Bug 314238
| Summary: | [Site Isolation] Fix CachedFrame ASSERT for RemoteFrame-backed parent frames | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Basuke Suzuki <basuke> |
| Component: | New Bugs | Assignee: | Basuke Suzuki <basuke> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Basuke Suzuki
In multi-process BFCache with Site Isolation, an iframe process's CachedPage has a RemoteFrame as its main frame (no document in this process) with LocalFrame children that do have documents. CachedFrame::destroy() and CachedFrame::clear() both returned early when m_document was null, skipping recursive child cleanup. Child CachedFrames would then be destroyed by their unique_ptr without their own destroy()/clear() being called, triggering ASSERT(!m_document) in the CachedFrameBase destructor (fires non-fatally in WebContent process in Debug).
Move the child frame iteration in destroy() and clear() before the early m_document null-check. Child cleanup has no dependency on the parent's document and is safe to call unconditionally. The parent's own m_document teardown remains guarded as before.
Covered by existing tests. Subtask of rdar://161762363.
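The ordering problem described above, reduced to a small self-contained model. This is an added example, not WebKit's CachedFrame code: the class, the `Stats` counter and the frame tree are constructed here to show why an early return on a null `m_document` leaks the children's teardown, and why moving the child iteration ahead of that check fixes it. The real destructor asserts; this model counts documents that are still alive at deletion instead, so the two orderings can be compared.

```cpp
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Constructed model (not WebKit code): a page's document, and counters that
// stand in for what the ASSERT(!m_document) in the real destructor would catch.
struct Document { int id; };

struct Stats {
    int documentsTornDown = 0;   // documents released by an explicit destroy()
    int leakedDocuments = 0;     // documents still alive when the frame was deleted
};

class CachedFrame {
public:
    CachedFrame(std::unique_ptr<Document> document, Stats& stats)
        : m_document(std::move(document)), m_stats(stats) {}

    // Stands in for CachedFrameBase::~CachedFrameBase's ASSERT(!m_document):
    // a frame must have had destroy() run before it is deleted.
    ~CachedFrame() {
        if (m_document)
            m_stats.leakedDocuments++;
    }

    void appendChild(std::unique_ptr<CachedFrame> child) {
        m_childFrames.push_back(std::move(child));
    }

    // The defective ordering: a document-less (RemoteFrame-backed) parent returns
    // before it ever visits its LocalFrame children.
    void destroyBuggy() {
        if (!m_document)
            return;
        for (auto& child : m_childFrames)
            child->destroyBuggy();
        teardownDocument();
    }

    // The fixed ordering: children are always cleaned up first; only the parent's
    // own document teardown stays behind the null check.
    void destroyFixed() {
        for (auto& child : m_childFrames)
            child->destroyFixed();
        if (!m_document)
            return;
        teardownDocument();
    }

private:
    void teardownDocument() {
        m_document.reset();
        m_stats.documentsTornDown++;
    }

    std::unique_ptr<Document> m_document;
    std::vector<std::unique_ptr<CachedFrame>> m_childFrames;
    Stats& m_stats;
};

// Builds the shape from the bug: a main frame with no document in this process,
// and local child frames (one nested) that do have documents. Constructed sample.
static std::unique_ptr<CachedFrame> buildRemoteRootedPage(Stats& stats) {
    auto root = std::make_unique<CachedFrame>(nullptr, stats);
    auto childA = std::make_unique<CachedFrame>(std::make_unique<Document>(Document{1}), stats);
    childA->appendChild(std::make_unique<CachedFrame>(std::make_unique<Document>(Document{2}), stats));
    root->appendChild(std::move(childA));
    root->appendChild(std::make_unique<CachedFrame>(std::make_unique<Document>(Document{3}), stats));
    return root;
}

// Number of child documents still alive when the tree is deleted after destroyBuggy().
int leakedDocumentsWithBuggyDestroy() {
    Stats stats;
    {
        auto page = buildRemoteRootedPage(stats);
        page->destroyBuggy();
    }
    return stats.leakedDocuments;
}

// Same tree, torn down with the fixed ordering; returns the leak count (0 when correct).
int leakedDocumentsWithFixedDestroy() {
    Stats stats;
    {
        auto page = buildRemoteRootedPage(stats);
        page->destroyFixed();
    }
    return stats.leakedDocuments;
}

int main() {
    std::printf("buggy ordering leaked %d document(s)\n", leakedDocumentsWithBuggyDestroy());
    std::printf("fixed ordering leaked %d document(s)\n", leakedDocumentsWithFixedDestroy());
    return 0;
}
```

With the three-document tree above, the buggy ordering leaves all three child documents alive at deletion (the root returns immediately because its own `m_document` is null), while the fixed ordering leaves none; the same pattern applies to `clear()`, whose child iteration is moved for the same reason.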
Basuke Suzuki
<rdar://problem/176395663>
Basuke Suzuki
Pull request: https://github.com/WebKit/WebKit/pull/64470
EWS
Committed 312856@main (c6c2fea6a7f9): <https://commits.webkit.org/312856@main>
Reviewed commits have been landed. Closing PR #64470 and removing active labels.