Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: bede95377e0004f150f875bc189a8ca95deeec91
https://github.com/WebKit/WebKit/commit/bede95377e0004f150f875bc189a8ca95deeec91
Author: Basuke Suzuki <[email protected]>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M LayoutTests/platform/mac-site-isolation/TestExpectations
M Source/WebCore/history/BackForwardCache.cpp
M Source/WebCore/loader/FrameLoader.cpp
M Source/WebCore/page/Page.cpp
M Source/WebCore/page/Page.h
Log Message:
-----------
[Site Isolation] BFCache crash on goBack when cached main frame was
RemoteFrame at suspension time
https://bugs.webkit.org/show_bug.cgi?id=316458
rdar://178857523

Reviewed by Sihui Liu.

FrameLoader::commitProvisionalLoad gated its main-frame BFCache step on
`!frame->tree().parent()`. Under Site Isolation a cross-site swap can leave
the old LocalFrame detached (parent null) but still reachable from this
code path with a stale `m_mainFrame` back-pointer; `Frame::isMainFrame()`
also returns true for it. The page's actual main has already been swapped
to a RemoteFrame elsewhere. Caching this orphan stored a CachedPage for a
phantom Page (Remote main, no Local descendants), which then null-derefed
on restore in FrameLoader::loadDifferentDocumentItem ->
updateCachedDocumentLoader.

Tighten the gate to identity-check against the page's current main frame.
Add a debug-only ASSERT in BackForwardCache::addIfCacheable to catch any
future regression where a no-LocalFrame page reaches this path. The
release behavior is unchanged — the FrameLoader gate is the actual fix.

* LayoutTests/platform/mac-site-isolation/TestExpectations:
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad):
* Source/WebCore/history/BackForwardCache.cpp:
(WebCore::BackForwardCache::addIfCacheable):

Canonical link: https://commits.webkit.org/314823@main
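
The gate change described in the log message, as an added illustration that is not part of the commit and not WebKit code: a simplified C++ model showing a detached old LocalFrame passing both the parent-null test and `isMainFrame()` while failing an identity check against the page's current main frame. The `Frame`, `Page`, `parentNullGate`, `identityGate` and `mainFrameBack` names are hypothetical stand-ins, and the way the swap is modelled is an assumption.

```cpp
// Simplified stand-ins for illustration; these are not WebKit's classes.
struct Frame;
struct Page {
    Frame* mainFrame;      // the page's current main frame (Local or Remote)
};
struct Frame {
    bool isLocal;
    Frame* parent;         // null for a root frame and for a detached frame
    Frame* mainFrameBack;  // per-frame back-pointer; can go stale after a swap
    Page* page;
    bool isMainFrame() const { return mainFrameBack == this; }
};

// Gate before the change, as the log message describes it: parent-null test.
bool parentNullGate(const Frame& f) { return !f.parent; }

// Gate after the change: identity check against the page's current main frame.
bool identityGate(const Frame& f) { return f.page && f.page->mainFrame == &f; }

struct Result {
    bool liveMainPassesIdentity, orphanPassesParentNull;
    bool orphanIsMainFrame, orphanPassesIdentity;
};

Result simulateCrossSiteSwap()
{
    Page page = { nullptr };
    Frame oldLocal = { true, nullptr, nullptr, &page };
    oldLocal.mainFrameBack = &oldLocal;
    page.mainFrame = &oldLocal;
    Result r;
    r.liveMainPassesIdentity = identityGate(oldLocal); // genuine main, pre-swap

    // Cross-site swap: the page's main becomes a RemoteFrame; the old
    // LocalFrame is detached (parent null) but keeps its stale back-pointer.
    Frame remote = { false, nullptr, nullptr, &page };
    remote.mainFrameBack = &remote;
    page.mainFrame = &remote;

    r.orphanPassesParentNull = parentNullGate(oldLocal); // would be cached
    r.orphanIsMainFrame = oldLocal.isMainFrame();        // stale, still true
    r.orphanPassesIdentity = identityGate(oldLocal);     // rejected
    return r;
}

// Exit status 0 when the identity gate rejects the orphan.
int main() { return simulateCrossSiteSwap().orphanPassesIdentity ? 1 : 0; }
```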