Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 81f0e08ab7b0d778be26b25bff178128d8639a68
      
https://github.com/WebKit/WebKit/commit/81f0e08ab7b0d778be26b25bff178128d8639a68
  Author: Wenson Hsieh <[email protected]>
  Date:   2026-02-07 (Sat, 07 Feb 2026)

  Changed paths:
    A LayoutTests/editing/pasteboard/copy-paste-deep-dom-no-crash-expected.txt
    A LayoutTests/editing/pasteboard/copy-paste-deep-dom-no-crash.html
    M Source/WebCore/editing/ReplaceSelectionCommand.cpp
    M Tools/WebKitTestRunner/TestController.cpp
    M Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm

  Log Message:
  -----------
  [iOS] REGRESSION (305399@main): Web process crashes when pasting DOM fragment with depth of ~100 elements in Mail compose
https://bugs.webkit.org/show_bug.cgi?id=307250
rdar://169722784

Reviewed by Ryosuke Niwa and Richard Robinson.

After 305399@main (which adds a heuristic to keep text legible after pasting dark text into Mail
compose in dark mode), pasting very-deeply nested DOM content into Mail compose in dark mode may
cause a web content process crash, due to exceeding maximum stack memory limits.

This happens because the call to `composedTreeChildren` allocates ~1 KB of stack memory by default;
since this is called recursively, any attempt to paste content more than 100 elements deep will
exceed the 1 MB maximum stack size on iOS.

Address this by specifying an explicit inline capacity of 0.

Test: editing/pasteboard/copy-paste-deep-dom-no-crash.html

* LayoutTests/editing/pasteboard/copy-paste-deep-dom-no-crash-expected.txt: Added.
* LayoutTests/editing/pasteboard/copy-paste-deep-dom-no-crash.html: Added.

Note that this test only fails on a real iOS device or virtual machine, where the stack size limit
is 1 MB. On a macOS device, this isn't an issue even at max depth because we still fit comfortably
in the 16 MB limit, with the default inline capacity.

* Source/WebCore/editing/ReplaceSelectionCommand.cpp:
(WebCore::collectStylesToRemove):
* Tools/WebKitTestRunner/TestController.cpp:
(WTR::TestController::resetStateToConsistentValues):
* Tools/WebKitTestRunner/cocoa/TestControllerCocoa.mm:
(WTR::TestController::platformCreateWebView):

Canonical link: https://commits.webkit.org/307017@main
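
The effect the log message describes, as an added example that is not part of the commit and is not WebKit code: a recursive tree walk that keeps a small-buffer vector in every frame, measured once with inline storage and once with an inline capacity of 0. `SmallVec`, `Node`, `walk`, `measure`, the capacity of 16 and the 1000-node chain are all assumptions made for the illustration.

```cpp
// Added illustration, not WebKit code: SmallVec, Node, walk and measure are hypothetical names.
#include <array>
#include <cstdint>
#include <cstdio>
#include <vector>

// Small-buffer vector: the first N elements are stored inside the object, so a
// local SmallVec<T, N> adds roughly N * sizeof(T) bytes to every stack frame.
template <typename T, std::size_t N> struct SmallVec {
    std::array<T, N> inlineSlots;
    std::vector<T> overflow;   // heap storage, used once the inline slots are full
    std::size_t count = 0;
    void push(T v) { if (count < N) inlineSlots[count] = v; else overflow.push_back(v); ++count; }
    T at(std::size_t i) const { return i < N ? inlineSlots[i] : overflow[i - N]; }
};

struct Node { std::vector<Node*> children; };
static std::uintptr_t lowestAddress;   // deepest stack address seen (stack grows down)

// Recursive walk that builds a temporary child list in every frame, the pattern
// the log message describes. Returns the depth of the subtree rooted at node.
template <std::size_t N> std::size_t walk(const Node& node) {
    SmallVec<const Node*, N> kids;
    for (const Node* c : node.children) kids.push(c);
    auto here = reinterpret_cast<std::uintptr_t>(&kids);
    if (here < lowestAddress) lowestAddress = here;
    std::size_t deepest = 0;
    for (std::size_t i = 0; i < kids.count; ++i) {
        std::size_t d = walk<N>(*kids.at(i));
        if (d > deepest) deepest = d;
    }
    return deepest + 1;
}

// Walks a constructed single-child chain `depth` nodes deep and returns the
// stack bytes consumed between the caller and the deepest frame.
template <std::size_t N> std::size_t measure(std::size_t depth, std::size_t* walked) {
    std::vector<Node> chain(depth);
    for (std::size_t i = 0; i + 1 < depth; ++i) chain[i].children.push_back(&chain[i + 1]);
    char top = 0;
    lowestAddress = reinterpret_cast<std::uintptr_t>(&top);
    *walked = walk<N>(chain[0]);
    return reinterpret_cast<std::uintptr_t>(&top) - lowestAddress;
}

int main() {
    std::size_t walked = 0;
    std::printf("inline capacity 16: %zu bytes of stack\n", measure<16>(1000, &walked));
    std::printf("inline capacity 0:  %zu bytes of stack\n", measure<0>(1000, &walked));
}
```

The byte counts depend on compiler and optimization level; the difference between the two lines is the per-frame inline buffer multiplied by the recursion depth.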


