RESOLVED FIXED300391
REGRESSION (300964@main): [ macOS Debug ] TestWebKitAPI.ProcessSwap.SameSiteWindowWithOpenerNavigateToFile is a consistent crash 
https://bugs.webkit.org/show_bug.cgi?id=300391
Summary REGRESSION (300964@main): [ macOS Debug ] TestWebKitAPI.ProcessSwap.SameSiteW...
Karl Rackler
Reported 2025-10-08 08:51:22 PDT
Created attachment 477029 [details] Assertion Description: TestWebKitAPI.ProcessSwap.SameSiteWindowWithOpenerNavigateToFile The test regressed in the commit range https://commits.webkit.org/compare/300965@main...300963@main. 300964@main introduced new process caching logic that conflicts with frame lifecycle management. This issue can be reproduced using the command: run-api-tests --debug TestWebKitAPI.ProcessSwap.SameSiteWindowWithOpenerNavigateToFile --force --iterations=1 --iterations 1 --force TestWebKitAPI.ProcessSwap.SameSiteWindowWithOpenerNavigateToFile History: https://results.webkit.org/?limit=50000&suite=api-tests&test=TestWebKitAPI.ProcessSwap.SameSiteWindowWithOpenerNavigateToFile Test Run: https://build.webkit.org/#/builders/1224/builds/2940 17:32:09.417 55926 worker/0 TestWebKitAPI.ProcessSwap.SameSiteWindowWithOpenerNavigateToFile Crashed FIRST ASSERTION (WebProcess): 18:23:17.094 55926 ASSERTION FAILED: !WebProcess::singleton().webFrame(m_frameID) 18:23:17.094 55926 /Volumes/Data/worker/Apple-Sequoia-Debug-Build/build/Source/WebKit/WebProcess/WebPage/WebFrame.cpp(195) : WebKit::WebFrame::WebFrame(WebPage &, WebCore::FrameIdentifier) 18:23:17.094 55926 1 0x750b468a3 WebKit::WebFrame::WebFrame(WebKit::WebPage&, WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>) 18:23:17.094 55926 2 0x750b469e5 WebKit::WebFrame::WebFrame(WebKit::WebPage&, WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>) 18:23:17.094 55926 3 0x750b460d5 WebKit::WebFrame::create(WebKit::WebPage&, WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>) SECOND ASSERTION (UIProcess): 18:23:17.094 55926 ASSERTION FAILED: site.isEmpty() || m_processMap.get(site).get() == &process || process.process().state() == WebProcessProxy::State::Terminated 18:23:17.094 55926 /Volumes/Data/worker/Apple-Sequoia-Debug-Build/build/Source/WebKit/UIProcess/BrowsingContextGroup.cpp(180) : void WebKit::BrowsingContextGroup::removeFrameProcess(FrameProcess &) 18:23:17.094 55926 1 0x14f63beec WebKit::BrowsingContextGroup::removeFrameProcess(WebKit::FrameProcess&) 18:23:17.094 55926 2 0x14f67e5ad WebKit::FrameProcess::~FrameProcess() 18:23:17.094 55926 3 0x14f67e755 WebKit::FrameProcess::~FrameProcess()
Attachments
Assertion (32.81 KB, text/plain)
2025-10-08 08:51 PDT, Karl Rackler 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-10-08 08:51:30 PDT
<rdar://problem/162203480>
EWS
Comment 2 2025-10-08 09:15:51 PDT
Test gardening commit 301210@main (45076c46b458): <https://commits.webkit.org/301210@main> Reviewed commits have been landed. Closing PR #52012 and removing active labels.
Ryosuke Niwa
Comment 3 2025-10-08 14:16:48 PDT
Hm... it's strange that this affected non-site-isolation bot.
Ryosuke Niwa
Comment 4 2025-10-08 23:30:07 PDT
Interesting. This is a regression from the change to store BrowsingContextGroup in WebBackForwardListItem.
Ryosuke Niwa
Comment 5 2025-10-09 01:34:50 PDT
Huh, this test randomly enables site isolation. That explains why the code change affected this test.
Ryosuke Niwa
Comment 6 2025-10-10 13:41:39 PDT
So apparently back-forward cache is supposed to be disabled when site isolation is enabled. That explains this failure. We just need to figure out where to bail out in this test so that we won’t hit assertions.
Ryosuke Niwa
Comment 7 2025-10-13 14:58:36 PDT
WebPageProxy::commitProvisionalPage doesn't close WebPage if the frame had opener but ProvisionalPageProxy::didCommitLoadForFrame doesn't convert such a page to a RemotePage either if browsing context groups don't match. So when we try to navigate back this frame, we end up trying to create another WebPage with the same frame ID.
Ryosuke Niwa
Comment 8 2026-03-04 17:34:10 PST
This test is passing now.
Ryosuke Niwa
Comment 9 2026-03-04 17:36:41 PST
Pull request: https://github.com/WebKit/WebKit/pull/59941
EWS
Comment 10 2026-03-04 23:55:43 PST
Committed 308686@main (d91963597c11): <https://commits.webkit.org/308686@main> Reviewed commits have been landed. Closing PR #59941 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.