Currently most of the ports of WebGL will crash in the following situation:

- enableVertexAttribArray(index) is called, but a pointer is not set up via bindBuffer / vertexAttribPointer
- drawArrays or drawElements is called, even if the current program does not reference this particular attribute array.

The problem is that the vertex attribute is initially set up for client-side arrays. The GL apparently does not have enough information to know that the attribute array is unreferenced by the current program and attempts to copy its data to the graphics card, leading to a NULL pointer dereference and a crash. This does not appear to happen when a vertex buffer object is bound to the vertex attribute.

To fix this, we hypothesize that it is sufficient to bind a zero-length buffer object to all of the vertex attribute arrays at context initialization time. This way their storage is always specified to live on the graphics card. It is not possible with the WebGL API to re-initialize a vertex attribute array to use client-side arrays. Note that the index validation already in place prevents attempts to walk off the end of vertex buffer objects actually referenced by the program.
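The trigger described in the report and the hypothesized workaround, written against the WebGL 1.0 API as an added example (this is not code from the bug report, the attached patch or WebKit). The report proposes the zero-length-buffer binding inside the implementation at context creation; here it is applied from the application side, which is an assumption that the same trick works from JavaScript. The attribute name `a_position`, the helper names, and the recording stub used to run the functions outside a browser are all constructed for this example.

```javascript
// Reproducer for the crash described above: an attribute index that the
// program never references is enabled but never backed by a buffer object,
// so it stays a client-side array, and then a draw call is issued.
// On the affected ports the draw copies from a NULL pointer and crashes.
function drawWithUnbackedAttribute(gl, program, positionBuffer, vertexCount) {
  gl.useProgram(program);
  const posLoc = gl.getAttribLocation(program, "a_position"); // assumed attribute name
  gl.bindBuffer(gl.ARRAY_BUFFER, positionBuffer);
  gl.enableVertexAttribArray(posLoc);
  gl.vertexAttribPointer(posLoc, 2, gl.FLOAT, false, 0, 0);

  // Pick an index the program does not use; enable it with no
  // bindBuffer / vertexAttribPointer, exactly the bad state in the report.
  const unusedIndex = posLoc === 0 ? 1 : 0;
  gl.enableVertexAttribArray(unusedIndex);

  gl.drawArrays(gl.TRIANGLES, 0, vertexCount);
}

// Workaround hypothesized in the report, applied here from the application
// side (an assumption of this example): right after context creation, bind one
// zero-length buffer object to every attribute index so that no attribute is
// ever left as a client-side array. WebGL offers no way to switch an attribute
// back to a client-side pointer, so the state is permanent.
function bindZeroLengthBufferToAllAttributes(gl) {
  const maxAttribs = gl.getParameter(gl.MAX_VERTEX_ATTRIBS);
  const empty = gl.createBuffer();
  gl.bindBuffer(gl.ARRAY_BUFFER, empty);
  gl.bufferData(gl.ARRAY_BUFFER, 0, gl.STATIC_DRAW); // zero-length storage
  for (let i = 0; i < maxAttribs; i++) {
    // vertexAttribPointer latches the currently bound ARRAY_BUFFER to index i.
    gl.vertexAttribPointer(i, 4, gl.FLOAT, false, 0, 0);
  }
  gl.bindBuffer(gl.ARRAY_BUFFER, null);
  return { buffer: empty, attributeCount: maxAttribs };
}

// Constructed stand-in for a WebGLRenderingContext so the functions above can
// be exercised outside a browser; it records calls instead of rendering.
function makeRecordingContext(maxVertexAttribs) {
  const calls = [];
  const record = (name) => (...args) => { calls.push([name, ...args]); };
  let nextBufferId = 1;
  return {
    calls,
    ARRAY_BUFFER: 0x8892, STATIC_DRAW: 0x88e4, FLOAT: 0x1406,
    TRIANGLES: 0x0004, MAX_VERTEX_ATTRIBS: 0x8869,
    getParameter: (p) => (p === 0x8869 ? maxVertexAttribs : null),
    createBuffer: () => ({ id: nextBufferId++ }),
    bindBuffer: record("bindBuffer"),
    bufferData: record("bufferData"),
    vertexAttribPointer: record("vertexAttribPointer"),
    enableVertexAttribArray: record("enableVertexAttribArray"),
    useProgram: record("useProgram"),
    getAttribLocation: () => 0,
    drawArrays: record("drawArrays"),
  };
}

// In a browser, apply the workaround to a real context immediately after
// creation, before any attribute is enabled.
if (typeof document !== "undefined") {
  const canvas = document.createElement("canvas");
  const gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
  if (gl) bindZeroLengthBufferToAllAttributes(gl);
}
```

Running drawWithUnbackedAttribute on a context that has been through bindZeroLengthBufferToAllAttributes still leaves the unused attribute enabled, but it is now backed by the zero-length buffer object rather than a NULL client-side pointer, which is the state the report says does not crash.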
Created attachment 57057: patch

For the newly added test, Chrome with the CommandBuffer port will crash without this patch, but will not crash with this patch.
Patch becomes invalid due to the new WebGL spec updates.
See https://bugs.webkit.org/show_bug.cgi?id=40315