Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f8acb9cb819c1f8ae56c81b5e5076403a6b12a5b
      
https://github.com/WebKit/WebKit/commit/f8acb9cb819c1f8ae56c81b5e5076403a6b12a5b
  Author: Ryosuke Niwa <[email protected]>
  Date:   2026-06-04 (Thu, 04 Jun 2026)

  Changed paths:
    M Source/WebKit/UIProcess/WebProcessProxy.cpp
    M Source/WebKit/UIProcess/WebProcessProxy.h
    M Tools/TestWebKitAPI/Tests/WebKit/WKWebView/WebLocks.mm

  Log Message:
  -----------
  Cherry pick 305413.672@safari-7624-branch (4fcd36e3a363)
https://bugs.webkit.org/show_bug.cgi?id=316322
rdar://178745136

    REGRESSION(305413.548@safari-7624-branch): Crash in WebProcessProxy::hasCommittedClientOrigin
    https://bugs.webkit.org/show_bug.cgi?id=312335
    rdar://174679141

    Reviewed by Chris Dumez.

    WebProcessProxy::hasCommittedClientOrigin has a code path for processes running workers (isRunningWorkers())
    that dereferences m_site as in *m_site. m_site is a WTF::Expected<WebCore::Site, SiteState> — when it holds
    the error value SiteState::MultipleSites, operator*() accesses the non-existent value member, throwing
    std::bad_variant_access. This propagates uncaught to the Objective-C run loop boundary, triggering std::terminate().

    The three conditions that must hold simultaneously for this crash to occur:
      1. isRunningWorkers() is true — a service worker is running inside a web content process (not a dedicated worker
         process), so m_serviceWorkerInformation is set.
      2. m_site holds MultipleSites — a cross-site navigation occurred in that same web content process (no process swap),
         so didStartProvisionalLoadForMainFrame set m_site = makeUnexpected(SiteState::MultipleSites).
      3. A RequestLock IPC from the service worker arrives after condition 2 — the service worker's termination is
         deferred (terminateRemoteWorkerContextConnectionWhenPossible instead of the old disableRemoteWorkers), so
         isRunningWorkers() remains true during a window where the worker can still send IPCs.

    Fixed the bug by adding a HashSet<WebCore::Site> m_committedSites to WebProcessProxy, populated whenever m_site is
    assigned a valid Site (in createForRemoteWorkers, didStartProvisionalLoadForMainFrame, and
    didStartUsingProcessForSiteIsolation). In hasCommittedClientOrigin, when isRunningWorkers() is true but m_site does
    not hold a value (it's MultipleSites), the check falls back to m_committedSites instead of dereferencing m_site
    in an error state. This correctly validates the worker's origin against the sites the process has legitimately
    committed — rather than crashing or incorrectly rejecting a legitimate lock request and killing the web process.

    Test: Tools/TestWebKitAPI/Tests/WebKitCocoa/WebLocks.mm

    * Source/WebKit/UIProcess/WebProcessProxy.cpp:
    (WebKit::WebProcessProxy::createForRemoteWorkers):
    (WebKit::WebProcessProxy::hasCommittedClientOrigin const):
    (WebKit::WebProcessProxy::didStartProvisionalLoadForMainFrame):
    (WebKit::WebProcessProxy::didStartUsingProcessForSiteIsolation):
    * Source/WebKit/UIProcess/WebProcessProxy.h:
    * Tools/TestWebKitAPI/Tests/WebKitCocoa/WebLocks.mm:
    (TestWebKitAPI::enableWebLocksAPI):
    (TestWebKitAPI::runSnapshotAcrossPagesTest):
    (TestWebKitAPI::runLockRequestWaitingOnAnotherPage):
    (TestWebKitAPI::TEST(WebLocks, ServiceWorkerLockRequestAfterCrossSiteNavigationInSameProcess)):

Originally-landed-as: 305413.672@safari-7624-branch (4fcd36e3a363). 
rdar://174679141
Canonical link: https://commits.webkit.org/314616@main
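The failure mode the log message describes (an Expected-like value dereferenced while it holds its error alternative, so std::get throws std::bad_variant_access on an IPC path) and the shape of the fix (fall back to the set of committed sites instead of dereferencing) can be reproduced in a small stand-alone model. This is an added illustration, not WebKit's code: the Expected, ProcessProxy, SiteState::Empty and the "before"/"after" check bodies are constructed stand-ins that model only what the message states, and the non-worker branch of the check is an assumption rather than a copy of the real method.

```cpp
#include <cstdio>
#include <set>
#include <string>
#include <utility>
#include <variant>

// Constructed stand-ins (not WebCore/WTF types). SiteState::Empty is an
// assumed initial state; only MultipleSites is named in the commit message.
enum class SiteState { Empty, MultipleSites };
using Site = std::string; // stands in for WebCore::Site

// Minimal model of WTF::Expected<Site, SiteState> backed by std::variant:
// operator*() throws std::bad_variant_access when the error alternative is held,
// which is exactly the behaviour the crash report describes.
class Expected {
public:
    explicit Expected(Site site) : m_value(std::move(site)) {}
    explicit Expected(SiteState error) : m_value(error) {}
    bool has_value() const { return std::holds_alternative<Site>(m_value); }
    const Site& operator*() const { return std::get<Site>(m_value); }
private:
    std::variant<Site, SiteState> m_value;
};

struct ProcessProxy {
    Expected m_site { SiteState::Empty };
    std::set<Site> m_committedSites; // the fix: every Site ever assigned to m_site
    bool m_runningWorkers = false;   // models isRunningWorkers()

    // A load commits a single site: m_site becomes valid and is recorded.
    void commitSite(const Site& site) {
        m_site = Expected(site);
        m_committedSites.insert(site);
    }

    // Cross-site navigation without a process swap: the new site is recorded,
    // but m_site collapses to the MultipleSites error state.
    void crossSiteNavigationInSameProcess(const Site& site) {
        m_committedSites.insert(site);
        m_site = Expected(SiteState::MultipleSites);
    }

    // "Before": the worker path dereferences m_site unconditionally.
    bool hasCommittedClientOriginBefore(const Site& origin) const {
        if (m_runningWorkers)
            return *m_site == origin; // throws if m_site holds MultipleSites
        return m_site.has_value() && *m_site == origin; // assumed non-worker path
    }

    // "After": when m_site has no value, consult the committed-site set instead.
    bool hasCommittedClientOriginAfter(const Site& origin) const {
        if (m_runningWorkers) {
            if (m_site.has_value())
                return *m_site == origin;
            return m_committedSites.count(origin) > 0;
        }
        return m_site.has_value() && *m_site == origin; // assumed non-worker path
    }
};

// Models a RequestLock IPC hitting the old check: true if it would have thrown
// (and, uncaught at the run-loop boundary, terminated the UI process).
bool lockRequestWouldCrash(const ProcessProxy& process, const Site& origin) {
    try {
        (void)process.hasCommittedClientOriginBefore(origin);
        return false;
    } catch (const std::bad_variant_access&) {
        return true;
    }
}

int main() {
    ProcessProxy process;
    process.m_runningWorkers = true;        // condition 1: service worker in this process
    process.commitSite("a.example");
    process.crossSiteNavigationInSameProcess("b.example"); // condition 2: MultipleSites
    // condition 3: the worker's lock request arrives now
    std::printf("old check crashes: %s\n", lockRequestWouldCrash(process, "a.example") ? "yes" : "no");
    std::printf("new check accepts a.example: %s\n", process.hasCommittedClientOriginAfter("a.example") ? "yes" : "no");
    std::printf("new check accepts other.example: %s\n", process.hasCommittedClientOriginAfter("other.example") ? "yes" : "no");
    return 0;
}
```

The model makes the three conditions from the log message explicit as three calls, and shows why a plain `has_value()` guard alone would not be enough: after the cross-site navigation there is no single site to compare against, so rejecting the request would wrongly fail a legitimate worker, which is why the fix keeps a separate record of every committed site.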
