Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7ff8905cfd095d76e97e6adc5846bf065d486323
      https://github.com/WebKit/WebKit/commit/7ff8905cfd095d76e97e6adc5846bf065d486323
  Author: Brent Fulgham <[email protected]>
  Date:   2026-02-26 (Thu, 26 Feb 2026)

  Changed paths:
    M Source/WebCore/page/LocalFrame.cpp
    M Tools/TestWebKitAPI/SourcesCocoa.txt
    M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
    A Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemoval-subframe.html
    A Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemoval.html
    A Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemoval.mm
    A Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemovalPlugIn.mm
    A Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemovalProtocol.h

  Log Message:
  -----------
  LocalFrame::frameWasDisconnectedFromOwner does not properly reset RenderView
https://bugs.webkit.org/show_bug.cgi?id=308573
rdar://171101953

Reviewed by Ryosuke Niwa.

The Document object holds a unique_ptr to a RenderView (m_renderView) that
holds a CheckedRef to a LocalFrameView. The LocalFrameView is an aspect of the
m_frame member of the Document. When the Document detaches from a frame, the
RenderView pointer it holds is no longer valid. Crash data indicated that the
RenderView was not being properly cleaned up when the frame member was cleared
or changed.

This seems to be because of Document::frameWasDisconnectedFromOwner (and more
recent Site Isolation versions of this logic) improperly calling
Document::detachFromFrame directly, rather than
Document::willBeRemovedFromFrame, which handles the bookkeeping for keeping
RenderView (as well as selection views, etc.) in sync.

A new API test was added to confirm the RenderView is fully cleaned up when the
frame is detached from the document.

Tests: Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemoval-subframe.html
       Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemoval.html
       Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemoval.mm
       Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemovalPlugIn.mm
       Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemovalProtocol.h

* Source/WebCore/page/LocalFrame.cpp:
(WebCore::LocalFrame::frameWasDisconnectedFromOwner const): Switch from calling
detachFromFrame directly, and instead call willBeRemovedFromFrame (which calls
detachFromFrame after completing some cleanup).
* Tools/TestWebKitAPI/SourcesCocoa.txt:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemoval-subframe.html: Added.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemoval.html: Added.
* Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemoval.mm: Added.
(-[GetComputedStyleAfterIframeRemovalObject didNotCrashWithResult:]):
(TestWebKitAPI::TEST(WebKit, GetComputedStyleAfterIframeOwnerDestructionDoesNotCrash)):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemovalPlugIn.mm: Added.
(-[GetComputedStyleAfterIframeRemovalPlugIn webProcessPlugIn:didCreateBrowserContextController:]):
(-[GetComputedStyleAfterIframeRemovalPlugIn webProcessPlugInBrowserContextController:didFinishDocumentLoadForFrame:]):
(-[GetComputedStyleAfterIframeRemovalPlugIn webProcessPlugInBrowserContextController:didRemoveFrameFromHierarchy:]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/GetComputedStyleAfterIframeRemovalProtocol.h: Added.

Canonical link: https://commits.webkit.org/308317@main
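
A simplified C++ model of the ordering problem the log message describes, added here as an illustration and not WebKit source. The types are hypothetical stand-ins, an integer counter stands in for CheckedRef bookkeeping, and the model assumes the cleanup step destroys the render view before the frame pointer is cleared.

```cpp
#include <cstdio>
#include <memory>

// Hypothetical stand-ins named after the classes in the log message.
struct FrameView {
    int checkedRefs = 0;  // models outstanding CheckedRef holders
};

struct RenderView {
    FrameView& view;
    explicit RenderView(FrameView& v) : view(v) { ++view.checkedRefs; }
    ~RenderView() { --view.checkedRefs; }
};

struct Frame {
    std::unique_ptr<FrameView> view = std::make_unique<FrameView>();
};

struct Document {
    Frame* frame = nullptr;
    std::unique_ptr<RenderView> renderView;

    void attach(Frame& f) {
        frame = &f;
        renderView = std::make_unique<RenderView>(*f.view);
    }
    // Direct detach: clears the frame pointer and leaves the render view alive.
    void detachFromFrame() { frame = nullptr; }
    // Cleanup path (assumed behaviour): drop the render view, then detach.
    void willBeRemovedFromFrame() { renderView.reset(); detachFromFrame(); }
    // Invariant the fix restores: no frame implies no render view.
    bool consistent() const { return frame || !renderView; }
};

// Returns the references still held on the frame's view after disconnect,
// or -1 if the document invariant is unexpectedly in the other state.
int outstandingRefsAfterDisconnect(bool useCleanupPath) {
    Frame frame;   // declared first, so it outlives doc in this scope
    Document doc;
    doc.attach(frame);
    if (useCleanupPath) doc.willBeRemovedFromFrame();
    else doc.detachFromFrame();
    if (doc.consistent() != useCleanupPath) return -1;
    return frame.view->checkedRefs;
}

int main() {
    std::printf("direct detach: %d ref(s) left\n", outstandingRefsAfterDisconnect(false));
    std::printf("cleanup path:  %d ref(s) left\n", outstandingRefsAfterDisconnect(true));
}
```

In the direct-detach case the frame's view still has a holder after the document has let go of the frame, which is the stale state the new API test guards against.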