Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 758d272dafacb6ab4bc8d5821f412ea0328d5f6d
https://github.com/WebKit/WebKit/commit/758d272dafacb6ab4bc8d5821f412ea0328d5f6d
Author: Ryosuke Niwa <[email protected]>
Date: 2026-03-18 (Wed, 18 Mar 2026)
Changed paths:
A LayoutTests/fast/parser/html-parser-depth-limit-hang-expected.txt
A LayoutTests/fast/parser/html-parser-depth-limit-hang.html
M Source/WebCore/html/parser/HTMLConstructionSite.cpp
M Source/WebCore/html/parser/HTMLConstructionSite.h
M Source/WebCore/html/parser/HTMLTreeBuilder.cpp
Log Message:
-----------
Cherry-pick 309454@main (aff0077f7388).
https://bugs.webkit.org/show_bug.cgi?id=309208
Deeply nested <div> causes hang in parser (realistic example)
https://bugs.webkit.org/show_bug.cgi?id=309208
rdar://171763407
Reviewed by Wenson Hsieh and Ryan Reno.
This PR fixes an infinite loop in the HTML parser that occurs when the parser hits the tree depth limit.

The HTML parser limits the DOM tree depth at 512. When this limit is reached, HTMLConstructionSite's attachLater pops the top element from the open elements stack before pushing the new element, keeping the depth at 512.

The problem is that this pop-and-push happens blindly — it can pop table-internal elements such as table, tbody, tr, td, th, that the parser's insertion mode state machine depends on. This creates an inconsistency between the insertion mode and the actual stack contents and causes an infinite loop.

With the test case specifically, td fails to get inserted into the stack of open elements, resulting in the parser state being InsertionMode::InCell without having td/th in the stack of open elements. When `</table>` arrives in this state, HTMLTreeBuilder's closeTheCell fails silently and falls into an infinite loop.

To fix this problem, this PR adds a new boolean state in HTMLConstructionSite, which indicates that we've reached the maximum tree depth, and checks this state in HTMLTreeBuilder. When the flag is set, we call resetInsertionModeAppropriately to correct the insertion mode to be consistent with the stack of open elements.
Analysis done with Claude AI.
Test: fast/parser/html-parser-depth-limit-hang.html
* LayoutTests/fast/parser/html-parser-depth-limit-hang-expected.txt: Added.
* LayoutTests/fast/parser/html-parser-depth-limit-hang.html: Added.
* Source/WebCore/html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::attachLater): Set m_hasReachedMaxDOMTreeDepth to true when we've reached the maximum tree depth of 512.
* Source/WebCore/html/parser/HTMLConstructionSite.h:
(WebCore::HTMLConstructionSite::hasReachedMaxDOMTreeDepth const): Added.
* Source/WebCore/html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processStartTagForInBody):
(WebCore::HTMLTreeBuilder::processStartTagForInTable):
(WebCore::HTMLTreeBuilder::processStartTag): Ditto.
(WebCore::HTMLTreeBuilder::processEndTagForInTableBody):
(WebCore::HTMLTreeBuilder::processEndTagForInRow):
(WebCore::HTMLTreeBuilder::processTrEndTagForInRow):
(WebCore::HTMLTreeBuilder::processTableEndTagForInTable):
Canonical link: https://commits.webkit.org/309454@main
Canonical link: https://commits.webkit.org/305877.233@webkitglib/2.52
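The following is an added illustration, not WebKit code and not part of the commit: a toy Python model of the open-elements stack, the depth-limit pop-and-push in attachLater, and the insertion-mode state machine, showing how a blind pop leaves the mode InCell with no td/th open, why `</table>` then never makes progress, and how re-deriving the mode from the stack (the commit's resetInsertionModeAppropriately approach) avoids it. Class and function names, the cut-down reset algorithm, the step budget, and the input (nested divs up to the limit, a table with one cell, then one more div) are all assumptions of this model; the commit's own test case reaches the same inconsistent state by a slightly different route (td never making it onto the stack), so this reproduces the bug class, not the exact trigger.

```python
"""Toy model of the HTML tree-depth-limit bug and fix. Not WebKit code."""

MAX_DOM_TREE_DEPTH = 512   # the limit named in the commit message
STEP_BUDGET = 10_000       # assumed bound so the buggy path reports "hang" instead of spinning
TABLE_SECTIONS = ("tbody", "thead", "tfoot")


class ConstructionSite:
    """Stand-in for HTMLConstructionSite: owns the stack of open elements."""

    def __init__(self):
        self.open_elements = []
        self.has_reached_max_dom_tree_depth = False

    def attach_later(self, tag):
        # Blind pop-and-push at the limit, as the commit describes: whatever is on
        # top gets popped, even if it is td/tr/tbody/table that the mode relies on.
        if len(self.open_elements) >= MAX_DOM_TREE_DEPTH:
            self.open_elements.pop()
            self.has_reached_max_dom_tree_depth = True
        self.open_elements.append(tag)


def reset_insertion_mode_appropriately(open_elements):
    """Re-derive the mode from the stack (cut-down version of the spec algorithm)."""
    for tag in reversed(open_elements):
        if tag in ("td", "th"):
            return "InCell"
        if tag == "tr":
            return "InRow"
        if tag in TABLE_SECTIONS:
            return "InTableBody"
        if tag == "table":
            return "InTable"
    return "InBody"


class TreeBuilder:
    """Stand-in for HTMLTreeBuilder with a minimal table insertion-mode machine."""

    def __init__(self, apply_fix):
        self.site = ConstructionSite()
        self.mode = "InBody"
        self.apply_fix = apply_fix

    def start_tag(self, tag):
        self.site.attach_later(tag)
        transitions = {"table": "InTable", "tr": "InRow", "td": "InCell", "th": "InCell"}
        self.mode = "InTableBody" if tag in TABLE_SECTIONS else transitions.get(tag, self.mode)
        # The fix: once the depth limit has popped something, the mode can no
        # longer be trusted, so recompute it from what is actually open.
        if self.apply_fix and self.site.has_reached_max_dom_tree_depth:
            self.mode = reset_insertion_mode_appropriately(self.site.open_elements)

    def _pop_until(self, tags):
        """Pop up to and including the nearest open element in `tags`; False if none."""
        stack = self.site.open_elements
        if not any(t in tags for t in stack):
            return False
        while stack.pop() not in tags:
            pass
        return True

    def end_tag_table(self):
        """Process </table>; returns 'ok', or 'hang' when the step budget runs out."""
        for _ in range(STEP_BUDGET):
            if self.mode == "InCell":
                # closeTheCell: with no td/th open this changes nothing, and the
                # token is reprocessed in the same mode on every iteration.
                if self._pop_until(("td", "th")):
                    self.mode = "InRow"
            elif self.mode == "InRow":
                self._pop_until(("tr",))
                self.mode = "InTableBody"
            elif self.mode == "InTableBody":
                self._pop_until(TABLE_SECTIONS)
                self.mode = "InTable"
            elif self.mode == "InTable":
                self._pop_until(("table",))
                self.mode = reset_insertion_mode_appropriately(self.site.open_elements)
                return "ok"
            else:
                return "ok"  # a stray </table> outside any table is ignored
        return "hang"


def run_scenario(apply_fix, filler_depth=MAX_DOM_TREE_DEPTH - 4):
    """Constructed input: divs up to the limit, then table>tbody>tr>td, then one more div."""
    tb = TreeBuilder(apply_fix)
    for _ in range(filler_depth):
        tb.start_tag("div")
    for tag in ("table", "tbody", "tr", "td"):
        tb.start_tag(tag)
    tb.start_tag("div")  # arrives at depth 512: pops td, pushes div
    return tb.mode, tb.end_tag_table()


if __name__ == "__main__":
    print("without fix:", run_scenario(apply_fix=False))  # ('InCell', 'hang')
    print("with fix:   ", run_scenario(apply_fix=True))   # ('InRow', 'ok')
```

With a shallower document (pass a small `filler_depth`) the limit is never hit, td stays on the stack, and both variants finish, which is the point the commit makes: the inconsistency only appears once the depth guard has silently discarded an element the state machine still assumes is open.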