Name

    ARB_robust_buffer_access_behavior

Name Strings

    GL_ARB_robust_buffer_access_behavior

Contact

    Piers Daniell, NVIDIA (pdaniell 'at' nvidia.com)

Contributors

    Jan-Harald Fredriksen, AMD
    Jeff Bolz, NVIDIA
    Kenneth Russell, Google
    Pat Brown, NVIDIA

Notice

    Copyright (c) 2012-2013 The Khronos Group Inc. Copyright terms at
        http://www.khronos.org/registry/speccopyright.html

Status

    Complete.
    Approved by the ARB on 2012/06/12.

Version

    Last Modified Date:  October 2, 2013
    Version:             10

Number

    ARB Extension #135

Dependencies

    The ARB_robustness extension is required.
    
    This extension is written against The OpenGL 4.2 (Compatibility Profile)
    specification.

Overview

    This extension specifies the behavior of out-of-bounds buffer and array
    accesses. This is an improvement over the existing ARB_robustness
    extension which stated that the application should not crash, but
    the behavior is otherwise undefined. This extension specifies the access
    protection provided by the GL to ensure that out-of-bounds accesses
    cannot read from or write to data not owned by the application. All
    accesses are contained within the buffer object and program area they
    reference. These additional robustness guarantees apply to contexts
    created with the CONTEXT_FLAG_ROBUST_ACCESS_BIT_ARB feature enabled.

IP Status

    No known IP claims.

New Procedures and Functions

    None

New Tokens

    None

Additions to Chapter 2 of the OpenGL 4.2 (Compatibility Profile)
Specification (OpenGL Operation)

    Add to Section 2.8 "Vertex Arrays" before 2.8.1 (Packed Vertex Data
    Formats):

    "Robust buffer access can be enabled by creating a context with robust
    access enabled through the window system binding APIs. When enabled,
    indices within the elements array that reference vertex data that
    lies outside the enabled attributes vertex buffer objects, result in
    reading zero. It is not possible to read vertex data from outside the
    enabled vertex buffer objects or from another GL context, and these
    accesses do not result in abnormal program termination."

    Add to Section 2.9.4 (Effects of Accessing Outside Buffer Bounds) on
    page 65 the following:
    
    "Robust buffer access can be enabled by creating a context with robust
    access enabled through the window system binding APIs. When enabled, any
    command unable to set a GL error as described above, for example buffer
    object accesses from the active program, will not read or modify memory
    outside of the buffer object and will not result in GL interruption or
    termination. Out-of-bounds reads may return values from within the buffer
    object or zero. Out-of-bounds writes may modify values within the buffer
    object or be discarded. Accesses made through resources attached to
    binding points are only protected within the buffer object from which the
    binding point is declared. For example, for an out-of-bounds access to
    a member variable of a uniform block, the access protection is provided
    within the uniform buffer object, and not for the bound buffer range for
    this uniform block."

    Add a new paragraph to the end of the "Texel Fetches" sub-section on page
    147 that reads:
    
    "In all the above cases, if the context was created with robust buffer
    access enabled then instead of undefined behavior the result of the
    texel fetch is zero. For the case of a texel fetch on an incomplete
    texture the result is a texture source color of (0, 0, 0, 1)."

    Add the following paragraph to the sub-section titled "Undefined Behavior"
    near the bottom of page 152:
    
    "Robust buffer access can be enabled by creating a context with robust
    access enabled through the window system binding APIs. When enabled,
    out-of-bounds accesses will be bounded within the working memory of the
    active program and cannot access memory owned by other GL contexts,
    and will not result in abnormal program termination. Out-of-bounds
    access to local and global variables cannot read values from other
    program invocations. An out-of-bounds read may return another value
    from the active program's working memory or zero. An out-of-bounds
    write may overwrite a value from the active program's working memory
    or be discarded.
    
    Out-of-bounds accesses to resources backed by buffer objects cannot
    read or modify data outside of the buffer object. For resources bound
    to buffer ranges, access is restricted within the buffer object from
    which the buffer range was created, and not within the buffer range
    itself. Out-of-bounds reads may return values from within the buffer
    object or zero. Out-of-bounds writes may modify values within the buffer
    object or be discarded.
    
    Out-of-bounds accesses to arrays of resources, such as an array of
    textures, can only access the data of bound resources. Reads from
    unbound resources return zero and writes are discarded. It is not
    possible to access data owned by other GL contexts.

    Applications that require defined behavior for out-of-bounds accesses
    should range check all computed indices before dereferencing the array,
    vector or matrix."

Additions to The OpenGL Shading Language Specification, Version 4.20.6

    Add a new Section 5.11 (Out-of-Bounds Access and Robust Buffer Access
    Behavior)
    
    "In the sub-sections described above for array, vector, matrix and
    structure accesses, any out-of-bounds access produced undefined behavior.
    However, if robust buffer access is enabled via the OpenGL API, such accesses will
    be bound within the memory extent of the active program. It will not be
    possible to access memory from other programs, and accesses will not result in
    abnormal program termination. Out-of-bounds reads return undefined values,
    which include values from other variables of the active program or zero.
    Out-of-bounds writes may be discarded or overwrite other variables of the
    active program, depending on the value of the computed index and how this
    relates to the extent of the active program's memory. Applications that
    require defined behavior for out-of-bounds accesses should range check
    all computed indices before dereferencing an array."

Errors

    None

New State

    None

New Implementation Dependent State

    None

Issues

    1) Why are out-of-bounds reads of buffer object backed resourced defined
       to "return zero or a value from the current buffer object" rather than
       just "return zero"?
       
       RESOLVED: This is necessary to allow the implementation to either
       range check, apply a mask/modulus or apply a clamp to the index.
       
    2) Why do out-of-bounds writes to buffer object backed resources have a
       stronger guarantee than reads? The spec says that writes outside of
       the bounded range are discarded but reads are only protected within
       the buffer object.
       
       RESOLVED: This stronger guarentee for writes can be made because
       GPUs made since around 2008 (DX10) already implement this behavior.

Revision History

    Rev.    Date       Author     Changes
    ----  ------------ ---------  -------------------------------------------
     10   02 Oct 2013  Jon Leech  Drop bogus clause about reading zero for
                                  ``disabled attributes'' in section 2.8
                                  (Bug 10695).

      9   15 May 2012  pdaniell   Specify that texel fetches are defined to
                                  return zero for the error cases only when
                                  robust buffer access is enabled.

      8   20 Apr 2012  pdaniell   Mark issues 1 and 2 resolved.
    
      7   15 Mar 2012  pdaniell   Edits based on reviews from Kenneth Russel
                                  and Jan-Harald Fredriksen.

      6   30 Jan 2012  pdaniell   Edits based on internal review.
    
      5   24 Jan 2012  pdaniell   Add spec language to define out of bounds
                                  access behavior of vertex array index,
                                  buffer objects and shader arrays, vectors
                                  and matrices.

      4   24 Jan 2012  pdaniell   ARBify. Still need to convert to real spec.

      3   28 Nov 2011  pdaniell   Simplify the spec to better represent what
                                  today's desktop GPUs already support.

      2   16 Nov 2011  pdaniell   Add some more detail to the overview

      1   27 Oct 2011  kbr        Initial version
