[webkit-changes] [WebKit/WebKit] 01812b: Fix occasional crash in foundMixedContentInFrameTr...

Alex Christensen noreply at github.com
Fri Dec 6 18:33:30 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 01812b56dd474ae6c2cda2af9f512be30ee906c1
      https://github.com/WebKit/WebKit/commit/01812b56dd474ae6c2cda2af9f512be30ee906c1
  Author: Alex Christensen <achristensen at apple.com>
  Date:   2024-12-06 (Fri, 06 Dec 2024)

  Changed paths:
    A LayoutTests/http/tests/site-isolation/resources/child-frame.html
    A LayoutTests/http/tests/site-isolation/resources/grandchild-frame.html
    A LayoutTests/http/tests/site-isolation/resources/great-grandchild-frame.html
    A LayoutTests/http/tests/site-isolation/unload-grandchild-fetch-expected.txt
    A LayoutTests/http/tests/site-isolation/unload-grandchild-fetch.html
    M Source/WebCore/loader/MixedContentChecker.cpp
    M Source/WebKit/WebProcess/WebPage/WebPage.cpp
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/SiteIsolation.mm

  Log Message:
  -----------
  Fix occasional crash in foundMixedContentInFrameTree with site isolation enabled
https://bugs.webkit.org/show_bug.cgi?id=284173

Reviewed by Pascoe.

I found a condition where the crash can happen with site isolation enabled if a pagehide event
handler initiates a fetch during teardown as a result of a frame being removed in another
process.  I added a unit test that hit the crash and changed the crash to an early return.

Along the way I found that the assertion in WebPage::frameWasRemovedInAnotherProcess can hit
if a race condition of multiple processes removing the same frame is hit.  In this case, the
frame has already been removed so there is nothing to do, so early returning is correct behavior.

I also found that WebProcessProxy::didDestroyFrame wasn't routing the message to the WebPageProxy
if a RemotePageProxy was communicating with the process that did the removing.  I added an
API test to verify the state is being handled properly once WebProcessProxy::didDestroyFrame is
redone in a way that behaves correctly in this case without breaking anything else.

* LayoutTests/http/tests/site-isolation/resources/child-frame.html: Added.
* LayoutTests/http/tests/site-isolation/resources/grandchild-frame.html: Added.
* LayoutTests/http/tests/site-isolation/resources/great-grandchild-frame.html: Added.
* LayoutTests/http/tests/site-isolation/unload-grandchild-fetch-expected.txt: Added.
* LayoutTests/http/tests/site-isolation/unload-grandchild-fetch.html: Added.
* Source/WebCore/loader/MixedContentChecker.cpp:
(WebCore::foundMixedContentInFrameTree):
* Source/WebKit/UIProcess/WebProcessProxy.cpp:
(WebKit::WebProcessProxy::didDestroyFrame):
* Source/WebKit/WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::frameWasRemovedInAnotherProcess):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/SiteIsolation.mm:
(TestWebKitAPI::TEST(SiteIsolation, RemoveFrameFromRemoteFrame)):

Canonical link: https://commits.webkit.org/287487@main