Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5472527c2f962e2a7a9f6333bd29a122710d386e
https://github.com/WebKit/WebKit/commit/5472527c2f962e2a7a9f6333bd29a122710d386e
Author: Tyler Wilcock <[email protected]>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
A LayoutTests/accessibility/aria-owns-crash-after-subtree-update-expected.txt
A LayoutTests/accessibility/aria-owns-crash-after-subtree-update.html
M LayoutTests/platform/glib/TestExpectations
M Source/WebCore/accessibility/AXObjectCache.cpp
M Source/WebCore/accessibility/AccessibilityNodeObject.cpp
Log Message:
-----------
AX: In rare circumstances, WebKit can loop infinitely downstream of
updateOwnedChildrenIfNecessary(), causing stack overflow crashes
https://bugs.webkit.org/show_bug.cgi?id=316542
rdar://172763724
Reviewed by Dominic Mazzoni and Andres Gonzalez.
For a long while now, we have observed rare stack overflow crashes
originating from updateOwnedChildrenIfNecessary(). It's unclear how
these crashes are occurring, since the existing function relationCausesCycle
should (and does in all known situations) prevent an aria-owns
relationship from being established if it would cause a cycle.
The current theory is that these crashes happen when the tree is dirty and
in the process of being rebuilt after dynamic DOM changes (which may introduce
cycles that relationCausesCycle didn't and couldn't possibly have
checked for at relations-creation time). But I haven't been able to
construct markup that actually reproduces this, including the new layout
test, which passes with and without the newly added guard (described below).
The speculative fix taken by this commit is the addition of a per-traversal
visited set in updateOwnedChildrenIfNecessary, breaking if we encounter a node
we've already seen.
* LayoutTests/accessibility/aria-owns-crash-after-subtree-update-expected.txt:
Added.
* LayoutTests/accessibility/aria-owns-crash-after-subtree-update.html: Added.
* Source/WebCore/accessibility/AccessibilityNodeObject.cpp:
(WebCore::AccessibilityNodeObject::updateOwnedChildrenIfNecessary):
Canonical link: https://commits.webkit.org/314865@main
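The following is an added illustration of the mechanism the commit message describes, written for this page and not taken from WebKit: a creation-time cycle check (standing in for what the message calls relationCausesCycle) that accepts two ownership relations, a later mutation of the ownership edges that the creation-time check never sees, and a recursive owned-children rebuild guarded by a per-traversal visited set so that the resulting cycle terminates the traversal instead of recursing until stack overflow. All names and the AXNode/AXTree structures are hypothetical stand-ins; the constructed tree has three nodes.

```cpp
// Illustrative example, not WebKit code. Names (AXNode, AXTree,
// relationCausesCycle, updateOwnedChildren, rebuildAfterMutation) are
// hypothetical stand-ins for the concepts in the commit message.
#include <cstddef>
#include <cstdio>
#include <unordered_map>
#include <unordered_set>
#include <vector>

// Minimal accessibility-node stand-in: a node may "own" other nodes by id
// (like aria-owns); children are resolved from ownership during an update.
struct AXNode {
    int id;
    std::vector<int> ownedIds;  // ids this node claims via aria-owns
    std::vector<int> children;  // resolved child ids after the last update
};

using AXTree = std::unordered_map<int, AXNode>;

// Creation-time check: would making `owner` own `owned` create a cycle in the
// ownership relation as it stands right now? Walks everything reachable from
// `owned`; if `owner` is reachable, the new edge closes a cycle.
inline bool relationCausesCycle(const AXTree& tree, int owner, int owned)
{
    std::vector<int> stack { owned };
    std::unordered_set<int> seen;
    while (!stack.empty()) {
        int current = stack.back();
        stack.pop_back();
        if (current == owner)
            return true;
        if (!seen.insert(current).second)
            continue;  // already expanded this node
        auto it = tree.find(current);
        if (it == tree.end())
            continue;
        for (int next : it->second.ownedIds)
            stack.push_back(next);
    }
    return false;
}

// Recursive owned-children rebuild with a per-traversal visited set.
// Returns the number of nodes processed and sets `cycleDetected` when a node
// is reached a second time; without the visited check, a cycle in ownedIds
// would recurse without bound.
inline size_t updateOwnedChildren(AXTree& tree, int id, std::unordered_set<int>& visited, bool& cycleDetected)
{
    if (!visited.insert(id).second) {
        cycleDetected = true;  // guard: we have been here during this traversal
        return 0;
    }
    auto it = tree.find(id);
    if (it == tree.end())
        return 0;
    AXNode& node = it->second;
    node.children.clear();
    size_t processed = 1;
    for (int ownedId : node.ownedIds) {
        node.children.push_back(ownedId);
        processed += updateOwnedChildren(tree, ownedId, visited, cycleDetected);
    }
    return processed;
}

struct TraversalResult {
    size_t processed;
    bool cycleDetected;
};

// Scenario from the commit's theory: both relations pass the creation-time
// check, then a dynamic change adds an edge the check never saw, and the
// rebuild runs over a tree that now contains a cycle (1 -> 2 -> 3 -> 1).
inline TraversalResult rebuildAfterMutation()
{
    AXTree tree;  // constructed sample tree
    tree[1] = { 1, {}, {} };
    tree[2] = { 2, {}, {} };
    tree[3] = { 3, {}, {} };
    if (!relationCausesCycle(tree, 1, 2))
        tree[1].ownedIds.push_back(2);
    if (!relationCausesCycle(tree, 2, 3))
        tree[2].ownedIds.push_back(3);
    tree[3].ownedIds.push_back(1);  // mutation that bypasses the check
    std::unordered_set<int> visited;
    bool cycle = false;
    size_t processed = updateOwnedChildren(tree, 1, visited, cycle);
    return { processed, cycle };
}

// The same closing edge, proposed through the creation-time path, is rejected.
inline bool creationTimeCheckCatchesCycle()
{
    AXTree tree;  // constructed: 1 owns 2, 2 owns 3
    tree[1] = { 1, { 2 }, {} };
    tree[2] = { 2, { 3 }, {} };
    tree[3] = { 3, {}, {} };
    return relationCausesCycle(tree, 3, 1) && !relationCausesCycle(tree, 1, 3);
}

int main()
{
    TraversalResult r = rebuildAfterMutation();
    std::printf("processed=%zu cycleDetected=%d creationCheckRejects=%d\n",
        r.processed, r.cycleDetected ? 1 : 0, creationTimeCheckCatchesCycle() ? 1 : 0);
    return 0;
}
```

The point of the two paths together: the creation-time check only reasons about the relation graph as it exists when a relation is proposed, so an edge introduced later (here by direct mutation of ownedIds, standing in for a DOM change during a dirty-tree rebuild) is invisible to it, and only a guard inside the traversal itself can bound the recursion.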