Name

    KHR_robust_buffer_access_behavior

Name Strings

    GL_KHR_robust_buffer_access_behavior

Contact

    Jon Leech (oddhack 'at' sonic.net)
    Piers Daniell, NVIDIA (pdaniell 'at' nvidia.com)

Contributors

    Jan-Harald Fredriksen, ARM
    Jeff Bolz, NVIDIA
    Kenneth Russell, Google
    Pat Brown, NVIDIA

Notice

    Copyright (c) 2012-2014 The Khronos Group Inc. Copyright terms at
        http://www.khronos.org/registry/speccopyright.html

Status

    Complete. 
    Approved by the OpenGL ES Working Group on June 25, 2014.
    Approved by the ARB on June 26, 2014.
    Ratified by the Khronos Board of Promoters on August 7, 2014.

Version

    Version 7, June 26, 2014

Number

    ARB Extension #169
    OpenGL ES Extension #189

Dependencies

    OpenGL ES 2.0 or OpenGL 3.2 are required.

    GL_KHR_robustness is required.
    
    This extension is written against the OpenGL ES 3.1 Specification
    (version of June 4, 2014) and the OpenGL ES 3.10.3 Shading Language
    Specification (version of June 6, 2014)

Overview

    This extension specifies the behavior of out-of-bounds buffer and
    array accesses. This is an improvement over the existing
    KHR_robustness extension which states that the application should
    not crash, but that behavior is otherwise undefined. This extension
    specifies the access protection provided by the GL to ensure that
    out-of-bounds accesses cannot read from or write to data not owned
    by the application. All accesses are contained within the buffer
    object and program area they reference. These additional robustness
    guarantees apply to contexts created with the robust access flag
    set.

IP Status

    No known IP claims.

New Procedures and Functions

    None

New Tokens

    None

Additions to the OpenGL ES 3.1 Specification

    Append to section 6.4 "Effects of Accessing Outside Buffer Bounds" on p.
    58:
    
   "Robust buffer access can be enabled by creating a context with robust
    access enabled through the window system binding APIs. When enabled, any
    command unable to generate a GL error as described above, such as buffer
    object accesses from the active program, will not read or modify memory
    outside of the data store of the buffer object and will not result in GL
    interruption or termination.

    Out-of-bounds reads may return any of the following values:

      * Values from anywhere within the buffer object.
      * Zero values, or (0,0,0,x) vectors for vector reads where x is a
        valid value represented in the type of the vector components and may
        be any of

        + 0, 1, or the maximum representable positive integer value, for
          signed or unsigned integer components
        + 0.0 or 1.0, for floating-point components

    Out-of-bounds writes may modify values within the buffer object or be
    discarded.

    Accesses made through resources attached to binding points are only
    protected within the buffer object from which the binding point is
    declared. For example, for an out-of-bounds access to a member variable
    of a uniform block, the access protection is provided within the uniform
    buffer object, and not for the bound buffer range for this uniform
    block."


    Add a new subsection 10.3.4rob "Robust Buffer Access" preceding section
    10.3.5 "Packed Vertex Data Formats" on p. 243:

   "Robust buffer access can be enabled by creating a context with robust
    access enabled through the window system binding APIs. When enabled,
    indices within the element array (see section 10.3.7) that reference
    vertex data that lies outside the enabled attribute's vertex buffer
    object result in reading zero. It is not possible to read vertex data
    from outside the enabled vertex buffer objects or from another GL
    context, and these accesses do not result in abnormal program
    termination."


    Replace the last paragraph of section 11.1.3.2 "Texel Fetches", on p.
    265:
    
    "In all the above cases, if the context was created with robust buffer
    access enabled (see section 10.3.4rob), the result of the texture fetch
    is zero, or a texture source color of (0,0,0,1) in the case of a texel
    fetch from an incomplete texture. If robust buffer access is not
    enabled, the result of the texture fetch is undefined in each case."


    Replace the last paragraph of section 11.1.3.12 "Undefined Behavior" on
    p. 272:
    
   "Robust buffer access can be enabled by creating a context with
    robust access enabled through the window system binding APIs. When
    enabled, out-of-bounds accesses will be bounded within the working
    memory of the active program, cannot access memory owned by other
    GL contexts, and will not result in abnormal program termination.
    Out-of-bounds access to local and global variables cannot read
    values from other program invocations. An out-of-bounds read may
    return another value from the active program's working memory or
    zero. An out-of-bounds write may overwrite a value from the active
    program's working memory or be discarded.
    
    Out-of-bounds accesses to resources backed by buffer objects cannot read
    or modify data outside of the buffer object. For resources bound to
    buffer ranges, access is restricted within the buffer object from which
    the buffer range was created, and not within the buffer range itself.
    Out-of-bounds reads and writes behave as described in section 6.4.
    
    Out-of-bounds accesses to arrays of resources, such as an array of
    textures, can only access the data of bound resources. Reads from
    unbound resources return zero and writes are discarded. It is not
    possible to access data owned by other GL contexts.

    Applications that require defined behavior for out-of-bounds
    accesses should range check all computed indices before
    dereferencing the array, vector or matrix."


