Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a71717e57d42ff056c77eafbb4ad4c4945c26c56
      https://github.com/WebKit/WebKit/commit/a71717e57d42ff056c77eafbb4ad4c4945c26c56
  Author: Wenson Hsieh <wenson_hs...@apple.com>
  Date:   2025-08-19 (Tue, 19 Aug 2025)

  Changed paths:
    A LayoutTests/fast/text-extraction/debug-text-extraction-max-depth-no-crash-expected.txt
    A LayoutTests/fast/text-extraction/debug-text-extraction-max-depth-no-crash.html
    M Source/WebCore/page/text-extraction/TextExtraction.cpp

  Log Message:
  -----------
  [iOS] Web process may crash when running text extraction, if the DOM is deeper than ~100 elements
https://bugs.webkit.org/show_bug.cgi?id=297636
rdar://156496565

Reviewed by Aditya Keerthi and Abrar Rahman Protyasha.

The recursive algorithm used to extract visible text context for UIIntelligenceSupport currently
allocates ~1 KB per call frame, most of which is due to the inline capacity reserved when using
`composedTreeChildren`. For a DOM structure deeper than 100 elements, this sometimes causes us to
exceed the stack limit of 1 MB on iPhone, causing the web content process to crash.

Avoid this by explicitly passing an inline capacity of 0 for `composedTreeChildren`, which brings
the stack size back down to a reasonable ~120 bytes, bringing us well below the maximum stack size
limit even at the current maximum DOM tree depth of 500 nodes.

* LayoutTests/fast/text-extraction/debug-text-extraction-max-depth-no-crash-expected.txt: Added.
* LayoutTests/fast/text-extraction/debug-text-extraction-max-depth-no-crash.html: Added.

Note that this test only fails on a real iOS device or virtual machine, where the stack size limit
is 1 MB. On a macOS device, this isn't an issue even at max depth because we still fit comfortably
in the 16 MB limit, with the default inline capacity.

* Source/WebCore/page/text-extraction/TextExtraction.cpp:
(WebCore::TextExtraction::extractRecursive):

Canonical link: https://commits.webkit.org/298939@main
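
The mechanism the log message describes, as an added example (not WebKit code and not part of the commit): a recursive tree walk that keeps its child list in the call frame is compared with one that keeps it on the heap, and the stack bytes consumed per recursion level are measured. `Node`, `walkInline`, `walkHeap`, `bytesPerFrame` and the capacity of 120 pointers are constructed for illustration and are not WebKit's types or values.

```cpp
// Added illustration, not WebKit code: Node, walkInline, walkHeap and kInlineCapacity are hypothetical.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

struct Node { std::vector<std::unique_ptr<Node>> children; };
constexpr std::size_t kInlineCapacity = 120; // constructed: ~1 KB of pointers on a 64-bit target
static std::vector<std::uintptr_t> g_frames; // address of one local per recursion level

// Child list stored in the call frame (this model ignores children past the capacity).
__attribute__((noinline)) std::size_t walkInline(const Node& node) {
    std::array<const Node*, kInlineCapacity> kids {};
    std::size_t n = 0;
    for (auto& c : node.children) if (n < kInlineCapacity) kids[n++] = c.get();
    g_frames.push_back(reinterpret_cast<std::uintptr_t>(&kids));
    std::size_t count = 1;
    for (std::size_t i = 0; i < n; ++i) count += walkInline(*kids[i]);
    return count;
}

// Child list stored on the heap, as with an inline capacity of 0.
__attribute__((noinline)) std::size_t walkHeap(const Node& node) {
    std::vector<const Node*> kids;
    for (auto& c : node.children) kids.push_back(c.get());
    g_frames.push_back(reinterpret_cast<std::uintptr_t>(&kids));
    std::size_t count = 1;
    for (const Node* k : kids) count += walkHeap(*k);
    return count;
}

// Stack bytes consumed per recursion level, measured on a single-child chain.
std::size_t bytesPerFrame(std::size_t (*walk)(const Node&), std::size_t depth) {
    Node root;
    Node* tail = &root;
    for (std::size_t i = 1; i < depth; ++i) {
        tail->children.push_back(std::make_unique<Node>());
        tail = tail->children.back().get();
    }
    g_frames.clear();
    walk(root);
    return g_frames[0] > g_frames[1] ? g_frames[0] - g_frames[1] : g_frames[1] - g_frames[0];
}

int main() {
    std::printf("inline: %zu bytes/frame, heap: %zu bytes/frame\n",
        bytesPerFrame(walkInline, 500), bytesPerFrame(walkHeap, 500));
}
```

Multiplying the per-frame figure by the tree depth gives the stack the walk needs, which is the quantity to compare against the thread's stack limit.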


