Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c8533d6a372369d5d5e205fd46ce87060a4b9737
https://github.com/WebKit/WebKit/commit/c8533d6a372369d5d5e205fd46ce87060a4b9737
Author: Sihui Liu <[email protected]>
Date: 2026-02-13 (Fri, 13 Feb 2026)
Changed paths:
M Source/WebCore/history/BackForwardCache.cpp
M Source/WebCore/loader/FrameLoader.cpp
M Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm
Log Message:
-----------
Back navigation may never complete when navigating to a site with subframe
https://bugs.webkit.org/show_bug.cgi?id=306933
rdar://169597227
Reviewed by Chris Dumez.
With the current implementation, back navigation may never complete in the
following case:
1. Navigate page / main frame to a site that has an iframe (HistoryItem1
created in WebProcess1)
2. Navigate the iframe (HistoryItem2 created in WebProcess1)
3. Navigate main frame cross-site (HistoryItem3 created in WebProcess2)
4. Go back (going back to HistoryItem2)
Under PSON, there's a process swap when going back: the UI process will tell
WebProcess1, which has the cached page for HistoryItem2, to perform the
navigation. In HistoryController::recursiveGoToItem(), the item and fromItem
are the same (as the cached page is at HistoryItem2 state), so itemsAreClones()
will return false, and HistoryController will start loading HistoryItem2. Then
in FrameLoader::loadItem(), sameDocumentNavigation will be true because the
main frame is actually at HistoryItem1 -- this means in
HistoryItem::shouldDoSameDocumentNavigationTo(), itemIDs are different but
documentSequenceNumbers are the same (as the main frame does not change
document between HistoryItem1 and HistoryItem2).
Then FrameLoader is doing a same-document navigation and the load is never
committed (as no request is made for same-document navigation).
There is actually an assertion in FrameLoader::loadItem(), saying
sameDocumentNavigation should never be true if we are continuing a backforward
navigation in a new process. To fix this, turn the assertion into an actual
reset of sameDocumentNavigation if we notice the load is in a new process.
This patch also removes a debug assertion in canCacheFrame() because if the
frame is already cached and being restored, its document might not have a
frame; and this frame is not in a cacheable state.
Test: WKBackForwardList.PageCacheGoBackAfterNavigatingSameSiteIframe
WKBackForwardList.NoPageCacheGoBackAfterNavigatingSameSiteIframe
* Source/WebCore/history/BackForwardCache.cpp:
(WebCore::canCacheFrame):
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadItem):
* Tools/TestWebKitAPI/Tests/WebKit/WKBackForwardListTests.mm:
(runGoBackAfterNavigatingSameSiteIframe):
(TEST(WKBackForwardList, PageCacheGoBackAfterNavigatingSameSiteIframe)):
(TEST(WKBackForwardList, NoPageCacheGoBackAfterNavigatingSameSiteIframe)):
Canonical link: https://commits.webkit.org/307473@main