Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0cf61b7a19b4202e3547751c4b016033582be19f
      
https://github.com/WebKit/WebKit/commit/0cf61b7a19b4202e3547751c4b016033582be19f
  Author: BJ Burg <[email protected]>
  Date:   2026-05-22 (Fri, 22 May 2026)

  Changed paths:
    M Source/WebKit/UIProcess/Inspector/Agents/ProxyingNetworkAgent.cpp
    M Source/WebKit/UIProcess/Inspector/Agents/ProxyingNetworkAgent.h

  Log Message:
  -----------
  Fix ProxyingNetworkAgent message receiver leak across process swaps
https://bugs.webkit.org/show_bug.cgi?id=314902
rdar://177178776

Reviewed by Sihui Liu and Qianlang Chen.

ASSERTION FAILED: !m_messageReceiverMapCount in ~MessageReceiver, on
Tahoe Debug, observed flaking on http/tests/ssl/applepay/ApplePayButton.html
when the Inspector SI tests that ran before it left ProxyingNetworkAgent
registrations behind on swapped-out WebProcessProxy instances.

ProxyingNetworkAgent::enableInstrumentationForProcess registers itself
as a per-page IPC message receiver on each WebProcessProxy hosting a
frame. Under Site Isolation, when a frame swaps process (provisional
commit, cross-origin navigation), the swapped-out process leaves
forEachWebContentProcess() but its addMessageReceiver registration on
*this remains. disable() iterated forEachWebContentProcess() and so
only cleaned up currently-associated processes; m_instrumentedProcessPageCounts
was then cleared without removing receivers from the stale processes,
leaking m_messageReceiverMapCount on the agent. Once Inspector
disconnected and ~ProxyingNetworkAgent ran (when WebPageProxy itself
later died), MessageReceiver's destructor asserted.

* Source/WebKit/UIProcess/Inspector/Agents/ProxyingNetworkAgent.h:
* Source/WebKit/UIProcess/Inspector/Agents/ProxyingNetworkAgent.cpp:
(Inspector::ProxyingNetworkAgent::~ProxyingNetworkAgent):
  Drain any leftover receiver registrations as a backstop for teardown
  paths that bypass willDestroyFrontendAndBackend() -> disable().
(Inspector::ProxyingNetworkAgent::removeAllRegisteredReceivers):
  Iterate m_instrumentedProcessPageCounts, look up each WebProcessProxy
  by ProcessIdentifier, and call removeMessageReceiver. Skip when the
  proxy is gone -- the inspected WebPageProxy keeps its main
  WebProcessProxy alive until after WebPageInspectorController tears
  down, and cross-origin iframe processes are kept alive by their own
  page state, so in practice the lookup succeeds.
(Inspector::ProxyingNetworkAgent::disable):
  Iterate the registration map directly instead of
  forEachWebContentProcess() so we notify and unregister from every
  process we registered against, including stale ones.

Canonical link: https://commits.webkit.org/313741@main
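
A simplified model of the leak the log message describes, added here as an illustration and not taken from the WebKit change: the `Agent` struct, its members and the integer process ids are hypothetical stand-ins for ProxyingNetworkAgent, its registration map and the WebProcessProxy instances. It compares teardown that walks only the currently associated processes with teardown that walks the registration map itself.

```cpp
// Added illustration, not WebKit code. All names here are hypothetical.
#include <cstdio>
#include <map>
#include <set>

using ProcessID = int;

struct Agent {
    int receiverMapCount = 0;                // stands in for m_messageReceiverMapCount
    std::map<ProcessID, int> registrations;  // stands in for m_instrumentedProcessPageCounts
    std::set<ProcessID> liveProcesses;       // what forEachWebContentProcess() would visit

    void enableForProcess(ProcessID pid) {
        liveProcesses.insert(pid);
        if (registrations[pid]++ == 0)
            ++receiverMapCount;              // one receiver registration per process
    }

    // A frame swaps process: the old process leaves the live set, but the
    // registration made against it is still outstanding.
    void swapProcess(ProcessID from, ProcessID to) {
        liveProcesses.erase(from);
        enableForProcess(to);
    }

    // Before: unregister only from currently associated processes, then clear.
    void disableByLiveSet() {
        for (ProcessID pid : liveProcesses)
            if (registrations.count(pid))
                --receiverMapCount;
        registrations.clear();
    }

    // After: unregister from every process recorded in the map, stale or not.
    void disableByRegistrationMap() {
        for (auto it = registrations.begin(); it != registrations.end(); ++it)
            --receiverMapCount;
        registrations.clear();
    }
};

// Registrations still outstanding after disable(); non-zero models the
// state in which the destructor assertion fires.
int leakedReceivers(bool useRegistrationMap) {
    Agent agent;
    agent.enableForProcess(1);
    agent.swapProcess(1, 2);
    useRegistrationMap ? agent.disableByRegistrationMap() : agent.disableByLiveSet();
    return agent.receiverMapCount;
}

int main() { std::printf("%d %d\n", leakedReceivers(false), leakedReceivers(true)); }
```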


