Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e22f4427f1ee76be7e8959406d6ae92e4578c1f3
      
https://github.com/WebKit/WebKit/commit/e22f4427f1ee76be7e8959406d6ae92e4578c1f3
  Author: Tyler Wilcock <[email protected]>
  Date:   2026-04-20 (Mon, 20 Apr 2026)

  Changed paths:
    A LayoutTests/accessibility/aria-hidden-deep-dom-no-crash-expected.txt
    A LayoutTests/accessibility/aria-hidden-deep-dom-no-crash.html
    M Source/WebCore/accessibility/AXCoreObject.h

  Log Message:
  -----------
  AX: Convert recursive descendant traversal functions to iterative to prevent stack overflow
https://bugs.webkit.org/show_bug.cgi?id=312780
rdar://172861598

Reviewed by Joshua Hoffman.

enumerateDescendantsIncludingIgnored, findUnignoredDescendant, and
enumerateUnignoredDescendants used unbounded recursion to traverse the
accessibility tree. This could cause stack overflow in two scenarios:

  1. JavaScript constructs a deeply nested DOM (e.g. via appendChild) and
     toggles aria-hidden; recomputeIsIgnoredForDescendants calls
     enumerateDescendantsIncludingIgnored, which recurses through every
     descendant with no depth limit.

  2. The tree has a cycle, and we recurse infinitely following the cycle
     until we crash.

This commit converts all three functions from recursion to iterative DFS
using an explicit Vector stack, preventing the possibility of stack overflow.
An iteration limit is added to avoid looping forever, and asserts are
added to detect cycles so we can try to debug and fix them (if that is
indeed what was causing this).

* LayoutTests/accessibility/aria-hidden-deep-dom-no-crash-expected.txt: Added.
* LayoutTests/accessibility/aria-hidden-deep-dom-no-crash.html: Added.
* Source/WebCore/accessibility/AXCoreObject.h:
(WebCore::Accessibility::findUnignoredDescendant):
(WebCore::Accessibility::enumerateDescendantsIncludingIgnored):
(WebCore::Accessibility::enumerateUnignoredDescendants):

Canonical link: https://commits.webkit.org/311611@main
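
The conversion described in the log message, as an added example that is not WebKit's code: a pre-order descendant walk that keeps pending nodes in a heap-backed vector, stops at an iteration cap, and refuses to expand a node twice. Node, TraversalResult, kMaxIterations and the visited-set cycle check are assumptions made for illustration; the commit's actual limit and assert mechanism are not shown on this page.

```cpp
// Added example, not WebKit code. Node, TraversalResult and kMaxIterations are hypothetical.
#include <cstddef>
#include <functional>
#include <unordered_set>
#include <vector>

struct Node {
    int id;
    std::vector<Node*> children;
};

struct TraversalResult {
    size_t visited = 0;    // nodes handed to the callback
    bool sawCycle = false; // some node was reachable more than once
    bool hitLimit = false; // stopped early at the iteration cap
};

constexpr size_t kMaxIterations = 1000000; // assumed cap, not WebKit's value

// Pre-order DFS over the descendants of root. Pending nodes live in a heap-backed
// vector, so nesting depth costs heap memory rather than call frames.
TraversalResult enumerateDescendants(Node& root, const std::function<void(Node&)>& visit,
                                     size_t maxIterations = kMaxIterations)
{
    TraversalResult result;
    std::unordered_set<const Node*> seen;
    seen.insert(&root);
    std::vector<Node*> stack(root.children.rbegin(), root.children.rend());
    for (size_t iterations = 0; !stack.empty(); ++iterations) {
        if (iterations >= maxIterations) {
            result.hitLimit = true;
            break;
        }
        Node* node = stack.back();
        stack.pop_back();
        if (!seen.insert(node).second) {
            result.sawCycle = true; // a debug build would assert here
            continue;               // never expand a node twice, so a cycle terminates
        }
        visit(*node);
        ++result.visited;
        // Reverse order on the stack keeps children in document order when popped.
        stack.insert(stack.end(), node->children.rbegin(), node->children.rend());
    }
    return result;
}
```

In a well-formed tree every node has one parent, so sawCycle only becomes true on malformed input; a recursive version of the same walk would need one call frame per nesting level.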


