Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0dad921c8a6b371e567e1a74bac3399909e0ea93
https://github.com/WebKit/WebKit/commit/0dad921c8a6b371e567e1a74bac3399909e0ea93
Author: Basuke Suzuki <[email protected]>
Date: 2026-04-28 (Tue, 28 Apr 2026)
Changed paths:
M Source/WebCore/history/BackForwardCache.cpp
M Source/WebCore/history/BackForwardCache.h
M Source/WebCore/history/CachedFrame.cpp
M Source/WebCore/loader/FrameLoader.cpp
Log Message:
-----------
[Site Isolation] Add multi-process BackForwardCache and CachedFrame support
https://bugs.webkit.org/show_bug.cgi?id=313507
rdar://175721231

Reviewed by Sihui Liu.

Prepare BackForwardCache and CachedFrame for multi-process BFCache with
Site Isolation.

Add a new take(BackForwardFrameItemIdentifier, Page*) overload that
looks up cache entries directly by identifier rather than through a
HistoryItem. This is needed because subframe processes suspend and
restore their BFCache entries using the main frame's identifier passed
from the UIProcess, without access to the HistoryItem. The existing
take(HistoryItem&, Page*) now delegates to the new overload.

Add Page ownership validation to both take() and get(). With
multi-process BFCache, a subframe process caches its Page under the
main frame's BackForwardFrameItemIdentifier via SetSubframesSuspended.
If a different Page in the same process later navigates to the same
back/forward item, the FrameLoader's BFCache lookup can find this
subframe entry instead of a cache miss. Since the subframe's CachedPage
has a RemoteFrame main frame with no DocumentLoader, restoring from it
causes a crash. The Page validation ensures each Page only finds its own
cache entries. The take() overload checks before removing from the map
so mismatched entries are preserved for their rightful owner.

In CachedFrame, restore() now null-guards m_document to support
RemoteFrame entries. In an iframe process under Site Isolation, the
Page's main frame is a RemoteFrame with no Document — the CachedFrame
stores the frame tree structure but not a Document. The child frame
reconstruction loop and pruneDetachedChildFrames() are moved outside
the m_document guard so they execute for both LocalFrame and RemoteFrame
paths. CachedFrame::open() adds a RemoteFrame branch that calls
restore() directly, since RemoteFrames have no FrameLoader to drive the
restoration.

In FrameLoader::continueLoadAfterNavigationPolicy, replace the
isInBackForwardCache() check with BackForwardCache::get(). The former
only checks if the key exists in the cache, while the latter also
validates Page ownership. Without this, the FrameLoader can take the
BFCache restoration path using a subframe's CachedPage, stalling the
navigation instead of proceeding to the normal load path that triggers
a process swap via the UIProcess.

No new tests (no behavior change for single-process BFCache).

* Source/WebCore/history/BackForwardCache.cpp:
(WebCore::BackForwardCache::addIfCacheable):
(WebCore::BackForwardCache::take):
(WebCore::BackForwardCache::get):
* Source/WebCore/history/BackForwardCache.h:
* Source/WebCore/history/CachedFrame.cpp:
(WebCore::CachedFrameBase::restore):
(WebCore::CachedFrame::open):
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::continueLoadAfterNavigationPolicy):
Canonical link: https://commits.webkit.org/312248@main
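
The Page ownership check described in the log message, modeled as a small stand-alone C++ cache. This is an added example, not code from the WebKit commit; `OwnedCache`, `CachedEntry`, `ItemId` and the simplified `Page` are hypothetical stand-ins, and it contrasts a key-only existence check with an owner-validated `get()` and a `take()` that validates before erasing.

```cpp
// Simplified model of an owner-validated cache; NOT WebKit source.
// ItemId, Page, CachedEntry and OwnedCache are hypothetical stand-ins.
#include <cstdint>
#include <memory>
#include <unordered_map>

using ItemId = std::uint64_t;          // stands in for BackForwardFrameItemIdentifier
struct Page { int id; };               // stands in for WebCore::Page

struct CachedEntry {
    const Page* owner;                 // Page that suspended this entry
    bool hasDocumentLoader;            // false models a RemoteFrame main frame
};

class OwnedCache {
public:
    void add(ItemId id, const Page& owner, bool hasDocumentLoader) {
        m_entries[id] = std::make_unique<CachedEntry>(CachedEntry{&owner, hasDocumentLoader});
    }
    // Key-only check: true even when the entry belongs to another Page.
    bool contains(ItemId id) const { return m_entries.count(id) != 0; }
    // Owner-validated lookup: a foreign entry is reported as a cache miss.
    CachedEntry* get(ItemId id, const Page& requester) const {
        auto it = m_entries.find(id);
        if (it == m_entries.end() || it->second->owner != &requester)
            return nullptr;
        return it->second.get();
    }
    // Validate ownership BEFORE erasing, so a mismatched request leaves
    // the entry in place for the Page that actually owns it.
    std::unique_ptr<CachedEntry> take(ItemId id, const Page& requester) {
        auto it = m_entries.find(id);
        if (it == m_entries.end() || it->second->owner != &requester)
            return nullptr;
        auto entry = std::move(it->second);
        m_entries.erase(it);
        return entry;
    }
private:
    std::unordered_map<ItemId, std::unique_ptr<CachedEntry>> m_entries;
};

int main() {
    Page subframePage{1}, otherPage{2};    // constructed sample Pages
    OwnedCache cache;
    cache.add(42, subframePage, false);    // subframe entry under the main frame's id
    bool ok = cache.contains(42) && !cache.get(42, otherPage) && !cache.take(42, otherPage)
        && cache.contains(42) && cache.take(42, subframePage);
    return ok ? 0 : 1;
}
```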