Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: aff0077f73888d76b10a920855661aa98027e40e
https://github.com/WebKit/WebKit/commit/aff0077f73888d76b10a920855661aa98027e40e
Author: Ryosuke Niwa <[email protected]>
Date: 2026-03-17 (Tue, 17 Mar 2026)
Changed paths:
A LayoutTests/fast/parser/html-parser-depth-limit-hang-expected.txt
A LayoutTests/fast/parser/html-parser-depth-limit-hang.html
M Source/WebCore/html/parser/HTMLConstructionSite.cpp
M Source/WebCore/html/parser/HTMLConstructionSite.h
M Source/WebCore/html/parser/HTMLTreeBuilder.cpp
Log Message:
-----------
Deeply nested <div> causes hang in parser (realistic example)
https://bugs.webkit.org/show_bug.cgi?id=309208
rdar://171763407
Reviewed by Wenson Hsieh and Ryan Reno.
This PR fixes an infinite loop in the HTML parser that occurs when the parser hits
the tree depth limit.

The HTML parser limits the DOM tree depth at 512. When this limit is reached,
HTMLConstructionSite's attachLater pops the top element from the open elements stack
before pushing the new element, keeping the depth at 512.

The problem is that this pop-and-push happens blindly — it can pop table-internal
elements such as table, tbody, tr, td and th that the parser's insertion mode state
machine depends on. This creates an inconsistency between the insertion mode and the
actual stack contents and causes an infinite loop.

With the test case specifically, td fails to get inserted into the stack of open
elements, resulting in the parser state being InsertionMode::InCell without having
td/th in the stack of open elements. When `</table>` arrives in this state,
HTMLTreeBuilder's closeTheCell fails silently and falls into an infinite loop.

To fix this problem, this PR adds a new boolean state in HTMLConstructionSite, which
indicates that we've reached the maximum tree depth, and checks this state in
HTMLTreeBuilder. When the flag is set, we call resetInsertionModeAppropriately to
correct the insertion mode to be consistent with the stack of open elements.

Analysis done with Claude AI.
Test: fast/parser/html-parser-depth-limit-hang.html
* LayoutTests/fast/parser/html-parser-depth-limit-hang-expected.txt: Added.
* LayoutTests/fast/parser/html-parser-depth-limit-hang.html: Added.
* Source/WebCore/html/parser/HTMLConstructionSite.cpp:
(WebCore::HTMLConstructionSite::attachLater): Set m_hasReachedMaxDOMTreeDepth to true
when we've reached the maximum tree depth of 512.
* Source/WebCore/html/parser/HTMLConstructionSite.h:
(WebCore::HTMLConstructionSite::hasReachedMaxDOMTreeDepth const): Added.
* Source/WebCore/html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processStartTagForInBody):
(WebCore::HTMLTreeBuilder::processStartTagForInTable):
(WebCore::HTMLTreeBuilder::processStartTag): Ditto.
(WebCore::HTMLTreeBuilder::processEndTagForInTableBody):
(WebCore::HTMLTreeBuilder::processEndTagForInRow):
(WebCore::HTMLTreeBuilder::processTrEndTagForInRow):
(WebCore::HTMLTreeBuilder::processTableEndTagForInTable):
Canonical link: https://commits.webkit.org/309454@main
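The failure mode the commit message describes, as an added illustrative model (this is example code, not WebKit's implementation): a toy stack of open elements capped at 512, a blind pop-and-push in attachLater, and a tree builder whose insertion mode transitions assume the push did not disturb the stack. The types and functions here (ToyConstructionSite, ToyTreeBuilder, runDepthLimitScenario, the bounded reprocess loop in processTableEndTag) are this example's own and only echo the names in the message; the nesting depths in the scenario are constructed to land the cell exactly at the limit. With the flag ignored, `</table>` keeps calling closeTheCell while no cell is on the stack and the loop never progresses; with the flag honoured, resetInsertionModeAppropriately re-derives InRow from the stack and `</table>` is consumed.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Toy model of the state described in the commit message. Names echo the commit
// (attachLater, hasReachedMaxDOMTreeDepth, resetInsertionModeAppropriately,
// closeTheCell), but this is illustrative code, not WebKit's implementation.
enum class InsertionMode { InBody, InTable, InTableBody, InRow, InCell };

struct ToyConstructionSite {
    static constexpr unsigned maxDepth = 512; // the limit named in the commit
    std::vector<std::string> openElements { "html", "body" };
    bool hasReachedMaxDOMTreeDepth = false;

    // At the limit the top element is dropped before the push, whatever it is.
    void attachLater(const std::string& tag) {
        if (openElements.size() >= maxDepth) {
            openElements.pop_back();
            hasReachedMaxDOMTreeDepth = true;
        }
        openElements.push_back(tag);
    }
};

// Walk the stack from the top and derive the mode from the nearest table-internal element.
InsertionMode resetInsertionModeAppropriately(const std::vector<std::string>& stack) {
    for (auto it = stack.rbegin(); it != stack.rend(); ++it) {
        if (*it == "td" || *it == "th") return InsertionMode::InCell;
        if (*it == "tr") return InsertionMode::InRow;
        if (*it == "tbody" || *it == "thead" || *it == "tfoot") return InsertionMode::InTableBody;
        if (*it == "table") return InsertionMode::InTable;
    }
    return InsertionMode::InBody;
}

class ToyTreeBuilder {
public:
    explicit ToyTreeBuilder(bool withFix) : m_withFix(withFix) { }
    void processStartTag(const std::string& tag) {
        m_site.attachLater(tag);
        // These transitions assume the push succeeded and nothing else left the stack.
        if (tag == "table") m_mode = InsertionMode::InTable;
        else if (tag == "tbody") m_mode = InsertionMode::InTableBody;
        else if (tag == "tr") m_mode = InsertionMode::InRow;
        else if (tag == "td" || tag == "th") m_mode = InsertionMode::InCell;
        // The fix: once the depth limit has disturbed the stack, re-derive the mode from it.
        if (m_withFix && m_site.hasReachedMaxDOMTreeDepth)
            m_mode = resetInsertionModeAppropriately(m_site.openElements);
    }

    // Pops up to and including the open cell; false when there is none (the silent failure).
    bool closeTheCell() {
        auto& stack = m_site.openElements;
        auto cell = std::find_if(stack.rbegin(), stack.rend(),
            [](const std::string& t) { return t == "td" || t == "th"; });
        if (cell == stack.rend()) return false;
        stack.erase(cell.base() - 1, stack.end()); // base() points one past the element
        m_mode = InsertionMode::InRow;
        return true;
    }

    // Handles </table>: true when consumed, false when the bounded reprocess loop made no
    // progress, which is this model's stand-in for the real parser's hang.
    bool processTableEndTag() {
        for (int attempt = 0; attempt < 8; ++attempt) {
            switch (m_mode) {
            case InsertionMode::InCell:
                closeTheCell(); // on success the mode becomes InRow and the token is reprocessed
                continue;
            case InsertionMode::InRow:
            case InsertionMode::InTableBody:
            case InsertionMode::InTable: {
                auto& stack = m_site.openElements;
                auto table = std::find(stack.rbegin(), stack.rend(), "table");
                if (table != stack.rend()) stack.erase(table.base() - 1, stack.end());
                m_mode = resetInsertionModeAppropriately(stack);
                return true;
            }
            default:
                return true; // InBody: parse error, the stray end tag is ignored
            }
        }
        return false;
    }

private:
    ToyConstructionSite m_site;
    InsertionMode m_mode = InsertionMode::InBody;
    bool m_withFix;
};

// Constructed scenario shaped like the commit's description: nest <div>s until the cell
// sits exactly at the depth limit, open one more <div> inside it, then send </table>.
bool runDepthLimitScenario(bool withFix) {
    ToyTreeBuilder builder(withFix);
    for (int i = 0; i < 506; ++i) builder.processStartTag("div"); // html, body + 506 divs = 508
    for (const char* tag : { "table", "tbody", "tr", "td" }) builder.processStartTag(tag); // depth 512
    builder.processStartTag("div"); // at the limit: td is popped, div is pushed, mode stays InCell
    return builder.processTableEndTag(); // false: would hang; true: consumed
}
```

The bounded loop in processTableEndTag exists only so the model terminates; the property worth asserting in a regression test is that processing `</table>` makes progress whether or not the depth limit was hit, which is what the new layout test exercises against the real parser.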