m_buffer and replace size() with currentSize()
and initialSize()

I also add a null check to avoid writing to a buffer that is null.

* LayoutTests/fast/webgpu/write-to-destroyed-buffer-expected.txt: Added.
* LayoutTests/fast/webgpu/write-to-destroyed-buffer.html: Added.
* Source/WebGPU/WebGPU/Buffer.h:
(WebGPU::Buffer::create):
* Source/WebGPU/WebGPU/Buffer.mm:
(WebGPU::Device::createBuffer):
(WebGPU::Buffer::Buffer):
(WebGPU::Buffer::getMappedRange):
(WebGPU::Buffer::errorValidatingMapAsync const):
(WebGPU::Buffer::mapAsync):
(WebGPU::Buffer::size const):
* Source/WebGPU/WebGPU/Queue.mm:
(WebGPU::Queue::validateWriteBuffer const):

Canonical link: https://commits.webkit.org/275756@main
  • Loading branch information
@achristensen07
achristensen07 committed Mar 6, 2024
1 parent c31beeb commit 7fed860
Show file tree
Hide file tree
Showing 11 changed files with 623 additions and 32 deletions.
1 change: 1 addition & 0 deletions LayoutTests/fast/webgpu/write-to-destroyed-buffer-expected.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
This test passes if it does not crash.
Loading

0 comments on commit 7fed860

Please sign in to comment.