Additions to chapter 5 of the OpenGL ES Shading Language Specification
version 3.10.3

    Add a new section 5.12 "Out-of-Bounds Access and Robust Buffer Access
    Behavior" on p. 84:
    
   "In the sections described above for array, vector, matrix and structure
    accesses, any out-of-bounds access produces undefined behavior. However,
    if robust buffer access is enabled via the GL API, such accesses will be
    bound within the memory extent of the active program. It will not be
    possible to access memory from other programs, and accesses will not
    result in abnormal program termination. Out-of-bounds reads return
    undefined values, which include values from other variables of the
    active program or zero. Out-of-bounds writes may be discarded or
    overwrite other variables of the active program, depending on the value
    of the computed index and how this relates to the extent of the active
    program's memory. Applications that require defined behavior for
    out-of-bounds accesses should range check all computed indices before
    dereferencing an array."

Errors

    None

New State

    None

New Implementation Dependent State

    None

Interactions with OpenGL ES 2.0

    If only OpenGL ES 2.0 is supported then modifications to texel fetch
    behavior are ignored, since texel fetch functionality does not exist
    in OpenGL ES 2.0.

Interactions with OpenGL

    In OpenGL implementations of this extension, the language in section 6.4
    on values returned from out-of-bound reads is still applied in its
    entirety to the "Undefined Behavior" language in section 11.1.3.12,
    including the (0,0,0,x) read behavior.

    However, when read specifically against the operations in 6.4,
    out-of-bounds reads are further restricted to return either values from
    anywhere within the buffer object, or zero. The less tightly specified
    (0,0,0,x) reads defined for OpenGL ES does *not* apply in this case.

Issues

    1) Why are out-of-bounds reads of buffer object backed resources defined
       to allow returning "a value from the current buffer object" in
       addition to one of several possible defined values?
       
       RESOLVED: This is necessary to allow the implementation to either
       range check, apply a mask/modulus or apply a clamp to the index.
       
    2) Why do out-of-bounds writes to buffer object backed resources have a
       stronger guarantee than reads? The spec says that writes outside of
       the bounded range are discarded but reads are only protected within
       the buffer object.
       
       RESOLVED: This stronger guarantee for writes can be made because
       GPUs made since around 2008 (DX10) already implement this behavior.

    3) How does this extension differ from
       ARB_robust_buffer_access_behavior?

       - It is written against OpenGL ES 3.1 instead of GL 4.2, and can
         be implemented for OpenGL ES 2.0 contexts as well.
       - References to GL_CONTEXT_FLAG_ROBUST_ACCESS_BIT_ARB are
         removed, since there is no query for context creation flags in
         any version of OpenGL ES.
       - For OpenGL ES implementations only, it widens the scope of possible
         return values from OOB buffer reads to (0,0,0,x) where x is zero,
         one, or MAXINT for integer types.

    4) What value should be returned for out of bounds reads that are
       not part of another resource?

       DISCUSSION: As noted in bug 12104, some implementations cannot return
       zero for all components in this case, but may return another defined
       value, such as one, for the alpha component of vector reads. The
       agreed resolution has been incorporated in the language for section
       2.9.4 and referenced from elsewhere in the extension language.

    5) How should this extension be enabled via EGL?

       PROPOSED: If a context is successfully created supporting
       KHR_robustness (see issue 10 of that spec), the EGL 1.5 spec and
       EGL_EXT_create_context_robustness extensions will be modified to
       *allow* (but not require) support of
       GL_KHR_robust_buffer_access_behavior as well.

       DISCUSSION: We can't require support of this extension, because
       that's a behavior modification to the EGL context creation
       functionality and cannot be supported on existing implementations
       which may support robustness already but not the additional
       guarantees of this spec.

    6) What changed in promoting this extension from OES to KHR? What
       remains to be done for consistency between GL and ES?

       DISCUSSION: The only meaningful difference is identified in the
       "Interactions with OpenGL" section, and is simply slightly tighter
       constrains on out-of-range buffer reads through the operations in
       section 6.4.


Revision History

    Rev.    Date       Author     Changes
    ----  ------------ ---------  -------------------------------------------
      7   2014/06/26   Jon Leech  Change from OES to KHR. Update issue 3
                                  and add issue 6 on ES / GL differences.
      6   2014/06/24   Jon Leech  Rebase against OpenGL ES 3.1. Fix typos.
                                  Add issue 5 on enabling the extension
                                  at context creation time.
      5   2014/06/09   Jon Leech  Update values-returned language to allow
                                  returning any of 0, 1, or the maximum 
                                  representable positive value for integer
                                  types (Bug 12104).
      4   2014/06/02   Jon Leech  Incorporate new language on values returned
                                  from reads inside a buffer object (Bug
                                  12104 comment #31).
      3   2014/05/14   Jon Leech  Revert language on disabled attribute 
                                  reads mistakenly included from bug 10695.
      2   2014/05/07   Jon Leech  Add issue 4 on values to be returned
                                  from out of bounds reads (Bug 12104).
      1   2014/04/23   Jon Leech  Branch from ARB_rbab and convert to be
                                  based on ES 3 specs instead of GL 4.2.
