[webkit-changes] [WebKit/WebKit] d16628: AX: Building the accessibility tree from a deep DO...
Tyler Wilcock
noreply at github.com
Fri Feb 28 08:30:31 PST 2025
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d16628e4f1b697ca3dd77ba1af1a29d5e90eee47
https://github.com/WebKit/WebKit/commit/d16628e4f1b697ca3dd77ba1af1a29d5e90eee47
Author: Tyler Wilcock <tyler_w at apple.com>
Date: 2025-02-28 (Fri, 28 Feb 2025)
Changed paths:
A LayoutTests/accessibility/button-in-deep-dom-expected.txt
A LayoutTests/accessibility/button-in-deep-dom.html
M LayoutTests/platform/glib/TestExpectations
M LayoutTests/platform/ios/TestExpectations
M Source/WebCore/SaferCPPExpectations/UncountedCallArgsCheckerExpectations
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
M Source/WebCore/accessibility/AccessibilityRenderObject.cpp
M Source/WebCore/dom/ComposedTreeIterator.cpp
M Source/WebCore/dom/ComposedTreeIterator.h
Log Message:
-----------
AX: Building the accessibility tree from a deep DOM on iOS causes a stack overflow crash

https://bugs.webkit.org/show_bug.cgi?id=288560
rdar://145622766

Reviewed by Antti Koivisto and Ryosuke Niwa.

With the default inline capacity for ComposedTreeIterator::m_contextStack of 8, the size of this class
is extremely large (roughly 9.5k bytes). This is problematic when building the accessibility tree,
which is done recursively, as it causes stack overflow crashes on iOS-like operating systems, as they have a
significantly smaller maximum stack size than macOS.

With this commit, we add a `template <size_t ContextInlineCapacity>` to ComposedTreeIterator that
allows individual callsites to control how much inline capacity the iterator uses internally.
Then we use this template in AccessibilityRenderObject::addChildren and AccessibilityNodeObject::addChildren
to specify zero inline capacity (meaning all the vector's contents go to the heap), avoiding the crash.

In the future, we should consider rewriting the algorithm to build the accessibility tree to be iterative
rather than recursive.

* LayoutTests/accessibility/button-in-deep-dom-expected.txt: Added.
* LayoutTests/accessibility/button-in-deep-dom.html: Added.
* LayoutTests/platform/ios/TestExpectations: Enable new test.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
* Source/WebCore/accessibility/AccessibilityRenderObject.cpp:
(WebCore::AccessibilityRenderObject::addChildren):
* Source/WebCore/dom/ComposedTreeIterator.cpp:
(WebCore::ComposedTreeIterator::Context::Context): Deleted.
(WebCore::ComposedTreeIterator::ComposedTreeIterator): Deleted.
(WebCore::ComposedTreeIterator::initializeContextStack): Deleted.
(WebCore::ComposedTreeIterator::dropAssertions): Deleted.
(WebCore::ComposedTreeIterator::traverseShadowRoot): Deleted.
(WebCore::ComposedTreeIterator::traverseNextInShadowTree): Deleted.
(WebCore::ComposedTreeIterator::traverseNextLeavingContext): Deleted.
(WebCore::ComposedTreeIterator::advanceInSlot): Deleted.
(WebCore::ComposedTreeIterator::traverseSiblingInSlot): Deleted.
* Source/WebCore/dom/ComposedTreeIterator.h:
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::ComposedTreeIterator):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNext):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNextSkippingChildren):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNextSibling):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traversePreviousSibling):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::depth const):
(WebCore::ComposedTreeDescendantAdapter::begin):
(WebCore::ComposedTreeDescendantAdapter::end):
(WebCore::ComposedTreeDescendantAdapter::at):
(WebCore::ComposedTreeChildAdapter::Iterator::Iterator):
(WebCore::ComposedTreeChildAdapter::Iterator::operator++):
(WebCore::ComposedTreeChildAdapter::Iterator::operator--):
(WebCore::composedTreeDescendants):
(WebCore::composedTreeChildren):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::Context::Context):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::initializeContextStack):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::dropAssertions):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseShadowRoot):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNextInShadowTree):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseNextLeavingContext):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::advanceInSlot):
(WebCore::ComposedTreeIterator<ContextInlineCapacity>::traverseSiblingInSlot):
(WebCore::ComposedTreeIterator::ComposedTreeIterator): Deleted.
(WebCore::ComposedTreeIterator::traverseNext): Deleted.
(WebCore::ComposedTreeIterator::traverseNextSkippingChildren): Deleted.
(WebCore::ComposedTreeIterator::traverseNextSibling): Deleted.
(WebCore::ComposedTreeIterator::traversePreviousSibling): Deleted.
(WebCore::ComposedTreeIterator::depth const): Deleted.
Canonical link: https://commits.webkit.org/291331@main
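
The effect the log message describes, as an added C++ sketch that is not WebKit's code: inline vector capacity is part of the iterator object, so a recursive builder pays for it in every stack frame, while zero inline capacity moves the contexts to the heap. `Context`, `InlineSlots`, `SmallVector`, `TreeIterator`, `framesThatFit`, `walk` and `walkDeepChain` are hypothetical names, and the 1024-byte context size is a constructed value.

```cpp
#include <cstddef>
#include <vector>

// Constructed stand-in for one traversal context; not WebKit's real layout.
struct Context { unsigned char state[1024]; };

// Inline slots are part of the object, so every stack frame holding one pays for them.
template <typename T, size_t N> struct InlineSlots { T slots[N]; };
template <typename T> struct InlineSlots<T, 0> { };

// Minimal small-vector: the first N elements live inline, the rest go to the heap.
template <typename T, size_t N>
class SmallVector : private InlineSlots<T, N> {
public:
    void appendDefault() {
        const size_t inlineCapacity = N;
        if (m_size >= inlineCapacity)
            m_overflow.emplace_back(); // built on the heap, no stack temporary
        ++m_size; // below capacity, the slot already exists inside the object
    }
private:
    size_t m_size { 0 };
    std::vector<T> m_overflow;
};

// Hypothetical iterator: the caller picks the inline capacity of its context stack.
template <size_t ContextInlineCapacity>
struct TreeIterator { SmallVector<Context, ContextInlineCapacity> contextStack; };

// Upper bound on recursion depth when each frame holds one iterator.
template <size_t ContextInlineCapacity>
constexpr size_t framesThatFit(size_t stackBytes) { return stackBytes / sizeof(TreeIterator<ContextInlineCapacity>); }

struct Node { Node* child { nullptr }; };

// Recursive walk in the style the log message describes: one iterator per stack frame.
template <size_t ContextInlineCapacity>
size_t walk(const Node* node) {
    if (!node) return 0;
    TreeIterator<ContextInlineCapacity> iterator;
    iterator.contextStack.appendDefault();
    return 1 + walk<ContextInlineCapacity>(node->child);
}

// Walks a constructed single-child chain using zero inline capacity.
size_t walkDeepChain(size_t depth) {
    std::vector<Node> nodes(depth);
    for (size_t i = 0; i + 1 < depth; ++i)
        nodes[i].child = &nodes[i + 1];
    return walk<0>(depth ? nodes.data() : nullptr);
}
```

With a constructed 512 KiB stack budget, `framesThatFit<8>` allows fewer than 64 frames in this model, while `framesThatFit<0>` allows several thousand.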