Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 520cf977e28c5565409a1db6741e2fa64827a398
      
https://github.com/WebKit/WebKit/commit/520cf977e28c5565409a1db6741e2fa64827a398
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-05-08 (Fri, 08 May 2026)

  Changed paths:
    M Source/WebCore/loader/FrameLoader.cpp

  Log Message:
  -----------
  [Site Isolation] fast/dom/no-assert-for-malformed-js-url-attribute.html fails
https://bugs.webkit.org/show_bug.cgi?id=314429

Reviewed by Sihui Liu and Brady Eidson.

The test was timing out with site isolation due to the following sequence of
events:

  1. The parent's document reaches complete, so FrameLoader::checkCompleted() sets
     m_isComplete = true and fires the load event handler synchronously via
     checkCallImplicitClose().
  2. That handler (e.g. an iframe src mutation in body.onload) starts a
     cross-process navigation on a subframe, setting
     m_provisionalLoadHappeningInAnotherProcess to true on that subframe's loader.
  3. checkCompleted() then calls checkLoadComplete(), but
     checkLoadCompleteForThisFrame() for the parent hits isLoadingInAPISense() ->
     subframeIsLoading() -> true (because of the subframe's flag), so it
     early-returns at CommittedPage without dispatching didFinishLoad. The
     parent's FrameLoader state stays at CommittedPage.
  4. The cross-process load eventually finishes/fails. The UI process IPCs
     DidFinishLoadInAnotherProcess to the parent's WebContent process, which calls
     LocalFrame::didFinishLoadInAnotherProcess() ->
     FrameLoader::provisionalLoadFailedInAnotherProcess(). That clears the
     cross-process flag and calls parent->checkCompleted().
  5. checkCompleted() short-circuits because m_isComplete is already true - and
     nothing calls checkLoadComplete(). The parent's state machine never advances
     to Complete, so WebLocalFrameLoaderClient::dispatchDidFinishLoad() is never
     called. As a result, WebKitTestRunner's injected bundle never sees
     didFinishLoadForFrame for the main frame, topLoadingFrame stays set, and the
     test times out.

This PR fixes the test by making FrameLoader::provisionalLoadFailedInAnotherProcess
call checkLoadComplete() on the parent, not just checkCompleted(). This unblocks
the parent's loader state machine when its document had already reached complete
while a subframe was still pending in another process.

Test: fast/dom/no-assert-for-malformed-js-url-attribute.html

* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::provisionalLoadFailedInAnotherProcess):

Canonical link: https://commits.webkit.org/312940@main
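The five-step sequence from the commit message, reduced to a small C++ model added here as an illustration. This is not WebKit code: every type and function below is a hypothetical stand-in named after the identifiers in the message, and the `withFix` flag switches between the old behaviour (only checkCompleted on the parent) and the fixed one (checkLoadComplete as well).

```cpp
// Toy model of the parent/subframe loader interaction described in the commit
// message. Hypothetical stand-in, not WebKit's FrameLoader.
#include <functional>
#include <vector>

enum class LoadState { CommittedPage, Complete };

struct Frame {
    bool isComplete = false;                      // m_isComplete
    bool provisionalLoadInAnotherProcess = false; // m_provisionalLoadHappeningInAnotherProcess
    LoadState state = LoadState::CommittedPage;
    std::vector<Frame*> subframes;
    Frame* parent = nullptr;
    std::function<void()> onLoad;                 // body.onload handler

    bool subframeIsLoading() const {
        for (const Frame* f : subframes)
            if (f->provisionalLoadInAnotherProcess) return true;
        return false;
    }
    // Stands in for checkLoadCompleteForThisFrame(): early-return at
    // CommittedPage while any subframe is still loading.
    void checkLoadComplete() {
        if (subframeIsLoading()) return;
        state = LoadState::Complete;              // dispatchDidFinishLoad
    }
    // Stands in for checkCompleted(): short-circuits once m_isComplete is set.
    void checkCompleted() {
        if (isComplete) return;
        isComplete = true;
        if (onLoad) onLoad();                     // load event fires synchronously
        checkLoadComplete();
    }
};
// The DidFinishLoadInAnotherProcess path. withFix=false is the old behaviour
// (only checkCompleted on the parent); withFix=true also calls checkLoadComplete.
void provisionalLoadFailedInAnotherProcess(Frame& sub, bool withFix) {
    sub.provisionalLoadInAnotherProcess = false;
    sub.parent->checkCompleted();
    if (withFix) sub.parent->checkLoadComplete();
}
// Runs steps 1-5 from the commit message and returns the parent's final state.
LoadState runScenario(bool withFix) {
    Frame parent, sub;
    sub.parent = &parent;
    parent.subframes.push_back(&sub);
    // Step 2: the load handler starts a cross-process navigation in the subframe.
    parent.onLoad = [&sub] { sub.provisionalLoadInAnotherProcess = true; };
    parent.checkCompleted();                             // steps 1-3
    provisionalLoadFailedInAnotherProcess(sub, withFix); // steps 4-5
    return parent.state;
}
```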
