Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 57b2f8d4bbd70e2365abb9e3d96aadf525a20b86
https://github.com/WebKit/WebKit/commit/57b2f8d4bbd70e2365abb9e3d96aadf525a20b86
Author: Tyler Wilcock <[email protected]>
Date: 2026-04-21 (Tue, 21 Apr 2026)
Changed paths:
A LayoutTests/accessibility/left-right-line-range-display-table-in-flex-expected.txt
A LayoutTests/accessibility/left-right-line-range-display-table-in-flex.html
M LayoutTests/platform/glib/TestExpectations
M Source/WebCore/accessibility/AXObjectCache.cpp
M Source/WebCore/accessibility/AccessibilityObject.cpp
Log Message:
-----------
AX: Some places in accessibility traverse through VisiblePositions without
checking progress was made, meaning we can loop forever
https://bugs.webkit.org/show_bug.cgi?id=312932
rdar://175280603
Reviewed by Joshua Hoffman.
In 311153@main we fixed three while-loops in AccessibilityObject.cpp where
VisiblePosition::next() or previous() could return the same position, causing
an infinite loop and permanently hanging the main thread. This change applies
the same defensive pattern to five additional loops that have the same
vulnerability:
1. leftLineVisiblePositionRange: previous() loop without progress check
2. rightLineVisiblePositionRange: next() loop without progress check
3. updateAXLineStartForVisiblePosition: while(true) with previous() and no
stuck-position guard
4. characterOffsetFromVisiblePosition: nextVisuallyDistinctCandidate loop
with no guard despite comments acknowledging the risk
5. characterOffsetForBounds: bidirectional CharacterOffset iteration with no
stuck-position check
* LayoutTests/accessibility/left-right-line-range-display-table-in-flex-expected.txt: Added.
* LayoutTests/accessibility/left-right-line-range-display-table-in-flex.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::characterOffsetFromVisiblePosition):
(WebCore::AXObjectCache::characterOffsetForBounds):
* Source/WebCore/accessibility/AccessibilityObject.cpp:
(WebCore::updateAXLineStartForVisiblePosition):
(WebCore::AccessibilityObject::leftLineVisiblePositionRange const):
(WebCore::AccessibilityObject::rightLineVisiblePositionRange const):
Canonical link: https://commits.webkit.org/311749@main
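
An illustration of the progress check the commit message describes, added here as an example; it is not code from the WebKit commit. ToySlot, ToyDocument, WalkResult, rightLineEnd and the step budget are hypothetical stand-ins for a traversal whose next() can return the position it was given.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy stand-ins (assumptions for this example, not WebKit types).
struct ToySlot { int line; bool stuck; };
struct ToyDocument {
    std::vector<ToySlot> slots;
    // Like the traversal in the commit message, next() can return its own input.
    // Returns slots.size() when there is no further position.
    std::size_t next(std::size_t pos) const {
        if (slots[pos].stuck) return pos;
        return pos + 1;
    }
};
struct WalkResult { std::size_t end; std::size_t iterations; bool noProgress; bool budgetHit; };

// Walk right from `start` to the last position on its line. `guard` toggles the
// progress check; `budget` bounds the unguarded loop, which would otherwise spin.
WalkResult rightLineEnd(const ToyDocument& doc, std::size_t start, bool guard, std::size_t budget = 1000) {
    WalkResult r { start, 0, false, false };
    std::size_t current = start;
    while (true) {
        if (r.iterations == budget) { r.budgetHit = true; break; }
        ++r.iterations;
        std::size_t candidate = doc.next(current);
        if (candidate >= doc.slots.size()) break; // no further position
        if (guard && candidate == current) { r.noProgress = true; break; } // progress check
        if (doc.slots[candidate].line != doc.slots[start].line) break; // left the line
        r.end = current = candidate;
    }
    return r;
}

// Constructed sample: slots 0..3 are on line 0 and slot 2 never advances.
ToyDocument sampleDocument() {
    return ToyDocument { { {0, false}, {0, false}, {0, true}, {0, false}, {1, false} } };
}

int main() {
    WalkResult g = rightLineEnd(sampleDocument(), 0, true);
    WalkResult u = rightLineEnd(sampleDocument(), 0, false);
    std::printf("guarded: end=%zu iterations=%zu noProgress=%d\n", g.end, g.iterations, g.noProgress);
    std::printf("unguarded: iterations=%zu budgetHit=%d\n", u.iterations, u.budgetHit);
    return 0;
}
```

With the guard the walk stops at the stuck slot after three iterations; without it, only the artificial budget ends the loop.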