236988 – AX: AccessibilityObject::ariaTreeRows can crash in a deep hierarchy due to recursive descent

Bug 236988 - AX: AccessibilityObject::ariaTreeRows can crash in a deep hierarchy due to recursive descent

Summary: AX: AccessibilityObject::ariaTreeRows can crash in a deep hierarchy due to re...

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Accessibility (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Tyler Wilcock

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-02-21 12:01 PST by Tyler Wilcock
Modified:	2022-02-25 09:30 PST (History)
CC List:	11 users (show)

See Also:

Attachments
Patch (10.59 KB, patch) 2022-02-21 12:13 PST, Tyler Wilcock	no flags	Details \| Formatted Diff \| Diff
Patch (10.71 KB, patch) 2022-02-21 12:27 PST, Tyler Wilcock	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tyler Wilcock 2022-02-21 12:01:39 PST

AccessibilityObject::ariaTreeRows calls itself recursively on its child objects all the way down to the leaves. Although WebKit tree depth is limited to 512 levels (https://github.com/WebKit/WebKit/blob/2077b50205f4d8f943b88e233302b52c8b4699af/Source/WebCore/page/SettingsBase.h#L72#L73), this can still sometimes cause a stack overflow.

ITM is especially vulnerable to this, as currently we call ariaTreeRows on every single isolated object we create.

Comment 1 Radar WebKit Bug Importer 2022-02-21 12:01:55 PST

<rdar://problem/89249539>

Comment 2 Tyler Wilcock 2022-02-21 12:13:16 PST

Created attachment 452753 [details]
Patch

Comment 3 Tyler Wilcock 2022-02-21 12:27:31 PST

Created attachment 452756 [details]
Patch

Comment 4 Andres Gonzalez 2022-02-21 12:44:02 PST

(In reply to Tyler Wilcock from comment #3)
> Created attachment 452756 [details]
> Patch

--- a/Source/WebCore/accessibility/AccessibilityObject.cpp
+++ a/Source/WebCore/accessibility/AccessibilityObject.cpp

+    // This method descends recursively, so avoid stack overflow by bailing early if we're >450 levels away from where we started.
+    if (ancestors.size() > 450)

Can we add the comment here about the arbitrary choice of 450 and a FIXME for making this non-recursive?

Does the test fail/crash without this change?

Comment 5 Aakash Jain 2022-02-25 06:39:53 PST

I cancelled https://ews-build.webkit.org/#/builders/68/builds/9128 to speed up ios-wk2 queue. It finished running layout-tests and indicated accessibility/deep-aria-tree-rows-crash.html failure

Comment 6 chris fleizach 2022-02-25 09:08:20 PST

Comment on attachment 452756 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=452756&action=review

> Source/WebCore/accessibility/AccessibilityObject.cpp:1905
>      

The code for going through aria owns and descendants looks identical. Can we merge those blocks?
450 seems arbitrarily large. Can we cap this to 10 and still be sufficient?

Comment 7 Andres Gonzalez 2022-02-25 09:30:23 PST

(In reply to chris fleizach from comment #6)
> Comment on attachment 452756 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=452756&action=review
> 
> > Source/WebCore/accessibility/AccessibilityObject.cpp:1905
> >      
> 
> The code for going through aria owns and descendants looks identical. Can we
> merge those blocks?
> 450 seems arbitrarily large. Can we cap this to 10 and still be sufficient?

I think we agreed that this change is not needed, so this can be closed.