Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 04f8f8e8059d44ce8129b702dd578c7743e772bc
https://github.com/WebKit/WebKit/commit/04f8f8e8059d44ce8129b702dd578c7743e772bc
Author: BJ Burg <[email protected]>
Date: 2026-05-15 (Fri, 15 May 2026)
Changed paths:
M LayoutTests/platform/mac-wk2/TestExpectations
M Source/WebKit/UIProcess/Inspector/WebPageInspectorController.cpp
M Source/WebKit/UIProcess/Inspector/WebPageInspectorController.h
M Source/WebKit/UIProcess/WebFrameProxy.cpp
M Source/WebKit/WebProcess/Inspector/FrameInspectorTarget.cpp
M Source/WebKit/WebProcess/Inspector/FrameInspectorTarget.h
Log Message:
-----------
REGRESSION(313207@main): Web Inspector: ProxyingNetworkAgent leaks
IPC::MessageReceiver after cross-origin iframe process swap
https://bugs.webkit.org/show_bug.cgi?id=314808
rdar://177056433
Reviewed by Abrar Rahman Protyasha.
Two distinct teardown bugs surface from the same cross-origin iframe
process swap path under Site Isolation. Both manifest as flaky crashes
attributed to whatever non-SI test runs after a Web Inspector layout
test in WKTR's run order, which is why
http/tests/ssl/applepay/ApplePayButton.html was the visible victim.
The first issue is that WebPageInspectorController::didCommitProvisionalFrame
re-instruments the new WebContent process for network events but never
removes the old process's instrumentation. The (oldProcessID, oldPageID)
entry stays in ProxyingNetworkAgent::m_instrumentedProcessPageCounts and
its IPC::MessageReceiver registration on the old WebProcessProxy outlives
the agent. ~ProxyingNetworkAgent then asserts in ~IPC::MessageReceiver
during the next WKWebView teardown. Thread the iframe's old pageID from
WebFrameProxy::commitProvisionalFrame through to didCommitProvisionalFrame,
and disable instrumentation for the old process before re-enabling on the
new one.
The second issue is that FrameInspectorTarget::connect() chooses
provisionalFrame() ?: coreLocalFrame() and registers the frontend channel
with that frame's inspector controller. disconnect() makes the same
choice independently. Under Site Isolation those two choices can resolve
to different LocalFrames -- a provisional load can start after connect,
or the previously-provisional frame commits and replaces coreLocalFrame().
Disconnecting from a controller that never registered the channel asserts
in FrontendRouter::disconnectFrontend. Pin a WeakPtr<LocalFrame> at
connect time and disconnect from that same frame's controller.
Test changes:
- evaluate-in-cross-origin-iframe.html (was [ Failure Crash ]) now passes.
- execution-context-from-frame-target.html (was [ Failure ]) now passes.
* Source/WebKit/UIProcess/WebFrameProxy.cpp:
(WebKit::WebFrameProxy::commitProvisionalFrame):
* Source/WebKit/UIProcess/Inspector/WebPageInspectorController.h:
* Source/WebKit/UIProcess/Inspector/WebPageInspectorController.cpp:
(WebKit::WebPageInspectorController::didCommitProvisionalFrame):
* Source/WebKit/WebProcess/Inspector/FrameInspectorTarget.h:
* Source/WebKit/WebProcess/Inspector/FrameInspectorTarget.cpp:
(WebKit::FrameInspectorTarget::connect):
(WebKit::FrameInspectorTarget::disconnect):
* LayoutTests/platform/mac-wk2/TestExpectations:
Canonical link: https://commits.webkit.org/313318@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
