Validate binding ranges against buffer size #7875
Conversation
|
Hmm. If disallowing zero-size bindings breaks the CTS in CI, then maybe it is a bad idea. |
There was a problem hiding this comment.
Thank you very much for the safety condition comments and documentation!
We should take this patch as it stands, but I think the way it's written may suggest a misunderstanding of an important aspect of wgpu's architecture, and we should address that misunderstanding in a follow-up PR. See the comments here:
Lines 181 to 195 in 3d0fe3a
Specifically, it doesn't seem valuable to make BufferBinding::new_unchecked unsafe when the only thing you can do with it is pass it to an unsafe Device or CommandEncoder method anyway.
I admit this concern is arguable: certainly the code does continue to do necessary validation in wgpu-core, with the wgpu-hal changes merely forcing people to think about safety conditions in a more focused place (at BufferBinding creation time) than they would otherwise (at set_index_buffer, create_bind_group, etc. time).
| /// Some back ends cannot tolerate zero-length regions; for example, see | ||
| /// [VUID-VkDescriptorBufferInfo-offset-00340][340] and | ||
| /// [VUID-VkDescriptorBufferInfo-range-00341][341], or the | ||
| /// documentation for GLES's [glBindBufferRange][bbr]. This documentation | ||
| /// previously stated that a `BufferBinding` must have `offset` strictly less | ||
| /// than the size of the buffer, but this restriction was not honored elsewhere | ||
| /// in the code, so has been removed. However, it remains the case that | ||
| /// some backends do not support zero-length bindings, so additional | ||
| /// logic is needed somewhere to handle this properly. See | ||
| /// [#3170](https://github.com/gfx-rs/wgpu/issues/3170). |
There was a problem hiding this comment.
This is fine for now, but for the future: documentation should not generally explain its own history; we have git and commit log messages for that. The documentation's audience is someone trying to understand what rules they need to follow today. Providing rationale and context can serve that goal, but the above seems distracting.
Fixes the issues noted in #1039 (comment). Together with #7874, this addresses #1039.
This tightens up the validation of binding sizes. I have added a helper on the wgpu_core
Buffertype to resolve implicit remainder-of-buffer sizes and validate the binding offset and size against the size of the buffer. This helper is now the preferred way of constructing ahal::BufferBinding. Direct construction is no longer allowed in wgpu_core. There is an unsafenew_uncheckedhelper for cases where direct construction is necessary.The more controversial and potentially risky part of this change is that the validation of binding size rejects zero-size bindings. Previously, zero-size bindings were allowed increate_buffer_binding, even thoughhal::BufferBindingwas documented as not allowing zero-size bindings. So I think this version is safer, but it's possible that zero-size bindings were tolerated in some cases before that will no longer work.I have left support for zero-size bindings in approximately the same state as it was, since attempting to disallow them entirely caused test failures. #3170
Testing
Tested locally using the following CTS tests:
The tests are still failing, due to #3170, but the situation is improved.
Squash or Rebase? Rebase (seems useful to keep the "validate binding ranges" and "restore zero-sized buffer" support commits separate, since it may be useful to revert the latter).
Checklist
cargo fmt.taplo format.cargo clippy --tests. If applicable, add:--target wasm32-unknown-unknowncargo xtask testto run tests.CHANGELOG.mdentry.