Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d32378b4f5840ea927aaa9ac15f1811fdbb1e8a4
https://github.com/WebKit/WebKit/commit/d32378b4f5840ea927aaa9ac15f1811fdbb1e8a4
Author: Sihui Liu <[email protected]>
Date: 2026-06-12 (Fri, 12 Jun 2026)
Changed paths:
M Source/WebKit/WebProcess/WebPage/WebPage.cpp
Log Message:
-----------
[Site Isolation] Multiple layout tests are crashing due to assertion failure: frame->page() == this
https://bugs.webkit.org/show_bug.cgi?id=316417
rdar://178830885
Reviewed by Charlie Wolfe.
Under Site Isolation, frames of the same page can be hosted in different processes and frame state updates are async:
web process hosting the frame => UI process => other web processes hosting the same frame remotely.
There is a race where a web process detaches a frame locally before handling an in-flight state update message from another process. For example, the process hosting the parent frame removes an iframe element via JavaScript (e.g. document.write()), which detaches the frame synchronously — but UIProcess has already forwarded a state update for that frame, which arrives after the detach. In this case it is safe to ignore the update, since the frame will be destroyed soon.
Replace ASSERT(frame->page() == this) with early returns to handle this race. The exception is frameWasRemovedInAnotherProcess, where markAsRemovedInAnotherProcess() must still run unconditionally to prevent a spurious DidDestroyFrame from being sent to UIProcess when the frame is later destroyed locally.
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::didFinishLoadInAnotherProcess):
(WebKit::WebPage::frameWasRemovedInAnotherProcess):
(WebKit::WebPage::allFrameTreeSyncDataChangedInAnotherProcess):
(WebKit::WebPage::createProvisionalFrame):
(WebKit::WebPage::loadDidCommitInAnotherProcess):
Canonical link: https://commits.webkit.org/315141@main
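
The race and the fix described in the log message, as an added example that is not WebKit's code. It is a toy C++ model: the `Page` and `Frame` types, the id-based lookup and `lateMessagesAfterDetach` are assumptions, and only the handler names and `DidDestroyFrame` come from the commit.

```cpp
#include <cstddef>
#include <cstdint>
#include <unordered_map>
#include <vector>

// Toy model of the handlers named in the commit; every type here is hypothetical.
struct Page;
struct Frame {
    Page* page = nullptr;                 // cleared when the frame is detached locally
    bool removedInAnotherProcess = false; // suppresses DidDestroyFrame on local destroy
    bool finishedLoad = false;
};
struct Page {
    std::unordered_map<uint64_t, Frame> frames;
    std::vector<uint64_t> sentDidDestroyFrame; // messages that would go to the UI process
    Frame* find(uint64_t id) { auto it = frames.find(id); return it == frames.end() ? nullptr : &it->second; }
    void addFrame(uint64_t id) { frames[id].page = this; }
    void detachLocally(uint64_t id) { if (auto* f = find(id)) f->page = nullptr; }
    // Late update for a frame already detached here: ignore it rather than assert.
    bool didFinishLoadInAnotherProcess(uint64_t id) {
        auto* frame = find(id);
        if (!frame || frame->page != this) return false;
        frame->finishedLoad = true;
        return true;
    }
    // The mark is set before the page check, so it still runs after a local detach.
    void frameWasRemovedInAnotherProcess(uint64_t id) {
        auto* frame = find(id);
        if (!frame) return;
        frame->removedInAnotherProcess = true;
        if (frame->page == this) frame->page = nullptr;
    }
    void destroyFrame(uint64_t id) {
        auto* frame = find(id);
        if (!frame) return;
        if (!frame->removedInAnotherProcess) sentDidDestroyFrame.push_back(id);
        frames.erase(id);
    }
};

// Constructed scenario: detach frame 7 locally, then deliver the in-flight messages.
struct Outcome { bool updateApplied; std::size_t destroyMessages; };
Outcome lateMessagesAfterDetach(bool removalMessageArrives) {
    Page page;
    page.addFrame(7);
    page.detachLocally(7);
    bool applied = page.didFinishLoadInAnotherProcess(7);
    if (removalMessageArrives) page.frameWasRemovedInAnotherProcess(7);
    page.destroyFrame(7);
    return { applied, page.sentDidDestroyFrame.size() };
}
```

If the page check in `frameWasRemovedInAnotherProcess` came before the mark, the `true` case would record one `DidDestroyFrame` for a frame the UI process already knows is gone.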