createGrid consumes excessive memory and crashes on pages with extremely large elements

[dbjorge]

Product

axe-core

Product Version

4.6.3

Latest Version

• I have tested the issue with the latest version of the product

Issue Description

Overview

Today, createGrid understands to avoid expanding grids for elements which are not visible:

axe-core/lib/commons/dom/create-grid.js

Lines 87 to 93 in d4522cd

	// filter out any elements with 0 width or height
	// (we don't do this before so we can calculate stacking context
	// of parents with 0 width/height)
	const rect = vNode.boundingClientRect;
	if (rect.width !== 0 && rect.height !== 0 && isVisibleOnScreen(node)) {
	addNodeToGrid(grid, vNode);
	}

However, for elements which are partially visible and extremely large, this check isn't quite enough to avoid an undesirable explosion of grid size.

The motivating example is the Monaco editor. To render its main content area's background, it uses an element which is styled with width: 1e6; height: 1e6 (the linked playground page contains 3 editor areas, so it has 3 such elements).

The presence of these elements causes axe-core scans to eat up an enormous amount of memory (~2.5GB) and time (~4s wall time on my dev box), and often causes the whole target page to crash. Almost all of the perf hit comes from call stack createGrid > addNodeToGrid > loopGridPosition > loopNegativeIndexMatrix > loopNegativeIndexMatrix, where axe-core is allocating a separate JS object for each cell of a roughly 5000x5000 grid, almost every cell of which is not visible on screen.

I would imagine that making createGrid cooperate with elements like this would probably require coming up with a means to calculate the specific clipping of an element's clientRect(s) which are visible on screen and only add that to the grid, rather than adding the entire clientRect(s) whenever any part of the element is visible. I bet that's trickier than it sounds, though...

Expectation

axe-core should be able to scan the repro page in question with performance comparable to axe-core@4.4.3

Actual

Scanning the repro page takes ~2.5GB JS heap, ~4s wall time on my dev box, and often crashes the page entirely

How to Reproduce

• In Chromium, open the Monaco editor
• Open the F12 dev tools' "Performance" tab and start a trace
• Perform an axe-core scan (eg, from F12 dev console, await fetch("https://cdnjs.cloudflare.com/ajax/libs/axe-core/4.6.3/axe.js").then(r => r.text()).then(src => eval(src)); await axe.run();)
• Stop the performance trace and observe results

Additional context

Regression introduced between 4.4.3 to 4.5.0 (presumably with the addition of the new grid mechanism)

[straker]

Wow. I never expected such large elements. I'll have to do some investigating on that one. Thanks for pinpointing the issue for us.

[mtfoley]

FWIW, I've found that this function is relied on by the rules "color-contrast", "color-contrast-enhanced", and "target-size".

[RalphMarshall]

If a complete fix isn't coming soon it would be nice to get a check added. The Monaco editor is fairly widely used so this is hampering our testers when they try to evaluate pages in our application. Perhaps an additional check that if the width * height is larger than some number you return a warning saying you could not evaluate the element.

[straker]

We looked into this and I think we've come up with a plan. The Monaco editor uses the .monaco-editor-background element (which is the 1e6 width x height element) for each of the code editors (javascript, html, and css) and the rendered output. Each of these elements is contained within an overflow: hidden ancestor (.editor-scrollable) which is the true size of the editor.

What we decided to do is to trim an elements bounding box to be the size of the non-overflow area of all it's ancestors. That way we only add to the grid when that grid cell is visible. We are already doing this for color-contrast when we get the bounding box of text nodes in get-visible-child-text-rects so we can reuse a lot of that code to determine the rect size of the element to add to the grid.

[RalphMarshall]

@straker - thanks for looking into this. The fix sounds reasonable, and we'll be looking forward to the next release!