RESOLVED INVALID 112354
[BlackBerry] Store floating point images in correctly sized vector. 
https://bugs.webkit.org/show_bug.cgi?id=112354
Summary [BlackBerry] Store floating point images in correctly sized vector.
Jonathan Feldstein
Reported 2013-03-14 08:44:40 PDT
Resolves 3 WebGL conformance suite crashes, namely: - oes-texture-float-with-canvas - oes-texture-float-with-image - oes-texture-float-with-video This bug occurs as a result of trying to create a texture with texImage2D with either a provided floating point canvas, image, or video. The issue occurs because a vector used to store this texture is resized to width * height * 4 which is large enough for non-floating point images, but is not large enough for floating ones. ie. an RGBA floating point image is of size: width * height * 4 * sizeof(float). As a result of having a vector that is too small to hold the image contents, we end up writing beyond the end of the vector which results in a variety of different crashes depending on where in memory we end up writing to. Additionally, needless amount of space are allocated for smaller images. ie. an RGB image of unsigned bytes only requires width * height * 3 bytes of space. This commit also makes sure that the vector is resized to the exact size that is needed to fit the provided image.
Attachments
Patch (5.70 KB, patch)
2013-03-14 08:51 PDT, Jonathan Feldstein 		no flags
DetailsFormatted DiffDiff
Patch2 (5.63 KB, patch)
2013-03-14 09:19 PDT, Jonathan Feldstein 		no flags
DetailsFormatted DiffDiff
Patch3 (4.19 KB, patch)
2013-03-14 09:47 PDT, Jonathan Feldstein 		rwlbuis: review+
webkit.review.bot: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Jonathan Feldstein
Comment 1 2013-03-14 08:51:21 PDT
Created attachment 193130 [details] Patch
Rob Buis
Comment 2 2013-03-14 09:02:27 PDT
Comment on attachment 193130 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=193130&action=review > Source/WebCore/platform/graphics/blackberry/GraphicsContext3DBlackBerry.cpp:427 > + sizeofChannels *= 1; I guess this is not needed. Maybe the compiler does not generate the instructions though. > Source/WebCore/platform/graphics/blackberry/GraphicsContext3DBlackBerry.cpp:454 > + sizeofChannels *= 1; Ditto.
Rob Buis
Comment 3 2013-03-14 09:02:57 PDT
Comment on attachment 193130 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=193130&action=review > Source/WebCore/ChangeLog:3 > + [BlackBerry] Resolves 3 WebGL conformance suite crashes. I think the bug title can be improved.
Jonathan Feldstein
Comment 4 2013-03-14 09:08:00 PDT
(In reply to comment #2) > (From update of attachment 193130 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=193130&action=review > > > Source/WebCore/platform/graphics/blackberry/GraphicsContext3DBlackBerry.cpp:427 > > + sizeofChannels *= 1; > > I guess this is not needed. Maybe the compiler does not generate the instructions though. > > > Source/WebCore/platform/graphics/blackberry/GraphicsContext3DBlackBerry.cpp:454 > > + sizeofChannels *= 1; > > Ditto. You're definitely correct that it's needless. I was trying to be more clear about what's going on. Perhaps I could add case statements which simply break immediately without doing a multiply. Is that a fair compromise?
Rob Buis
Comment 5 2013-03-14 09:14:58 PDT
(In reply to comment #4) > (In reply to comment #2) > > (From update of attachment 193130 [details] [details]) > > View in context: https://bugs.webkit.org/attachment.cgi?id=193130&action=review > > > > > Source/WebCore/platform/graphics/blackberry/GraphicsContext3DBlackBerry.cpp:427 > > > + sizeofChannels *= 1; > > > > I guess this is not needed. Maybe the compiler does not generate the instructions though. > > > > > Source/WebCore/platform/graphics/blackberry/GraphicsContext3DBlackBerry.cpp:454 > > > + sizeofChannels *= 1; > > > > Ditto. > > You're definitely correct that it's needless. I was trying to be more clear about what's going on. Perhaps I could add case statements which simply break immediately without doing a multiply. Is that a fair compromise? Sounds good :)
Jonathan Feldstein
Comment 6 2013-03-14 09:19:44 PDT
Created attachment 193136 [details] Patch2 Removed code that needlessly multiplied by one.
Jonathan Feldstein
Comment 7 2013-03-14 09:47:57 PDT
Created attachment 193142 [details] Patch3
Rob Buis
Comment 8 2013-03-14 09:48:37 PDT
Comment on attachment 193142 [details] Patch3 Nice fix.
WebKit Review Bot
Comment 9 2013-03-14 09:52:58 PDT
Comment on attachment 193142 [details] Patch3 Rejecting attachment 193142 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=webkit-commit-queue.appspot.com', '--bot-id=gce-cq-03', 'apply-attachment', '--no-update', '--non-interactive', 193142, '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue Last 500 characters of output: ffs from patch file(s). patching file Source/WebCore/ChangeLog Hunk #1 succeeded at 1 with fuzz 3. patching file Source/WebCore/platform/graphics/blackberry/GraphicsContext3DBlackBerry.cpp Hunk #1 FAILED at 411. 1 out of 1 hunk FAILED -- saving rejects to file Source/WebCore/platform/graphics/blackberry/GraphicsContext3DBlackBerry.cpp.rej Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', '--force', '--reviewer', 'Rob Buis']" exit_code: 1 cwd: /mnt/git/webkit-commit-queue Full output: http://webkit-commit-queue.appspot.com/results/17041591
Note You need to log in before you can comment on or make changes to this bug.