Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4b8d7f51936cbbc9b16d36278a0ac2c9b50439e1
https://github.com/WebKit/WebKit/commit/4b8d7f51936cbbc9b16d36278a0ac2c9b50439e1
Author: Brady Eidson <[email protected]>
Date: 2025-11-15 (Sat, 15 Nov 2025)
Changed paths:
M Source/WebKit/Shared/JavaScriptEvaluationResult.cpp
M Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm
Log Message:
-----------
Make JSExtractor serialize iteratively, restoring the ability to serialize object graphs 40,000 levels deep.
rdar://164658717
Reviewed by Geoffrey Garen.
When serializing JavaScript objects to send to the UI process, we used to use SerializedScriptValue. It walked JS object graphs iteratively, with a preset limit of going 40,000 nesting levels deep.

When we moved entirely off of SerializedScriptValue and onto JSExtractor we changed from iterative to recursive behavior, therefore limiting our nesting depth to whatever the stack could handle.

Originally this meant particularly deep object graphs could exhaust the stack and crash the WebContent process, which we detected and stopped in https://commits.webkit.org/303006@main

But this still left us in a situation where a JS object that might have successfully serialized before would now fail to serialize. Informally I found about 12,500 nesting levels deep instead of 40,000. We know of at least one WKWebView app that evaluates JavaScript and was falling victim to this.

This patch restores iterative behavior to JSExtractor, removing the reliance on the system stack. It also adds the same 40,000 deep restriction that SerializedScriptValue had.

Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm
* Source/WebKit/Shared/JavaScriptEvaluationResult.cpp:
(WebKit::JavaScriptEvaluationResult::JSExtractor::addObjectToMap): Instead of being part of a recursive algorithm, this function now iteratively walks the entire object graph, one nesting level at a time.
(WebKit::JavaScriptEvaluationResult::JSExtractor::extractJSValue):
(WebKit::JavaScriptEvaluationResult::JSExtractor::jsValueToExtractedValue): Directly extracts the current JSValueRef into a serialized Value. In the case of Arrays or Objects that need identifiers from values on the next nesting level, it keeps a placeholder of their structure to be filled in at the end.
(WebKit::JavaScriptEvaluationResult::JSExtractor::isSafeToRecurse): Deleted.
(WebKit::JavaScriptEvaluationResult::JSExtractor::toValue): Deleted.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/WKWebViewEvaluateJavaScript.mm:
((EvaluateJavaScript, Serialization)):
Canonical link: https://commits.webkit.org/303074@main
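The commit message describes the technique only in prose: walk the object graph one nesting level at a time with an explicit worklist, hand every node an identifier, leave a placeholder for each array's children, and refuse graphs deeper than 40,000 levels instead of letting them exhaust the stack. The following is an added, self-contained illustration of that approach; it is not WebKit's JSExtractor code. It assumes a simplified graph model (`Node` in a flat arena addressed by index, standing in for `JSValueRef`, with only numbers and arrays), an `Extracted` placeholder type, and the helper names `extractIteratively`, `makeNestedArrays` and `innermostNumber`, all of which are this example's own. The depth convention (the root is at depth 0, depth counts enclosing arrays) is likewise an assumption made here, not something the commit specifies.

```cpp
#include <cstddef>
#include <cstdio>
#include <optional>
#include <utility>
#include <vector>

// Constructed stand-in for a JS object graph (not WebKit's JSValueRef): nodes
// live in a flat arena and name their children by index, so building or
// freeing a 40,000-deep chain never recurses. (A pointer-linked tree would
// recurse in its destructor and could exhaust the stack on its own.)
struct Node {
    bool isArray = false;
    double number = 0;
    std::vector<size_t> children; // arena indices; only used when isArray
};
using Graph = std::vector<Node>;

// Extracted form: every node gets an identifier (its slot index). An array
// keeps a placeholder list of child identifiers that is completed once the
// children on the next nesting level have been assigned identifiers.
struct Extracted {
    bool isArray = false;
    double number = 0;
    std::vector<size_t> childIds;
};

// The same 40,000-level limit the commit message attributes to SerializedScriptValue.
constexpr size_t kMaxNestingDepth = 40000;

// Walks the graph one nesting level at a time using an explicit worklist, so
// the nesting depth is bounded by kMaxNestingDepth rather than by the size of
// the system stack. Depth counts enclosing arrays: the root is at depth 0, and
// a value inside more than kMaxNestingDepth arrays makes extraction fail.
std::optional<std::vector<Extracted>> extractIteratively(const Graph& graph, size_t rootIndex)
{
    std::vector<Extracted> values(1);
    // Work items for the level being processed: (arena index, identifier).
    std::vector<std::pair<size_t, size_t>> currentLevel { { rootIndex, size_t(0) } };

    for (size_t depth = 0; !currentLevel.empty(); ++depth) {
        if (depth > kMaxNestingDepth)
            return std::nullopt; // too deep: fail cleanly instead of crashing
        std::vector<std::pair<size_t, size_t>> nextLevel;
        for (auto [nodeIndex, id] : currentLevel) {
            const Node& node = graph[nodeIndex];
            if (!node.isArray) {
                values[id].number = node.number;
                continue;
            }
            // Reserve an identifier for each child now; the child's content is
            // filled in when the next level is processed.
            std::vector<size_t> childIds;
            for (size_t childIndex : node.children) {
                childIds.push_back(values.size());
                values.emplace_back(); // may reallocate: never keep a reference into values across this
                nextLevel.emplace_back(childIndex, childIds.back());
            }
            values[id].isArray = true;
            values[id].childIds = std::move(childIds);
        }
        currentLevel.swap(nextLevel);
    }
    return values;
}

// Builds `arrayLevels` nested single-element arrays around a numeric leaf
// (arrayLevels == 2 gives [[leaf]]) and returns the graph with its root index.
std::pair<Graph, size_t> makeNestedArrays(size_t arrayLevels, double leaf)
{
    Graph graph;
    graph.push_back(Node { false, leaf, {} });
    size_t inner = 0;
    for (size_t i = 0; i < arrayLevels; ++i) {
        graph.push_back(Node { true, 0, { inner } });
        inner = graph.size() - 1;
    }
    return { std::move(graph), inner };
}

// Extracts a chain of `arrayLevels` arrays and follows the identifiers back
// down to the leaf, again iteratively. Returns nullopt when extraction refused
// the graph as too deep.
std::optional<double> innermostNumber(size_t arrayLevels, double leaf)
{
    auto [graph, root] = makeNestedArrays(arrayLevels, leaf);
    auto extracted = extractIteratively(graph, root);
    if (!extracted)
        return std::nullopt;
    size_t id = 0;
    while ((*extracted)[id].isArray)
        id = (*extracted)[id].childIds.front();
    return (*extracted)[id].number;
}

int main()
{
    auto ok = innermostNumber(kMaxNestingDepth, 42);
    auto tooDeep = innermostNumber(kMaxNestingDepth + 1, 42);
    std::printf("%zu levels: %s\n", kMaxNestingDepth, ok ? "serialized" : "refused");
    std::printf("%zu levels: %s\n", kMaxNestingDepth + 1, tooDeep ? "serialized" : "refused");
    return 0;
}
```

The two properties worth checking in a change like this are the ones the test asserts: a graph at exactly the limit still round-trips (the regression the commit fixes), and a graph one level past it is refused with an error value rather than a crash (the denial-of-service the earlier fix addressed). Note that the arena layout matters for the same reason the traversal does: a naively pointer-linked 40,000-deep structure would reintroduce recursion through its destructor.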