Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d16628e4f1b697ca3dd77ba1af1a29d5e90eee47
https://github.com/WebKit/WebKit/commit/d16628e4f1b697ca3dd77ba1af1a29d5e90eee47
Author: Tyler Wilcock <[email protected]>
Date: 2025-02-28 (Fri, 28 Feb 2025)
Changed paths:
A LayoutTests/accessibility/button-in-deep-dom-expected.txt
A LayoutTests/accessibility/button-in-deep-dom.html
M LayoutTests/platform/glib/TestExpectations
M LayoutTests/platform/ios/TestExpectations
M Source/WebCore/SaferCPPExpectations/UncountedCallArgsCheckerExpectations
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
M Source/WebCore/accessibility/AccessibilityRenderObject.cpp
M Source/WebCore/dom/ComposedTreeIterator.cpp
M Source/WebCore/dom/ComposedTreeIterator.h
Log Message:
-----------
AX: Building the accessibility tree from a deep DOM on iOS causes a stack overflow crash
https://bugs.webkit.org/show_bug.cgi?id=288560
rdar://145622766
Reviewed by Antti Koivisto and Ryosuke Niwa.
With the default inline capacity for ComposedTreeIterator::m_contextStack of 8, the size of this class is extremely large (roughly 9.5k bytes). This is problematic when building the accessibility tree, which is done recursively, as it causes stack overflow crashes on iOS-like operating systems, as they have a significantly smaller maximum stack size than macOS.

With this commit, we add a `template <size_t ContextInlineCapacity>` to ComposedTreeIterator that allows individual callsites to control how much inline capacity the iterator uses internally. Then we use this template in AccessibilityRenderObject::addChildren and AccessibilityNodeObject::addChildren to specify zero inline capacity (meaning all the vector's contents go to the heap), avoiding the crash.

In the future, we should consider rewriting the algorithm to build the accessibility tree to be iterative rather than recursive.
* LayoutTests/accessibility/button-in-deep-dom-expected.txt: Added.
* LayoutTests/accessibility/button-in-deep-dom.html: Added.
* LayoutTests/platform/ios/TestExpectations: Enable new test.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
* Source/WebCore/accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::addChildren):
* Source/WebCore/dom/ComposedTreeIterator.cpp:
(WebCore::ComposedTreeIterator::Context::Context): Deleted.
(WebCore::ComposedTreeIterator::ComposedTreeIterator): Deleted.
(WebCore::ComposedTreeIterator::initializeContextStack): Deleted.
(WebCore::ComposedTreeIterator::dropAssertions): Deleted.
(WebCore::ComposedTreeIterator::traverseShadowRoot): Deleted.
(WebCore::ComposedTreeIterator::traverseNextInShadowTree): Deleted.
(WebCore::ComposedTreeIterator::traverseNextLeavingContext): Deleted.
(WebCore::ComposedTreeIterator::advanceInSlot): Deleted.
(WebCore::ComposedTreeIterator::traverseSiblingInSlot): Deleted.
* Source/WebCore/dom/ComposedTreeIterator.h:
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::ComposedTreeIterator):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNext):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNextSkippingChildren):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNextSibling):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traversePreviousSibling):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::depth const):
(WebCore::ComposedTreeDescendantAdapter::begin):
(WebCore::ComposedTreeDescendantAdapter::end):
(WebCore::ComposedTreeDescendantAdapter::at):
(WebCore::ComposedTreeChildAdapter::Iterator::Iterator):
(WebCore::ComposedTreeChildAdapter::Iterator::operator++):
(WebCore::ComposedTreeChildAdapter::Iterator::operator--):
(WebCore::composedTreeDescendants):
(WebCore::composedTreeChildren):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::Context::Context):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::initializeContextStack):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::dropAssertions):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseShadowRoot):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNextInShadowTree):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNextLeavingContext):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::advanceInSlot):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseSiblingInSlot):
(WebCore::ComposedTreeIterator::ComposedTreeIterator): Deleted.
(WebCore::ComposedTreeIterator::traverseNext): Deleted.
(WebCore::ComposedTreeIterator::traverseNextSkippingChildren): Deleted.
(WebCore::ComposedTreeIterator::traverseNextSibling): Deleted.
(WebCore::ComposedTreeIterator::traversePreviousSibling): Deleted.
(WebCore::ComposedTreeIterator::depth const): Deleted.
Canonical link: https://commits.webkit.org/291331@main
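As an added illustration of the size effect the commit message describes (this is example code, not WebKit's): a stand-in for ComposedTreeIterator whose context stack has a compile-time inline capacity, and a recursive child walk that keeps one iterator alive per frame, the way addChildren does. The Node, Context, ContextStack, DescendantIterator, buildSubtreeRecursive, bytesPerFrame and makeTree names, the 112-byte Context padding and the tree shapes are all constructed for this example; ContextStack is a simplified model of a vector with inline capacity, not WTF::Vector.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Constructed tree node (not WebKit's DOM): owns its children.
struct Node {
    std::vector<std::unique_ptr<Node>> children;
};

// Stand-in for ComposedTreeIterator::Context. The real one holds traversal
// state; the padding is a constructed size chosen so that inline capacity
// dominates sizeof(iterator), which is the situation the commit fixes.
struct Context {
    const Node* parent = nullptr;
    std::size_t nextChildIndex = 0;
    std::uint8_t padding[112] = {};
};

// Simplified model of a vector with inline capacity (not WTF::Vector): the
// first InlineCapacity entries live inside the object, the rest on the heap.
template <std::size_t InlineCapacity>
class ContextStack {
public:
    void push(const Context& c) {
        if (m_size < InlineCapacity) m_inline[m_size] = c;
        else m_heap.push_back(c);
        ++m_size;
    }
    void pop() {
        if (m_size > InlineCapacity) m_heap.pop_back();
        --m_size;
    }
    Context& top() { return m_size <= InlineCapacity ? m_inline[m_size - 1] : m_heap.back(); }
    std::size_t size() const { return m_size; }
    bool empty() const { return m_size == 0; }
private:
    std::array<Context, InlineCapacity> m_inline {};  // std::array<T, 0> is legal, so capacity 0 works
    std::vector<Context> m_heap;
    std::size_t m_size = 0;
};

// Minimal analogue of ComposedTreeIterator: a preorder descendant walk whose
// ancestor chain lives in m_contextStack, so sizeof(iterator) is governed by
// ContextInlineCapacity exactly as in the commit.
template <std::size_t ContextInlineCapacity>
class DescendantIterator {
public:
    explicit DescendantIterator(const Node& root) { m_contextStack.push(Context { &root, 0 }); }

    // Next node in preorder, or nullptr once the subtree is exhausted.
    const Node* next() {
        while (!m_contextStack.empty()) {
            Context& ctx = m_contextStack.top();
            if (ctx.nextChildIndex < ctx.parent->children.size()) {
                const Node* child = ctx.parent->children[ctx.nextChildIndex++].get();
                m_contextStack.push(Context { child, 0 });
                return child;
            }
            m_contextStack.pop();
        }
        return nullptr;
    }

    // Next node after the current one's whole subtree (analogue of
    // traverseNextSkippingChildren()): drop the current node's context, then
    // continue from the parent, whose child index is already advanced.
    const Node* nextSkippingChildren() {
        if (m_contextStack.size() > 1)
            m_contextStack.pop();
        return next();
    }
private:
    ContextStack<ContextInlineCapacity> m_contextStack;
};

// Recursive analogue of AccessibilityRenderObject::addChildren: every frame
// holds one iterator over its node's direct children, so the native stack grows
// by at least sizeof(DescendantIterator<N>) per level of tree depth.
// Returns the number of nodes "added" below `node`.
template <std::size_t ContextInlineCapacity>
std::size_t buildSubtreeRecursive(const Node& node) {
    DescendantIterator<ContextInlineCapacity> children(node);  // lives in this stack frame
    std::size_t added = 0;
    for (const Node* child = children.next(); child; child = children.nextSkippingChildren())
        added += 1 + buildSubtreeRecursive<ContextInlineCapacity>(*child);
    return added;
}

// Lower bound on the stack cost of one recursion level: the iterator object itself.
template <std::size_t ContextInlineCapacity>
constexpr std::size_t bytesPerFrame() { return sizeof(DescendantIterator<ContextInlineCapacity>); }

// Constructed input: a tree `depth` levels deep where every node has `fanout` children.
std::unique_ptr<Node> makeTree(std::size_t fanout, std::size_t depth) {
    auto node = std::make_unique<Node>();
    if (depth == 0) return node;
    for (std::size_t i = 0; i < fanout; ++i)
        node->children.push_back(makeTree(fanout, depth - 1));
    return node;
}

int main() {
    auto deepChain = makeTree(1, 1000);  // a 1000-deep chain, like a deeply nested DOM
    std::printf("inline capacity 8: %zu bytes per frame; inline capacity 0: %zu bytes per frame\n",
        bytesPerFrame<8>(), bytesPerFrame<0>());
    std::printf("nodes added: %zu (capacity 8), %zu (capacity 0)\n",
        buildSubtreeRecursive<8>(*deepChain), buildSubtreeRecursive<0>(*deepChain));
    return 0;
}
```

Both instantiations walk the same tree and return the same count; what differs is bytesPerFrame: with inline capacity 8 the eight Context slots are embedded in every frame of buildSubtreeRecursive, so a tree of depth d costs at least d times that size of native stack, whereas capacity 0 moves the slots to the heap and leaves a few dozen bytes per frame. Dividing a platform's thread stack limit by bytesPerFrame gives the deepest document the recursive walk can tolerate before it overflows, which is the number to check for any recursive tree builder that processes attacker-supplied markup.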
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes