RESOLVED FIXED314139
REGRESSION (297241@main): Overflow siblings at parser's max DOM tree depth get fully rendered, causing slow layout 
https://bugs.webkit.org/show_bug.cgi?id=314139
Summary REGRESSION (297241@main): Overflow siblings at parser's max DOM tree depth ge...
zak ridouh
Reported 2026-05-05 17:05:07 PDT
After 297241@main fixed the parser's DOM depth cap to trigger at exactly 512 (>= instead of >), overflow elements now land at depth 512 instead of 513. The render tree's depth check at StyleTreeResolver only skips depth > 512, so the overflow siblings now pass through and get fully styled and laid out. Content with thousands of overflow siblings for example, a Mail message embedding a crash log with many unmatched <unavailable> tags produces ~1500 sibling inline boxes at the boundary depth. Inline layout then walks the ancestor chain per box (LineBox::parentInlineBox / inlineLevelBoxAbsoluteTop), giving O(depth × N) and ~15s render times. Fix it with the following: at the maximum render tree depth, skip elements that have a previous element sibling. The single legitimate deepest element keeps its renderer; the overflow run gets none.
Attachments
Add attachment proposed patch, testcase, etc.
zak ridouh
Comment 1 2026-05-05 17:05:27 PDT
<rdar://172219636>
zak ridouh
Comment 2 2026-05-05 17:25:51 PDT
Pull request: https://github.com/WebKit/WebKit/pull/64319
EWS
Comment 3 2026-05-06 16:37:48 PDT
Committed 312751@main (69a399de80ab): <https://commits.webkit.org/312751@main> Reviewed commits have been landed. Closing PR #64319 and removing active labels.
EWS
Comment 4 2026-05-11 11:26:44 PDT
Committed 305877.486@webkitglib/2.52 (024db5335281): <https://commits.webkit.org/305877.486@webkitglib/2.52> Reviewed commits have been landed. Closing PR #64674 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.