Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a7d0c47159318aea357997cd6a387444af4c8ffe
https://github.com/WebKit/WebKit/commit/a7d0c47159318aea357997cd6a387444af4c8ffe
Author: Tyler Wilcock <[email protected]>
Date: 2026-04-13 (Mon, 13 Apr 2026)
Changed paths:
A LayoutTests/accessibility/aria-labelledby-cycle-multi-element-expected.txt
A LayoutTests/accessibility/aria-labelledby-cycle-multi-element.html
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Log Message:
-----------
AX: Resolving aria-labelledby and aria-describedby can cause infinite
recursion, eventually crashing
https://bugs.webkit.org/show_bug.cgi?id=312187
rdar://174683836
Reviewed by Chris Fleizach.
The accessible name computation had no recursion guard against cycles
involving 3+ elements. The existing ignoredChildNode guard only prevented
direct 2-element cycles. Cycles through intermediary elements bypassed it
because each descriptionForElements call created a fresh TextUnderElementMode
with a different ignoredChildNode.
Added a visited-element set (via static NeverDestroyed<HashSet>) to both
ariaLabeledByAttribute() and ariaDescribedByAttribute(). If we re-enter
either function for an element already being resolved, we return an empty
string, breaking the cycle. This follows the W3C accname spec: "If the
current node is already part of an aria-labelledby traversal, do not
follow its aria-labelledby."
* LayoutTests/accessibility/aria-labelledby-cycle-multi-element-expected.txt:
Added.
* LayoutTests/accessibility/aria-labelledby-cycle-multi-element.html: Added.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::ariaDescribedByAttribute const):
(WebCore::AccessibilityNodeObject::ariaLabeledByAttribute const):
Canonical link: https://commits.webkit.org/311172@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
