Issue 659144  has been merged into this issue.

yunchao, qiankun, can someone on Intel take a look at this bug? since you can reproduce this easily. I am currently stacked with tasks.

I can take a look now.

Thank you!

In my investigation, the crash issue is caused by a memory allocation issue in ANGLE.

On Windows, ANGLE uses constant buffer as uniform buffer in OpenGL ES. In D3D a constant buffer has a maximum size (65536 bytes) that a D3D shader can access. Although MSDN says on Win8 and later OS we can create a constant buffer that is larger than 65536 bytes[1], to ensure the compatibility in ANGLE the size of a uniform buffer is restricted not over 65536 bytes[2].

The case attempts to allocate a large block of memory to a uniform block (262144 bytes). With patch #427200 the memory block will be immediately allocated and passed to a uniform block [3].
 
In setSubData(target, data, size, offset) buffer should be resized before passing data to it [4]. The parameter size will be checked before the buffer is really resized [5]. In FillBufferDesc the size of the buffer (bufferDesc->ByteWidth) is set not over maxUniformBlockSize (65536 bytes) [6]. In this case the size of the newly created constant buffer is only 65536 bytes, then in setData a runtime error occurs when attempting to memcpy 262144 bytes into a 65536-byte buffer [7].

In Chromium before #427200, since data is nullptr, the 262144-byte memory allocation is not executed at once when bufferData is called [8], and because the test only passes four floats to the uniform block by bufferSubData, at this point ANGLE just creates a 65536-byte constant buffer and memcpy the data to it, so there is no errors generated.

I drop the restriction code and the case can pass on my Win10 machine. But I think it is reasonable for ANGLE to restrict the size of a constant buffer no over 65536 bytes to be compatible with Win7. So should we use multiple constant buffers to simulate a larger buffer, or just add additional restriction on the size of a uniform block, or other better solutions?

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ff476501(v=vs.85).aspx
[2] https://cs.chromium.org/chromium/src/third_party/angle/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp?l=878
[3] https://cs.chromium.org/chromium/src/gpu/command_buffer/service/buffer_manager.cc?l=465
[4] https://cs.chromium.org/chromium/src/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp?l=334
[5] https://cs.chromium.org/chromium/src/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp?l=948
[6] https://cs.chromium.org/chromium/src/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp?l=1046
[7] https://cs.chromium.org/chromium/src/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp?l=840
[8] https://cs.chromium.org/chromium/src/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp?l=309

Geoff, Jamie, what do you think?

Looking now.

This is an ANGLE bug, will fix.

The following revision refers to this bug:
  https://chromium.googlesource.com/angle/angle/+/5677e4d136883f681b491daa492366db29fa3a78

commit 5677e4d136883f681b491daa492366db29fa3a78
Author: Jamie Madill <jmadill@chromium.org>
Date: Fri Oct 28 19:27:07 2016

Buffer11: Ensure we don't overflow on setData.

When mapping uniform buffers for very large buffers, we could end
up copying past buffer bounds. This would trigger crashes on some
configs. We can fix this by clamping the copy size correctly.

BUG= chromium:659892 

Change-Id: I9d1af984da34867692d4c7b8908c016ebec7a63b
Reviewed-on: https://chromium-review.googlesource.com/404931
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>

[modify] https://crrev.com/5677e4d136883f681b491daa492366db29fa3a78/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/angle/angle/+/5677e4d136883f681b491daa492366db29fa3a78

commit 5677e4d136883f681b491daa492366db29fa3a78
Author: Jamie Madill <jmadill@chromium.org>
Date: Fri Oct 28 19:27:07 2016

Buffer11: Ensure we don't overflow on setData.

When mapping uniform buffers for very large buffers, we could end
up copying past buffer bounds. This would trigger crashes on some
configs. We can fix this by clamping the copy size correctly.

BUG= chromium:659892 

Change-Id: I9d1af984da34867692d4c7b8908c016ebec7a63b
Reviewed-on: https://chromium-review.googlesource.com/404931
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>

[modify] https://crrev.com/5677e4d136883f681b491daa492366db29fa3a78/src/libANGLE/renderer/d3d/d3d11/Buffer11.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/988aa562e76cacc7b6b39d9f7b33c25f5b7824f8

commit 988aa562e76cacc7b6b39d9f7b33c25f5b7824f8
Author: qiankun.miao <qiankun.miao@intel.com>
Date: Sun Oct 30 09:14:46 2016

Roll ANGLE af7f301..705a919

https://chromium.googlesource.com/angle/angle.git/+log/af7f301..705a919

BUG= chromium:659892 ,  540829 , 655247,  chromium:639760 ,  chromium:659326 ,  chromium:659326 ,  658555 

TEST=bots

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2457243003
Cr-Commit-Position: refs/heads/master@{#428622}

[modify] https://crrev.com/988aa562e76cacc7b6b39d9f7b33c25f5b7824f8/DEPS

 Issue 660670  has been merged into this issue.

Assuming this is fixed?

Yes, thanks for closing.